Malware analysis sysarddrvs.exe Malicious activity | ANY.RUN

Add for printing

File name:	sysarddrvs.exe
Full analysis:	https://app.any.run/tasks/2f6bea61-191b-4677-9c86-61e374b207cb
Verdict:	Malicious activity
Threats:	Phorpiex is a malicious software that has been a significant threat in the cybersecurity landscape since 2016. It is a modular malware known for its ability to maintain an extensive botnet. Unlike other botnets, Phorpiex does not concentrate on DDoS attacks. Instead, it has been involved in numerous large-scale spam email campaigns and the distribution of other malicious payloads, such as LockBit. Malware Trends Tracker >>>
Analysis date:	July 18, 2024, 11:36:21
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	phorpiex
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	A7F8236EB39605D51964BF50FD015332
SHA1:	C627B0F52FA94BFEFA7A7D17056F82F00737876C
SHA256:	1B5B8D4000174658B280D11CE9143D60AC3DB44B9885F35545C3B6C9AEB5AC13
SSDEEP:	3072:yr/hMNfDU6NP/mAyp/8+62bSKI2agi1+iv5kHJoSEvD4jsBb9d4otpNtATg46K8Q:7tnToIKYZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - sysarddrvs.exe (PID: 2484)
  - 1070530602.exe (PID: 7252)
  - 3358622172.exe (PID: 1164)
- Adds path to the Windows Defender exclusion list
  - sysarddrvs.exe (PID: 2484)
  - cmd.exe (PID: 2220)
- Changes appearance of the Explorer extensions
  - sysarddrvs.exe (PID: 2484)
- Changes Security Center notification settings
  - sysarddrvs.exe (PID: 2484)
- Changes the Windows auto-update feature
  - sysarddrvs.exe (PID: 2484)
- Connects to the CnC server
  - sysarddrvs.exe (PID: 2484)
- Changes the autorun value in the registry
  - 1070530602.exe (PID: 7252)
- Scans artifacts that could help determine the target
  - sysarddrvs.exe (PID: 2484)
  - 3358622172.exe (PID: 1164)
SUSPICIOUS
- Reads the date of Windows installation
  - sysarddrvs.exe (PID: 2484)
  - 3358622172.exe (PID: 1164)
- Reads security settings of Internet Explorer
  - sysarddrvs.exe (PID: 2484)
  - winblrsnrcs.exe (PID: 6204)
  - 3358622172.exe (PID: 1164)
- Starts CMD.EXE for commands execution
  - sysarddrvs.exe (PID: 2484)
- Starts POWERSHELL.EXE for commands execution
  - cmd.exe (PID: 2220)
- Script adds exclusion path to Windows Defender
  - cmd.exe (PID: 2220)
- Connects to the server without a host name
  - sysarddrvs.exe (PID: 2484)
  - winblrsnrcs.exe (PID: 6204)
  - 3358622172.exe (PID: 1164)
- Executable content was dropped or overwritten
  - 1070530602.exe (PID: 7252)
  - 3358622172.exe (PID: 1164)
- Starts itself from another location
  - 1070530602.exe (PID: 7252)
- Connects to unusual port
  - sysarddrvs.exe (PID: 2484)
- Process requests binary or script from the Internet
  - 3358622172.exe (PID: 1164)
- Potential Corporate Privacy Violation
  - 3358622172.exe (PID: 1164)
INFO
- Reads the computer name
  - sysarddrvs.exe (PID: 2484)
  - winblrsnrcs.exe (PID: 6204)
  - 3358622172.exe (PID: 1164)
- Checks supported languages
  - sysarddrvs.exe (PID: 2484)
  - 1070530602.exe (PID: 7252)
  - 3358622172.exe (PID: 1164)
  - winblrsnrcs.exe (PID: 6204)
- Process checks computer location settings
  - sysarddrvs.exe (PID: 2484)
  - 3358622172.exe (PID: 1164)
- Checks proxy server information
  - sysarddrvs.exe (PID: 2484)
  - winblrsnrcs.exe (PID: 6204)
  - 3358622172.exe (PID: 1164)
- Creates files or folders in the user directory
  - sysarddrvs.exe (PID: 2484)
  - 3358622172.exe (PID: 1164)
- Create files in a temporary directory
  - sysarddrvs.exe (PID: 2484)
  - 3358622172.exe (PID: 1164)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 5720)
- Reads the machine GUID from the registry
  - winblrsnrcs.exe (PID: 6204)
  - sysarddrvs.exe (PID: 2484)
- Failed to create an executable file in Windows directory
  - 1070530602.exe (PID: 7252)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (64.6)
.dll	\|	Win32 Dynamic Link Library (generic) (15.4)
.exe	\|	Win32 Executable (generic) (10.5)
.exe	\|	Generic Win/DOS Executable (4.6)
.exe	\|	DOS Executable Generic (4.6)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:07:17 14:05:21+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	59904
InitializedDataSize:	24576
UninitializedDataSize:	-
EntryPoint:	0x7510
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

136

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

564

"C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop DoSvc & sc stop BITS

C:\Windows\SysWOW64\cmd.exe

—

sysarddrvs.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

1164

C:\Users\admin\AppData\Local\Temp\3358622172.exe

sysarddrvs.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\3358622172.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

2220

"C:\Windows\System32\cmd.exe" /c powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"

C:\Windows\SysWOW64\cmd.exe

—

sysarddrvs.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2268

sc stop BITS

C:\Windows\SysWOW64\sc.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

2356

C:\WINDOWS\System32\slui.exe -Embedding

C:\Windows\System32\slui.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Activation Client

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

2484

"C:\Users\admin\Desktop\sysarddrvs.exe"

C:\Users\admin\Desktop\sysarddrvs.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\desktop\sysarddrvs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll

4976

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5720

powershell -Command "Add-MpPreference -ExclusionPath $env:windir; Add-MpPreference -ExclusionPath $env:TEMP; Add-MpPreference -ExclusionPath $env:USERPROFILE"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6204

C:\Users\admin\winblrsnrcs.exe

1070530602.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\winblrsnrcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll

7072

sc stop WaaSMedicSvc

C:\Windows\SysWOW64\sc.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Service Control Manager Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\sc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

Add for printing

Total events

16 987

Read events

16 935

Write events

Delete events

Modification events


(PID) Process:	(2484) sysarddrvs.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(2484) sysarddrvs.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(2484) sysarddrvs.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(2484) sysarddrvs.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(2484) sysarddrvs.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
Operation:	write	Name:	CheckedValue
Value: 0
(PID) Process:	(2484) sysarddrvs.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Operation:	write	Name:	DisableWindowsUpdateAccess
Value: 1
(PID) Process:	(2484) sysarddrvs.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
Operation:	write	Name:	NoAutoUpdate
Value: 1
(PID) Process:	(2484) sysarddrvs.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:	write	Name:	FirewallOverride
Value: 1
(PID) Process:	(2484) sysarddrvs.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:	write	Name:	FirewallDisableNotify
Value: 1
(PID) Process:	(2484) sysarddrvs.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center
Operation:	write	Name:	AntiSpywareOverride
Value: 1

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5720	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_n1cfjxl3.1im.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5720	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_iygtnxu2.12b.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5720	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_g0bwmfcv.m10.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2484	sysarddrvs.exe	C:\Users\admin\AppData\Local\Temp\1070530602.exe		binary
		MD5:EB4AAD3C9B854252F959F63E9D7376C9	SHA256:F6BA4FDC045C6FCCCCD1A08C5141CDBDA4C2B1E3F01266D255EA9A7FE476C1FB
2484	sysarddrvs.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\1[1]		binary
		MD5:EB4AAD3C9B854252F959F63E9D7376C9	SHA256:F6BA4FDC045C6FCCCCD1A08C5141CDBDA4C2B1E3F01266D255EA9A7FE476C1FB
5720	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nnksdoqz.s0q.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2484	sysarddrvs.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\3[1]		binary
		MD5:FE1E93F12CCA3F7C0C897EF2084E1778	SHA256:2EBC4A92F4FDC27D4AB56E57058575A8B18ADB076CBD30FEEA2ECDC8B7FCD41F
2484	sysarddrvs.exe	C:\Users\admin\AppData\Local\Temp\2144631873.exe		binary
		MD5:FE1E93F12CCA3F7C0C897EF2084E1778	SHA256:2EBC4A92F4FDC27D4AB56E57058575A8B18ADB076CBD30FEEA2ECDC8B7FCD41F
1164	3358622172.exe	C:\Users\admin\AppData\Local\Temp\2040927795.exe		executable
		MD5:9614944E7C54AEB15FC007889DFF94FB	SHA256:9359BB27B80F84D8781EC29827D202C997219D4BF9F394B5A9AD7A582DE507E4
1164	3358622172.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\nxmr[1].exe		executable
		MD5:9614944E7C54AEB15FC007889DFF94FB	SHA256:9359BB27B80F84D8781EC29827D202C997219D4BF9F394B5A9AD7A582DE507E4

