Sample: Email-Worm.Win32.NetSky.af

Full analysis: https://app.any.run/tasks/2bd9f19b-61ab-4a01-9060-75fdd78de99a
Verdict: Malicious activity
Analysis date: February 15, 2025, 18:35:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 3 sections
MD5: E355F8895DA5C1DE6D0251AD57B9DC70
SHA1: 69578EAA573347B82A8DF00A3A841D0964231254
SHA256: 0254C6CCDC4030D81E563FFC16EFE1F89BFFC1BB92AB0B43D74B8516CFAA3868
SSDEEP: 768:PEn57DfpZfsZ6Fhs3sV7/kJDvnWazlxRhTXJOlm:PEn57DfpZPhAsV7/uTnWahxRhum

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • Email-Worm.Win32.NetSky.af (PID: 2092)
  • SUSPICIOUS

    • Starts another process probably with elevated privileges via RUNAS.EXE (in this run runas.exe was invoked from explorer.exe by the analyst with /user:administrator to launch the sample, so this and the next runas.exe indicator describe how the sample was started, not what it does)

      • runas.exe (PID: 1252)
    • Starts application with an unusual extension

      • runas.exe (PID: 1252)
    • Executable content was dropped or overwritten

      • Email-Worm.Win32.NetSky.af (PID: 2092)
    • Reads the Internet Settings

      • Email-Worm.Win32.NetSky.af (PID: 2092)
    • Connects to SMTP port

      • Email-Worm.Win32.NetSky.af (PID: 2092)
    • Drops a file with a rarely used extension (PIF)

      • Email-Worm.Win32.NetSky.af (PID: 2092)
  • INFO

    • Checks supported languages

      • Email-Worm.Win32.NetSky.af (PID: 2092)
      • wmpnscfg.exe (PID: 2248)
    • Creates files in the program directory

      • Email-Worm.Win32.NetSky.af (PID: 2092)
    • Reads the computer name

      • wmpnscfg.exe (PID: 2248)
      • Email-Worm.Win32.NetSky.af (PID: 2092)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 2248)
    • Disables trace logs

      • Email-Worm.Win32.NetSky.af (PID: 2092)
    • Reads the machine GUID from the registry

      • Email-Worm.Win32.NetSky.af (PID: 2092)
    • Checks proxy server information

      • Email-Worm.Win32.NetSky.af (PID: 2092)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.7)
.exe | Generic Win/DOS Executable (23.4)
.exe | DOS Executable Generic (23.4)
.vxd | VXD Driver (0.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2004:02:16 16:48:25+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, No debug
PEType: PE32
LinkerVersion: 2.56
CodeSize: 32768
InitializedDataSize: 4096
UninitializedDataSize: 77824
EntryPoint: 0x1b050
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 48
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

explorer.exe -> runas.exe (PID 1252, no specs) -> Email-Worm.Win32.NetSky.af (PID 2092)
explorer.exe -> wmpnscfg.exe (PID 2248, no specs)

Process information

PID: 1252
CMD: "C:\Windows\System32\runas.exe" /user:administrator C:\Users\admin\Desktop\Email-Worm.Win32.NetSky.af
Path: C:\Windows\System32\runas.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Run As Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\runas.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\credui.dll
c:\windows\system32\user32.dll

PID: 2092
CMD: C:\Users\admin\Desktop\Email-Worm.Win32.NetSky.af
Path: C:\Users\admin\Desktop\Email-Worm.Win32.NetSky.af
Parent process: runas.exe
User: Administrator
Integrity Level: HIGH
Modules (images):
c:\users\admin\desktop\email-worm.win32.netsky.af
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
Note: the sample runs as Administrator at HIGH integrity only because runas.exe (PID 1252) launched it with /user:administrator. Writing HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, which the sample does, requires that privilege; a standard-user run could not have written that key.

PID: 2248
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 3 332
Read events: 3 318
Write events: 8
Delete events: 6

Modification events

All events below are from PID 2092 (Email-Worm.Win32.NetSky.af). Format: key | operation | value name = data

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | MsnMsgr = C:\Windows\MsnMsgrs.exe -alev
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | delete value | Taskmon
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | delete value | Taskmon
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | delete value | Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run | delete value | Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | delete value | KasperskyAv
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | delete value | system.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Email-Worm_RASAPI32 | write | EnableFileTracing = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Email-Worm_RASAPI32 | write | EnableConsoleTracing = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Email-Worm_RASAPI32 | write | FileTracingMask (value not shown)

The single Run-key write is the persistence mechanism: a value named MsnMsgr that points at the self copy C:\Windows\MsnMsgrs.exe and starts it with the -alev argument. The six deletions remove Run values the sample never created; Taskmon and Explorer are the value names used by Mydoom.A and Mydoom.B, and NetSky variants are known for deleting rival worms' autorun entries. The Tracing writes are the per-process RAS tracing settings created when a process loads RASAPI32 (hence the key name Email-Worm_RASAPI32); on their own they are a weak indicator.
Executable files: 2 432
Suspicious files: 3
Text files: 0
Unknown types: 0

Dropped files

All ten files were written by PID 2092 (Email-Worm.Win32.NetSky.af), all are of type executable, and all carry the hashes of the analysed sample (MD5 E355F8895DA5C1DE6D0251AD57B9DC70, SHA256 0254C6CCDC4030D81E563FFC16EFE1F89BFFC1BB92AB0B43D74B8516CFAA3868), i.e. they are byte-identical self copies.

Under C:\Program Files\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1\static\js\plugins\unified-share\:
ResidentEvil2.zip.scr
puteiros!!.scr
multas.pif
caspa.scr
barrio.scr
MulataDandoOcujpg.scr
vadias peladas!!.scr
traficoemSP!.scr
cafe!!.zip.scr

Elsewhere:
C:\Windows\MsnMsgrs.exe (the copy referenced by the MsnMsgr Run value)

The nine copies in the unified-share directory use Portuguese lure names with double extensions (.zip.scr, jpg.scr) or rarely used executable extensions (.scr, .pif). Nothing about Acrobat Reader matters to the worm; the directory was chosen because its name contains "share", consistent with NetSky's habit of seeding any folder whose name suggests it is exposed over file sharing or peer-to-peer. Hash-matching every drop against the parent sample is the quickest confirmation that this is a self-replicating worm rather than a dropper for a second-stage payload.
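The following is an added example, not code from the ANY.RUN report or from any vendor tooling. It re-derives the three host findings above (the Run-key write, the deletion of other programs' Run values, and lure-named self copies) from records shaped like the report's Modification events and Dropped files tables. The record layout, the function names and the one benign text-file record are assumptions made for the example; the registry events, paths and hashes are the ones the report lists.

```python
"""Added example (not part of the ANY.RUN report): re-derive the host findings the
report lists - the autorun write, the competitor autorun deletes and the lure-named
self copies - from records shaped like its Modification events and Dropped files
tables. Record layout, function names and the one benign record are assumptions."""
import ntpath

RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}
RARE_EXTS = {".scr", ".pif"}  # the two extensions this sample uses for its drops

SAMPLE_SHA256 = "0254C6CCDC4030D81E563FFC16EFE1F89BFFC1BB92AB0B43D74B8516CFAA3868"
HKLM_RUN = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
HKCU_RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed input: events and drops copied from the report, plus one invented
# benign text file (not in the report) to show what the checks leave alone.
REGISTRY_EVENTS = [
    {"pid": 2092, "key": HKLM_RUN, "op": "write", "name": "MsnMsgr", "value": r"C:\Windows\MsnMsgrs.exe -alev"},
    {"pid": 2092, "key": HKLM_RUN, "op": "delete value", "name": "Taskmon", "value": ""},
    {"pid": 2092, "key": HKCU_RUN, "op": "delete value", "name": "Explorer", "value": ""},
    {"pid": 2092, "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Email-Worm_RASAPI32",
     "op": "write", "name": "EnableFileTracing", "value": "0"},
]
SHARE_DIR = (r"C:\Program Files\Adobe\Acrobat Reader DC\Reader\WebResources\Resource1"
             r"\static\js\plugins\unified-share")
DROPPED_FILES = [  # (pid, path, sha256)
    (2092, SHARE_DIR + r"\ResidentEvil2.zip.scr", SAMPLE_SHA256),
    (2092, SHARE_DIR + r"\multas.pif", SAMPLE_SHA256),
    (2092, r"C:\Windows\MsnMsgrs.exe", SAMPLE_SHA256),
    (2092, r"C:\Users\admin\AppData\Local\Temp\notes.txt", "0" * 64),  # invented, benign
]


def split_command(value):
    """Split a Run value such as 'C:\\Windows\\MsnMsgrs.exe -alev' into (image, args).
    A quoted image path ("C:\\Program Files\\x.exe" /q) is handled as one token."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end > 0:
            return value[1:end], value[end + 1:].strip()
    image, _, args = value.partition(" ")
    return image, args.strip()


def autorun_findings(events):
    """Writes to a Run key are persistence. Deletes are reported as well: removing
    Run values the process never wrote is not something benign software does."""
    findings = []
    for ev in events:
        if ev["key"].lower() not in RUN_KEYS:
            continue  # e.g. the Tracing\*_RASAPI32 writes, which are noise here
        if ev["op"] == "write":
            image, args = split_command(ev["value"])
            findings.append({"type": "autorun_write", "pid": ev["pid"], "name": ev["name"],
                             "image": image, "args": args})
        elif ev["op"].startswith("delete"):
            findings.append({"type": "autorun_delete", "pid": ev["pid"], "name": ev["name"]})
    return findings


def lure_findings(dropped, sample_sha256):
    """Flag dropped executables whose names look like lures and mark self copies."""
    findings = []
    for pid, path, sha256 in dropped:
        parts = ntpath.basename(path).lower().split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext not in EXECUTABLE_EXTS:
            continue
        reasons = []
        if len(parts) > 2:
            reasons.append("double extension")
        if ext in RARE_EXTS:
            reasons.append("rarely used executable extension " + ext)
        if "share" in ntpath.dirname(path).lower():
            reasons.append("written to a share-named directory")
        self_copy = sha256.upper() == sample_sha256.upper()
        if self_copy:
            reasons.append("same SHA-256 as the parent sample")
        if reasons:
            findings.append({"type": "lure_drop", "pid": pid, "path": path,
                             "self_copy": self_copy, "reasons": reasons})
    return findings


def summarize(registry_events, dropped, sample_sha256):
    """One verdict-style summary over both checks."""
    autorun = autorun_findings(registry_events)
    drops = lure_findings(dropped, sample_sha256)
    return {
        "autorun_writes": [f["image"] for f in autorun if f["type"] == "autorun_write"],
        "autorun_deletes": [f["name"] for f in autorun if f["type"] == "autorun_delete"],
        "self_copies": sum(1 for d in drops if d["self_copy"]),
        "lure_drops": [ntpath.basename(d["path"]) for d in drops],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(REGISTRY_EVENTS, DROPPED_FILES, SAMPLE_SHA256), indent=2))
```

The self-copy check is the discriminator worth keeping: a dropper writes something with a different hash, a worm writes itself. The share-directory and double-extension checks are cheap heuristics that will also fire on legitimate screensaver installers, so treat them as enrichment for the hash match rather than as stand-alone alerts.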
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 14
DNS requests: 22
Threats: 0

HTTP requests

No HTTP requests

Connections

Format: PID process: IP:port, domain, ASN, country, reputation

(PID not captured) 224.0.0.252:5355, whitelisted
4 System: 192.168.100.255:137, whitelisted
1108 svchost.exe: 224.0.0.252:5355, whitelisted
4 System: 192.168.100.255:138, whitelisted
2092 Email-Worm.Win32.NetSky.af: 17.57.170.2:25, mx-in.g.apple.com, APPLE-ENGINEERING, US, whitelisted
2092 Email-Worm.Win32.NetSky.af: 52.101.8.49:25, microsoft-com.mail.protection.outlook.com, MICROSOFT-CORP-MSN-AS-BLOCK, US, whitelisted
2092 Email-Worm.Win32.NetSky.af: 103.168.172.223:25, in1-smtp.messagingengine.com, Cloudflare London, LLC, AU, unknown
2092 Email-Worm.Win32.NetSky.af: 51.81.61.70:25, mx01.earthlink-vadesecure.net, OVH SAS, US, unknown
2092 Email-Worm.Win32.NetSky.af: 194.104.108.22:25, de-smtp-inbound-2.mimecast.com, Mimecast Services Limited, DE, suspicious
2092 Email-Worm.Win32.NetSky.af: 138.197.213.185:25, mx1.forwardemail.net, DIGITALOCEAN-ASN, US, malicious

The first four rows are ordinary Windows background traffic (LLMNR on 5355/udp, NetBIOS name and datagram service on 137/udp and 138/udp). Every connection the sample itself makes goes to 25/tcp on an inbound MX host of a domain it resolved (apple.com, microsoft.com, pobox.com, netcom.com and the MX names listed under DNS requests): this is direct-to-MX delivery by the worm's own SMTP engine, not command-and-control. The reputation column scores the destination address; a "suspicious" or "malicious" mark on a public MX host says nothing about this sample, and "whitelisted" does not make the connection benign. A workstation talking 25/tcp to several unrelated MX hosts in quick succession is itself the detection.

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.78
whitelisted
apple.com
whitelisted
mx-in.g.apple.com
  • 17.57.170.2
whitelisted
microsoft.com
whitelisted
microsoft-com.mail.protection.outlook.com
  • 52.101.8.49
  • 52.101.11.0
  • 52.101.42.0
  • 52.101.40.26
whitelisted
pobox.com
unknown
in1-smtp.messagingengine.com
  • 103.168.172.223
  • 103.168.172.217
  • 103.168.172.221
  • 103.168.172.220
  • 103.168.172.219
  • 103.168.172.216
  • 103.168.172.218
  • 103.168.172.222
unknown
netcom.com
unknown
mx01.earthlink-vadesecure.net
  • 51.81.61.70
unknown
dns.msftncsi.com
  • 131.107.255.255
whitelisted
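The following is an added example, not code from the ANY.RUN report, for the network pattern in the Connections and DNS requests tables above: one process opening 25/tcp to many unrelated MX hosts. The log line format, the timestamps, the outlook.exe process (PID 3100), the 587/tcp line and the 203.0.113.10 address are constructed for the example; the six 25/tcp destinations and the System/svchost.exe broadcast rows are the ones the report lists.

```python
"""Added example (not part of the ANY.RUN report): flag SMTP fan-out, i.e. a single
process reaching several distinct 25/tcp destinations in a short window, over
constructed log lines. Line format, timestamps, PID 3100 and 203.0.113.10 are invented;
the 25/tcp destinations are those recorded in the report's Connections table."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

CONNECTION_LOG = """\
2025-02-15T18:36:01 pid=4 image=System dst=192.168.100.255 dpt=137 proto=udp
2025-02-15T18:36:01 pid=1108 image=svchost.exe dst=224.0.0.252 dpt=5355 proto=udp
2025-02-15T18:36:05 pid=2092 image=Email-Worm.Win32.NetSky.af dst=17.57.170.2 dpt=25 proto=tcp
2025-02-15T18:36:06 pid=2092 image=Email-Worm.Win32.NetSky.af dst=52.101.8.49 dpt=25 proto=tcp
2025-02-15T18:36:07 pid=2092 image=Email-Worm.Win32.NetSky.af dst=103.168.172.223 dpt=25 proto=tcp
2025-02-15T18:36:08 pid=2092 image=Email-Worm.Win32.NetSky.af dst=51.81.61.70 dpt=25 proto=tcp
2025-02-15T18:36:09 pid=2092 image=Email-Worm.Win32.NetSky.af dst=194.104.108.22 dpt=25 proto=tcp
2025-02-15T18:36:10 pid=2092 image=Email-Worm.Win32.NetSky.af dst=138.197.213.185 dpt=25 proto=tcp
2025-02-15T18:36:12 pid=3100 image=outlook.exe dst=203.0.113.10 dpt=587 proto=tcp
2025-02-15T18:36:13 pid=3100 image=outlook.exe dst=203.0.113.10 dpt=25 proto=tcp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>\S+) "
    r"dst=(?P<dst>\S+) dpt=(?P<dpt>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "pid": int(m["pid"]), "image": m["image"],
            "dst": m["dst"], "dpt": int(m["dpt"]), "proto": m["proto"]}


def smtp_fanout(lines, threshold=3, window=timedelta(minutes=5), allowed_relays=frozenset()):
    """Report every process that reaches `threshold` or more distinct 25/tcp
    destinations within `window`. A legitimate client submits to one configured
    relay (normally on 587/tcp); a worm with its own SMTP engine resolves each
    recipient domain's MX and connects to all of them directly."""
    smtp_by_pid = defaultdict(list)
    image_of = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "tcp" or rec["dpt"] != 25:
            continue  # broadcasts, LLMNR, submission-port traffic: not of interest here
        if rec["dst"] in allowed_relays:
            continue  # traffic to the organisation's own relay is expected
        smtp_by_pid[rec["pid"]].append((rec["ts"], rec["dst"]))
        image_of[rec["pid"]] = rec["image"]

    findings = []
    for pid, conns in smtp_by_pid.items():
        conns.sort()
        peak = 0
        for i, (start, _) in enumerate(conns):  # sliding window over sorted connections
            in_window = {dst for ts, dst in conns[i:] if ts - start <= window}
            peak = max(peak, len(in_window))
        if peak >= threshold:
            findings.append({"pid": pid, "image": image_of[pid], "distinct_destinations": peak,
                             "first": conns[0][0].isoformat(), "last": conns[-1][0].isoformat()})
    return findings


if __name__ == "__main__":
    for f in smtp_fanout(CONNECTION_LOG.splitlines()):
        print(f"PID {f['pid']} ({f['image']}): {f['distinct_destinations']} distinct MX hosts "
              f"on 25/tcp between {f['first']} and {f['last']}")
```

The allow-list is what keeps this usable on a real mail server or relay: exclude the hosts that are supposed to speak 25/tcp outbound, and anything left that fans out across several MX hosts is either a misconfigured client or a mass-mailer. The same threshold logic applies to DNS if MX query counts are available, since each direct-to-MX delivery is preceded by an MX lookup for the recipient domain.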

Threats

No threats detected
No debug info