URL: http://www.corp.att.com/agnc/wp-content/themes/agnc/windows/agnc.exe
Full analysis: https://app.any.run/tasks/a25784e3-30d9-4267-be28-29d8db7102ed
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: March 14, 2019, 23:24:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan
Indicators:
MD5: 324E7779F5B51D4D8854164131813390
SHA1: 7B966BD8A8867C2B88D4AD5EF381931E3565979D
SHA256: 06783E33267841C0B4489D7518FB1224109F867F792EE8DDBD508A3C3FC8AB4B
SSDEEP: 3:N1KJS48kKoQlAQrFwdSKiIGLN:Cc4coQlAkFwQnIGLN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • agnc.exe (PID: 296)
      • agnc.exe (PID: 2372)
      • agnc.exe (PID: 3472)
      • NetVC.exe (PID: 2248)
      • NetAutoconnectFocusSvc.exe (PID: 3504)
      • SwiCardDetect.exe (PID: 2128)
      • NetClientSvc.exe (PID: 3080)
      • NetLogSvc.exe (PID: 3812)
      • NetClient.exe (PID: 2476)
      • netcfgsvr.exe (PID: 2852)
      • NetVC.exe (PID: 3580)
      • CellularPlugInController.exe (PID: 2864)
      • COMSierraCdmaSDKServer.exe (PID: 3612)
      • COMSierraGobiSDKServer.exe (PID: 3128)
      • COMGobiSDKServer.exe (PID: 2696)
      • COMSIE~1.EXE (PID: 2536)
      • COMSierraGSMSDKServer.exe (PID: 3440)
      • COMWMBServer.exe (PID: 1244)
      • COMOptionSDKServer.exe (PID: 1556)
      • COMATCommandSDKServer.exe (PID: 2572)
    • Writes to a start menu file

      • msiexec.exe (PID: 3788)
    • Registers / Runs the DLL via REGSVR32.EXE

      • msiexec.exe (PID: 3788)
    • Loads dropped or rewritten executable

      • NetClientSvc.exe (PID: 3080)
      • SwiCardDetect.exe (PID: 2128)
      • NetAutoconnectFocusSvc.exe (PID: 3504)
      • NetLogSvc.exe (PID: 3812)
      • netcfgsvr.exe (PID: 2852)
      • MSIEXEC.EXE (PID: 312)
      • NetClient.exe (PID: 2476)
      • CellularPlugInController.exe (PID: 2864)
      • COMGobiSDKServer.exe (PID: 2696)
      • COMSierraGSMSDKServer.exe (PID: 3440)
      • COMSIE~1.EXE (PID: 2536)
      • COMSierraGobiSDKServer.exe (PID: 3128)
      • COMSierraCdmaSDKServer.exe (PID: 3612)
      • COMWMBServer.exe (PID: 1244)
      • COMOptionSDKServer.exe (PID: 1556)
      • COMATCommandSDKServer.exe (PID: 2572)
    • Changes the autorun value in the registry

      • NetClient.exe (PID: 2476)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 3228)
      • MsiExec.exe (PID: 3716)
      • MSIEXEC.EXE (PID: 312)
      • MsiExec.exe (PID: 3560)
      • DrvInst.exe (PID: 2036)
      • DrvInst.exe (PID: 3120)
      • DrvInst.exe (PID: 3772)
      • msiexec.exe (PID: 3788)
    • Starts Microsoft Installer

      • agnc.exe (PID: 3472)
    • Creates COM task schedule object

      • msiexec.exe (PID: 3788)
      • MsiExec.exe (PID: 3560)
    • Creates files in the Windows directory

      • msiexec.exe (PID: 3788)
      • DrvInst.exe (PID: 2036)
      • DrvInst.exe (PID: 3120)
      • DrvInst.exe (PID: 3772)
      • SwiCardDetect.exe (PID: 2128)
      • MsiExec.exe (PID: 3560)
      • CellularPlugInController.exe (PID: 2864)
    • Removes files from Windows directory

      • DrvInst.exe (PID: 3120)
      • DrvInst.exe (PID: 2036)
      • DrvInst.exe (PID: 3772)
      • MsiExec.exe (PID: 3560)
    • Creates files in the driver directory

      • DrvInst.exe (PID: 2036)
      • DrvInst.exe (PID: 3772)
      • DrvInst.exe (PID: 3120)
      • MsiExec.exe (PID: 3560)
    • Creates or modifies windows services

      • DrvInst.exe (PID: 3772)
    • Reads Environment values

      • NetClientSvc.exe (PID: 3080)
      • NetClient.exe (PID: 2476)
      • CellularPlugInController.exe (PID: 2864)
    • Creates files in the program directory

      • NetLogSvc.exe (PID: 3812)
    • Reads Internet Cache Settings

      • NetClient.exe (PID: 2476)
    • Reads internet explorer settings

      • NetClient.exe (PID: 2476)
    • Connects to server without host name

      • NetClient.exe (PID: 2476)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2960)
      • chrome.exe (PID: 3228)
      • msiexec.exe (PID: 3788)
    • Changes internet zones settings

      • iexplore.exe (PID: 2960)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3244)
      • chrome.exe (PID: 3228)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3244)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 292)
    • Searches for installed software

      • msiexec.exe (PID: 3788)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 2708)
      • MsiExec.exe (PID: 3560)
      • MsiExec.exe (PID: 3716)
    • Dropped object may contain Bitcoin addresses

      • msiexec.exe (PID: 3788)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3788)
    • Creates files in the program directory

      • msiexec.exe (PID: 3788)
No Malware configuration.
No data.
Total processes: 87
Monitored processes: 49
Malicious processes: 18
Suspicious processes: 8


Process information

PID: 2960
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3244
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2960 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3228
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Version: 68.0.3440.106

PID: 4068
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x6e8000b0,0x6e8000c0,0x6e8000cc
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Version: 68.0.3440.106

PID: 3368
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3224 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Version: 68.0.3440.106

PID: 2600
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=852,12880393318024985150,387484032312687251,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=4DE2CD9408DB6E6CBF725CCB09DAA35B --mojo-platform-channel-handle=952 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Version: 68.0.3440.106

PID: 3628
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=852,12880393318024985150,387484032312687251,131072 --enable-features=PasswordImport --service-pipe-token=49588E8557F1D01EE7635FD5C5F568C3 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=49588E8557F1D01EE7635FD5C5F568C3 --renderer-client-id=5 --mojo-platform-channel-handle=1756 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106

PID: 2240
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=852,12880393318024985150,387484032312687251,131072 --enable-features=PasswordImport --service-pipe-token=6E65F2F0D56CF7B65F073A119A824B28 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6E65F2F0D56CF7B65F073A119A824B28 --renderer-client-id=3 --mojo-platform-channel-handle=2052 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106

PID: 3172
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=852,12880393318024985150,387484032312687251,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=9E1B86A3AACFFD973E5336645B70E999 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9E1B86A3AACFFD973E5336645B70E999 --renderer-client-id=6 --mojo-platform-channel-handle=3476 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 68.0.3440.106

PID: 3088
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=852,12880393318024985150,387484032312687251,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=A0AA07DB4EDC0A77B4A356EE5F2506DF --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=A0AA07DB4EDC0A77B4A356EE5F2506DF --renderer-client-id=7 --mojo-platform-channel-handle=3724 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Version: 68.0.3440.106
Total events: 5 912
Read events: 3 314
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 202
Suspicious files: 193
Text files: 713
Unknown types: 39

Dropped files

PID 2960, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
  Type: -
  MD5: -
  SHA256: -

PID 2960, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Type: -
  MD5: -
  SHA256: -

PID 3228, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
  Type: -
  MD5: -
  SHA256: -

PID 3228, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\a42fabe8-ff26-4e1b-bd1b-53489cfe717a.tmp
  Type: -
  MD5: -
  SHA256: -

PID 3228, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old~RF21536e.TMP
  Type: text
  MD5: 1AA66EFDB743FB0A8DCC1CD79B0B6542
  SHA256: 28D56532CCED7375A2A1C7731E57C1A1C2EC1AC9827F3E5BEEE7F8069A5F87DD

PID 3228, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\LOG.old
  Type: text
  MD5: 1AA66EFDB743FB0A8DCC1CD79B0B6542
  SHA256: 28D56532CCED7375A2A1C7731E57C1A1C2EC1AC9827F3E5BEEE7F8069A5F87DD

PID 3228, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old
  Type: text
  MD5: 92BE6B127E72365885AD4C3FB6534EE2
  SHA256: 54302A2573ACC775720E7DB0AD85873276713302B4F72596A8DCC44B01C70E51

PID 3228, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Download Service\EntryDB\000016.dbtmp
  Type: -
  MD5: -
  SHA256: -

