| File name: | cho_mea64.exe |
| Full analysis: | https://app.any.run/tasks/d9643873-767d-4d41-9f4e-4b384dd8dbd5 |
| Verdict: | Malicious activity |
| Analysis date: | November 20, 2024, 19:02:35 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 11 sections |
| MD5: | 044F51347E293AC77DE4CD47BDCCBACF |
| SHA1: | 4C67777228575AC317C62855E6D9DD0A6DA48C2D |
| SHA256: | 4CA9DA66D04A5F68DEB0BAB55ACA5D64B8D8307C58F2943D6A67A3B584855EE2 |
| SSDEEP: | 196608:y4CdRd2dzuq//EggacdhQSqSR3Wvy6wZSMDAEi8RYRs:yB2djchQoR3WvybSMDAi3 |
MALICIOUS
No malicious indicators.SUSPICIOUS
Drops 7-zip archiver for unpacking
- cho_mea64.tmp (PID: 5540)
Executable content was dropped or overwritten
- 20decf5c428.exe (PID: 2940)
- 62b24530.exe (PID: 3692)
- soiucosxz.exe (PID: 2680)
- cho_mea64.tmp (PID: 5540)
- cho_mea64.exe (PID: 644)
Executes as Windows Service
- cmd.exe (PID: 1816)
- soiucosxz.exe (PID: 2876)
- cmd.exe (PID: 2544)
Application launched itself
- soiucosxz.exe (PID: 188)
Starts itself from another location
- soiucosxz.exe (PID: 2876)
Reads the Windows owner or organization settings
- cho_mea64.tmp (PID: 5540)
INFO
Checks supported languages
- cho_mea64.exe (PID: 644)
- cho_mea64.tmp (PID: 5540)
Create files in a temporary directory
- cho_mea64.exe (PID: 644)
- cho_mea64.tmp (PID: 5540)
Reads the computer name
- cho_mea64.exe (PID: 644)
- cho_mea64.tmp (PID: 5540)
Creates files or folders in the user directory
- cho_mea64.tmp (PID: 5540)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (65.1) |
|---|---|---|
| .exe | | | Win32 EXE PECompact compressed (generic) (24.6) |
| .dll | | | Win32 Dynamic Link Library (generic) (3.9) |
| .exe | | | Win32 Executable (generic) (2.6) |
| .exe | | | Win16/32 Executable Delphi generic (1.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:07:12 07:26:53+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 685056 |
| InitializedDataSize: | 141312 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xa83bc |
| OSVersion: | 6.1 |
| ImageVersion: | - |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | |
| FileDescription: | 611641ae7b4c35da Setup |
| FileVersion: | |
| LegalCopyright: | |
| OriginalFileName: | |
| ProductName: | 611641ae7b4c35da |
| ProductVersion: | 6.686.144.329 |
Total processes
135
Monitored processes
19
Malicious processes
1
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 188 | "C:\WINDOWS\pV9DOzcJdPDL\app-0.89.2\app-0.89.2\soiucosxz.exe" | C:\Windows\pV9DOzcJdPDL\app-0.89.2\app-0.89.2\soiucosxz.exe | — | soiucosxz.exe | |||||||||||
User: SYSTEM Company: Duality Software Integrity Level: SYSTEM Description: DS Clock Version: 5.1.2.0 Modules
| |||||||||||||||
| 492 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | 20decf5c428.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 644 | "C:\Users\admin\Desktop\cho_mea64.exe" | C:\Users\admin\Desktop\cho_mea64.exe | explorer.exe | ||||||||||||
User: admin Company: Integrity Level: HIGH Description: 611641ae7b4c35da Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 1816 | cmd /c start "" "C:\WINDOWS\pV9DOzcJdPDL\app-0.89.2\app-0.89.2\soiucosxz.exe" 6c376dd8a 5664 "C:\Users\admin\AppData\Local\Temp\is-0RUGB.tmp\..\1721925263562869079834313\" | C:\Windows\System32\cmd.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2544 | cmd /c start "" "C:\Users\admin\AppData\Local\Temp\is-0RUGB.tmp\..\1721925263562869079834313\soiucosxz.exe" 3aede031690535070f390095f2d2 5664 "C:\Users\admin\AppData\Local\Temp\is-0RUGB.tmp\..\1721925263562869079834313\" | C:\Windows\System32\cmd.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2680 | "C:\Users\admin\AppData\Local\Temp\is-0RUGB.tmp\..\1721925263562869079834313\soiucosxz.exe" 3aede031690535070f390095f2d2 5664 "C:\Users\admin\AppData\Local\Temp\is-0RUGB.tmp\..\1721925263562869079834313\" | C:\Users\admin\AppData\Local\Temp\1721925263562869079834313\soiucosxz.exe | cmd.exe | ||||||||||||
User: SYSTEM Company: Duality Software Integrity Level: SYSTEM Description: DS Clock Exit code: 0 Version: 5.1.2.0 Modules
| |||||||||||||||
| 2768 | "C:\Users\admin\Desktop\cho_mea64.exe" | C:\Users\admin\Desktop\cho_mea64.exe | — | explorer.exe | |||||||||||
User: admin Company: Integrity Level: MEDIUM Description: 611641ae7b4c35da Setup Exit code: 3221226540 Version: Modules
| |||||||||||||||
| 2876 | "C:\WINDOWS\pV9DOzcJdPDL\soiucosxz.exe" | C:\Windows\pV9DOzcJdPDL\soiucosxz.exe | — | services.exe | |||||||||||
User: SYSTEM Company: KOOK Integrity Level: SYSTEM Description: KOOK Exit code: 0 Version: 0.89.2 Modules
| |||||||||||||||
| 2940 | "C:\Users\admin\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe" -pc0873f648e06c724 -y -o"C:\Users\admin\AppData\Local\Temp\is-0RUGB.tmp\..\1721925263562869079834313\" | C:\Users\admin\AppData\Roaming\611641ae7b4c35da\20decf5c428.exe | cho_mea64.tmp | ||||||||||||
User: admin Company: Igor Pavlov Integrity Level: HIGH Description: 7z Console SFX Exit code: 0 Version: 24.08 Modules
| |||||||||||||||
| 3692 | "C:\Users\admin\AppData\Roaming\611641ae7b4c35da\62b24530.exe" -p7fe04917 -y -o"C:\Users\admin\AppData\Local\Temp\is-0RUGB.tmp\..\1721925263562869079834313\" | C:\Users\admin\AppData\Roaming\611641ae7b4c35da\62b24530.exe | cho_mea64.tmp | ||||||||||||
User: admin Company: Igor Pavlov Integrity Level: HIGH Description: 7z Console SFX Exit code: 0 Version: 24.08 Modules
| |||||||||||||||
Total events
1 678
Read events
1 678
Write events
0
Delete events
0
Modification events
Executable files
16
Suspicious files
4
Text files
2
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3692 | 62b24530.exe | C:\Users\admin\AppData\Local\Temp\1721925263562869079834313\8FF3EF380313034D8D84BAF59.cat | — | |
MD5:— | SHA256:— | |||
| 2680 | soiucosxz.exe | C:\Windows\pV9DOzcJdPDL\app-0.89.2\app-0.89.2\8FF3EF380313034D8D84BAF59.cat | — | |
MD5:— | SHA256:— | |||
| 5540 | cho_mea64.tmp | C:\Users\admin\AppData\Roaming\611641ae7b4c35da\is-LJQ28.tmp | executable | |
MD5:545274EA5D70FF8BEB929CDA02BE53DE | SHA256:480C2895CAEE1029ED1160B69C68CA2838CA4FE113466D84DC8064AD28C012C2 | |||
| 5540 | cho_mea64.tmp | C:\Users\admin\AppData\Local\Temp\is-0RUGB.tmp\_isetup\_setup64.tmp | executable | |
MD5:E4211D6D009757C078A9FAC7FF4F03D4 | SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95 | |||
| 5540 | cho_mea64.tmp | C:\Users\admin\AppData\Local\Temp\is-0RUGB.tmp\_isetup\_isdecmp.dll | executable | |
MD5:C6AE924AD02500284F7E4EFA11FA7CFC | SHA256:31D04C1E4BFDFA34704C142FA98F80C0A3076E4B312D6ADA57C4BE9D9C7DCF26 | |||
| 5540 | cho_mea64.tmp | C:\Users\admin\AppData\Roaming\611641ae7b4c35da\is-JIQRG.tmp | image | |
MD5:00A5C7EA56A5721D89CBF2A9CD387693 | SHA256:FD31FFC3ECD2B2A4BA39E8C49597EBE9E5EB8D6AE5C8A28B9DC1A5B1DE696D71 | |||
| 5540 | cho_mea64.tmp | C:\Users\admin\AppData\Roaming\611641ae7b4c35da\is-AD1QO.tmp | executable | |
MD5:CB8267B4B34F49626EAF67B562DC4C87 | SHA256:FA7FE6C1DEC39E41F15135ABB057AAA81D8C8AEEE56DFFDA46ABD2C0D9269643 | |||
| 5540 | cho_mea64.tmp | C:\Users\admin\AppData\Roaming\611641ae7b4c35da\62b24530.exe | executable | |
MD5:CB8267B4B34F49626EAF67B562DC4C87 | SHA256:FA7FE6C1DEC39E41F15135ABB057AAA81D8C8AEEE56DFFDA46ABD2C0D9269643 | |||
| 3692 | 62b24530.exe | C:\Users\admin\AppData\Local\Temp\1721925263562869079834313\zlibwapi.dll | executable | |
MD5:4D05D940FA3851C6322F11463F76FB85 | SHA256:01F062FA5F11AEBF8C2CD57FC148C3B4B1A64E97DCF68194C0545361973D6E94 | |||
| 5540 | cho_mea64.tmp | C:\Users\admin\AppData\Roaming\611641ae7b4c35da\b2b01.ico | image | |
MD5:00A5C7EA56A5721D89CBF2A9CD387693 | SHA256:FD31FFC3ECD2B2A4BA39E8C49597EBE9E5EB8D6AE5C8A28B9DC1A5B1DE696D71 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
22
DNS requests
9
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5100 | RUXIMICS.exe | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4932 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4932 | svchost.exe | GET | 200 | 23.48.23.166:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5100 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 204 | 23.212.110.170:443 | https://www.bing.com/threshold/xls.aspx | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
5100 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4932 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4932 | svchost.exe | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5100 | RUXIMICS.exe | 23.48.23.166:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4932 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
boss.google.tw.cn |
| unknown |
self.events.data.microsoft.com |
| whitelisted |