| File name: | 798_abroad.exe |
| Full analysis: | https://app.any.run/tasks/62650e17-c232-45da-b338-8954821d5adf |
| Verdict: | Malicious activity |
| Analysis date: | March 02, 2025, 14:21:17 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections |
| MD5: | F88E9B7446A6E57943728CCE3CC70720 |
| SHA1: | 0030E2B87ACEBAA040E3F872C13E39AF88B733B9 |
| SHA256: | 2FD5B075AB9DFFE8B421A4942ECDAC322D8F0FCECA597A644A6A9E631901E8BC |
| SSDEEP: | 49152:Mj9RLlyen9j1zZCDx+9W5J4vYQ8nrJJGVY8AVNwARu+0JF2vmze51SoTgAvO/k7V:MRTyKjQxcW74vUnrTGVYtXwAu+0P2sep |
MALICIOUS
Executing a file with an untrusted certificate
- 798_abroad.exe (PID: 7288)
- 798_abroad.exe (PID: 7212)
- ailiao.exe (PID: 7352)
SUSPICIOUS
The process creates files with name similar to system file names
- 798_abroad.exe (PID: 7288)
Malware-specific behavior (creating "System.dll" in Temp)
- 798_abroad.exe (PID: 7288)
Creates a software uninstall entry
- 798_abroad.exe (PID: 7288)
Executable content was dropped or overwritten
- 798_abroad.exe (PID: 7288)
Reads security settings of Internet Explorer
- ailiao.exe (PID: 7416)
- 798_abroad.exe (PID: 7288)
There is functionality for taking screenshot (YARA)
- ailiao.exe (PID: 7416)
There is functionality for communication over UDP network (YARA)
- ailiao.exe (PID: 7416)
INFO
Checks supported languages
- 798_abroad.exe (PID: 7288)
- ailiao.exe (PID: 7352)
- identity_helper.exe (PID: 6392)
Create files in a temporary directory
- 798_abroad.exe (PID: 7288)
Creates files in the program directory
- 798_abroad.exe (PID: 7288)
Reads the computer name
- ailiao.exe (PID: 7352)
- 798_abroad.exe (PID: 7288)
- identity_helper.exe (PID: 6392)
The sample compiled with chinese language support
- 798_abroad.exe (PID: 7288)
Process checks computer location settings
- 798_abroad.exe (PID: 7288)
Manual execution by a user
- msedge.exe (PID: 7904)
Application launched itself
- msedge.exe (PID: 7904)
Reads security settings of Internet Explorer
- BackgroundTransferHost.exe (PID: 5508)
- BackgroundTransferHost.exe (PID: 1188)
- BackgroundTransferHost.exe (PID: 7776)
- BackgroundTransferHost.exe (PID: 7196)
- BackgroundTransferHost.exe (PID: 7932)
Compiled with Borland Delphi (YARA)
- ailiao.exe (PID: 7416)
Creates files or folders in the user directory
- BackgroundTransferHost.exe (PID: 1188)
Checks proxy server information
- BackgroundTransferHost.exe (PID: 1188)
Reads the software policy settings
- BackgroundTransferHost.exe (PID: 1188)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2009:06:18 21:33:23+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 23552 |
| InitializedDataSize: | 119808 |
| UninitializedDataSize: | 1024 |
| EntryPoint: | 0x3121 |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
174
Monitored processes
39
Malicious processes
1
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 736 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6068 --field-trial-handle=2336,i,12015064101597655361,3188917107827260339,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 1188 | "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1 | C:\Windows\System32\BackgroundTransferHost.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Download/Upload Host Exit code: 1 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1660 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4676 --field-trial-handle=2336,i,12015064101597655361,3188917107827260339,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 4188 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=5212 --field-trial-handle=2336,i,12015064101597655361,3188917107827260339,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 4208 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4636 --field-trial-handle=2336,i,12015064101597655361,3188917107827260339,262144 --variations-seed-version /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 122.0.2365.59 Modules
| |||||||||||||||
| 4776 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4880 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5240 --field-trial-handle=2336,i,12015064101597655361,3188917107827260339,262144 --variations-seed-version /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 4988 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6160 --field-trial-handle=2336,i,12015064101597655361,3188917107827260339,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 5072 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | — | SppExtComObj.Exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5360 | "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6040 --field-trial-handle=2336,i,12015064101597655361,3188917107827260339,262144 --variations-seed-version /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.59\identity_helper.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: PWA Identity Proxy Host Exit code: 3221226029 Version: 122.0.2365.59 Modules