PID 3228, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\Last Version
  Type: text
  MD5: C10EBD4DB49249EFC8D112B2920D5F73
  SHA256: 90A1B994CAFE902F22A88A22C0B6CC9CB5B974BF20F8964406DD7D6C9B8867D1

PID 2960, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[3].png
  Type: image
  MD5: 9FB559A691078558E77D6848202F6541
  SHA256: 6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
HTTP(S) requests: 6
TCP/UDP connections: 31
DNS requests: 18
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3228 | chrome.exe | GET | 301 | 23.8.7.35:80 | http://www.corp.att.com/agnc/wp-content/themes/agnc/windows/agnc.exe | NL | - | - | malicious
3244 | iexplore.exe | GET | 301 | 23.8.7.35:80 | http://www.corp.att.com/agnc/wp-content/themes/agnc/windows/agnc.exe | NL | - | - | malicious
3228 | chrome.exe | GET | 301 | 23.8.7.35:80 | http://www.corp.att.com/agnc/wp-content/themes/agnc/windows/agnc.exe | NL | - | - | malicious
2476 | NetClient.exe | POST | 200 | 204.146.172.230:80 | http://204.146.172.230/iProbe1?&s=default | US | binary | 44 b | unknown
2476 | NetClient.exe | POST | 200 | 204.146.172.230:80 | http://204.146.172.230/iProbe1?&s=default | US | binary | 44 b | unknown
2960 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3244 | iexplore.exe | 23.8.7.35:80 | www.corp.att.com | Akamai International B.V. | NL | whitelisted
3228 | chrome.exe | 172.217.23.163:443 | www.gstatic.com | Google Inc. | US | whitelisted
2960 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3228 | chrome.exe | 216.58.208.35:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
3228 | chrome.exe | 216.58.207.67:443 | www.google.de | Google Inc. | US | whitelisted
3228 | chrome.exe | 172.217.21.237:443 | accounts.google.com | Google Inc. | US | whitelisted
3244 | iexplore.exe | 23.8.7.35:443 | www.corp.att.com | Akamai International B.V. | NL | whitelisted
3228 | chrome.exe | 172.217.17.106:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted
3228 | chrome.exe | 216.58.207.35:443 | ssl.gstatic.com | Google Inc. | US | whitelisted
3228 | chrome.exe | 23.8.7.35:80 | www.corp.att.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
www.corp.att.com | 23.8.7.35 | malicious
www.gstatic.com | 172.217.23.163 | whitelisted
www.google.de | 216.58.207.67 | whitelisted
clientservices.googleapis.com | 216.58.208.35 | whitelisted
safebrowsing.googleapis.com | 172.217.17.106 | whitelisted
accounts.google.com | 172.217.21.237 | shared
ssl.gstatic.com | 216.58.207.35 | whitelisted
apis.google.com | 172.217.18.174 | whitelisted
www.google.com | 172.217.18.100, 172.217.23.164 | whitelisted

Threats

PID | Process | Class | Message
3244 | iexplore.exe | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
3228 | chrome.exe | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
3228 | chrome.exe | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
3228 | chrome.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions
3228 | chrome.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request

Debug output strings

Process | Message
NetLogSvc.exe | Scheduler +I 03/14 23:28:16.024 0664: Did not find command to execute in registry
NetLogSvc.exe | AconFocusSvc+I 03/14 23:28:16.305 0F30: --------- Started NetAutoconnectFocusSvc ---------
NetLogSvc.exe | Firewall +I 03/14 23:28:16.805 04D8: Enter CFirewallSvc::FirewallSvcStartup
NetLogSvc.exe | Firewall +I 03/14 23:28:16.820 04D8: Enter CFirewallSvc::StartLogTrace
NetLogSvc.exe | Filter +I 03/14 23:28:16.820 04D8: Enter CNetFwDiag::startNetFwTrace
NetLogSvc.exe | Filter +I 03/14 23:28:16.820 04D8: Firewall network events logging thread started
NetLogSvc.exe | Filter +I 03/14 23:28:16.820 0FCC: Enter CNetFwDiag::ShowRecentNetEvents
NetLogSvc.exe | Firewall +E 03/14 23:28:16.820 04D8: IsTrustedDomainKeyPresent - RegQueryValueEx returned 2
NetLogSvc.exe | Firewall +I 03/14 23:28:16.820 04D8: Did not find TrustedDomains in registry; NOT registering interface change callback
NetLogSvc.exe | AconFocusSvc+I 03/14 23:28:16.883 0F30: RunMessageLoop called