File name: | 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84 |
Full analysis: | https://app.any.run/tasks/6c430642-302d-4b63-93ed-00efe814f2f0 |
Verdict: | Malicious activity |
Analysis date: | January 10, 2025, 23:13:47 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/vnd.microsoft.portable-executable |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 4 sections |
MD5: | D991AB582EC38871DA084961DFAE31C4 |
SHA1: | 86051736B631F31150668F815B6D0CCB08E56D38 |
SHA256: | 4553EC7A5E4461AEEBB90F66ACC75D434A72A84314A9014563C2F61CA0A1CB84 |
SSDEEP: | 768:RmCTPPL4MbUgJFpNZzFv8q78nEEOvV2xB0Hxz+S6iqJKG:RnTFbUgXf3Uq78TY16iOp |
.exe | | | UPX compressed Win32 Executable (38.2) |
---|---|---|
.exe | | | Win32 EXE Yoda's Crypter (37.5) |
.dll | | | Win32 Dynamic Link Library (generic) (9.2) |
.exe | | | Win32 Executable (generic) (6.3) |
.exe | | | Clipper DOS Executable (2.8) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 4 |
ImageVersion: | - |
OSVersion: | 4 |
EntryPoint: | 0x10024 |
UninitializedDataSize: | 32768 |
InitializedDataSize: | 4096 |
CodeSize: | 25088 |
LinkerVersion: | 7 |
PEType: | PE32 |
ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
TimeStamp: | 0000:00:00 00:00:00 |
MachineType: | Intel 386 or later, and compatibles |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
5432 | "C:\Users\admin\Desktop\4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe" | C:\Users\admin\Desktop\4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
5548 | "C:\Users\admin\AppData\Local\Temp\services.exe" | C:\Users\admin\AppData\Local\Temp\services.exe | 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
|
(PID) Process: | (5432) 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | JavaVM |
Value: C:\Users\admin\AppData\Local\Temp\java.exe | |||
(PID) Process: | (5548) services.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run |
Operation: | write | Name: | Services |
Value: C:\Users\admin\AppData\Local\Temp\services.exe |
PID | Process | Filename | Type | |
---|---|---|---|---|
5432 | 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe | C:\Users\admin\AppData\Local\Temp\zincite.log | binary | |
MD5:F0A7A98CF349817543CDC435897D720C | SHA256:DF4161641367FD4E0B48FBEE06247A9E9C11F3CF74FAD81EFAE0FFEE66E1465D | |||
5548 | services.exe | C:\Users\admin\AppData\Local\Temp\nscom.log | binary | |
MD5:8BCF262CE732610F2DA5B11A57B8F616 | SHA256:C89A2713635B99D7DCD8EB196692578371113887C8E85B6B6EDA6E63ABCE8BD7 | |||
5432 | 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe | C:\Users\admin\AppData\Local\Temp\services.exe | executable | |
MD5:B0FE74719B1B647E2056641931907F4A | SHA256:BF316F51D0C345D61EAEE3940791B64E81F676E3BCA42BAD61073227BEE6653C | |||
5432 | 4553ec7a5e4461aeebb90f66acc75d434a72a84314a9014563c2f61ca0a1cb84.exe | C:\Users\admin\AppData\Local\Temp\java.exe | executable | |
MD5:D991AB582EC38871DA084961DFAE31C4 | SHA256:4553EC7A5E4461AEEBB90F66ACC75D434A72A84314A9014563C2F61CA0A1CB84 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4300 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4300 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4300 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 104.126.37.171:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5548 | services.exe | 10.156.133.4:1034 | — | — | — | unknown |
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4300 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |