| File name: | 4e97a2e80de2c1b4f3e228d97e0875ee3a8c806aa8578201559466aa5708b0de.exe |
|---|---|
| Full analysis: | https://app.any.run/tasks/255d6285-99af-47fa-aeea-dc8ee2c0a979 |
| Verdict: | Malicious activity |
| Analysis date: | February 15, 2025, 23:43:59 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | AE6330D29B5B2B867AEB2FB6B1F1605B |
| SHA1: | 689651BBCF762EB25624F2D71389724C69C4FB5E |
| SHA256: | 4E97A2E80DE2C1B4F3E228D97E0875EE3A8C806AA8578201559466AA5708B0DE |
| SSDEEP: | 768:vXvEV9LcQm/JQe7laODTbiasD6h5Nz5/8cLcxb5YCgEGInKR2S/:v0kiepdDSasufb0cIGCgtIKl/ |
| .exe | Win64 Executable (generic) (76.4) |
|---|---|
| .exe | Win32 Executable (generic) (12.4) |
| .exe | Generic Win/DOS Executable (5.5) |
| .exe | DOS Executable Generic (5.5) |
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2003:08:06 18:34:23+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 7.1 |
| CodeSize: | 61440 |
| InitializedDataSize: | 20480 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x15001 |
| OSVersion: | 4 |
| ImageVersion: | 10 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 4704 | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "9995F17E-F5DA-43CA-9082-4A5DF2A21F66" "5AD82739-B01F-49EF-9E97-6AA33A6C9E4D" "6712" | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe | — | WINWORD.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.; Version: 0.12.2.0 |
| 6276 | "C:\Users\admin\Desktop\4e97a2e80de2c1b4f3e228d97e0875ee3a8c806aa8578201559466aa5708b0de.exe" | C:\Users\admin\Desktop\4e97a2e80de2c1b4f3e228d97e0875ee3a8c806aa8578201559466aa5708b0de.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Office Word; Exit code: 0; Version: 11.0.5604 |
| 6304 | C:\recycled\SVCHOST.EXE :agent | C:\Recycled\SVCHOST.EXE | | 4e97a2e80de2c1b4f3e228d97e0875ee3a8c806aa8578201559466aa5708b0de.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Office Word; Version: 11.0.5604 |
| 6336 | C:\recycled\SVCHOST.EXE :agent | C:\Recycled\SVCHOST.EXE | — | SVCHOST.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Office Word; Exit code: 0; Version: 11.0.5604 |
| 6356 | C:\recycled\SPOOLSV.EXE :agent | C:\Recycled\SPOOLSV.EXE | | SVCHOST.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Office Word; Version: 11.0.5604 |
| 6392 | C:\recycled\SVCHOST.EXE :agent | C:\Recycled\SVCHOST.EXE | — | SPOOLSV.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Office Word; Exit code: 0; Version: 11.0.5604 |
| 6412 | C:\recycled\SPOOLSV.EXE :agent | C:\Recycled\SPOOLSV.EXE | — | SPOOLSV.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Office Word; Exit code: 0; Version: 11.0.5604 |
| 6436 | C:\recycled\CTFMON.EXE :agent | C:\Recycled\CTFMON.EXE | | SPOOLSV.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Office Word; Version: 11.0.5604 |
| 6512 | C:\recycled\SVCHOST.EXE :agent | C:\Recycled\SVCHOST.EXE | — | CTFMON.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Office Word; Exit code: 0; Version: 11.0.5604 |
| 6532 | C:\recycled\SPOOLSV.EXE :agent | C:\Recycled\SPOOLSV.EXE | — | CTFMON.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft Office Word; Exit code: 0; Version: 11.0.5604 |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 6436 | CTFMON.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config\command | delete key | (default) | |
| 6436 | CTFMON.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config | delete key | (default) | |
| 6436 | CTFMON.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command | delete key | (default) | |
| 6436 | CTFMON.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install | delete key | (default) | |
| 6356 | SPOOLSV.EXE | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | write | Shell | Explorer.exe "C:\recycled\SVCHOST.exe" |
| 6356 | SPOOLSV.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt | write | UncheckedValue | 1 |
| 6356 | SPOOLSV.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt | write | CheckedValue | 1 |
| 6356 | SPOOLSV.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden | write | CheckedValue | 0 |
| 6356 | SPOOLSV.EXE | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden | write | UncheckedValue | 0 |
| 6304 | SVCHOST.EXE | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon | write | Shell | Explorer.exe "C:\recycled\SVCHOST.exe" |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 6276 | 4e97a2e80de2c1b4f3e228d97e0875ee3a8c806aa8578201559466aa5708b0de.exe | C:\Users\admin\AppData\Local\Temp\Flu Burung.txt | text | 1A1DCE35D60D2C70CA8894954FD5D384 | 2661C05273F33EFA4B7FAA6ED8A6F7E69A13AD86077F69EE285ECE9CBA57E44C |
| 6412 | SPOOLSV.EXE | C:\Users\admin\AppData\Local\Temp\~DF62FACBBE3B380F12.TMP | binary | 0FEC9D9A6C0BC24C2075585B1EFBD08C | DF3A5F8922CCBD9AF75F703B7A6861FE849CBAC4A8B609E35EBEAD67D03E98AB |
| 6276 | 4e97a2e80de2c1b4f3e228d97e0875ee3a8c806aa8578201559466aa5708b0de.exe | C:\Recycled\desktop.ini | text | AD0B0B4416F06AF436328A3C12DC491B | 23521DE51CA1DB2BC7B18E41DE7693542235284667BF85F6C31902547A947416 |
| 6588 | CTFMON.EXE | C:\Users\admin\AppData\Local\Temp\~DF70D91ABD2E688AF6.TMP | binary | A616A71E18489A8A2B479FB200081B66 | 18453F69622430AE42F0CE4BE1E9BF59DB9E06905C767DC0262B2F100EB1E088 |
| 6436 | CTFMON.EXE | C:\Users\admin\AppData\Local\Temp\~DF91550FECF4EDCEDF.TMP | binary | 2FDBD377FC0E48CBD20B09A84965E895 | E2688121783DE54C127C72FC602045E5EEB4633966B3F5397E076B938B021968 |
| 6608 | SPOOLSV.EXE | C:\Users\admin\AppData\Local\Temp\~DFC87E519EF9538F43.TMP | binary | E54E38270FC08FB97FF67EB4192017BE | 8EE68AE1446DD0B81FDD11BDD32F8F4DE82602175B8172CBFCE27E31C52B9B52 |
| 6632 | CTFMON.EXE | C:\Users\admin\AppData\Local\Temp\~DF20AFE871D762B515.TMP | binary | 26496B14D73ABB098B4370B8ACBD2FE7 | E7F2D0A4A86BF20D9D9CD3DB2EC5FBABBC304EBA79345A160BA7BBAB7DECF53E |
| 6276 | 4e97a2e80de2c1b4f3e228d97e0875ee3a8c806aa8578201559466aa5708b0de.exe | C:\Users\admin\AppData\Local\Temp\~DF0377361997D261D7.TMP | binary | A10CAC18FF1FF3C18CC79B6CD7897005 | EB43DF83DF36AC724A0C6A4B9EDB0007DBD534B4E481696F6E84A6E4772885DC |
| 6532 | SPOOLSV.EXE | C:\Users\admin\AppData\Local\Temp\~DF25299851694A1C79.TMP | binary | C8947D86814EBA94B94643933321ED5E | 5DB0136A396C329F7221A969603C78F8ADCD05AB34997B3A24CBCD7EF4C5A637 |
| 6276 | 4e97a2e80de2c1b4f3e228d97e0875ee3a8c806aa8578201559466aa5708b0de.exe | C:\Recycled\SVCHOST.EXE | executable | D8F668463C4A4918F412F395DEE88A96 | 565F1E1FE25FE8B1A8DA959312EECFD4468F5E0E21D68CAA3EBA389683F3151A |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2164 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 1344 | RUXIMICS.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| 2164 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 1344 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| 4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| — | — | GET | 200 | 52.109.76.240:443 | https://officeclient.microsoft.com/config16/?lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3 | unknown | xml | 179 Kb | whitelisted |
| — | — | POST | 200 | 20.189.173.7:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | whitelisted |
| — | — | GET | 200 | 52.123.128.14:443 | https://ecs.office.com/config/v2/Office/word/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=word&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=winword.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7bD5580111-CE05-4F0D-B595-A520C3034BEC%7d&LabMachine=false | unknown | binary | 396 Kb | whitelisted |
| — | — | GET | 200 | 23.50.131.87:443 | https://omex.cdn.office.net/addinclassifier/officesharedentities | unknown | text | 314 Kb | whitelisted |
| — | — | GET | 200 | 184.24.77.20:443 | https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851218.cab | unknown | compressed | 31.0 Kb | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 2164 | svchost.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| — | — | 104.126.37.129:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
| 1344 | RUXIMICS.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 2164 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 6712 | WINWORD.EXE | 52.109.32.97:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted |
| 1344 | RUXIMICS.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
| 2164 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| www.bing.com | | whitelisted |
| google.com | | whitelisted |
| crl.microsoft.com | | whitelisted |
| officeclient.microsoft.com | | whitelisted |
| www.microsoft.com | | whitelisted |
| ecs.office.com | | whitelisted |
| omex.cdn.office.net | | whitelisted |
| settings-win.data.microsoft.com | | whitelisted |
| messaging.lifecycle.office.com | | whitelisted |
| self.events.data.microsoft.com | | whitelisted |
| Process | Message |
|---|---|
| WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation. |
| WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation. |
| WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation. |