File name:	WEXTRACT (Stage 1).EXE
Full analysis:	https://app.any.run/tasks/00ff18b8-ba51-4913-a571-673638703895
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	May 16, 2024, 09:13:12
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	loader python
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	C836D9F939E17837428F185F0FC8003F
SHA1:	119BE5EBA7EB367593BB5314AB52E00B0A54E638
SHA256:	0C22DDA19FBE3FDF12E8664C87CC1EF161A2B76D828DF88B025952750985FD51
SSDEEP:	3072:jGiyr95MfxewjwVGkk125W2PScVgkl7T25Tz7unJrOXjmOVV++:jdyr95MfxewjwVDw2LnT25qndIjjVVX

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

MachineType:	AMD AMD64
TimeStamp:	2062:07:25 12:18:00+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.2
CodeSize:	31744
InitializedDataSize:	124928
UninitializedDataSize:	-
EntryPoint:	0x8200
OSVersion:	10
ImageVersion:	10
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	11.0.19041.1
ProductVersionNumber:	11.0.19041.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	Win32 Cabinet Self-Extractor
FileVersion:	11.00.19041.1 (WinBuild.160101.0800)
InternalName:	Wextract
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	WEXTRACT.EXE .MUI
ProductName:	Internet Explorer
ProductVersion:	11.00.19041.1


(PID) Process:	(5920) python-installer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(5920) python-installer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(5920) python-installer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(5920) python-installer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(4744) python-3.10.0rc2-amd64.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore
Operation:	write	Name:	SrCreateRp (Enter)
Value: 40000000000000003A9E7F6371A7DA018812000090120000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1788) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Enter)
Value: 48000000000000000503826371A7DA01FC06000098150000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1788) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppGetSnapshots (Leave)
Value: 48000000000000008689DC6371A7DA01FC06000098150000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1788) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Enter)
Value: 48000000000000008689DC6371A7DA01FC06000098150000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1788) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppEnumGroups (Leave)
Value: 4800000000000000EA56E16371A7DA01FC06000098150000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:	(1788) dllhost.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP
Operation:	write	Name:	SppCreate (Enter)
Value: 480000000000000091DBEA6371A7DA01FC06000098150000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

PID	Process	Filename		Type
1788	dllhost.exe	C:\System Volume Information\SPP\snapshot-2		—
		MD5:—	SHA256:—
1788	dllhost.exe	C:\System Volume Information\SPP\metadata-2		—
		MD5:—	SHA256:—
5920	python-installer.exe	C:\Users\admin\AppData\Local\Temp\{5A02E259-23F4-4B4D-BA9D-9E226B3E0D1B}\lib_JustForMe		—
		MD5:—	SHA256:—
7084	WEXTRACT (Stage 1).EXE.exe	C:\Users\admin\AppData\Local\Temp\IXP000.TMP\payload.bat		text
		MD5:A3858C24BACA7100FEF6B83CEADA9F99	SHA256:F3CCFBADCA44D6147FDA1577858E0B79A575A9221A2CC89431AEDA142E39B2A6
5920	python-installer.exe	C:\Users\admin\AppData\Local\Temp\{5A02E259-23F4-4B4D-BA9D-9E226B3E0D1B}\.ba\SideBar.png		image
		MD5:CA62A92AD5B307FAEAC640CD5EB460ED	SHA256:F3109977125D4A3A3FFA17462CFC31799589F466A51D226D1D1F87DF2F267627
5920	python-installer.exe	C:\Users\admin\AppData\Local\Temp\{5A02E259-23F4-4B4D-BA9D-9E226B3E0D1B}\.ba\Default.thm		xml
		MD5:7A6207931F4F6A7F803128FC3AFDF8DA	SHA256:6A91F0AC6A2169FFDB3AC84C715F77EB5B1527C27DD5AC4C60174242997937A6
5920	python-installer.exe	C:\Users\admin\AppData\Local\Package Cache\{be83e501-a7bf-4692-a6f1-0deb418ad1fb}\state.rsm		binary
		MD5:E16BFE0E71D4CC6FEB7B654E22FF353D	SHA256:89713AE2DBF46A3B9233D9A986E38AA948C7D49A12A0FD01991E6D5403019EB9
5920	python-installer.exe	C:\Users\admin\AppData\Local\Temp\{5A02E259-23F4-4B4D-BA9D-9E226B3E0D1B}\core_JustForMe		executable
		MD5:C98916B26ADEB981BE257033FF149B47	SHA256:217835A7AFE449A9F835EFE19FFD36E9191C9ECA66826DF8E813B4CCCE2AEBBC
5920	python-installer.exe	C:\Users\admin\AppData\Local\Temp\{5A02E259-23F4-4B4D-BA9D-9E226B3E0D1B}\.ba\PythonBA.dll		executable
		MD5:BAA3C76CCA5BD6AB209D88FC7C840077	SHA256:505F8DFB7E99AD904609D7F0E06E5A247BA83C0BE11359C9929F10A71E56EA0F
5920	python-installer.exe	C:\Users\admin\AppData\Local\Temp\{5A02E259-23F4-4B4D-BA9D-9E226B3E0D1B}\.be\python-3.10.0rc2-amd64.exe		executable
		MD5:833D7B73767607CD76C0C81DCC1C5F75	SHA256:ABB2E915CAE562E527CD773E5B399D993634331AD29BEA029CC2048AE239FBDA

