File name:

KWSuitev2.1.exe

Full analysis: https://app.any.run/tasks/36831fee-ab60-4ead-951f-acf65229d02f
Verdict: Malicious activity
Analysis date: November 23, 2024, 21:52:21
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
pastebin
discord
neshta
ims-api
generic
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:

179CEAE64423EC7003EB2B306B3C2171

SHA1:

7834AB73198780FBAF9C241914D8B9F7E0649184

SHA256:

326614198B1DD3AC322524F6A9EAE6D77404F07FE4F455B45B5A0AEA71BF860D

SSDEEP:

98304:xAGuUmvrNWlQM+i/N5tvSswxmUf89tZcMD1hCX6iG8oa1ts+3Ri+sSyu7cO5M760:/A0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • NESHTA mutex has been found

      • KWSuitev2.1.exe (PID: 1192)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • KWSuitev2.1.exe (PID: 1192)

    • Reads the Internet Settings

      • KWSuitev2.1.exe (PID: 1192)

    • Reads security settings of Internet Explorer

      • KWSuitev2.1.exe (PID: 1192)

    • Mutex name with non-standard characters

      • KWSuitev2.1.exe (PID: 1192)

    • There is functionality for taking screenshot (YARA)

      • KWSuitev2.1.exe (PID: 1840)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • KWSuitev2.1.exe (PID: 1840)

    • Checks for external IP

      • KWSuitev2.1.exe (PID: 1840)

  • INFO

    • Create files in a temporary directory

      • KWSuitev2.1.exe (PID: 1192)

    • Checks supported languages

      • KWSuitev2.1.exe (PID: 1192)
      • KWSuitev2.1.exe (PID: 1840)

    • Reads the computer name

      • KWSuitev2.1.exe (PID: 1192)
      • KWSuitev2.1.exe (PID: 1840)

    • The process uses the downloaded file

      • KWSuitev2.1.exe (PID: 1192)

    • Reads the machine GUID from the registry

      • KWSuitev2.1.exe (PID: 1840)

    • Attempting to use instant messaging service

      • KWSuitev2.1.exe (PID: 1840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(1840) KWSuitev2.1.exe
Discord-Webhook-Tokens (1)1304591959792287764/dngxC0ChVAjdyh4tCnkxDLywai8UK0ODEmh4iq2C_ezaA1MJDkdc0Epgk-fuxsivvRDe
Discord-Info-Links
1304591959792287764/dngxC0ChVAjdyh4tCnkxDLywai8UK0ODEmh4iq2C_ezaA1MJDkdc0Epgk-fuxsivvRDe
Get Webhook Infohttps://discord.com/api/webhooks/1304591959792287764/dngxC0ChVAjdyh4tCnkxDLywai8UK0ODEmh4iq2C_ezaA1MJDkdc0Epgk-fuxsivvRDe
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 6 (89.6)
.scr | Windows screen saver (4.4)
.dll | Win32 Dynamic Link Library (generic) (2.2)
.exe | Win32 Executable (generic) (1.5)
.exe | Win16/32 Executable Delphi generic (0.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 29696
InitializedDataSize: 10752
UninitializedDataSize: -
EntryPoint: 0x80e4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
114
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #NESHTA kwsuitev2.1.exe kwsuitev2.1.exe

Process information

PID
CMD
Path
Indicators
Parent process
1192"C:\Users\admin\Desktop\KWSuitev2.1.exe" C:\Users\admin\Desktop\KWSuitev2.1.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\desktop\kwsuitev2.1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
1840"C:\Users\admin\AppData\Local\Temp\3582-490\KWSuitev2.1.exe" C:\Users\admin\AppData\Local\Temp\3582-490\KWSuitev2.1.exe
KWSuitev2.1.exe
User:
admin
Integrity Level:
MEDIUM
Description:
KWSuite v2.0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\3582-490\kwsuitev2.1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
ims-api
(PID) Process(1840) KWSuitev2.1.exe
Discord-Webhook-Tokens (1)1304591959792287764/dngxC0ChVAjdyh4tCnkxDLywai8UK0ODEmh4iq2C_ezaA1MJDkdc0Epgk-fuxsivvRDe
Discord-Info-Links
1304591959792287764/dngxC0ChVAjdyh4tCnkxDLywai8UK0ODEmh4iq2C_ezaA1MJDkdc0Epgk-fuxsivvRDe
Get Webhook Infohttps://discord.com/api/webhooks/1304591959792287764/dngxC0ChVAjdyh4tCnkxDLywai8UK0ODEmh4iq2C_ezaA1MJDkdc0Epgk-fuxsivvRDe
Total events
5 634
Read events
5 612
Write events
22
Delete events
0

Modification events

(PID) Process:(1192) KWSuitev2.1.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1192) KWSuitev2.1.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1192) KWSuitev2.1.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1192) KWSuitev2.1.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1840) KWSuitev2.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\KWSuitev2_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(1840) KWSuitev2.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\KWSuitev2_RASAPI32
Operation:writeName:EnableAutoFileTracing
Value:
0
(PID) Process:(1840) KWSuitev2.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\KWSuitev2_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(1840) KWSuitev2.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\KWSuitev2_RASAPI32
Operation:writeName:FileTracingMask
Value:
(PID) Process:(1840) KWSuitev2.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\KWSuitev2_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
(PID) Process:(1840) KWSuitev2.1.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\KWSuitev2_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
Executable files
1
Suspicious files
1
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
1192KWSuitev2.1.exeC:\Users\admin\AppData\Local\Temp\3582-490\KWSuitev2.1.exeexecutable
MD5:B215D7D984863693CD30D6E0C9310802
SHA256:02C043C7B22CF0A298F4BA1A6AE6575ED2DE506C3C881B4219D82AF15317BA79
1192KWSuitev2.1.exeC:\Users\admin\AppData\Local\Temp\tmp5023.tmpbinary
MD5:61DF0BBD115ED2EA278F6A9C00CC6358
SHA256:60191C2D50827A10C82445AB5E077EF1BFDE6AF77C005901CBC2EF5F336C258E
1840KWSuitev2.1.exeC:\Users\admin\AppData\Local\Temp\screenshot.pngimage
MD5:5B71540DFA6798DC5004E9F3841FB8D6
SHA256:89B5515139D6F9B2CE7DE2DEDA78789CB7CF9B75ADD3411B21A69F072287CD5E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
27
TCP/UDP connections
35
DNS requests
32
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
7052
rundll32.exe
GET
304
146.75.122.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?22228dab5fde6f40
unknown
whitelisted
2812
MoUsoCoreWorker.exe
GET
304
146.75.122.172:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9a56151a1a589f18
unknown
whitelisted
GET
200
23.53.42.66:80
http://www.msftconnecttest.com/connecttest.txt
unknown
whitelisted
6880
firefox.exe
POST
200
23.53.40.154:80
http://r10.o.lencr.org/
unknown
whitelisted
6880
firefox.exe
POST
200
192.229.221.95:80
http://ocsp.digicert.com/
unknown
whitelisted
6880
firefox.exe
POST
200
23.53.40.154:80
http://r10.o.lencr.org/
unknown
whitelisted
6880
firefox.exe
POST
200
192.229.221.95:80
http://ocsp.digicert.com/
unknown
whitelisted
HEAD
200
23.213.164.137:443
https://fs.microsoft.com/fs/windows/config.json
unknown
GET
304
46.228.146.0:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?bdb78aa50ddaee77
unknown
whitelisted
6880
firefox.exe
POST
200
23.53.40.154:80
http://r10.o.lencr.org/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
192.168.100.255:137
whitelisted
23.53.42.66:80
Akamai International B.V.
DE
unknown
52.109.89.18:443
officeclient.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
34.149.100.209:443
firefox.settings.services.mozilla.com
GOOGLE
US
whitelisted
34.120.208.123:443
incoming.telemetry.mozilla.org
GOOGLE-CLOUD-PLATFORM
US
whitelisted
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
239.255.255.250:1900
whitelisted
2812
MoUsoCoreWorker.exe
20.73.194.208:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2812
MoUsoCoreWorker.exe
146.75.122.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted
146.75.122.172:80
ctldl.windowsupdate.com
FASTLY
US
whitelisted

DNS requests

Domain
IP
Reputation
officeclient.microsoft.com
  • 52.109.89.18
whitelisted
firefox.settings.services.mozilla.com
  • 34.149.100.209
whitelisted
incoming.telemetry.mozilla.org
  • 34.120.208.123
whitelisted
prod.remote-settings.prod.webservices.mozgcp.net
  • 34.149.100.209
whitelisted
telemetry-incoming.r53-2.services.mozilla.com
  • 34.120.208.123
whitelisted
google.com
  • 142.250.186.46
whitelisted
ctldl.windowsupdate.com
  • 146.75.122.172
  • 46.228.146.0
whitelisted
ecs.office.com
  • 52.113.194.132
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
fp2e7a.wpc.phicdn.net
  • 192.229.221.95
  • 2606:2800:233:fa02:67b:9ff6:6107:833
whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Microsoft Connection Test
1656
svchost.exe
Not Suspicious Traffic
INFO [ANY.RUN] Online Pastebin Text Storage
1656
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
1840
KWSuitev2.1.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
1656
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
1840
KWSuitev2.1.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
KWSuitev2.1.exe