| File name: | 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21 |
| Full analysis: | https://app.any.run/tasks/cce4c02e-80aa-402b-81d3-66af0d5a9c50 |
| Verdict: | Malicious activity |
| Analysis date: | December 14, 2024, 01:18:54 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections |
| MD5: | 127B46969213D3C9AFC3BC5ED33472E6 |
| SHA1: | 136625C2C973F6C444F47C9EB253C30FEFBFBDBB |
| SHA256: | 0C17AF38BD93CD86D3FD50A2BB4957BE178F50C72AE960FBB70769B7FE585D21 |
| SSDEEP: | 6144:c0/1Thw5w4qjPRrf2VrRZHMrbLcPNx0O1LWo1L7rP0OKLWooL7rM0O2LWowL7rw2:HcPNd1CUrbKChrC2C9rDrMShebIUA31 |
MALICIOUS
JEEFO has been detected
- 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4716)
- icsys.icn.exe (PID: 2800)
- svchost.exe (PID: 6056)
- explorer.exe (PID: 3172)
Changes the autorun value in the registry
- explorer.exe (PID: 3172)
- svchost.exe (PID: 6056)
SUSPICIOUS
Starts application with an unusual extension
- 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4716)
Executable content was dropped or overwritten
- 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4716)
- icsys.icn.exe (PID: 2800)
- explorer.exe (PID: 3172)
- spoolsv.exe (PID: 2600)
Executes application which crashes
- 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4052)
Starts itself from another location
- 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4716)
- icsys.icn.exe (PID: 2800)
- explorer.exe (PID: 3172)
- svchost.exe (PID: 6056)
- spoolsv.exe (PID: 2600)
The process creates files with name similar to system file names
- icsys.icn.exe (PID: 2800)
- spoolsv.exe (PID: 2600)
Creates or modifies Windows services
- svchost.exe (PID: 6056)
INFO
The sample compiled with english language support
- 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4716)
- icsys.icn.exe (PID: 2800)
- explorer.exe (PID: 3172)
- spoolsv.exe (PID: 2600)
Create files in a temporary directory
- 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4716)
- icsys.icn.exe (PID: 2800)
- explorer.exe (PID: 3172)
- spoolsv.exe (PID: 2600)
- svchost.exe (PID: 6056)
- spoolsv.exe (PID: 4724)
Checks supported languages
- 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4716)
- 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4052)
- icsys.icn.exe (PID: 2800)
- explorer.exe (PID: 3172)
- spoolsv.exe (PID: 2600)
- svchost.exe (PID: 6056)
- spoolsv.exe (PID: 4724)
Reads the computer name
- 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4052)
- svchost.exe (PID: 6056)
- 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4716)
Reads the machine GUID from the registry
- 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe (PID: 4052)
Checks proxy server information
- WerFault.exe (PID: 4128)
Reads the software policy settings
- WerFault.exe (PID: 4128)
Creates files or folders in the user directory
- WerFault.exe (PID: 4128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| OriginalFileName: | TJprojMain.exe |
|---|---|
| InternalName: | TJprojMain |
| ProductVersion: | 1 |
| FileVersion: | 1 |
| ProductName: | Project1 |
| CharacterSet: | Unicode |
| LanguageCode: | English (U.S.) |
| FileSubtype: | - |
| ObjectFileType: | Executable application |
| FileOS: | Win32 |
| FileFlags: | (none) |
| FileFlagsMask: | 0x0000 |
| ProductVersionNumber: | 1.0.0.0 |
| FileVersionNumber: | 1.0.0.0 |
| Subsystem: | Windows GUI |
| SubsystemVersion: | 4 |
| ImageVersion: | 1 |
| OSVersion: | 4 |
| EntryPoint: | 0x290c |
| UninitializedDataSize: | - |
| InitializedDataSize: | 12288 |
| CodeSize: | 106496 |
| LinkerVersion: | 6 |
| PEType: | PE32 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| TimeStamp: | 2013:04:01 07:08:22+00:00 |
| MachineType: | Intel 386 or later, and compatibles |
Total processes
128
Monitored processes
9
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 5920 | "C:\Users\admin\Desktop\0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe" | C:\Users\admin\Desktop\0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Version: 1.00 Modules
| |||||||||||||||
| 4716 | "C:\Users\admin\Desktop\0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe" | C:\Users\admin\Desktop\0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
| 4052 | c:\users\admin\desktop\0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe | C:\Users\admin\Desktop\0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe | 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: AppXor Exit code: 3762504530 Version: 1.0.0.0 Modules
| |||||||||||||||
| 4128 | C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4052 -s 1068 | C:\Windows\SysWOW64\WerFault.exe | 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Problem Reporting Exit code: 0 Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2800 | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Windows\Resources\Themes\icsys.icn.exe | 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
| 3172 | c:\windows\resources\themes\explorer.exe | C:\Windows\Resources\Themes\explorer.exe | icsys.icn.exe | ||||||||||||
