File name: Договор_ №367КХ_от_29.04.2024_и_доп_соглашение_РТСС 022_контракт.pdf .exe

Full analysis: https://app.any.run/tasks/92c76a8a-5ffa-4252-8496-b958ed6fa2a8
Verdict: Malicious activity
Analysis date: June 04, 2024, 13:02:53
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
phantomdl
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 15333D5315202EA428DE43655B598EDA
SHA1: B6212DA07DC3A4F39A33BC0F0242C86A0F4433E6
SHA256: 201F8DD57BCE6FD70A0E1242B07A17F489C5F873278475AF2EAF82A751C24FA8
SSDEEP: 98304:IPgK0uJdoTvaOhF6bAAVWe+n6viZqDrZSC6bBe3s3kP5TLSg0O4qPV5UDGZub+Sf:IhsdV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Договор_ №367КХ_от_29.04.2024_и_доп_соглашение_РТСС 022_контракт.pdf .exe (PID: 6320)
    • PHANTOMDL has been detected (YARA)

      • Договор_ №367КХ_от_29.04.2024_и_доп_соглашение_РТСС 022_контракт.pdf .exe (PID: 6320)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • Договор_ №367КХ_от_29.04.2024_и_доп_соглашение_РТСС 022_контракт.pdf .exe (PID: 6320)
  • INFO

    • Checks supported languages

      • Договор_ №367КХ_от_29.04.2024_и_доп_соглашение_РТСС 022_контракт.pdf .exe (PID: 6320)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 3
CodeSize: 2412032
InitializedDataSize: 218624
UninitializedDataSize: -
EntryPoint: 0x6d820
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
116
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

start
  договор_ №367кх_от_29.04.2024_и_доп_соглашение_ртсс 022_контракт.pdf .exe  (#PHANTOMDL)
    cmd.exe  (no specs)
      conhost.exe  (no specs)

Process information

PID: 6320
CMD: "C:\Users\admin\Desktop\Договор_ №367КХ_от_29.04.2024_и_доп_соглашение_РТСС 022_контракт.pdf .exe"
Path: C:\Users\admin\Desktop\Договор_ №367КХ_от_29.04.2024_и_доп_соглашение_РТСС 022_контракт.pdf .exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
c:\users\admin\desktop\договор_ №367кх_от_29.04.2024_и_доп_соглашение_ртсс 022_контракт.pdf .exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll

PID: 6348
CMD: cmd /c "echo %USERDOMAIN%"
Path: C:\Windows\System32\cmd.exe
Parent process: Договор_ №367КХ_от_29.04.2024_и_доп_соглашение_РТСС 022_контракт.pdf .exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

PID: 6356
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
1 784
Read events
1 538
Write events
246
Delete events
0

Modification events

All ten events below share the same process, key and operation:
(PID) Process: (6320) Договор_ №367КХ_от_29.04.2024_и_доп_соглашение_РТСС 022_контракт.pdf .exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3c\52C64B7E
Operation: write

Name: C:\WINDOWS\system32\,@tzres.dll,-462 | Value: Afghanistan Standard Time
Name: C:\WINDOWS\system32\,@tzres.dll,-461 | Value: Afghanistan Daylight Time
Name: C:\WINDOWS\system32\,@tzres.dll,-222 | Value: Alaskan Standard Time
Name: C:\WINDOWS\system32\,@tzres.dll,-221 | Value: Alaskan Daylight Time
Name: C:\WINDOWS\system32\,@tzres.dll,-2392 | Value: Aleutian Standard Time
Name: C:\WINDOWS\system32\,@tzres.dll,-2391 | Value: Aleutian Daylight Time
Name: C:\WINDOWS\system32\,@tzres.dll,-2162 | Value: Altai Standard Time
Name: C:\WINDOWS\system32\,@tzres.dll,-2161 | Value: Altai Daylight Time
Name: C:\WINDOWS\system32\,@tzres.dll,-392 | Value: Arab Standard Time
Name: C:\WINDOWS\system32\,@tzres.dll,-391 | Value: Arab Daylight Time
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

No data
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
10
DNS requests
2
Threats
2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5632 | svchost.exe | GET | 200 | 23.40.146.45:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown
6320 | Договор_ №367КХ_от_29.04.2024_и_доп_соглашение_РТСС 022_контракт.pdf .exe | POST | - | 91.219.151.47:80 | http://91.219.151.47:80/ping | unknown | unknown
6320 | Договор_ №367КХ_от_29.04.2024_и_доп_соглашение_РТСС 022_контракт.pdf .exe | POST | - | 91.219.151.47:80 | http://91.219.151.47:80/ping | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5632 | svchost.exe | 23.40.146.45:80 | www.microsoft.com | AKAMAI-AS | MX | unknown
4 | System | 192.168.100.255:138 | - | - | - | unknown
4364 | svchost.exe | 239.255.255.250:1900 | - | - | - | unknown
5632 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5140 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6320 | Договор_ №367КХ_от_29.04.2024_и_доп_соглашение_РТСС 022_контракт.pdf .exe | 91.219.151.47:80 | - | - | RU | malicious
4 | System | 192.168.100.255:137 | - | - | - | whitelisted

DNS requests

Domain | IP | Reputation
www.microsoft.com | 23.40.146.45 | whitelisted
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted

Threats

PID | Process | Class | Message
6320 | Договор_ №367КХ_от_29.04.2024_и_доп_соглашение_РТСС 022_контракт.pdf .exe | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
6320 | Договор_ №367КХ_от_29.04.2024_и_доп_соглашение_РТСС 022_контракт.pdf .exe | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent
No debug info