| File name: | 4341f2c394fe2930c72475e7f42c626e4747b3db42b1ed2e97eeee9159d96aee |
| Full analysis: | https://app.any.run/tasks/450041aa-0c8f-4fa1-aa72-794d336ea95c |
| Verdict: | Malicious activity |
| Threats: | A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. |
| Analysis date: | December 13, 2024, 20:47:52 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows, 10 sections |
| MD5: | D7EC2CBA3D5757A45C4C8E577D2B27AE |
| SHA1: | F5E65DB0BFED954484F3484567C2043CA97B5A9D |
| SHA256: | 4341F2C394FE2930C72475E7F42C626E4747B3DB42B1ED2E97EEEE9159D96AEE |
| SSDEEP: | 384:KWXGaNp+QWAClYR8+JNn7GbUanrUPYDlt:dGa7+QPRTGbtrUQ |
MALICIOUS
COBALTSTRIKE has been detected (YARA)
- 4341f2c394fe2930c72475e7f42c626e4747b3db42b1ed2e97eeee9159d96aee.exe (PID: 5920)
COBALTSTRIKE has been detected (SURICATA)
- 4341f2c394fe2930c72475e7f42c626e4747b3db42b1ed2e97eeee9159d96aee.exe (PID: 5920)
SUSPICIOUS
Reads security settings of Internet Explorer
- 4341f2c394fe2930c72475e7f42c626e4747b3db42b1ed2e97eeee9159d96aee.exe (PID: 5920)
Connects to unusual port
- 4341f2c394fe2930c72475e7f42c626e4747b3db42b1ed2e97eeee9159d96aee.exe (PID: 5920)
Contacting a server suspected of hosting an CnC
- 4341f2c394fe2930c72475e7f42c626e4747b3db42b1ed2e97eeee9159d96aee.exe (PID: 5920)
INFO
Checks proxy server information
- 4341f2c394fe2930c72475e7f42c626e4747b3db42b1ed2e97eeee9159d96aee.exe (PID: 5920)
Reads the computer name
- 4341f2c394fe2930c72475e7f42c626e4747b3db42b1ed2e97eeee9159d96aee.exe (PID: 5920)
Checks supported languages
- 4341f2c394fe2930c72475e7f42c626e4747b3db42b1ed2e97eeee9159d96aee.exe (PID: 5920)
Reads the machine GUID from the registry
- 4341f2c394fe2930c72475e7f42c626e4747b3db42b1ed2e97eeee9159d96aee.exe (PID: 5920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.2) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| Subsystem: | Windows GUI |
|---|---|
| SubsystemVersion: | 5.2 |
| ImageVersion: | - |
| OSVersion: | 4 |
| EntryPoint: | 0x14c0 |
| UninitializedDataSize: | 2560 |
| InitializedDataSize: | 23040 |
| CodeSize: | 8704 |
| LinkerVersion: | 2.34 |
| PEType: | PE32+ |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Large address aware, No debug |
| TimeStamp: | 0000:00:00 00:00:00 |
| MachineType: | AMD AMD64 |
Total processes
118
Monitored processes
1
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 5920 | "C:\Users\admin\Desktop\4341f2c394fe2930c72475e7f42c626e4747b3db42b1ed2e97eeee9159d96aee.exe" | C:\Users\admin\Desktop\4341f2c394fe2930c72475e7f42c626e4747b3db42b1ed2e97eeee9159d96aee.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
Total events
375
Read events
375
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
20
DNS requests
6
Threats
10
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5920 | 4341f2c394fe2930c72475e7f42c626e4747b3db42b1ed2e97eeee9159d96aee.exe | GET | 200 | 82.156.205.61:18672 | http://82.156.205.61:18672/IE9CompatViewList.xml | unknown | — | — | — |
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5920 | 4341f2c394fe2930c72475e7f42c626e4747b3db42b1ed2e97eeee9159d96aee.exe | GET | 200 | 82.156.205.61:18672 | http://82.156.205.61:18672/IE9CompatViewList.xml | unknown | — | — | — |
5920 | 4341f2c394fe2930c72475e7f42c626e4747b3db42b1ed2e97eeee9159d96aee.exe | GET | 200 | 82.156.205.61:18672 | http://82.156.205.61:18672/IE9CompatViewList.xml | unknown | — | — | — |
3508 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3508 | svchost.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5920 | 4341f2c394fe2930c72475e7f42c626e4747b3db42b1ed2e97eeee9159d96aee.exe | GET | 200 | 82.156.205.61:18672 | http://82.156.205.61:18672/XAvN | unknown | — | — | — |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.32.238.107:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
3508 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5920 | 4341f2c394fe2930c72475e7f42c626e4747b3db42b1ed2e97eeee9159d96aee.exe | 82.156.205.61:18672 | — | Shenzhen Tencent Computer Systems Company Limited | CN | malicious |
3508 | svchost.exe | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.32.238.107:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
3508 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | A Network Trojan was detected | ET MALWARE Successful Cobalt Strike Shellcode Download (x64) M1 |
— | — | A Network Trojan was detected | BACKDOOR [ANY.RUN] Possible Cobalt Strike Beacon |
— | — | Targeted Malicious Activity was Detected | ET MALWARE Cobalt Strike Beacon Observed |
— | — | Malware Command and Control Activity Detected | ET MALWARE Cobalt Strike Beacon Observed (MASB UA) |
— | — | Targeted Malicious Activity was Detected | ET MALWARE Cobalt Strike Beacon Observed |
— | — | Malware Command and Control Activity Detected | ET MALWARE Cobalt Strike Beacon Observed (MASB UA) |
— | — | A Network Trojan was detected | BACKDOOR [ANY.RUN] Possible Cobalt Strike Beacon |
— | — | Targeted Malicious Activity was Detected | ET MALWARE Cobalt Strike Beacon Observed |
— | — | Malware Command and Control Activity Detected | ET MALWARE Cobalt Strike Beacon Observed (MASB UA) |
— | — | A Network Trojan was detected | BACKDOOR [ANY.RUN] Possible Cobalt Strike Beacon |