Malware analysis 03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc Malicious activity

Add for printing

File name:	03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc
Full analysis:	https://app.any.run/tasks/8c2d97c1-6155-4eab-917a-edc98a3cd386
Verdict:	Malicious activity
Analysis date:	January 10, 2025, 19:42:21
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	expiro sinkhole m0yv autoit
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	DE74305F29857F83BC99D71524A8842B
SHA1:	DD587BD360B681B2EC73BB7BCFC871F8FE981AE0
SHA256:	03428FE5C6161E6F512514D5F1827BAA24617611FD068D98E0A8BE94FC8030BC
SSDEEP:	49152:bHlGAbWQkC2R/QORBt7QjFtmcaTH/vU4do9Pcjq1GvXB1sgPR8N32+Rr181vWDZX:gAyQX21RBt7QjTmcaTH/vU4do9Pcjq1v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- M0YV mutex has been found
  - 03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe (PID: 556)
- EXPIRO has been detected (SURICATA)
  - 03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe (PID: 556)
- Expiro has been found (SURICATA)
  - 03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe (PID: 556)
- Connects to the CnC server
  - 03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe (PID: 556)
- Request for a sinkholed resource
  - 03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe (PID: 556)
- M0YV has been detected (YARA)
  - 03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe (PID: 556)
SUSPICIOUS
- Executes application which crashes
  - 03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe (PID: 556)
- Contacting a server suspected of hosting an CnC
  - 03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe (PID: 556)
- Process drops legitimate windows executable
  - 03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe (PID: 556)
- Executable content was dropped or overwritten
  - 03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe (PID: 556)
INFO
- Creates files or folders in the user directory
  - WerFault.exe (PID: 6384)
  - 03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe (PID: 556)
- Reads mouse settings
  - 03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe (PID: 556)
- The process uses AutoIt
  - 03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe (PID: 556)
- Reads the computer name
  - 03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe (PID: 556)
- Checks supported languages
  - 03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe (PID: 556)
- The sample compiled with english language support
  - 03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe (PID: 556)
- Reads the software policy settings
  - WerFault.exe (PID: 6384)
- Checks proxy server information
  - WerFault.exe (PID: 6384)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

CharacterSet:	Unicode
LanguageCode:	English (British)
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x0000
ProductVersionNumber:	0.0.0.0
FileVersionNumber:	0.0.0.0
Subsystem:	Windows GUI
SubsystemVersion:	5.1
ImageVersion:	-
OSVersion:	5.1
EntryPoint:	0x27dcd
UninitializedDataSize:	-
InitializedDataSize:	637952
CodeSize:	581120
LinkerVersion:	12
PEType:	PE32
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
TimeStamp:	2024:12:04 23:28:50+00:00
MachineType:	Intel 386 or later, and compatibles

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

130

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2192

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

556

"C:\Users\admin\AppData\Local\Temp\03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe"

C:\Users\admin\AppData\Local\Temp\03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221225477

Modules

Images
c:\users\admin\appdata\local\temp\03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll

6296

"C:\Users\admin\AppData\Local\Temp\03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe"

C:\Windows\SysWOW64\svchost.exe

—

03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

6384

C:\WINDOWS\SysWOW64\WerFault.exe -u -p 556 -s 1368

C:\Windows\SysWOW64\WerFault.exe

03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Problem Reporting

Exit code:

