File name:

h.exe

Full analysis: https://app.any.run/tasks/1c296d3e-658c-49dd-9c68-3d64ed1bedce
Verdict: Malicious activity
Analysis date: October 27, 2023, 05:39:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:
sinkhole
Indicators:
MIME: application/x-dosexec
File info: MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

564451E54FA0196ACD2FD7F771E5ED1C

SHA1:

FD0A26FEA635276BC7B54D572F2DBEB7BFD2E1FC

SHA256:

3E4A9ECDC59EBCF0941AA0C37A6704DDFE15EADCC3F16D1023132445736DF30F

SSDEEP:

768:1TZNi1XxlRCAASK8IUmjJz7n+zQr+oB1hVeS0rRqyBLZRhtyp6J48lqepCU:1VI1hHM8IU+RDT9exNqiNnplXp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • h.exe (PID: 1612)

    • Application was dropped or rewritten from another process

      • omsecor.exe (PID: 2304)

    • Connects to the CnC server

      • omsecor.exe (PID: 2304)

  • SUSPICIOUS

    • Reads the Internet Settings

      • omsecor.exe (PID: 2304)

  • INFO

    • Reads the computer name

      • omsecor.exe (PID: 2304)

    • Creates files or folders in the user directory

      • h.exe (PID: 1612)
      • omsecor.exe (PID: 2304)

    • Checks supported languages

      • h.exe (PID: 1612)
      • omsecor.exe (PID: 2304)

    • Checks proxy server information

      • omsecor.exe (PID: 2304)

    • Reads the machine GUID from the registry

      • omsecor.exe (PID: 2304)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | DOS Executable Generic (100)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:11:25 21:34:29+01:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 52736
InitializedDataSize: 103424
UninitializedDataSize: -
EntryPoint: 0xb346
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
31
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start h.exe no specs omsecor.exe

Process information

PID
CMD
Path
Indicators
Parent process
1612"C:\Users\admin\AppData\Local\Temp\h.exe" C:\Users\admin\AppData\Local\Temp\h.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\h.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\wininet.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64.dll
2304C:\Users\admin\AppData\Roaming\omsecor.exeC:\Users\admin\AppData\Roaming\omsecor.exe
h.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\omsecor.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\system32\kernel32.dll
c:\windows\syswow64\normaliz.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\wininet.dll
Total events
286
Read events
274
Write events
12
Delete events
0

Modification events

(PID) Process:(2304) omsecor.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2304) omsecor.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
46000000C1000000010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
(PID) Process:(2304) omsecor.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2304) omsecor.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2304) omsecor.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2304) omsecor.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2304) omsecor.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2304) omsecor.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
1
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
1612h.exeC:\Users\admin\AppData\Roaming\omsecor.exeexecutable
MD5:77F1965059059CE58EC10CCA09F566D1
SHA256:FD4E86ECBBD5EC2A8CA8DB25FDDF253B554C7AC741A157E55D13BD71804FF1BF
2304omsecor.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\VTPWE5P7.txttext
MD5:58519E3338CF8EE595F7AAF644CAF579
SHA256:10A2EA557B695C2917F3BA12EFC6812A4359E1FAAD98E8E10AE58EF63D9E34F6
2304omsecor.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\LAYB8G3I.txttext
MD5:F33A5E021B25EBCBEE6FCCB772E9CE4F
SHA256:8DB873C607542C3AA2950A5B8D2AD75A096C9ACC2637B5F638CB7140B62433D9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
13
DNS requests
5
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2304
omsecor.exe
GET
193.166.255.171:80
http://lousta.net/75/235.html
unknown
unknown
2304
omsecor.exe
GET
200
34.41.229.245:80
http://ow5dirasuek.com/810/818.html
unknown
unknown
2304
omsecor.exe
GET
200
64.225.91.73:80
http://mkkuei4kdsz.com/802/875.html
unknown
html
593 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2304
omsecor.exe
193.166.255.171:80
lousta.net
Tieteen tietotekniikan keskus Oy
FI
unknown
324
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
1956
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
2304
omsecor.exe
64.225.91.73:80
mkkuei4kdsz.com
DIGITALOCEAN-ASN
US
unknown
2304
omsecor.exe
34.41.229.245:80
ow5dirasuek.com
GOOGLE-CLOUD-PLATFORM
US
unknown

DNS requests

Domain
IP
Reputation
lousta.net
  • 193.166.255.171
unknown
dns.msftncsi.com
  • 131.107.255.255
shared
mkkuei4kdsz.com
  • 64.225.91.73
unknown
ow5dirasuek.com
  • 34.41.229.245
unknown

Threats

PID
Process
Class
Message
2304
omsecor.exe
Malware Command and Control Activity Detected
ET MALWARE Ransom.Win32.Birele.gsg Checkin
2304
omsecor.exe
Malware Command and Control Activity Detected
ET MALWARE Ransom.Win32.Birele.gsg Checkin
2304
omsecor.exe
A Network Trojan was detected
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
2304
omsecor.exe
A Network Trojan was detected
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
2304
omsecor.exe
Malware Command and Control Activity Detected
ET MALWARE Ransom.Win32.Birele.gsg Checkin
No debug info