File name: | 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe |
Full analysis: | https://app.any.run/tasks/9e57a5e0-caa4-4f6c-a4ab-9355f78c94b7 |
Verdict: | Malicious activity |
Analysis date: | May 19, 2024, 21:09:54 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 00992FD8D299EE5026503F4AEE06E340 |
SHA1: | 90D3547CFCF202C24644D437FEF9B81E071867E2 |
SHA256: | 2575493220598C4387F938B4254B58E356B13DA101C1F1B7BA98EAD9965E8646 |
SSDEEP: | 1536:okKRJOd/kibf2bR7m+vbODE7hZegUzNVDtXLGCgtIKlL:o/Cdcibf2bRdvSrzlLGtRlL |
.exe | | | Win32 Executable (generic) (52.9) |
---|---|---|
.exe | | | Generic Win/DOS Executable (23.5) |
.exe | | | DOS Executable Generic (23.5) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | 10 |
OSVersion: | 4 |
EntryPoint: | 0x11d0 |
UninitializedDataSize: | - |
InitializedDataSize: | 20480 |
CodeSize: | 61440 |
LinkerVersion: | 7.1 |
PEType: | PE32 |
ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
TimeStamp: | 2003:08:06 18:34:23+00:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
6476 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Minimized -Command "Start-Process C:\Users\admin\Desktop\2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe -Verb runas ; echo 'Started the file with administrator privileges, this is not part of the sample!' ; exit 0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6484 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
6892 | "C:\Users\admin\Desktop\2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe" | C:\Users\admin\Desktop\2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe | powershell.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Office Word Exit code: 0 Version: 11.0.5604 Modules
| |||||||||||||||
6996 | C:\recycled\SVCHOST.EXE :agent | C:\Recycled\SVCHOST.EXE | 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Office Word Version: 11.0.5604 Modules
| |||||||||||||||
7048 | C:\recycled\SVCHOST.EXE :agent | C:\Recycled\SVCHOST.EXE | — | SVCHOST.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Office Word Exit code: 0 Version: 11.0.5604 Modules
| |||||||||||||||
7068 | C:\recycled\SPOOLSV.EXE :agent | C:\Recycled\SPOOLSV.EXE | SVCHOST.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Office Word Version: 11.0.5604 Modules
| |||||||||||||||
7100 | C:\recycled\SVCHOST.EXE :agent | C:\Recycled\SVCHOST.EXE | — | SPOOLSV.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Office Word Exit code: 0 Version: 11.0.5604 Modules
| |||||||||||||||
7120 | C:\recycled\SPOOLSV.EXE :agent | C:\Recycled\SPOOLSV.EXE | — | SPOOLSV.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Office Word Exit code: 0 Version: 11.0.5604 Modules
| |||||||||||||||
7144 | C:\recycled\CTFMON.EXE :agent | C:\Recycled\CTFMON.EXE | SPOOLSV.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Office Word Version: 11.0.5604 Modules
| |||||||||||||||
1208 | C:\recycled\SVCHOST.EXE :agent | C:\Recycled\SVCHOST.EXE | — | CTFMON.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Office Word Exit code: 0 Version: 11.0.5604 Modules
|
(PID) Process: | (6476) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (6476) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (6476) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (6476) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (6892) 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config\command |
Operation: | delete key | Name: | (default) |
Value: | |||
(PID) Process: | (6892) 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config |
Operation: | delete key | Name: | (default) |
Value: | |||
(PID) Process: | (6892) 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command |
Operation: | delete key | Name: | (default) |
Value: | |||
(PID) Process: | (6892) 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install |
Operation: | delete key | Name: | (default) |
Value: | |||
(PID) Process: | (6892) 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe | Key: | HKEY_CLASSES_ROOT\* |
Operation: | write | Name: | QuickTip |
Value: prop:Type;Size | |||
(PID) Process: | (6892) 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe | Key: | HKEY_CLASSES_ROOT\* |
Operation: | write | Name: | TileInfo |
Value: prop:Type;Size |
PID | Process | Filename | Type | |
---|---|---|---|---|
6476 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V5XQQQ1DZGH2FPHO222U.temp | — | |
MD5:— | SHA256:— | |||
7144 | CTFMON.EXE | C:\Users\admin\AppData\Local\Temp\~DF295B2BC617E3E2D0.TMP | — | |
MD5:— | SHA256:— | |||
6476 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF1139d9.TMP | binary | |
MD5:D040F64E9E7A2BB91ABCA5613424598E | SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670 | |||
6892 | 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe | C:\Recycled\CTFMON.EXE | executable | |
MD5:BB048DE2416F8C8BA00FB585FBA06073 | SHA256:A7B88801128426E15ACB2D7BC787301B647E69C14D5CEFF2B7C40ED1B6BEA71F | |||
7048 | SVCHOST.EXE | C:\Users\admin\AppData\Local\Temp\~DFE68FAE5F2D44B9AF.TMP | binary | |
MD5:E7358D3B3B250A87328EC947A411071D | SHA256:B1E087173C329CABEF353EF74EC9EE71A7C4DC499BA533500CD03113505E847C | |||
6476 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:0803563FB8DAC27D61BDF00031CD6D09 | SHA256:C9A1D1E6F6E5CF733029CD4D66772E8C51F73B4E167E4E1C4F850A6F1FBC0581 | |||
6892 | 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe | C:\Recycled\SVCHOST.EXE | executable | |
MD5:2BC3A51D81D651C8716F105CAEC8CB91 | SHA256:306B83B65E5808AF1E398E0E78FFD8D007AAB29F46E0CBEE5223A61F8F144D0A | |||
6892 | 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe | C:\Program Files\Microsoft Office\Root\VFS\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\docicon.exe | executable | |
MD5:1E0D349A570E5F0CB9403B2DB3398D10 | SHA256:3FAC9EFB91A11063403C05D8A9ED83DB3686C598952D58D8B1BFEE13ED60A3C8 | |||
6892 | 2575493220598c4387f938b4254b58e356b13da101c1f1b7ba98ead9965e8646.exe | C:\Recycled\desktop.ini | ini | |
MD5:AD0B0B4416F06AF436328A3C12DC491B | SHA256:23521DE51CA1DB2BC7B18E41DE7693542235284667BF85F6C31902547A947416 | |||
6476 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lt5o41yu.11o.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4264 | svchost.exe | GET | 200 | 23.214.95.215:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
1324 | RUXIMICS.exe | GET | 200 | 23.48.10.36:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.214.95.215:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.48.10.36:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
1324 | RUXIMICS.exe | GET | 200 | 23.214.95.215:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
4264 | svchost.exe | GET | 200 | 23.48.10.36:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
4704 | WINWORD.EXE | GET | 200 | 52.113.194.132:443 | https://ecs.office.com/config/v2/Office/word/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=word&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=winword.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bB9479A2B-457E-4C95-AF00-B26CE521D60E%7d&LabMachine=false | unknown | tss | 375 Kb | — |
4704 | WINWORD.EXE | GET | 200 | 52.111.236.4:443 | https://messaging.lifecycle.office.com/getcustommessage16?app=0&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7BB9479A2B-457E-4C95-AF00-B26CE521D60E%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofjhlwlmoc1pz531%22%7D | unknown | text | 542 b | — |
4704 | WINWORD.EXE | GET | 200 | 23.214.95.207:443 | https://binaries.templates.cdn.office.net/support/templates/en-us/tp01840907.cab | unknown | compressed | 42.6 Kb | — |
4704 | WINWORD.EXE | GET | 200 | 23.214.95.207:443 | https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851217.cab | unknown | compressed | 32.8 Kb | — |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4364 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
4264 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
1324 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5140 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4264 | svchost.exe | 23.214.95.215:80 | crl.microsoft.com | AKAMAI-AS | BR | unknown |
1324 | RUXIMICS.exe | 23.214.95.215:80 | crl.microsoft.com | AKAMAI-AS | BR | unknown |
5140 | MoUsoCoreWorker.exe | 23.214.95.215:80 | crl.microsoft.com | AKAMAI-AS | BR | unknown |
4264 | svchost.exe | 23.48.10.36:80 | www.microsoft.com | Akamai International B.V. | US | unknown |
1324 | RUXIMICS.exe | 23.48.10.36:80 | www.microsoft.com | Akamai International B.V. | US | unknown |
5140 | MoUsoCoreWorker.exe | 23.48.10.36:80 | www.microsoft.com | Akamai International B.V. | US | unknown |
Domain | IP | Reputation |
---|---|---|
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
officeclient.microsoft.com |
| whitelisted |
omex.cdn.office.net |
| whitelisted |
ecs.office.com |
| whitelisted |
messaging.lifecycle.office.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
metadata.templates.cdn.office.net |
| unknown |
binaries.templates.cdn.office.net |
| whitelisted |
Process | Message |
---|---|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|