File name: WormGPT.exe

Full analysis: https://app.any.run/tasks/0b90c3cb-320b-4ac7-bd03-08cf1c8d59c0
Verdict: Malicious activity
Analysis date: August 30, 2024, 21:26:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: pyinstaller, python
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5: 1C2128B3AD0A5DC32F938362E16F6B07
SHA1: EECB906F664FF6A5FC4CDED35C274CBCC342FEC8
SHA256: 2B093E0B16481FF4D090E4502C6EF4D547FB7003A6A07E43FC042A1550F9BB9C
SSDEEP: 98304:NXEAaLomb3zO96eKNhRgbJnIB+p74S5JeOHmHI6jdoRpl89a/ylTdN7dyITYnq/F:SX4nvobrLI4Fae

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • WormGPT.exe (PID: 6020)
    • Process drops python dynamic module

      • WormGPT.exe (PID: 4804)
    • Loads Python modules

      • WormGPT.exe (PID: 6020)
    • The process drops C-runtime libraries

      • WormGPT.exe (PID: 4804)
    • Process drops legitimate windows executable

      • WormGPT.exe (PID: 4804)
    • Drops the executable file immediately after the start

      • WormGPT.exe (PID: 4804)
    • Application launched itself

      • WormGPT.exe (PID: 4804)
    • Executable content was dropped or overwritten

      • WormGPT.exe (PID: 4804)
  • INFO

    • Reads the computer name

      • WormGPT.exe (PID: 4804)
    • Checks supported languages

      • WormGPT.exe (PID: 4804)
      • WormGPT.exe (PID: 6020)
    • Create files in a temporary directory

      • WormGPT.exe (PID: 4804)
    • Reads the machine GUID from the registry

      • WormGPT.exe (PID: 6020)
    • PyInstaller has been detected (YARA)

      • WormGPT.exe (PID: 4804)
      • WormGPT.exe (PID: 6020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2023:09:07 19:45:47+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.34
CodeSize: 166400
InitializedDataSize: 102400
UninitializedDataSize: -
EntryPoint: 0xa6a0
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
No data.
Total processes: 125
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Nodes shown in the graph: start; wormgpt.exe (THREAT); conhost.exe (no specs); wormgpt.exe (THREAT, no specs); cmd.exe (no specs); cmd.exe (no specs)

Process information

PID: 2612
CMD: C:\WINDOWS\system32\cmd.exe /c cls
Path: C:\Windows\System32\cmd.exe
Parent process: WormGPT.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 4440
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WormGPT.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4804
CMD: "C:\Users\admin\Desktop\WormGPT.exe"
Path: C:\Users\admin\Desktop\WormGPT.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\wormgpt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6020
CMD: "C:\Users\admin\Desktop\WormGPT.exe"
Path: C:\Users\admin\Desktop\WormGPT.exe
Parent process: WormGPT.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\wormgpt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 6912
CMD: C:\WINDOWS\system32\cmd.exe /c
Path: C:\Windows\System32\cmd.exe
Parent process: WormGPT.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events: 423
Read events: 423
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 17
Suspicious files: 3
Text files: 920
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\_socket.pyd | executable | 0F5E64E33F4D328EF11357635707D154 | 8AF6D70D44BB9398733F88BCFB6D2085DD1A193CD00E52120B96A651F6E35EBE
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\VCRUNTIME140.dll | executable | 870FEA4E961E2FBD00110D3783E529BE | 76FDB83FDE238226B5BEBAF3392EE562E2CB7CA8D3EF75983BF5F9D6C7119644
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\_ctypes.pyd | executable | CA4CEF051737B0E4E56B7D597238DF94 | E60A2B100C4FA50B0B144CF825FE3CDE21A8B7B60B92BFC326CB39573CE96B2B
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\_bz2.pyd | executable | BBE89CF70B64F38C67B7BF23C0EA8A48 | 775FBC6E9A4C7E9710205157350F3D6141B5A9E8F44CB07B3EAC38F2789C8723
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\libcrypto-1_1.dll | executable | 6F4B8EB45A965372156086201207C81F | 976CE72EFD0A8AEEB6E21AD441AA9138434314EA07F777432205947CDB149541
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\_lzma.pyd | executable | 0A94C9F3D7728CF96326DB3AB3646D40 | 0A70E8546FA6038029F2A3764E721CEEBEA415818E5F0DF6B90D6A40788C3B31
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\unicodedata.pyd | executable | 4C8AF8A30813E9380F5F54309325D6B8 | 4B6E3BA734C15EC789B5D7469A5097BD082BDFD8E55E636DED0D097CF6511E05
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\_hashlib.pyd | executable | D856A545A960BF2DCA1E2D9BE32E5369 | CD33F823E608D3BDA759AD441F583A20FC0198119B5A62A8964F172559ACB7D3
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\_ssl.pyd | executable | 9DDB64354EF0B91C6999A4B244A0A011 | E33B7A4AA5CDD5462EE66830636FDD38048575A43D06EB7E2F688358525DDEAB
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\tcl86t.dll | executable | 75909678C6A79CA2CA780A1CEB00232E | FBFD065F861EC0A90DD513BC209C56BBC23C54D2839964A0EC2DF95848AF7860
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 14
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(not shown) | (not shown) | 192.168.100.255:138 | (none) | (none) | (none) | whitelisted
6232 | svchost.exe | 20.72.205.209:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2120 | MoUsoCoreWorker.exe | 20.72.205.209:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6412 | RUXIMICS.exe | 20.72.205.209:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2120 | MoUsoCoreWorker.exe | 52.137.106.217:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2120 | MoUsoCoreWorker.exe | 52.167.17.97:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | (none) | (none) | (none) | whitelisted
6232 | svchost.exe | 52.167.17.97:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4324 | svchost.exe | 52.167.17.97:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.72.205.209, 52.137.106.217, 52.167.17.97 | whitelisted
google.com | 172.217.18.14 | whitelisted

Threats

No threats detected
No debug info