File name: WormGPT.exe
Full analysis: https://app.any.run/tasks/0b90c3cb-320b-4ac7-bd03-08cf1c8d59c0
Verdict: Malicious activity
Analysis date: August 30, 2024, 21:26:20
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: pyinstaller, python
MIME: application/x-dosexec
File info: PE32+ executable (console) x86-64, for MS Windows
MD5: 1C2128B3AD0A5DC32F938362E16F6B07
SHA1: EECB906F664FF6A5FC4CDED35C274CBCC342FEC8
SHA256: 2B093E0B16481FF4D090E4502C6EF4D547FB7003A6A07E43FC042A1550F9BB9C
SSDEEP: 98304:NXEAaLomb3zO96eKNhRgbJnIB+p74S5JeOHmHI6jdoRpl89a/ylTdN7dyITYnq/F:SX4nvobrLI4Fae

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • No malicious indicators.
  • SUSPICIOUS
    • The process drops C-runtime libraries
      • WormGPT.exe (PID: 4804)
    • Process drops python dynamic module
      • WormGPT.exe (PID: 4804)
    • Process drops legitimate windows executable
      • WormGPT.exe (PID: 4804)
    • Drops the executable file immediately after the start
      • WormGPT.exe (PID: 4804)
    • Executable content was dropped or overwritten
      • WormGPT.exe (PID: 4804)
    • Application launched itself
      • WormGPT.exe (PID: 4804)
    • Starts CMD.EXE for commands execution
      • WormGPT.exe (PID: 6020)
    • Loads Python modules
      • WormGPT.exe (PID: 6020)
  • INFO
    • Create files in a temporary directory
      • WormGPT.exe (PID: 4804)
    • Checks supported languages
      • WormGPT.exe (PID: 4804)
      • WormGPT.exe (PID: 6020)
    • Reads the computer name
      • WormGPT.exe (PID: 4804)
    • PyInstaller has been detected (YARA)
      • WormGPT.exe (PID: 4804)
      • WormGPT.exe (PID: 6020)
    • Reads the machine GUID from the registry
      • WormGPT.exe (PID: 6020)
No Malware configuration.

TRiD

.exe | InstallShield setup (57.6)
.exe | Win64 Executable (generic) (36.9)
.exe | Generic Win/DOS Executable (2.6)
.exe | DOS Executable Generic (2.6)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2023:09:07 19:45:47+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.34
CodeSize: 166400
InitializedDataSize: 102400
UninitializedDataSize: -
EntryPoint: 0xa6a0
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows command line
Total processes: 125
Monitored processes: 5
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Nodes shown in the graph: wormgpt.exe (THREAT), conhost.exe, wormgpt.exe (THREAT), cmd.exe, cmd.exe

Process information

PID: 2612
CMD: C:\WINDOWS\system32\cmd.exe /c cls
Path: C:\Windows\System32\cmd.exe
Parent process: WormGPT.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll

PID: 4440
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: WormGPT.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 4804
CMD: "C:\Users\admin\Desktop\WormGPT.exe"
Path: C:\Users\admin\Desktop\WormGPT.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\wormgpt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 6020
CMD: "C:\Users\admin\Desktop\WormGPT.exe"
Path: C:\Users\admin\Desktop\WormGPT.exe
Parent process: WormGPT.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\wormgpt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

PID: 6912
CMD: C:\WINDOWS\system32\cmd.exe /c
Path: C:\Windows\System32\cmd.exe
Parent process: WormGPT.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
Total events: 423
Read events: 423
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 17
Suspicious files: 3
Text files: 920
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\_lzma.pyd | executable | 0A94C9F3D7728CF96326DB3AB3646D40 | 0A70E8546FA6038029F2A3764E721CEEBEA415818E5F0DF6B90D6A40788C3B31
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\_socket.pyd | executable | 0F5E64E33F4D328EF11357635707D154 | 8AF6D70D44BB9398733F88BCFB6D2085DD1A193CD00E52120B96A651F6E35EBE
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\_ctypes.pyd | executable | CA4CEF051737B0E4E56B7D597238DF94 | E60A2B100C4FA50B0B144CF825FE3CDE21A8B7B60B92BFC326CB39573CE96B2B
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\_hashlib.pyd | executable | D856A545A960BF2DCA1E2D9BE32E5369 | CD33F823E608D3BDA759AD441F583A20FC0198119B5A62A8964F172559ACB7D3
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\VCRUNTIME140.dll | executable | 870FEA4E961E2FBD00110D3783E529BE | 76FDB83FDE238226B5BEBAF3392EE562E2CB7CA8D3EF75983BF5F9D6C7119644
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\select.pyd | executable | C119811A40667DCA93DFE6FAA418F47A | 8F27CD8C5071CB740A2191B3C599E99595B121F461988166F07D9F841E7116B7
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\python310.dll | executable | DEAF0C0CC3369363B800D2E8E756A402 | 156CF2B64DD0F4D9BDB346B654A11300D6E9E15A65EF69089923DAFC1C71E33D
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\libffi-7.dll | executable | EEF7981412BE8EA459064D3090F4B3AA | F60DD9F2FCBD495674DFC1555EFFB710EB081FC7D4CAE5FA58C438AB50405081
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\_tkinter.pyd | executable | 470364D8ABDC5C22828DF8E22C095ED2 | 4262CABAC7E97220D0E4BD72DEB337FFD9DF429860AB298B3E2D5C9223874705
4804 | WormGPT.exe | C:\Users\admin\AppData\Local\Temp\_MEI48042\_ssl.pyd | executable | 9DDB64354EF0B91C6999A4B244A0A011 | E33B7A4AA5CDD5462EE66830636FDD38048575A43D06EB7E2F688358525DDEAB
HTTP(S) requests: 0
TCP/UDP connections: 14
DNS requests: 4
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:138 | - | - | - | whitelisted
6232 | svchost.exe | 20.72.205.209:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2120 | MoUsoCoreWorker.exe | 20.72.205.209:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6412 | RUXIMICS.exe | 20.72.205.209:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2120 | MoUsoCoreWorker.exe | 52.137.106.217:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2120 | MoUsoCoreWorker.exe | 52.167.17.97:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3888 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
6232 | svchost.exe | 52.167.17.97:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4324 | svchost.exe | 52.167.17.97:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.72.205.209, 52.137.106.217, 52.167.17.97 | whitelisted
google.com | 172.217.18.14 | whitelisted

Threats

No threats detected

Debug info

No debug info