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll

Add for printing

Total events

3 452

Read events

3 452

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6384	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_03428fe5c6161e6f_9756a8acd431e8ede34a38fc2d638dc9b6fa2_ff863105_544458c8-d40a-4f7e-ad3e-9a21d5167762\Report.wer		—
		MD5:—	SHA256:—
556	03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe	C:\Users\admin\AppData\Local\Temp\aut55E3.tmp		binary
		MD5:1C512AD2627ECC378C15052A42BE284F	SHA256:2844B278776AF0B0477C05612988360B8C548A3FFF7C562C9B68D9AF644962E1
556	03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe		executable
		MD5:7FF2E5604ED882385C49800F39587405	SHA256:AC91EC7D7C5BB04A6FBDB3AC7CC4A8B5D54A75432159FAF67D351E7D1D142696
6384	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER6565.tmp.WERInternalMetadata.xml		xml
		MD5:9BD38D191C0BE4A0103699CF2D7FC378	SHA256:94BA353D938087F3C120A3435DD28500B027EA5B44827413831E9E0CA172B9D3
6384	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER65B4.tmp.xml		xml
		MD5:F77184926E45053BA688A5C385EEED15	SHA256:4E89EABBD4491B61B37E13EB611C8BEAE2F1CF6355A01695236E1DC9ED008FC9
6384	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WER614D.tmp.dmp		dmp
		MD5:6AABEFB1A2BEF9FCCD62B2E8C2B7FC83	SHA256:BE3E1B75C7ADFACEF2F158B1DE59E0B045A4E5917F359B4C45B53C620EBB9D62
556	03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe		executable
		MD5:1A8EA0D420BB6D065C6E26A19DD2106E	SHA256:DD6CAF487A175B7E0956A0FDE1AE683CA0E5111E742A28C5CEC1EB32A5C90DDA
556	03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe	C:\Users\admin\AppData\Local\Temp\atule		binary
		MD5:1C512AD2627ECC378C15052A42BE284F	SHA256:2844B278776AF0B0477C05612988360B8C548A3FFF7C562C9B68D9AF644962E1
6384	WerFault.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785		binary
		MD5:F6F53CD09A41E968C363419B279D3112	SHA256:6D2BB01CC7A9BADE2113B219CAC1BDA86B2733196B7E1BD0C807CE1E396B1892
556	03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe	C:\Program Files\Common Files\microsoft shared\ClickToRun\officesvcmgr.exe		executable
		MD5:96A675963F45A83598A0AEDC82B32C7B	SHA256:0A55670973E355111B92E666D48B049BD082C176FE7BE2114B7258D8FB4788D5

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
556	03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe	POST	200	54.244.188.177:80	http://pywolwnvd.biz/ltylqtdlcdjmppke	unknown	—	—	malicious
556	03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe	POST	200	54.244.188.177:80	http://cvgrf.biz/caxrtksbmsns	unknown	—	—	malicious
4712	MoUsoCoreWorker.exe	GET	200	184.24.77.35:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7060	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6384	WerFault.exe	GET	200	2.16.241.12:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
556	03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe	POST	200	18.141.10.107:80	http://ssbzmoy.biz/othvhufm	unknown	—	—	malicious
4712	MoUsoCoreWorker.exe	GET	200	23.37.237.227:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6384	WerFault.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
7060	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4712	MoUsoCoreWorker.exe	184.24.77.35:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.37.237.227:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2160	svchost.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	2.16.204.148:443	www.bing.com	Akamai International B.V.	DE	whitelisted
1176	svchost.exe	40.126.31.73:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1176	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
556	03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc.exe	54.244.188.177:80	pywolwnvd.biz	AMAZON-02	US	malicious

DNS requests

Domain	IP	Reputation
crl.microsoft.com	184.24.77.35 184.24.77.37 2.16.241.12 2.16.241.19	whitelisted
www.microsoft.com	23.37.237.227 2.23.246.101	whitelisted
google.com	142.250.185.206	whitelisted
www.bing.com	2.16.204.148 2.16.204.137 2.16.204.138 2.16.204.139 2.16.204.161 2.16.204.152 2.16.204.135 2.16.204.141 2.16.204.132	whitelisted
login.live.com	40.126.31.73 20.190.159.71 20.190.159.64 20.190.159.0 40.126.31.69 20.190.159.75 40.126.31.71 20.190.159.23	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
pywolwnvd.biz	54.244.188.177	malicious
ssbzmoy.biz	18.141.10.107	malicious
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208	whitelisted
cvgrf.biz	54.244.188.177	malicious

Threats

PID	Process	Class	Message
—	—	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
—	—	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
—	—	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
—	—	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

03428fe5c6161e6f512514d5f1827baa24617611fd068d98e0a8be94fc8030bc

DE74305F29857F83BC99D71524A8842B

DD587BD360B681B2EC73BB7BCFC871F8FE981AE0

03428FE5C6161E6F512514D5F1827BAA24617611FD068D98E0A8BE94FC8030BC

49152:bHlGAbWQkC2R/QORBt7QjFtmcaTH/vU4do9Pcjq1GvXB1sgPR8N32+Rr181vWDZX:gAyQX21RBt7QjTmcaTH/vU4do9Pcjq1v

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

M0YV mutex has been found

EXPIRO has been detected (SURICATA)

Expiro has been found (SURICATA)

Connects to the CnC server

Request for a sinkholed resource

M0YV has been detected (YARA)

SUSPICIOUS

Executes application which crashes

Contacting a server suspected of hosting an CnC

Process drops legitimate windows executable

Executable content was dropped or overwritten

INFO

Creates files or folders in the user directory

Reads mouse settings

The process uses AutoIt

Reads the computer name

Checks supported languages

The sample compiled with english language support

Reads the software policy settings

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings