File name:

2024-12-13_df333d85d5056d415822997eaceec252_floxif_mafia

Full analysis: https://app.any.run/tasks/4de26f61-2060-47d3-b4b9-79cf0a5132b6
Verdict: Malicious activity
Analysis date: December 13, 2024, 23:25:12
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

DF333D85D5056D415822997EACEEC252

SHA1:

93DEA5AC23B6888B9EC3BC7857DFC79A7847A46B

SHA256:

1D7438E97E2DF9BAF14C6D7C34771E9C0FE62467767A79C2018488F6E4741D68

SSDEEP:

98304:7kfRU5tBvBf0xYiJPkeH7ymMxchm7+hBJvqBrlxlR56h67sWz9G7dJBGkIWgC4wl:iZx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2024-12-13_df333d85d5056d415822997eaceec252_floxif_mafia.exe (PID: 720)

  • SUSPICIOUS

    • Executes application which crashes

      • 2024-12-13_df333d85d5056d415822997eaceec252_floxif_mafia.exe (PID: 720)

    • Process drops legitimate windows executable

      • 2024-12-13_df333d85d5056d415822997eaceec252_floxif_mafia.exe (PID: 720)

    • Executable content was dropped or overwritten

      • 2024-12-13_df333d85d5056d415822997eaceec252_floxif_mafia.exe (PID: 720)

  • INFO

    • Create files in a temporary directory

      • 2024-12-13_df333d85d5056d415822997eaceec252_floxif_mafia.exe (PID: 720)

    • Checks proxy server information

      • WerFault.exe (PID: 2728)

    • The sample compiled with english language support

      • 2024-12-13_df333d85d5056d415822997eaceec252_floxif_mafia.exe (PID: 720)

    • Checks supported languages

      • 2024-12-13_df333d85d5056d415822997eaceec252_floxif_mafia.exe (PID: 720)

    • Reads the computer name

      • 2024-12-13_df333d85d5056d415822997eaceec252_floxif_mafia.exe (PID: 720)

    • Reads the software policy settings

      • WerFault.exe (PID: 2728)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 2728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (54.3)
.exe | Win64 Executable (generic) (34.8)
.exe | Win32 Executable (generic) (5.6)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

EXIF

EXE

ProductVersion: 17.12.8.0
ProductName: NVIDIA Backend
OriginalFileName: NvBackend.exe
LegalCopyright: (C) 2015 NVIDIA Corporation. All rights reserved.
InternalName: NVIDIA Backend
FileVersion: 17.12.8.0
FileDescription: NVIDIA Backend
CompanyName: NVIDIA Corporation
CharacterSet: Unicode
LanguageCode: Unknown (0009)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0017
ProductVersionNumber: 17.12.8.0
FileVersionNumber: 17.12.8.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x16035a
UninitializedDataSize: -
InitializedDataSize: 775680
CodeSize: 1801216
LinkerVersion: 10
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2015:01:16 06:29:15+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
123
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 2024-12-13_df333d85d5056d415822997eaceec252_floxif_mafia.exe werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
720"C:\Users\admin\Desktop\2024-12-13_df333d85d5056d415822997eaceec252_floxif_mafia.exe" C:\Users\admin\Desktop\2024-12-13_df333d85d5056d415822997eaceec252_floxif_mafia.exe
explorer.exe
User:
admin
Company:
NVIDIA Corporation
Integrity Level:
MEDIUM
Description:
NVIDIA Backend
Exit code:
3221225477
Version:
17.12.8.0
Modules
Images
c:\users\admin\desktop\2024-12-13_df333d85d5056d415822997eaceec252_floxif_mafia.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ws2_32.dll
2728C:\WINDOWS\SysWOW64\WerFault.exe -u -p 720 -s 652C:\Windows\SysWOW64\WerFault.exe
2024-12-13_df333d85d5056d415822997eaceec252_floxif_mafia.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
5 934
Read events
5 934
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
2
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2728WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2024-12-13_df333_371acc86fb5ba4a5b3a0d157f1a36783fe4a143a_2c3c004f_34a6671d-b0af-404b-88b0-37e82daaf7c4\Report.wer
MD5:
SHA256:
7202024-12-13_df333d85d5056d415822997eaceec252_floxif_mafia.exeC:\Users\admin\AppData\Local\Temp\conres.dllexecutable
MD5:7574CF2C64F35161AB1292E2F532AABF
SHA256:DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
2728WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\2024-12-13_df333d85d5056d415822997eaceec252_floxif_mafia.exe.720.dmpbinary
MD5:468D2DFABF6E4B098524642319CE5D06
SHA256:F6F5B66C2E3F2C539A99C55B38A1AC286D42A9FC321F94AF16C8843873424DE4
2728WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER6E6F.tmp.xmlxml
MD5:C32C982C5A1F1B64FE4134739F3CBA71
SHA256:CDF33EC8D139FD4B07BC7625534D02BA03169A36A33EE90E401466662D74D383
2728WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER6E3F.tmp.WERInternalMetadata.xmlxml
MD5:6DB579365E376F8BC230363E9E5AF030
SHA256:B544B133784D37CB47E845456E3996F8F3E7D1F6E28FB2A97895E81279FC5350
2728WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER6AD3.tmp.dmpbinary
MD5:DF01F62CA0D91FB83A279370458893C9
SHA256:CA7893094D77095DBF395429E14B02B61623800171FDF50C65D6CB3EBEFA6473
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
23
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5780
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5964
RUXIMICS.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5780
svchost.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5964
RUXIMICS.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5780
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5964
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.23.209.133:443
www.bing.com
Akamai International B.V.
GB
whitelisted
192.168.100.255:138
whitelisted
2728
WerFault.exe
52.168.117.173:443
watson.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5780
svchost.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
5964
RUXIMICS.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
www.bing.com
  • 2.23.209.133
  • 2.23.209.182
  • 2.23.209.130
  • 2.23.209.187
  • 2.23.209.149
whitelisted
google.com
  • 142.250.185.142
whitelisted
watson.events.data.microsoft.com
  • 52.168.117.173
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
www.microsoft.com
  • 88.221.169.152
whitelisted
self.events.data.microsoft.com
  • 13.89.179.8
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
2024-12-13_df333d85d5056d415822997eaceec252_floxif_mafia