| File name: | file |
| Full analysis: | https://app.any.run/tasks/e4f4bce8-e0dc-4302-842d-1bd0d57f1a7d |
| Verdict: | Malicious activity |
| Analysis date: | December 05, 2022, 17:15:44 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | BFEB50FC297E738DFA963A5F6DA482B0 |
| SHA1: | F5F6FA85B5A11BEEAD6D5E9B1C508934F0AF99CD |
| SHA256: | FE8F5C79DD2959E556E3A7A85DD04ABD241C40ADD5DF49313E52145875D39AE6 |
| SSDEEP: | 196608:91OP1STRs9nnI1z47TrdIDSet4hAthJPfnDlk7bhOEb1Vx:3OtwWhnoe8t4hAJPP5kNNb1L |
MALICIOUS
Application was dropped or rewritten from another process
- Install.exe (PID: 2576)
- LFfauDN.exe (PID: 3952)
- YTusyFT.exe (PID: 3832)
Uses Task Scheduler to run other applications
- Install.exe (PID: 2576)
- LFfauDN.exe (PID: 3952)
- YTusyFT.exe (PID: 3832)
- YTusyFT.exe (PID: 3832)
- rundll32.EXE (PID: 2184)
Loads the Task Scheduler DLL interface
- schtasks.exe (PID: 2656)
- schtasks.exe (PID: 2216)
- schtasks.exe (PID: 3016)
- schtasks.exe (PID: 564)
Loads the Task Scheduler COM API
- schtasks.exe (PID: 3856)
- schtasks.exe (PID: 296)
- schtasks.exe (PID: 3756)
- schtasks.exe (PID: 1120)
- schtasks.exe (PID: 3332)
- schtasks.exe (PID: 3832)
- schtasks.exe (PID: 3276)
- schtasks.exe (PID: 2372)
- schtasks.exe (PID: 1032)
- schtasks.exe (PID: 4052)
- schtasks.exe (PID: 2512)
- schtasks.exe (PID: 1780)
- schtasks.exe (PID: 1728)
- schtasks.exe (PID: 3912)
- schtasks.exe (PID: 2772)
- schtasks.exe (PID: 3516)
- schtasks.exe (PID: 1084)
- schtasks.exe (PID: 3240)
Modifies exclusions in Windows Defender
- reg.exe (PID: 1564)
- reg.exe (PID: 3916)
- reg.exe (PID: 3572)
- reg.exe (PID: 2012)
- reg.exe (PID: 2400)
- reg.exe (PID: 2624)
- reg.exe (PID: 3576)
- reg.exe (PID: 3764)
- reg.exe (PID: 3048)
Steals credentials from Web Browsers
- YTusyFT.exe (PID: 3832)
Drops the executable file immediately after the start
- YTusyFT.exe (PID: 3832)
Creates a writable file the system directory
- YTusyFT.exe (PID: 3832)
Modifies files in the Chrome extension folder
- YTusyFT.exe (PID: 3832)
Loads dropped or rewritten executable
- rundll32.EXE (PID: 2184)
SUSPICIOUS
Reads the BIOS version
- Install.exe (PID: 2576)
Starts itself from another location
- file.exe (PID: 3264)
Reads the Internet Settings
- Install.exe (PID: 2576)
- YTusyFT.exe (PID: 3832)
Starts CMD.EXE for commands execution
- forfiles.exe (PID: 1616)
- forfiles.exe (PID: 2648)
- LFfauDN.exe (PID: 3952)
- YTusyFT.exe (PID: 3832)
Uses REG.EXE to modify Windows registry
- cmd.exe (PID: 2892)
- cmd.exe (PID: 2168)
- cmd.exe (PID: 1784)
- cmd.exe (PID: 744)
- cmd.exe (PID: 2676)
- cmd.exe (PID: 1972)
- cmd.exe (PID: 3056)
- cmd.exe (PID: 2552)
Executes via Task Scheduler
- powershell.EXE (PID: 3052)
- LFfauDN.exe (PID: 3952)
- powershell.EXE (PID: 3248)
- YTusyFT.exe (PID: 3832)
- rundll32.EXE (PID: 2184)
Starts application from unusual location
- schtasks.exe (PID: 2656)
- schtasks.exe (PID: 2216)
- schtasks.exe (PID: 3016)
- schtasks.exe (PID: 564)
Executes scripts
- LFfauDN.exe (PID: 3952)
Creates a directory in Program Files
- YTusyFT.exe (PID: 3832)
Checks Windows Trust Settings
- YTusyFT.exe (PID: 3832)
Reads settings of System Certificates
- YTusyFT.exe (PID: 3832)
Adds/modifies Windows certificates
- YTusyFT.exe (PID: 3832)
Creates files in the Windows directory
- YTusyFT.exe (PID: 3832)
Executable content was dropped or overwritten
- YTusyFT.exe (PID: 3832)
Creates a software uninstall entry
- YTusyFT.exe (PID: 3832)
INFO
Checks supported languages
- Install.exe (PID: 2576)
- file.exe (PID: 3264)
- Install.exe (PID: 868)
- LFfauDN.exe (PID: 3952)
- YTusyFT.exe (PID: 3832)
Creates a file in a temporary directory
- file.exe (PID: 3264)
- Install.exe (PID: 868)
- Install.exe (PID: 2576)
- powershell.EXE (PID: 3052)
- powershell.EXE (PID: 3248)
Reads the computer name
- Install.exe (PID: 2576)
- YTusyFT.exe (PID: 3832)
Reads security settings of Internet Explorer
- powershell.EXE (PID: 3052)
- powershell.EXE (PID: 3248)
Creates files in the Windows directory
- schtasks.exe (PID: 2656)
- schtasks.exe (PID: 2216)
- schtasks.exe (PID: 3016)
- schtasks.exe (PID: 564)
Process checks SAM and SYSTEM backups
- YTusyFT.exe (PID: 3832)
Creates files in the program directory
- YTusyFT.exe (PID: 3832)
Process checks computer location settings
- YTusyFT.exe (PID: 3832)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 2010-Nov-18 16:27:35 |
| Detected languages: |
|
| CompanyName: | Igor Pavlov |
| FileDescription: | 7z Setup SFX |
| FileVersion: | 9.20 |
| InternalName: | 7zS.sfx |
| LegalCopyright: | Copyright (c) 1999-2010 Igor Pavlov |
| OriginalFilename: | 7zS.sfx.exe |
| ProductName: | 7-Zip |
| ProductVersion: | 9.20 |
DOS Header
| e_magic: | MZ |
| e_cblp: | 144 |
| e_cp: | 3 |
| e_crlc: | 0 |
| e_cparhdr: | 4 |
| e_minalloc: | 0 |
| e_maxalloc: | 65535 |
| e_ss: | 0 |
| e_sp: | 184 |
| e_csum: | 0 |
| e_ip: | 0 |
| e_cs: | 0 |
| e_ovno: | 0 |
| e_oemid: | 0 |
| e_oeminfo: | 0 |
| e_lfanew: | 232 |
PE Headers
| Signature: | PE |
| Machine: | IMAGE_FILE_MACHINE_I386 |
| NumberofSections: | 5 |
| TimeDateStamp: | 2010-Nov-18 16:27:35 |
| PointerToSymbolTable: | 0 |
| NumberOfSymbols: | 0 |
| SizeOfOptionalHeader: | 224 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 4096 | 104938 | 104960 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.60849 |
.rdata | 110592 | 17556 | 17920 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.36802 |
.data | 131072 | 23112 | 12800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.37054 |
.sxdata | 155648 | 4 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0.0203931 |
.rsrc | 159744 | 2656 | 3072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 3.30196 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 3.75404 | 744 | UNKNOWN | English - United States | RT_ICON |
2 | 3.18403 | 296 | UNKNOWN | English - United States | RT_ICON |
5 | 1.43775 | 52 | UNKNOWN | English - United States | RT_STRING |
500 | 3.09294 | 184 | UNKNOWN | English - United States | RT_DIALOG |
1 (#2) | 2.78284 | 148 | UNKNOWN | English - United States | RT_STRING |
1 (#3) | 2.37086 | 34 | UNKNOWN | English - United States | RT_GROUP_ICON |
1 (#4) | 3.44049 | 700 | UNKNOWN | English - United States | RT_VERSION |
Imports
KERNEL32.dll |
OLEAUT32.dll |
SHELL32.dll |
USER32.dll |
Total processes
161
Monitored processes
69
Malicious processes
12
Suspicious processes
10
Behavior graph
Click at the process to see the details