File name: 1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe
Full analysis: https://app.any.run/tasks/7b6a77c0-6652-4969-9bf1-c26a6ea3e3e1
Verdict: Malicious activity
Analysis date: November 04, 2024, 12:58:38
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: crypto-regex
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5: 1D2B1644FA37B0ACF1E34ACCEC03AE86
SHA1: 87099A85C748B0EA754A40375765905B34280C66
SHA256: 3512B6BEC64B8C8C680359854769361248137EE7852593B0869C18BB7928D686
SSDEEP: 12288:vcgCzNHJj96xfKJStJkRm3bYXob0AnmFMcaGQx3ZVVVVVVVVVAtVVVUvPV38jPsy:KQKgLIQmFuGQx3lvPV8jPsy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Adds path to the Windows Defender exclusion list

      • Goldsvet Pro sports - 1win.pro Clone Script.exe (PID: 6124)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • Goldsvet Pro sports - 1win.pro Clone Script.exe (PID: 6124)
    • Script adds exclusion path to Windows Defender

      • Goldsvet Pro sports - 1win.pro Clone Script.exe (PID: 6124)
    • Executable content was dropped or overwritten

      • 1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe (PID: 5220)
      • Goldsvet Pro sports - 1win.pro Clone Script.exe (PID: 6124)
    • Found regular expressions for crypto-addresses (YARA)

      • Goldsvet Pro sports - 1win.pro Clone Script.exe (PID: 6124)
    • Application launched itself

      • Goldsvet Pro sports - 1win.pro Clone Script.exe (PID: 6884)
    • Starts itself from another location

      • Goldsvet Pro sports - 1win.pro Clone Script.exe (PID: 6124)
  • INFO

    • Reads the computer name

      • 1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe (PID: 5220)
    • Create files in a temporary directory

      • 1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe (PID: 5220)
    • Checks supported languages

      • 1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe (PID: 5220)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x21d50
UninitializedDataSize: -
InitializedDataSize: 263680
CodeSize: 214528
LinkerVersion: 14.33
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2023:10:03 07:51:19+00:00
MachineType: Intel 386 or later, and compatibles
All screenshots are available in the full report
Total processes: 135
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph (reconstructed from the process list below; PIDs taken from the process information section)

start
  1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe (PID 5220)
    Goldsvet Pro sports - 1win.pro Clone Script.exe (PID 6884, no specs)
      Goldsvet Pro sports - 1win.pro Clone Script.exe (PID 6124, THREAT)
        powershell.exe (PID 3860, no specs)
          conhost.exe (PID 6256, no specs)
        svchostrun.exe (PID 7448, no specs)

Process information

PID: 5220
CMD: "C:\Users\admin\AppData\Local\Temp\1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe"
Path: C:\Users\admin\AppData\Local\Temp\1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\1win clone script nuller - database + composer config files & tables.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll
PID: 6884
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\Goldsvet Pro sports - 1win.pro Clone Script.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\Goldsvet Pro sports - 1win.pro Clone Script.exe
Parent process: 1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\goldsvet pro sports - 1win.pro clone script.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 6124
CMD: "C:\Users\admin\AppData\Local\Temp\RarSFX0\Goldsvet Pro sports - 1win.pro Clone Script.exe"
Path: C:\Users\admin\AppData\Local\Temp\RarSFX0\Goldsvet Pro sports - 1win.pro Clone Script.exe
Parent process: Goldsvet Pro sports - 1win.pro Clone Script.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\rarsfx0\goldsvet pro sports - 1win.pro clone script.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 3860
CMD: "powershell.exe" -Command "Add-MpPreference -ExclusionPath 'C:\Users\admin\AppData\Local\Temp\RarSFX0\Goldsvet Pro sports - 1win.pro Clone Script.exe', 'C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostrun.exe', 'C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup'"
Path: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Parent process: Goldsvet Pro sports - 1win.pro Clone Script.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows PowerShell
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
PID: 6256
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 7448
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostrun.exe"
Path: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostrun.exe
Parent process: Goldsvet Pro sports - 1win.pro Clone Script.exe
User: admin
Integrity Level: HIGH
Description:
Version: 0.0.0.0
Modules (images):
c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\svchostrun.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events: 6 435
Read events: 6 435
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 10
Suspicious files: 3
Text files: 6
Unknown types: 0

Dropped files

PID 3860 (powershell.exe): C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_czwznyi4.zr5.psm1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 6124 (Goldsvet Pro sports - 1win.pro Clone Script.exe): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lib.dll (text)
  MD5: A008CE407AA09445D2C22D04AA82C4E1
  SHA256: D5D3877173342F9671781F90B71EA0A9560B77A7A7A311B288675A0E58BEBC89
PID 6124 (Goldsvet Pro sports - 1win.pro Clone Script.exe): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Settings.enc (binary)
  MD5: 217558CC8218D997154D6B5FD5015344
  SHA256: 43E7B2A39C0180ECB58138E246816F586581B96B110894921B19F5A4A699B2C1
PID 5220 (1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe): C:\Users\admin\AppData\Local\Temp\RarSFX0\lib.dll (text)
  MD5: A008CE407AA09445D2C22D04AA82C4E1
  SHA256: D5D3877173342F9671781F90B71EA0A9560B77A7A7A311B288675A0E58BEBC89
PID 5220 (1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe): C:\Users\admin\AppData\Local\Temp\RarSFX0\Goldsvet Pro sports - 1win.pro Clone Script.exe (executable)
  MD5: 70BD88D3AB10DBCCABFACF7D930377E7
  SHA256: D66D475DC576A50265B21432556873270FC0487AD2073D0A5843ABBE7D3B4F28
PID 5220 (1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe): C:\Users\admin\AppData\Local\Temp\RarSFX0\Settings.enc (binary)
  MD5: 217558CC8218D997154D6B5FD5015344
  SHA256: 43E7B2A39C0180ECB58138E246816F586581B96B110894921B19F5A4A699B2C1
PID 5220 (1Win Clone Script Nuller - Database + Composer Config Files & Tables.exe): C:\Users\admin\AppData\Local\Temp\RarSFX0\Module32.dll (executable)
  MD5: 041B90750E36E18944765FFD2745D8D2
  SHA256: DFA28796E9046F32FDCC9B382EBD0873ED93DC6F411385372B4A68440E26B169
PID 3860 (powershell.exe): C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gokamy5c.i3s.psm1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
PID 6124 (Goldsvet Pro sports - 1win.pro Clone Script.exe): C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchostrun.exe (executable)
  MD5: 70BD88D3AB10DBCCABFACF7D930377E7
  SHA256: D66D475DC576A50265B21432556873270FC0487AD2073D0A5843ABBE7D3B4F28
PID 3860 (powershell.exe): C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_e4ocvajj.zb5.ps1 (text)
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
HTTP(S) requests: 7
TCP/UDP connections: 42
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL
2076 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
 | | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
7572 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
7572 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.21:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
3276 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D

The CN, Type, Size and Reputation columns carry no value other than "unknown" for any of these requests; the second row shows no PID or process name in the extracted table.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 | | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:137 | | | | unknown
3524 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4360 | SearchApp.exe | 2.16.110.193:443 | www.bing.com | Akamai International B.V. | DE | unknown
 | | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | unknown
5488 | MoUsoCoreWorker.exe | 23.216.77.21:80 | crl.microsoft.com | Akamai International B.V. | DE | unknown
5488 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | unknown
4020 | svchost.exe | 239.255.255.250:1900 | | | | unknown
4 | System | 192.168.100.255:138 | | | | unknown
2076 | svchost.exe | 20.190.160.22:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown

Rows with an empty PID and process column had no value for those cells in the extracted table.

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
unknown
www.bing.com
  • 2.16.110.193
  • 2.16.110.123
  • 2.16.110.195
  • 2.16.110.200
  • 2.16.110.131
  • 2.16.110.171
  • 2.16.110.184
  • 2.16.110.130
  • 2.16.110.121
  • 2.16.110.177
  • 2.16.110.194
  • 2.16.110.176
  • 2.16.110.185
  • 2.16.110.187
  • 2.16.110.186
  • 2.16.110.169
unknown
ocsp.digicert.com
  • 192.229.221.95
unknown
crl.microsoft.com
  • 23.216.77.21
  • 23.216.77.36
unknown
www.microsoft.com
  • 23.35.229.160
unknown
google.com
  • 172.217.18.14
unknown
login.live.com
  • 20.190.160.22
  • 20.190.160.17
  • 40.126.32.138
  • 20.190.160.20
  • 40.126.32.72
  • 40.126.32.68
  • 40.126.32.76
  • 40.126.32.140
unknown
go.microsoft.com
  • 23.213.166.81
unknown
th.bing.com
  • 2.16.110.177
  • 2.16.110.194
  • 2.16.110.193
  • 2.16.110.176
  • 2.16.110.185
  • 2.16.110.187
  • 2.16.110.186
  • 2.16.110.169
  • 2.16.110.184
unknown
slscr.update.microsoft.com
  • 20.12.23.50
unknown

Threats

No threats detected
No debug info