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5704	msiexec.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEAQJGBtf1btmdVNDtW%2BVUAg%3D	US	binary	471 b	unknown
5704	msiexec.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnR4FoxLLkI7vkvsUIFlZt%2BlGH3gQUWsS5eyoKo6XqcQPAYPkt9mV1DlgCEAM%2B1e2gZdG4yR38%2BSpsm9g%3D	US	binary	471 b	unknown
—	—	GET	200	95.100.146.16:443	https://www.bing.com/manifest/threshold.appcache	unknown	text	3.36 Kb	unknown
—	—	POST	204	95.100.146.19:443	https://www.bing.com/threshold/xls.aspx	unknown	—	—	unknown
—	—	GET	200	95.100.146.16:443	https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w	unknown	s	21.3 Kb	unknown
—	—	POST	200	51.116.253.168:443	https://self.events.data.microsoft.com/OneCollector/1.0/	GB	binary	9 b	unknown
—	—	GET	200	95.100.146.33:443	https://r.bing.com/rb/17/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DygxeIQBhwGKAYEBe369AcABMbABMcMB&or=w	unknown	s	21.3 Kb	unknown
—	—	GET	304	40.68.123.157:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	NL	—	—	unknown
5060	SIHClient.exe	GET	200	40.68.123.157:443	https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL	NL	compressed	23.9 Kb	unknown
5060	SIHClient.exe	GET	200	2.19.217.218:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	NL	binary	813 b	unknown

PID	Process	IP	Domain	ASN	CN	Reputation
4936	curl.exe	146.75.116.223:443	www.python.org	FASTLY	US	unknown
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5704	msiexec.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	unknown
4680	SearchApp.exe	104.126.37.171:443	—	Akamai International B.V.	DE	unknown
4680	SearchApp.exe	104.126.37.177:443	—	Akamai International B.V.	DE	unknown
2908	OfficeClickToRun.exe	52.168.112.66:443	self.events.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4680	SearchApp.exe	95.100.146.32:443	r.bing.com	Akamai International B.V.	CZ	unknown
5060	SIHClient.exe	20.12.23.50:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
5060	SIHClient.exe	2.19.217.218:80	www.microsoft.com	Akamai International B.V.	NL	unknown

Domain	IP	Reputation
www.python.org	146.75.116.223	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
self.events.data.microsoft.com	52.168.112.66	whitelisted
r.bing.com	95.100.146.32 95.100.146.19 95.100.146.25 95.100.146.33	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted
www.microsoft.com	2.19.217.218	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
fe3cr.delivery.mp.microsoft.com	20.3.187.198	whitelisted
rentry.co	104.26.2.16 172.67.75.40 104.26.3.16	unknown
settings-win.data.microsoft.com	4.231.128.59	whitelisted

PID	Process	Class	Message
2184	svchost.exe	Misc activity	ET INFO Pastebin Service Domain in DNS Lookup (rentry .co)
4216	curl.exe	Misc activity	ET INFO Observed Pastebin Service Domain (rentry .co in TLS SNI)

General Info

WEXTRACT (Stage 1).EXE

C836D9F939E17837428F185F0FC8003F

119BE5EBA7EB367593BB5314AB52E00B0A54E638

0C22DDA19FBE3FDF12E8664C87CC1EF161A2B76D828DF88B025952750985FD51

3072:jGiyr95MfxewjwVGkk125W2PScVgkl7T25Tz7unJrOXjmOVV++:jdyr95MfxewjwVDw2LnT25qndIjjVVX

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

SUSPICIOUS

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Starts CMD.EXE for commands execution

Application launched itself

Executing commands from a ".bat" file

Uses WMIC.EXE

Executable content was dropped or overwritten

The executable file from the user directory is run by the CMD process

Reads security settings of Internet Explorer

Searches for installed software

Reads the date of Windows installation

Starts itself from another location

Creates a software uninstall entry

Executes as Windows Service

The process drops C-runtime libraries

Creates/Modifies COM task schedule object

Reads the Windows owner or organization settings

Checks Windows Trust Settings

Process drops python dynamic module

Loads Python modules

The process executes via Task Scheduler

INFO

Create files in a temporary directory

Checks supported languages

Reads the computer name

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Reads the machine GUID from the registry

Executable content was dropped or overwritten

Reads the software policy settings

Creates files in the program directory

Checks operating system version

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events