| |||||||||||||||
Total events
5 394
Read events
5 346
Write events
48
Delete events
0
Modification events
| (PID) Process: | (7288) 798_abroad.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\°®ÁÄ |
| Operation: | write | Name: | DisplayName |
Value: °®ÁÄ | |||
| (PID) Process: | (7288) 798_abroad.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\°®ÁÄ |
| Operation: | write | Name: | UninstallString |
Value: C:\Program Files (x86)\ailiao\uninst.exe | |||
| (PID) Process: | (7288) 798_abroad.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\°®ÁÄ |
| Operation: | write | Name: | DisplayIcon |
Value: C:\Program Files (x86)\ailiao\ailiao.exe | |||
| (PID) Process: | (7288) 798_abroad.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\°®ÁÄ |
| Operation: | write | Name: | DisplayVersion |
Value: | |||
| (PID) Process: | (7288) 798_abroad.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\°®ÁÄ |
| Operation: | write | Name: | URLInfoAbout |
Value: | |||
| (PID) Process: | (7288) 798_abroad.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\°®ÁÄ |
| Operation: | write | Name: | Publisher |
Value: ailiao Inc. | |||
| (PID) Process: | (7288) 798_abroad.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ailiao |
| Operation: | write | Name: | ailiaofilename |
Value: ailiao.exe | |||
| (PID) Process: | (7288) 798_abroad.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ailiao |
| Operation: | write | Name: | ailiaofiledir |
Value: C:\Program Files (x86)\ailiao | |||
| (PID) Process: | (7288) 798_abroad.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ailiao |
| Operation: | write | Name: | ailiaosvrname |
Value: | |||
| (PID) Process: | (7288) 798_abroad.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\ailiao |
| Operation: | write | Name: | UpdateVer |
Value: 65538 | |||
Executable files
14
Suspicious files
193
Text files
35
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7904 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10e90a.TMP | — | |
MD5:— | SHA256:— | |||
| 7904 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 7288 | 798_abroad.exe | C:\Program Files (x86)\ailiao\ailiaotp.exe | executable | |
MD5:52DA7522527CC0EB0F648C94CF9BA178 | SHA256:F5CB4F1AD712E03A0381CF106A3C93C319AA14BC4EC4678AFEEE9EC03B576507 | |||
| 7288 | 798_abroad.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\°®ÁÄ\°®ÁÄ.lnk | binary | |
MD5:DB099710B315BD3D5FDCDBF11B2B84B2 | SHA256:B76785EB1AA38F1B8786A58689AD6FB8A445FB7942550541B839B8328A8C188E | |||
| 7288 | 798_abroad.exe | C:\Program Files (x86)\ailiao\ailiaou.exe | executable | |
MD5:98955512DD3A0AB0E8FB882A9362FCB5 | SHA256:CEE7024E1ED190D198976B62E6E8C2A67CD038AC14BC966D83A2AA95BADEFF34 | |||
| 7288 | 798_abroad.exe | C:\Users\admin\AppData\Local\Temp\nsbD276.tmp\System.dll | executable | |
MD5:C17103AE9072A06DA581DEC998343FC1 | SHA256:DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F | |||
| 7288 | 798_abroad.exe | C:\Program Files (x86)\ailiao\aldesk.exe | executable | |
MD5:84A64ECAB13E9EA3FFEF1E248C55D0A2 | SHA256:BAC3356289E1AFC4B3B3DE94A745EA5C212DD43AFA676526E6F376F75077D53E | |||
| 7904 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF10e8fa.TMP | text | |
MD5:C5C8E14929BCE261B2B5B899CB479AF7 | SHA256:73DBFF8A366CFF6972A38C091782EF62C89E28FDA1423A47448A60343F921754 | |||
| 7904 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old | text | |
MD5:1AF1D1ED27A40F9FDA977B6C353EC48B | SHA256:01B66ED195749BF7909E0B655A6C4C6AFDECD665D7304653D09CD538191CC50A | |||
| 7904 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF10e929.TMP | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
37
DNS requests
67
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 163.171.146.42:80 | http://www.woxiu.com/index.php?apply=liaoban&action=UserCtrl&do=getUserViewRecord&qq-pf-to=pcqq.c2c | unknown | — | — | unknown |
1188 | BackgroundTransferHost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
4980 | SIHClient.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
4980 | SIHClient.exe | GET | 200 | 23.209.214.100:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6544 | svchost.exe | 20.190.159.23:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3216 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 163.171.146.42:80 | www.woxiu.com | QUANTILNETWORKS | US | unknown |
7904 | msedge.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
6404 | msedge.exe | 13.107.246.76:443 | edge-mobile-static.azureedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6404 | msedge.exe | 13.107.6.158:443 | business.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6404 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
udp.quzhao.com |
| unknown |
ailiao.liaoban.com |
| unknown |
udpk.ailiao.tv |
| unknown |
tongjik.ailiao.tv |
| unknown |
www.woxiu.com |
| unknown |
shangxianwt.liaoban.com |
| unknown |