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

142

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2484	sysarddrvs.exe	GET	—	185.215.113.66:80	http://185.215.113.66/1	unknown	—	—	unknown
2484	sysarddrvs.exe	GET	200	185.215.113.66:80	http://185.215.113.66/2	unknown	—	—	unknown
2484	sysarddrvs.exe	GET	200	185.215.113.66:80	http://185.215.113.66/1	unknown	—	—	unknown
6204	winblrsnrcs.exe	GET	404	185.215.113.66:80	http://185.215.113.66/_1	unknown	—	—	unknown
2484	sysarddrvs.exe	GET	200	185.215.113.66:80	http://185.215.113.66/2	unknown	—	—	unknown
2484	sysarddrvs.exe	GET	—	185.215.113.66:80	http://185.215.113.66/3	unknown	—	—	unknown
6204	winblrsnrcs.exe	GET	404	185.215.113.66:80	http://185.215.113.66/_2	unknown	—	—	unknown
6204	winblrsnrcs.exe	GET	404	185.215.113.66:80	http://185.215.113.66/_3	unknown	—	—	unknown
2484	sysarddrvs.exe	GET	200	185.215.113.66:80	http://185.215.113.66/3	unknown	—	—	unknown
1164	3358622172.exe	GET	—	185.215.113.84:80	http://185.215.113.84/nxmr.exe	unknown	—	—	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
5460	backgroundTaskHost.exe	20.223.35.26:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4716	svchost.exe	20.190.159.64:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4032	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2760	svchost.exe	40.113.110.67:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
7856	svchost.exe	4.208.221.206:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
2484	sysarddrvs.exe	185.215.113.66:80	—	1337team Limited	SC	unknown
2992	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7856	svchost.exe	4.209.32.198:443	licensing.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	unknown
4716	svchost.exe	20.190.159.0:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown

DNS requests

Domain	IP	Reputation
google.com	142.250.186.174	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
licensing.mp.microsoft.com	4.209.32.198	whitelisted
www.update.microsoft.com	20.72.235.82	whitelisted
dns.msftncsi.com	131.107.255.255	whitelisted

Threats

PID	Process	Class	Message
2484	sysarddrvs.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 33
6204	winblrsnrcs.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 8
6204	winblrsnrcs.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 13
2484	sysarddrvs.exe	A Network Trojan was detected	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC
2484	sysarddrvs.exe	A Network Trojan was detected	ET MALWARE Win32/Phorpiex UDP Peer-to-Peer CnC
1164	3358622172.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
1164	3358622172.exe	Misc Attack	ET DROP Spamhaus DROP Listed Traffic Inbound group 33
1164	3358622172.exe	Misc activity	ET INFO Packed Executable Download
1164	3358622172.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
1164	3358622172.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response

8 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

sysarddrvs.exe

A7F8236EB39605D51964BF50FD015332

C627B0F52FA94BFEFA7A7D17056F82F00737876C

1B5B8D4000174658B280D11CE9143D60AC3DB44B9885F35545C3B6C9AEB5AC13

3072:yr/hMNfDU6NP/mAyp/8+62bSKI2agi1+iv5kHJoSEvD4jsBb9d4otpNtATg46K8Q:7tnToIKYZ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Adds path to the Windows Defender exclusion list

Changes appearance of the Explorer extensions

Changes Security Center notification settings

Changes the Windows auto-update feature

Connects to the CnC server

Changes the autorun value in the registry

Scans artifacts that could help determine the target

SUSPICIOUS

Reads the date of Windows installation

Reads security settings of Internet Explorer

Starts CMD.EXE for commands execution

Starts POWERSHELL.EXE for commands execution

Script adds exclusion path to Windows Defender

Connects to the server without a host name

Executable content was dropped or overwritten

Starts itself from another location

Connects to unusual port

Process requests binary or script from the Internet

Potential Corporate Privacy Violation

INFO

Reads the computer name

Checks supported languages

Process checks computer location settings

Checks proxy server information

Creates files or folders in the user directory

Create files in a temporary directory

Script raised an exception (POWERSHELL)

Reads the machine GUID from the registry

Failed to create an executable file in Windows directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests