| File name: | 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.exe |
| Full analysis: | https://app.any.run/tasks/ce86fa17-2f8d-4093-bb55-635412f76a67 |
| Verdict: | Malicious activity |
| Analysis date: | November 22, 2024, 07:20:55 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections |
| MD5: | 69D823DBB18C9207A970832A3DB4D594 |
| SHA1: | DB2D895B920915D528C64CEB494C05408AE83A21 |
| SHA256: | 403ABADE2D85B73A9341E1D2794C8360FF17579337A9839E8987627BDBE3042C |
| SSDEEP: | 49152:yH7Ax9Gv/FNIAn8NlPbaTgQknJpMn3hGhQKiaNg3grAEqX9JEcSqHIRMC1NyXykV:icC9vQlP+TgQkJKnAhHhg3grAES9J7H/ |
MALICIOUS
Registers / Runs the DLL via REGSVR32.EXE
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp (PID: 5656)
SUSPICIOUS
Executable content was dropped or overwritten
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.exe (PID: 6060)
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp (PID: 2096)
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp (PID: 5656)
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.exe (PID: 4208)
Process drops legitimate windows executable
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp (PID: 2096)
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp (PID: 5656)
Reads the Windows owner or organization settings
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp (PID: 2096)
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp (PID: 5656)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 1792)
Starts POWERSHELL.EXE for commands execution
- regsvr32.exe (PID: 2072)
- regsvr32.exe (PID: 2392)
- regsvr32.exe (PID: 2996)
Connects to unusual port
- regsvr32.exe (PID: 2072)
The process checks if it is being run in the virtual environment
- regsvr32.exe (PID: 2072)
The process executes via Task Scheduler
- regsvr32.exe (PID: 2392)
- regsvr32.exe (PID: 2996)
Starts CMD.EXE for commands execution
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp (PID: 2096)
INFO
Create files in a temporary directory
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.exe (PID: 6060)
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp (PID: 2096)
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp (PID: 5656)
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.exe (PID: 4208)
Checks supported languages
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp (PID: 2096)
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.exe (PID: 6060)
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp (PID: 5656)
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.exe (PID: 4208)
Reads the computer name
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp (PID: 2096)
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp (PID: 5656)
Creates files or folders in the user directory
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp (PID: 5656)
Creates a software uninstall entry
- 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp (PID: 5656)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (77.7) |
|---|---|---|
| .exe | | | Win32 Executable Delphi generic (10) |
| .dll | | | Win32 Dynamic Link Library (generic) (4.6) |
| .exe | | | Win32 Executable (generic) (3.1) |
| .exe | | | Win16/32 Executable Delphi generic (1.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2012:05:29 11:51:48+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 86016 |
| InitializedDataSize: | 53760 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x16478 |
| OSVersion: | 5 |
| ImageVersion: | 6 |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | |
| FileDescription: | Alert Window Setup |
| FileVersion: | |
| LegalCopyright: | |
| ProductName: | Alert Window |
| ProductVersion: | 10.38.65.1278 |
Total processes
137
Monitored processes
19
Malicious processes
4
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 364 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 848 | "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/S /i:INSTALL C:\Users\admin\AppData\Roaming\DelightfulCard.dll' }) { exit 0 } else { exit 1 }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | regsvr32.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1488 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1792 | "cmd.exe" /C timeout /T 3 & "C:\Users\admin\Desktop\403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.exe" /VERYSILENT /SUPPRESSMSGBOXES | C:\Windows\SysWOW64\cmd.exe | — | 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2072 | /s /i:INSTALL "C:\Users\admin\AppData\Roaming\\DelightfulCard.dll" | C:\Windows\System32\regsvr32.exe | regsvr32.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2096 | "C:\Users\admin\AppData\Local\Temp\is-BM1I1.tmp\403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp" /SL5="$501F8,1097818,140800,C:\Users\admin\Desktop\403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.exe" | C:\Users\admin\AppData\Local\Temp\is-BM1I1.tmp\403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp | 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 2392 | "C:\WINDOWS\system32\regsvr32.EXE" /S /i:INSTALL C:\Users\admin\AppData\Roaming\DelightfulCard.dll | C:\Windows\System32\regsvr32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 4 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2860 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2996 | "C:\WINDOWS\system32\regsvr32.EXE" /S /i:INSTALL C:\Users\admin\AppData\Roaming\DelightfulCard.dll | C:\Windows\System32\regsvr32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 4 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3772 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
26 384
Read events
26 357
Write events
21
Delete events
6
Modification events
| (PID) Process: | (5656) 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 |
| Operation: | write | Name: | Owner |
Value: 18160000776CF118AF3CDB01 | |||
| (PID) Process: | (5656) 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 |
| Operation: | write | Name: | SessionHash |
Value: 0564920984772F405C0F59CDA5FF3A47D88FAD6789E39B5777FC60D87460C584 | |||
| (PID) Process: | (5656) 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (5656) 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 |
| Operation: | write | Name: | RegFiles0000 |
Value: C:\Users\admin\AppData\Roaming\DelightfulCard.dll | |||
| (PID) Process: | (5656) 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001 |
| Operation: | write | Name: | RegFilesHash |
Value: FAFE93D5C5F60845521383EAD87D487424274371A84833431815CF7D36E0FC58 | |||
| (PID) Process: | (5656) 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alert Window_is1 |
| Operation: | write | Name: | Inno Setup: Setup Version |
Value: 5.5.0 (u) | |||
| (PID) Process: | (5656) 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alert Window_is1 |
| Operation: | write | Name: | Inno Setup: App Path |
Value: C:\Users\admin\AppData\Local | |||
| (PID) Process: | (5656) 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alert Window_is1 |
| Operation: | write | Name: | InstallLocation |
Value: C:\Users\admin\AppData\Local\ | |||
| (PID) Process: | (5656) 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alert Window_is1 |
| Operation: | write | Name: | Inno Setup: Icon Group |
Value: (Default) | |||
| (PID) Process: | (5656) 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Alert Window_is1 |
| Operation: | write | Name: | Inno Setup: User |
Value: admin | |||
Executable files
10
Suspicious files
2
Text files
8
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5656 | 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp | C:\Users\admin\AppData\Local\unins000.exe | executable | |
MD5:A6837B868F2058E91AAD605F9FDC67C6 | SHA256:77C0125A8D22903148B96E6CCB75D955155867D4F66E5A291232F394FEFE6AAE | |||
| 3884 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:4C9B724E8C0DAB1278509B5F585E918E | SHA256:6CC2D0F67B16921C0239EA7600767A3AA5EC0E08A09F522BA7439CECE4878C09 | |||
| 6060 | 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.exe | C:\Users\admin\AppData\Local\Temp\is-BM1I1.tmp\403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp | executable | |
MD5:14C6FA8E50B4147075EB922BD0C8B28D | SHA256:90C4A61AF494B63ECFE1226714175675A4E49E57D50718491B3BC8FE29DD8FC7 | |||
| 2096 | 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp | C:\Users\admin\AppData\Local\Temp\is-K59SN.tmp\_isetup\_shfoldr.dll | executable | |
MD5:92DC6EF532FBB4A5C3201469A5B5EB63 | SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 | |||
| 3884 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_1sougorx.5hr.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 848 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_beid11hw.jgz.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 848 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vynqhkji.nx0.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3884 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_giu3e3wf.444.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5404 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_q2i1wby2.hjr.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5656 | 403abade2d85b73a9341e1d2794c8360ff17579337a9839e8987627bdbe3042c.tmp | C:\Users\admin\AppData\Roaming\DelightfulCard.dll | executable | |
MD5:985FEF2B6872A1A94726DC3B7F1439DE | SHA256:78EF7EACFFABA55E653195FE37846375AEB51B164D80AD312AFDA54163DA0622 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
44
DNS requests
6
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4932 | svchost.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5544 | RUXIMICS.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4932 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5544 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4932 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5544 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5544 | RUXIMICS.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
4932 | svchost.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
5544 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
4932 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2072 | regsvr32.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 33 |