File name:

259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2

Full analysis: https://app.any.run/tasks/eac2d0f9-b3b4-4346-bf8d-e8031056caa7
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 10, 2025, 18:26:40
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
reflection
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

81EE208A058EFEBDDABD4F78FFF047D0

SHA1:

B5855BDFBB89A50BEC871EE72D675063F9B49183

SHA256:

259018C94D2704EA14BD29E2555A2AB62C278160C81AC824A372A7966565D5A2

SSDEEP:

24576:f84s1Nb487uNkqiKjoYNPQmnFV/DivZKXwJ3ddGcIXU5A0ENL+b2T:f8tNb486NkqiKjoYNPQmnFVLiv4XwJ3q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6296)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2.exe (PID: 6260)
      • powershell.exe (PID: 6296)
    • Starts POWERSHELL.EXE for commands execution

      • 259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2.exe (PID: 6260)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 6296)
    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 6296)
    • Reads security settings of Internet Explorer

      • syrians.exe (PID: 3540)
    • Checks Windows Trust Settings

      • syrians.exe (PID: 3540)
  • INFO

    • The sample compiled with english language support

      • 259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2.exe (PID: 6260)
      • powershell.exe (PID: 6296)
    • Reads the computer name

      • 259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2.exe (PID: 6260)
    • The process uses the downloaded file

      • powershell.exe (PID: 6296)
    • Checks supported languages

      • 259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2.exe (PID: 6260)
      • syrians.exe (PID: 3540)
    • Create files in a temporary directory

      • 259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2.exe (PID: 6260)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6296)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 6296)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 6296)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6296)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6296)
    • The executable file from the user directory is run by the Powershell process

      • syrians.exe (PID: 3540)
    • Checks proxy server information

      • syrians.exe (PID: 3540)
    • Reads the software policy settings

      • syrians.exe (PID: 3540)
    • Creates files or folders in the user directory

      • syrians.exe (PID: 3540)
    • Reads the machine GUID from the registry

      • syrians.exe (PID: 3540)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

ProductName: sykes forlse
LegalTrademarks: outblunder
LegalCopyright: cassoni chirologies uncompliable
InternalName: ryge orkesterets.exe
FileDescription: marg
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 3.5.0.0
FileVersionNumber: 3.5.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x3532
UninitializedDataSize: 2048
InitializedDataSize: 184832
CodeSize: 27136
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2023:07:02 02:09:48+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
131
Monitored processes
4
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2.exe powershell.exe conhost.exe no specs syrians.exe

Process information

PID
CMD
Path
Indicators
Parent process
6260"C:\Users\admin\AppData\Local\Temp\259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2.exe" C:\Users\admin\AppData\Local\Temp\259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
marg
Exit code:
4294967295
Modules
Images
c:\users\admin\appdata\local\temp\259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
6296powershell.exe -windowstyle hidden "$johannine=gc -raw 'C:\Users\admin\AppData\Roaming\erstatningsgraden\Successively.Ton';$Elitism=$johannine.SubString(69953,3);.$Elitism($johannine) "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6304\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3540"C:\Users\admin\AppData\Local\Temp\syrians.exe"C:\Users\admin\AppData\Local\Temp\syrians.exe
powershell.exe
User:
admin
Integrity Level:
MEDIUM
Description:
marg
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\users\admin\appdata\local\temp\syrians.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
Total events
8 453
Read events
8 450
Write events
3
Delete events
0

Modification events

(PID) Process:(3540) syrians.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3540) syrians.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3540) syrians.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
2
Suspicious files
13
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
6260259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2.exeC:\Users\admin\AppData\Roaming\erstatningsgraden\Unlatches.Velbinary
MD5:D38759CF2FE7743161740414AF4DB1F6
SHA256:A6B47EA5FAB45625DE71C506F065B74555CBBDBA9A394382C4EB473D863279A4
6260259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2.exeC:\Users\admin\AppData\Roaming\erstatningsgraden\preappearance.glubinary
MD5:CCE82C77E237537520FBD52B63A51E58
SHA256:0F7DCA6879E497104B6813228391DECF7D6270D90FC887F1B9384B5E5B438221
3540syrians.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDE8B1B7E253A9758EC380BD648952AF_8C0D12F01B5D981AACF8BFC375CA0F2Bbinary
MD5:273E853ECC801AD2A5B2B9B2B158076A
SHA256:B0EA2EE647CC760B34B5ED6B27C27C2D9DAA353859B1CC64B881EA0B5EB7E093
3540syrians.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_252B35A0C9E78A87AECDDBB68FF7B1F0binary
MD5:1AC4B8399602B21A9623D68FBC3EE204
SHA256:8C46BE4C3F15D73ED0E6B3F87B35CF0453526161B8F95D8D7CC968EB4C22A185
6296powershell.exeC:\Users\admin\AppData\Local\Temp\syrians.exeexecutable
MD5:81EE208A058EFEBDDABD4F78FFF047D0
SHA256:259018C94D2704EA14BD29E2555A2AB62C278160C81AC824A372A7966565D5A2
6260259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2.exeC:\Users\admin\AppData\Roaming\erstatningsgraden\reaktiv.oveabr
MD5:B4BD98AA231F431FA2C0B32C041971DA
SHA256:E34CA004CCB16A80E49010B584428A08AB3D89FCA778567346D26F84FF892962
6296powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rrg3wdze.hs4.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
3540syrians.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDE8B1B7E253A9758EC380BD648952AF_8C0D12F01B5D981AACF8BFC375CA0F2Bbinary
MD5:F9F427ED919044CB4EE9A89329AFC073
SHA256:C5C46BF8F1F305D18F192CFDAB9D57F409F52685EEFCDCC7F2AD3570B7EB6A13
3540syrians.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199binary
MD5:A58CDF33F70983EBB41F5D28B8E01D15
SHA256:9CAF06867EF978FA19F41E279985902BC07DFDA81E65056C6516A1506B245E88
6260259018c94d2704ea14bd29e2555a2ab62c278160c81ac824a372a7966565d5a2.exeC:\Users\admin\AppData\Roaming\erstatningsgraden\Ubekymret\storfavoritters.tidbinary
MD5:F28B6FB0CA8AF14D2913C43CBEA08754
SHA256:F1C35573809F92DC65D2EB2EBC3CD9D0C78E75E73ED741E52BAECAE2FC02DD70
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
37
DNS requests
22
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.193:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5888
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
3540
syrians.exe
GET
200
142.250.186.163:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
3540
syrians.exe
GET
200
142.250.74.195:80
http://c.pki.goog/r/r1.crl
unknown
whitelisted
6392
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
3540
syrians.exe
GET
200
142.250.184.195:80
http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQCtrC6LRgin8QlSmIIYAEvj
unknown
whitelisted
5888
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
244
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.48.23.193:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
104.126.37.130:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
1076
svchost.exe
23.35.238.131:443
go.microsoft.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 23.48.23.193
  • 23.48.23.159
  • 23.48.23.137
  • 23.48.23.146
  • 23.48.23.147
  • 23.48.23.143
  • 23.48.23.150
  • 23.48.23.138
  • 23.48.23.190
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 2.23.246.101
whitelisted
www.bing.com
  • 104.126.37.130
  • 104.126.37.163
  • 104.126.37.129
  • 104.126.37.123
  • 104.126.37.154
  • 104.126.37.155
  • 104.126.37.128
  • 104.126.37.171
  • 104.126.37.131
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
login.live.com
  • 20.190.160.20
  • 40.126.32.133
  • 40.126.32.74
  • 20.190.160.22
  • 20.190.160.14
  • 40.126.32.134
  • 40.126.32.136
  • 40.126.32.138
whitelisted
arc.msn.com
  • 20.74.47.205
whitelisted
fd.api.iris.microsoft.com
  • 20.74.47.205
whitelisted

Threats

No threats detected
No debug info