File name: wSpam1.1.exe

Full analysis: https://app.any.run/tasks/fdc219af-9bd9-4a03-92e0-f14e23bdd791
Verdict: Malicious activity
Analysis date: July 27, 2024, 10:58:59
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: python
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 0A6CFC7C55A66793DD61734E855948AB
SHA1: 88FBA9035DCD422B12610F12D6DBE2C3B0164A5C
SHA256: 48A1672EEF39C1F4D3330BEB8737C13C0630066B7E7F6C803CFB6E5CDD903645
SSDEEP: 196608:qMc6x6mQTqvueYgB6R7yUPS0G3lCMCBcMKzHgrjTQeq7PM:bpx6mQTguXgOPiL1HgrjTQeq7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • wSpam1.1.exe (PID: 6872)
  • SUSPICIOUS
    • Process drops legitimate windows executable
      • wSpam1.1.exe (PID: 6872)
    • Process drops python dynamic module
      • wSpam1.1.exe (PID: 6872)
    • Executable content was dropped or overwritten
      • wSpam1.1.exe (PID: 6872)
    • The process drops C-runtime libraries
      • wSpam1.1.exe (PID: 6872)
    • Application launched itself
      • wSpam1.1.exe (PID: 6872)
    • Loads Python modules
      • wSpam1.1.exe (PID: 4468)
    • There is functionality for taking screenshot (YARA)
      • wSpam1.1.exe (PID: 4468)
  • INFO
    • Reads the computer name
      • wSpam1.1.exe (PID: 6872)
      • wSpam1.1.exe (PID: 4468)
    • Checks supported languages
      • wSpam1.1.exe (PID: 6872)
      • wSpam1.1.exe (PID: 4468)
    • Create files in a temporary directory
      • wSpam1.1.exe (PID: 6872)
    • Reads the machine GUID from the registry
      • wSpam1.1.exe (PID: 4468)
    • Checks proxy server information
      • slui.exe (PID: 5696)
    • Reads the software policy settings
      • slui.exe (PID: 5696)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2020:08:08 12:28:52+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14
CodeSize: 133120
InitializedDataSize: 180224
UninitializedDataSize: -
EntryPoint: 0x8808
OSVersion: 5.2
ImageVersion: -
SubsystemVersion: 5.2
Subsystem: Windows GUI
No data.
Total processes: 135
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Nodes: start, wspam1.1.exe (THREAT), wspam1.1.exe (no specs), slui.exe

Process information

PID: 4468
CMD: "C:\Users\admin\Desktop\wSpam1.1.exe"
Path: C:\Users\admin\Desktop\wSpam1.1.exe
Parent process: wSpam1.1.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\wspam1.1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

PID: 5696
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 6872
CMD: "C:\Users\admin\Desktop\wSpam1.1.exe"
Path: C:\Users\admin\Desktop\wSpam1.1.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\desktop\wspam1.1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events: 3 811
Read events: 3 811
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 43
Suspicious files: 5
Text files: 915
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6872 | wSpam1.1.exe | C:\Users\admin\AppData\Local\Temp\_MEI68722\PIL\_webp.cp39-win_amd64.pyd | executable
MD5: D3727DAAA57A89A271B4C1F98F2FB52B
SHA256: 7037B1F581796D9F44319BA8D25DAB598E0D87EB5B6E34ADF37E02456599948F
6872 | wSpam1.1.exe | C:\Users\admin\AppData\Local\Temp\_MEI68722\_elementtree.pyd | executable
MD5: 048EA61F0C0F7FD42DFE8CA3203D5E99
SHA256: 9B9ABF5672BEC167B854A106EB25701433B34A0C877ED5E363202247E5BADA58
6872 | wSpam1.1.exe | C:\Users\admin\AppData\Local\Temp\_MEI68722\_ctypes.pyd | executable
MD5: 29DA9B022C16DA461392795951CE32D9
SHA256: 3B4012343EF7A266DB0B077BBB239833779192840D1E2C43DFCBC48FFD4C5372
6872 | wSpam1.1.exe | C:\Users\admin\AppData\Local\Temp\_MEI68722\libopenblas.QVLO2T66WEPI7JZ63PS3HMOHFEY472BC.gfortran-win_amd64.dll |
MD5:
SHA256:
6872 | wSpam1.1.exe | C:\Users\admin\AppData\Local\Temp\_MEI68722\_lzma.pyd | executable
MD5: B5355DD319FB3C122BB7BF4598AD7570
SHA256: B9BC7F1D8AA8498CB8B5DC75BB0DBB6E721B48953A3F295870938B27267FB5F5
6872 | wSpam1.1.exe | C:\Users\admin\AppData\Local\Temp\_MEI68722\_overlapped.pyd | executable
MD5: BF495600C3D758141BED531FAABF2A4F
SHA256: AF74C3FC4BC87E1ED70E11A700A073DF77C4C891B6FAD17A9F019DF0D32C18FC
6872 | wSpam1.1.exe | C:\Users\admin\AppData\Local\Temp\_MEI68722\_queue.pyd | executable
MD5: 4AB2CEB88276EBA7E41628387EACB41E
SHA256: D82AB111224C54BAB3EEFDCFEB3BA406D74D2884518C5A2E9174E5C6101BD839
6872 | wSpam1.1.exe | C:\Users\admin\AppData\Local\Temp\_MEI68722\_hashlib.pyd | executable
MD5: F377A418ADDEEB02F223F45F6F168FE6
SHA256: 9551431425E9680660C6BAF7B67A262040FD2EFCEB241E4C9430560C3C1FAFAC
6872 | wSpam1.1.exe | C:\Users\admin\AppData\Local\Temp\_MEI68722\_bz2.pyd | executable
MD5: 6C7565C1EFFFE44CB0616F5B34FAA628
SHA256: FE63361F6C439C6AA26FD795AF3FD805FF5B60B3B14F9B8C60C50A8F3449060A
6872 | wSpam1.1.exe | C:\Users\admin\AppData\Local\Temp\_MEI68722\_multiprocessing.pyd | executable
MD5: E06C0C8EC05EADBEECB3083F8EC26BE6
SHA256: 91ADAC3AF53EEDB4508F554E48DFEE6E17252C28B017534124B43DF856EA84EF
HTTP(S) requests: 3
TCP/UDP connections: 22
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
| | POST | | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | | |
| | POST | 200 | 13.89.178.26:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b |
| | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b |

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3392 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
6012 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6012 | MoUsoCoreWorker.exe | 131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
6012 | MoUsoCoreWorker.exe | 184.86.251.4:443 | www.bing.com | Akamai International B.V. | DE | unknown
6716 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1340 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1340 | RUXIMICS.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3952 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 4.231.128.59, 51.104.136.2 | whitelisted
t-ring-fdv2.msedge.net | 13.107.237.254 | unknown
a-ring-fallback.msedge.net | 131.253.33.254 | unknown
www.bing.com | 184.86.251.4, 184.86.251.21, 184.86.251.27, 184.86.251.13, 184.86.251.22, 184.86.251.17, 184.86.251.19, 184.86.251.9, 184.86.251.7 | whitelisted
google.com | 142.250.181.238 | whitelisted
self.events.data.microsoft.com | 20.189.173.16 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info