File name: 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe

Full analysis: https://app.any.run/tasks/e872963a-08e1-4ad5-80cd-7ebc0f92d891
Verdict: Malicious activity
Analysis date: May 04, 2024, 18:26:04
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 813B31F7EE7BBDD8E42890394EA6F16F
SHA1: 31F3B24AB55399F61CA2A39055714883BA01807C
SHA256: 07A437E8B997D03BC1380C93A69D19DC236DC672F737540F98C618F7B0D5908F
SSDEEP: 196608:F0kL+/fHfiYjRLwPK3sZI7rOvkIec6+MxU:FVmq0RwPK3ou6PehjxU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe (PID: 6484)
      • Cyber.exe (PID: 6592)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe (PID: 6484)
      • paakacqik.exe (PID: 6792)
      • Cyber.exe (PID: 6592)
    • Executable content was dropped or overwritten

      • 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe (PID: 6484)
      • Cyber.exe (PID: 6592)
    • Reads the date of Windows installation

      • 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe (PID: 6484)
      • paakacqik.exe (PID: 6792)
    • Uses ICACLS.EXE to modify access control lists

      • Cyber.exe (PID: 6592)
    • Application launched itself

      • paakacqik.exe (PID: 6792)
  • INFO

    • Checks supported languages

      • 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe (PID: 6484)
      • Cyber.exe (PID: 6592)
      • paakacqik.exe (PID: 6792)
      • paakacqik.exe (PID: 7064)
    • Reads the computer name

      • 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe (PID: 6484)
      • Cyber.exe (PID: 6592)
      • paakacqik.exe (PID: 6792)
    • Process checks computer location settings

      • 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe (PID: 6484)
      • paakacqik.exe (PID: 6792)
    • Reads the software policy settings

      • slui.exe (PID: 6884)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0xfce7
UninitializedDataSize: -
InitializedDataSize: 64512
CodeSize: 135168
LinkerVersion: 14
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2016:08:14 19:15:54+00:00
MachineType: Intel 386 or later, and compatibles
No data.
Total processes: 147
Monitored processes: 21
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Process chain as recorded by the sandbox ("no specs" marks processes for which the report holds no detailed entry):

  • start
  • 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe
  • cyber.exe (no specs)
  • cyber.exe
  • icacls.exe (no specs)
  • icacls.exe (no specs)
  • conhost.exe (no specs)
  • icacls.exe (no specs)
  • conhost.exe (no specs)
  • icacls.exe (no specs)
  • conhost.exe (no specs)
  • conhost.exe (no specs)
  • paakacqik.exe (no specs)
  • conhost.exe (no specs)
  • sc.exe (no specs)
  • conhost.exe (no specs)
  • paakacqik.exe (no specs)
  • conhost.exe (no specs)
  • sppextcomobj.exe (no specs)
  • slui.exe
  • filecoauth.exe (no specs)
  • slui.exe (no specs)

Process information

Columns of the original table: PID, CMD, Path, Indicators, Parent process. The Indicators column carries no values in this extract; per-process details and loaded modules follow each row.

PID: 6484
CMD: "C:\Users\admin\AppData\Local\Temp\07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe"
Path: C:\Users\admin\AppData\Local\Temp\07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
  • c:\users\admin\appdata\local\temp\07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\advapi32.dll

PID: 6532
CMD: "C:\tcls\Cyber.exe"
Path: C:\tcls\Cyber.exe
Parent process: 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this first, medium-integrity launch failed; the same binary then ran again as PID 6592 at HIGH integrity)
Modules (images):
  • c:\tcls\cyber.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll

PID: 6592
CMD: "C:\tcls\Cyber.exe"
Path: C:\tcls\Cyber.exe
Parent process: 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe
User: admin
Integrity Level: HIGH
Exit code: not recorded
Modules (images):
  • c:\tcls\cyber.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\user32.dll

PID: 6640
CMD: icacls "C:\WINDOWS\" /grant Administrator:(OI)(CI)F
Path: C:\Windows\SysWOW64\icacls.exe
Parent process: Cyber.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Exit code: 123 (ERROR_INVALID_NAME: the backslash before the closing quote escapes the quote, so icacls receives a malformed path argument and the ACL change does not apply)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\icacls.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll

PID: 6652
CMD: icacls "C:\WINDOWS\" /grant Administrators:(OI)(CI)F
Path: C:\Windows\SysWOW64\icacls.exe
Parent process: Cyber.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Exit code: 123 (ERROR_INVALID_NAME, same malformed path as PID 6640)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): same image list as PID 6640

PID: 6660
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: icacls.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 6668
CMD: icacls "C:\Users\admin\AppData\Local\Temp\" /grant Administrator:(OI)(CI)F
Path: C:\Windows\SysWOW64\icacls.exe
Parent process: Cyber.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Exit code: 123 (ERROR_INVALID_NAME, same malformed path as PID 6640)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): same image list as PID 6640

PID: 6684
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: icacls.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): same image list as PID 6660

PID: 6692
CMD: icacls "C:\Users\admin\AppData\Local\Temp\" /grant Administrators:(OI)(CI)F
Path: C:\Windows\SysWOW64\icacls.exe
Parent process: Cyber.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Exit code: 123 (ERROR_INVALID_NAME, same malformed path as PID 6640)
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): same image list as PID 6640

PID: 6712
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: icacls.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): same image list as PID 6660
Total events: 4 152
Read events: 4 135
Write events: 17
Delete events: 0

Modification events

PID | Process | Key | Operation | Name | Value
6484 | 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
6484 | 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
6484 | 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
6484 | 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
6792 | paakacqik.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | ProxyBypass | 1
6792 | paakacqik.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | IntranetName | 1
6792 | paakacqik.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 1
6792 | paakacqik.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 0
7092 | slui.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E | write | @%SystemRoot%\System32\sppcomapi.dll,-3200 | Software Licensing
Executable files: 3
Suspicious files: 0
Text files: 0
Unknown types: 2

Dropped files

PID | Process | Filename | Type
7072 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-04.1827.7072.1.odl | binary
  MD5: BFD2667FAFDE9EF7F10DCEDC95F35588
  SHA256: F1B2A8B99E5F3466D589638FE8E7C051074ECA9EAE7032246B26EB209548E326
6484 | 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe | C:\tcls\Client.dll | executable
  MD5: 76EB13182111ADDD7F0AF02BC8C17420
  SHA256: A3841858E540AA052CE043D231CC32B23D5E3C977E4E95AEAC5611F1BC31F35C
6484 | 07a437e8b997d03bc1380c93a69d19dc236dc672f737540f98c618f7b0d5908f.exe | C:\tcls\Cyber.exe | executable
  MD5: E30F528038EFC32CBA51643BF67B7AF2
  SHA256: E6544E5013F949FBB7F478B2857811E62AC3E1C58961177A68F6A5C043FA80A5
6592 | Cyber.exe | C:\WINDOWS\paakacqik.exe | executable
  MD5: AE62909C8433ECDBE8289E3E1B5EC35E
  SHA256: 6CF2B9A34AB1F04433DF6E6B0284777EAB479C3C0D855C2462DF17CB88FFA167
7072 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-05-04.1827.7072.1.aodl | binary
  MD5: 28DCA2FF4B34B5A52A2E59DF202A6ED3
  SHA256: 33BACCB7296F1ED1F995FC77A23049F261CF391AC0388F9E8DD161F8C17B7F94
HTTP(S) requests: 5
TCP/UDP connections: 41
DNS requests: 16
Threats: 0

HTTP requests

The original table also has Type and Size columns; they carry no values in this extract, and the two trailing "unknown" values of each row are kept under CN and Reputation.

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
3592 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | unknown
528 | svchost.exe | GET | 200 | 2.19.45.226:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
6412 | SIHClient.exe | GET | 200 | 2.19.45.226:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | unknown
6412 | SIHClient.exe | GET | 200 | 2.19.45.226:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | unknown
5196 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | unknown

Connections

Empty cells are fields the report left blank for that connection (no resolved domain, ASN or country for broadcast/multicast and bare-IP connections). The second row continues the PID 4 (System) entry.

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | unknown
 | | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4540 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5140 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4364 | svchost.exe | 239.255.255.250:1900 | | | | unknown
528 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
528 | svchost.exe | 2.19.45.226:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
5196 | svchost.exe | 20.190.160.14:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown
5196 | svchost.exe | 192.229.221.95:80 | | EDGECAST | US | whitelisted
1032 | svchost.exe | 2.19.45.160:443 | go.microsoft.com | AKAMAI-AS | DE | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2 | whitelisted
www.microsoft.com | 2.19.45.226 | whitelisted
login.live.com | 20.190.160.14, 40.126.32.68, 20.190.160.22, 40.126.32.72, 20.190.160.20, 40.126.32.74, 40.126.32.134, 40.126.32.136 | whitelisted
go.microsoft.com | 2.19.45.160 | whitelisted
slscr.update.microsoft.com | 52.165.165.26 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.242.39.171 | whitelisted
client.wns.windows.com | 40.115.3.253 | whitelisted
arc.msn.com | 20.199.58.43 | whitelisted
fd.api.iris.microsoft.com | 20.74.47.205 | whitelisted
nexusrules.officeapps.live.com | 52.111.236.21 | whitelisted

Threats: no threats detected

Debug info: none