User: admin Integrity Level: HIGH Version: 1.00 Modules
| |||||||||||||||
| 2600 | c:\windows\resources\spoolsv.exe SE | C:\Windows\Resources\spoolsv.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
| 6056 | c:\windows\resources\svchost.exe | C:\Windows\Resources\svchost.exe | spoolsv.exe | ||||||||||||
User: admin Integrity Level: HIGH Version: 1.00 Modules
| |||||||||||||||
| 4724 | c:\windows\resources\spoolsv.exe PR | C:\Windows\Resources\spoolsv.exe | — | svchost.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
Total events
6 484
Read events
6 461
Write events
18
Delete events
5
Modification events
| (PID) Process: | (4716) 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process |
| Operation: | write | Name: | LO |
Value: 1 | |||
| (PID) Process: | (4128) WerFault.exe | Key: | \REGISTRY\A\{9bfd2639-3f4c-2dfe-2c44-60fe9c26ab59}\Root\InventoryApplicationFile |
| Operation: | write | Name: | WritePermissionsCheck |
Value: 1 | |||
| (PID) Process: | (4128) WerFault.exe | Key: | \REGISTRY\A\{9bfd2639-3f4c-2dfe-2c44-60fe9c26ab59}\Root\InventoryApplicationFile\PermissionsCheckTestKey |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4128) WerFault.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData |
| Operation: | write | Name: | ClockTimeSeconds |
Value: 0BDD5C6700000000 | |||
| (PID) Process: | (4128) WerFault.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\IdentityCRL\ClockData |
| Operation: | write | Name: | TickCount |
Value: 0A74130000000000 | |||
| (PID) Process: | (2800) icsys.icn.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process |
| Operation: | write | Name: | LO |
Value: 1 | |||
| (PID) Process: | (3172) explorer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce |
| Operation: | write | Name: | Explorer |
Value: c:\windows\resources\themes\explorer.exe RO | |||
| (PID) Process: | (3172) explorer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce |
| Operation: | write | Name: | Svchost |
Value: c:\windows\resources\svchost.exe RO | |||
| (PID) Process: | (3172) explorer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | Explorer |
Value: | |||
| (PID) Process: | (3172) explorer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | Svchost |
Value: | |||
Executable files
5
Suspicious files
6
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4128 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_KOBL2NSUSCX5AB2O_71e719fca4936f4b31da676338b69689b79837_b7f29f34_0e8ffb5d-c383-4f43-952f-c1e101c4b31c\Report.wer | — | |
MD5:— | SHA256:— | |||
| 4128 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe .4052.dmp | — | |
MD5:— | SHA256:— | |||
| 4128 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER6BFC.tmp.dmp | binary | |
MD5:721680C537A8B90AD8387AEC7B986FD3 | SHA256:0A4BE5C6E6EE6C2B7BD17164AFCCD0C718BB6D953B06C52A15A1A86BEE02C034 | |||
| 2800 | icsys.icn.exe | C:\Windows\Resources\Themes\explorer.exe | executable | |
MD5:61013569B24A1DC1932903F7EA78E13E | SHA256:97C6536BC6E9296B5EF894C88BAF2AF83C2D712D811A81D57EB3A753A718B037 | |||
| 2800 | icsys.icn.exe | C:\Users\admin\AppData\Local\Temp\~DF2AFF2AC1A8B5722E.TMP | binary | |
MD5:A7F1E23D056B8266B24867441BCDD80C | SHA256:DA5971550860754858334313F5DB394DDB616142AC6F133A9A14FFE139FCC65C | |||
| 4716 | 0c17af38bd93cd86d3fd50a2bb4957be178f50c72ae960fbb70769b7fe585d21.exe | C:\Windows\Resources\Themes\icsys.icn.exe | executable | |
MD5:68C011A023D6E97F6E9B82773D5BD631 | SHA256:5BD3404426DCB37E1FFE6CBE5034AAAC95AD6ED768E46135BDBA11834EDB2992 | |||
| 4128 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER71D9.tmp.WERInternalMetadata.xml | xml | |
MD5:62EC8328EC4C492A6E22E57E02AC8941 | SHA256:48F0B149C6BD1268BC003A1454C65AA0B53A94ECD9C664A5C79CE92A508ABEA5 | |||
| 3172 | explorer.exe | C:\Windows\Resources\spoolsv.exe | executable | |
MD5:2E188FA882DB887B8ECBBDC08C3EF0A4 | SHA256:CF4465EF2A9940357ABDD0C3164D79EAEB2790B1C8CF67BDB55893A316E405D4 | |||
| 2600 | spoolsv.exe | C:\Windows\Resources\svchost.exe | executable | |
MD5:BD5DC6E26B1E19F848752B541D75F2FA | SHA256:5C48325C0CC22D3E193F6084B595BBDE09EF92B8A3825F9B9D71CB748E1BBB09 | |||
| 4128 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER7209.tmp.xml | xml | |
MD5:9FC03BE39389ABE3EEFA52E92FFB040E | SHA256:C524423EA30EE7A6EEE4CE2F9EBDB8339FF16E0DF6162D8E4F3FE18A0CAC9079 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
19
DNS requests
7
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5736 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5736 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5736 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5736 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5736 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4128 | WerFault.exe | 20.189.173.21:443 | watson.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
watson.events.data.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |