| File name: | 4b1938ff9c0ba790f1c69edeb0810ec4d50c82dd067e36ade530923ac9671766 |
| Full analysis: | https://app.any.run/tasks/d270b6c4-76a8-47b3-94aa-2d1b4854d47b |
| Verdict: | Malicious activity |
| Threats: | A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. |
| Analysis date: | March 24, 2025, 12:21:38 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections |
| MD5: | 878C87D62B21F7CBD6C4C00294856427 |
| SHA1: | DFBE6431476F0C85A7EE4308DA0B023A6CFDF963 |
| SHA256: | 4B1938FF9C0BA790F1C69EDEB0810EC4D50C82DD067E36ADE530923AC9671766 |
| SSDEEP: | 6144:GH6XcTuXVf+Zta6g6XxYg5xAcTciQc1FvV:o6usIZta6g6XxYg5nT9t1FvV |
MALICIOUS
Executing a file with an untrusted certificate
- 4b1938ff9c0ba790f1c69edeb0810ec4d50c82dd067e36ade530923ac9671766.exe (PID: 5528)
FLOXIF has been detected (YARA)
- 4b1938ff9c0ba790f1c69edeb0810ec4d50c82dd067e36ade530923ac9671766.exe (PID: 5528)
SUSPICIOUS
Process drops legitimate windows executable
- 4b1938ff9c0ba790f1c69edeb0810ec4d50c82dd067e36ade530923ac9671766.exe (PID: 5528)
Starts a Microsoft application from unusual location
- 4b1938ff9c0ba790f1c69edeb0810ec4d50c82dd067e36ade530923ac9671766.exe (PID: 5528)
INFO
Reads the software policy settings
- slui.exe (PID: 4980)
The sample compiled with english language support
- 4b1938ff9c0ba790f1c69edeb0810ec4d50c82dd067e36ade530923ac9671766.exe (PID: 5528)
Checks proxy server information
- slui.exe (PID: 4980)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:03:21 21:25:50+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.31 |
| CodeSize: | 89600 |
| InitializedDataSize: | 108544 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xb7c0 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.3.185.27 |
| ProductVersionNumber: | 1.3.185.27 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Dynamic link library |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Microsoft Corporation |
| FileDescription: | Microsoft Edge Update |
| FileVersion: | 1.3.185.27 |
| InternalName: | Microsoft Edge Update |
| LegalCopyright: | Copyright Microsoft Corporation |
| OriginalFileName: | msedgeupdate.dll |
| ProductName: | Microsoft Edge Update |
| ProductVersion: | 1.3.185.27 |
| LanguageId: | userdefault |
| UpstreamVersion: | 1.3.99.0 |
Total processes
126
Monitored processes
2
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 4980 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5528 | "C:\Users\admin\Desktop\4b1938ff9c0ba790f1c69edeb0810ec4d50c82dd067e36ade530923ac9671766.exe" | C:\Users\admin\Desktop\4b1938ff9c0ba790f1c69edeb0810ec4d50c82dd067e36ade530923ac9671766.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Update Exit code: 3221225534 Version: 1.3.185.27 Modules
| |||||||||||||||
Total events
3 358
Read events
3 358
Write events
0
Delete events
0
Modification events
Executable files
0
Suspicious files
0
Text files
0
Unknown types
0
Dropped files
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
20
DNS requests
3
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3020 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4980 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |