File name: | 3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe |
Full analysis: | https://app.any.run/tasks/8c02c0eb-a9f6-42bb-b8ad-216631dad807 |
Verdict: | Malicious activity |
Analysis date: | May 21, 2024, 02:16:49 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 20B71D9DA27BEC702E901AAF7F44FFB0 |
SHA1: | B613AA8E8E022FC4BFFEFAE9419CAF35A5E8CA2F |
SHA256: | 3CC86FFA9CBDA978789C4CC22E7F93FFAB62EB5B7F77C0A94D3771FA2F3EDCD0 |
SSDEEP: | 6144://JZVQ83chNfrlWjHhbCl7nq/q8s3FE0668:/dfiliA7q/EJ668 |
.exe | | | Win64 Executable (generic) (49.4) |
---|---|---|
.scr | | | Windows screen saver (23.4) |
.dll | | | Win32 Dynamic Link Library (generic) (11.7) |
.exe | | | Win32 Executable (generic) (8) |
.exe | | | Generic Win/DOS Executable (3.5) |
MachineType: | Intel 386 or later, and compatibles |
---|---|
TimeStamp: | 1976:08:18 05:39:38+00:00 |
ImageFileCharacteristics: | Executable, No line numbers, No symbols, 32-bit |
PEType: | PE32 |
LinkerVersion: | 2.55 |
CodeSize: | 53248 |
InitializedDataSize: | 18944 |
UninitializedDataSize: | 125440 |
EntryPoint: | 0x33000 |
OSVersion: | 1 |
ImageVersion: | - |
SubsystemVersion: | 4 |
Subsystem: | Windows GUI |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
708 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Minimized -Command "Start-Process C:\Users\admin\Desktop\3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe -Verb runas ; echo 'Started the file with administrator privileges, this is not part of the sample!' ; exit 0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
5244 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
1604 | "C:\Users\admin\Desktop\3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe" | C:\Users\admin\Desktop\3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe | powershell.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
5752 | C:\WINDOWS\system32\Fngdik32.exe | C:\Windows\SysWOW64\Fngdik32.exe | 3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
5824 | C:\WINDOWS\system32\Fealeeon.exe | C:\Windows\SysWOW64\Fealeeon.exe | Fngdik32.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
2528 | C:\WINDOWS\system32\Fgphaqnb.exe | C:\Windows\SysWOW64\Fgphaqnb.exe | Fealeeon.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
4280 | C:\WINDOWS\system32\Fmlajgli.exe | C:\Windows\SysWOW64\Fmlajgli.exe | Fgphaqnb.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
2600 | C:\WINDOWS\system32\Fecikeml.exe | C:\Windows\SysWOW64\Fecikeml.exe | Fmlajgli.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
5996 | C:\WINDOWS\system32\Flnahodh.exe | C:\Windows\SysWOW64\Flnahodh.exe | Fecikeml.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
4852 | C:\WINDOWS\system32\Fajjpfbp.exe | C:\Windows\SysWOW64\Fajjpfbp.exe | Flnahodh.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
|
(PID) Process: | (708) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (708) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (708) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
(PID) Process: | (708) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 0 | |||
(PID) Process: | (1604) 3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Operation: | write | Name: | ThreadingModel |
Value: Apartment | |||
(PID) Process: | (1604) 3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Operation: | write | Name: | Web Event Logger |
Value: {79FAA099-1BAE-816E-D711-115290CEE717} | |||
(PID) Process: | (5752) Fngdik32.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Operation: | write | Name: | ThreadingModel |
Value: Apartment | |||
(PID) Process: | (5752) Fngdik32.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Operation: | write | Name: | Web Event Logger |
Value: {79FAA099-1BAE-816E-D711-115290CEE717} | |||
(PID) Process: | (5824) Fealeeon.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FAA099-1BAE-816E-D711-115290CEE717}\InProcServer32 |
Operation: | write | Name: | ThreadingModel |
Value: Apartment | |||
(PID) Process: | (5824) Fealeeon.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad |
Operation: | write | Name: | Web Event Logger |
Value: {79FAA099-1BAE-816E-D711-115290CEE717} |
PID | Process | Filename | Type | |
---|---|---|---|---|
708 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | — | |
MD5:— | SHA256:— | |||
1604 | 3cc86ffa9cbda978789c4cc22e7f93ffab62eb5b7f77c0a94d3771fa2f3edcd0.exe | C:\WINDOWS\SysWOW64\Bpneombf.dll | executable | |
MD5:E1DA5996CF59A607066BE28907D2AF8E | SHA256:A6E87F06997219A77A3CC79983AFD8FC67F57C4155E3C3D13846169A57D9E9E3 | |||
2528 | Fgphaqnb.exe | C:\WINDOWS\SysWOW64\Ekohkbhc.dll | executable | |
MD5:719DBFD16CB138422419F74FB8300DE1 | SHA256:7D512D9FFEF1CDAAF33DE13BFAFF224C9A0182B1DADA62D42CDFE5F916AD2251 | |||
708 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ydy321ab.wt5.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
708 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ywsxllbd.dpj.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
5824 | Fealeeon.exe | C:\WINDOWS\SysWOW64\Nioohggo.dll | executable | |
MD5:470FFDB9CA997DC1E3EC5CE9EA69DB22 | SHA256:3A144A9BF325CDFE7D8C9206247E4606ADD1AC435E5194D1C10D5AAA88857974 | |||
2600 | Fecikeml.exe | C:\WINDOWS\SysWOW64\Flnahodh.exe | executable | |
MD5:0E26CDD05726E2BA5454B49B15E53671 | SHA256:2E7E405A82F07B19D9DE3FB20F4548B154872457621AAC22228293A7A5A159FF | |||
2600 | Fecikeml.exe | C:\WINDOWS\SysWOW64\Dofhjc32.dll | executable | |
MD5:958CD2E78269C31803DE344E55925C1B | SHA256:55FD935D397F29E3C23D06977036F8A71366C1B2366085A0882D748AA9EA77E2 | |||
708 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RF114b5e.TMP | binary | |
MD5:D040F64E9E7A2BB91ABCA5613424598E | SHA256:D04E0A6940609BD6F3B561B0F6027F5CA4E8C5CF0FB0D0874B380A0374A8D670 | |||
4280 | Fmlajgli.exe | C:\WINDOWS\SysWOW64\Dppfkj32.dll | executable | |
MD5:3280FDCCCF72A050197E46B65225703A | SHA256:015E5E92CED3C3BEA0503B348005A1CF2A6D1F9AC938CED6B3797B951051C720 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
5548 | svchost.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
5548 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
5996 | RUXIMICS.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
5996 | RUXIMICS.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
5140 | MoUsoCoreWorker.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
2908 | OfficeClickToRun.exe | POST | 200 | 52.168.112.67:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | — |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
5548 | svchost.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
5996 | RUXIMICS.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
5140 | MoUsoCoreWorker.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
5548 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown |
5996 | RUXIMICS.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown |
5140 | MoUsoCoreWorker.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown |
5548 | svchost.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
5996 | RUXIMICS.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
5140 | MoUsoCoreWorker.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | unknown |
5140 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
Domain | IP | Reputation |
---|---|---|
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
watson.events.data.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |