File name: 550c6315dff85c84ca551e9c4880526f3bf436917ccfa238cf848e8f70e3bd12

Full analysis: https://app.any.run/tasks/6868c9f2-30eb-4307-97a8-5e8900ddf370
Verdict: Malicious activity
Analysis date: December 13, 2024, 20:30:52
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 2 sections
MD5: 64FE7F4A0BCD9FA4B00C2D26171F9525
SHA1: 8423B0333775CC752F35DF50CE7F1178A34037DD
SHA256: 550C6315DFF85C84CA551E9C4880526F3BF436917CCFA238CF848E8F70E3BD12
SSDEEP: 49152:J++ddAKY5uswTclyLenEtdjUhl0DUDCnhm2my/c94GNzHUcrWjAcDgLxLgzL:JXix5wGG+EtdIhl0DUp94Lef

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts CMD.EXE for self-deleting

      • 550c6315dff85c84ca551e9c4880526f3bf436917ccfa238cf848e8f70e3bd12.exe (PID: 6560)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • 550c6315dff85c84ca551e9c4880526f3bf436917ccfa238cf848e8f70e3bd12.exe (PID: 6560)
    • Executes as Windows Service

      • Gwxph.exe (PID: 6580)
    • Hides command output

      • cmd.exe (PID: 6604)
    • Executable content was dropped or overwritten

      • 550c6315dff85c84ca551e9c4880526f3bf436917ccfa238cf848e8f70e3bd12.exe (PID: 6560)
      • Gwxph.exe (PID: 6616)
    • Drops a system driver (possible attempt to evade defenses)

      • Gwxph.exe (PID: 6616)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 6604)
    • Creates files in the driver directory

      • Gwxph.exe (PID: 6616)
    • Creates or modifies Windows services

      • Gwxph.exe (PID: 6616)
    • Application launched itself

      • Gwxph.exe (PID: 6580)
    • Reads security settings of Internet Explorer

      • Gwxph.exe (PID: 6616)
    • Connects to unusual port

      • Gwxph.exe (PID: 6616)
  • INFO

    • Reads the computer name

      • 550c6315dff85c84ca551e9c4880526f3bf436917ccfa238cf848e8f70e3bd12.exe (PID: 6560)
      • Gwxph.exe (PID: 6580)
      • Gwxph.exe (PID: 6616)
    • Checks supported languages

      • 550c6315dff85c84ca551e9c4880526f3bf436917ccfa238cf848e8f70e3bd12.exe (PID: 6560)
      • Gwxph.exe (PID: 6580)
      • Gwxph.exe (PID: 6616)
    • Reads CPU info

      • Gwxph.exe (PID: 6616)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (43.5)
.exe | Win32 Executable (generic) (29.8)
.exe | Generic Win/DOS Executable (13.2)
.exe | DOS Executable Generic (13.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:08:06 16:38:04+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: -
InitializedDataSize: 1312256
UninitializedDataSize: -
EntryPoint: 0x137cc9
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Screenshots: all screenshots are available in the full report.

Total processes: 124
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 1

Behavior graph (interactive graph available in the full report). Processes shown: start, 550c6315dff85c84ca551e9c4880526f3bf436917ccfa238cf848e8f70e3bd12.exe, 550c6315dff85c84ca551e9c4880526f3bf436917ccfa238cf848e8f70e3bd12.exe, gwxph.exe, cmd.exe, gwxph.exe, conhost.exe, ping.exe

Process information

PID: 6412
CMD: "C:\Users\admin\Desktop\550c6315dff85c84ca551e9c4880526f3bf436917ccfa238cf848e8f70e3bd12.exe"
Path: C:\Users\admin\Desktop\550c6315dff85c84ca551e9c4880526f3bf436917ccfa238cf848e8f70e3bd12.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (Images):
c:\users\admin\desktop\550c6315dff85c84ca551e9c4880526f3bf436917ccfa238cf848e8f70e3bd12.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 6560
CMD: "C:\Users\admin\Desktop\550c6315dff85c84ca551e9c4880526f3bf436917ccfa238cf848e8f70e3bd12.exe"
Path: C:\Users\admin\Desktop\550c6315dff85c84ca551e9c4880526f3bf436917ccfa238cf848e8f70e3bd12.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (Images):
c:\users\admin\desktop\550c6315dff85c84ca551e9c4880526f3bf436917ccfa238cf848e8f70e3bd12.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 6580
CMD: C:\WINDOWS\SysWOW64\Gwxph.exe -auto
Path: C:\Windows\SysWOW64\Gwxph.exe
Parent process: services.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Modules (Images):
c:\windows\syswow64\gwxph.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

PID: 6604
CMD: C:\WINDOWS\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\admin\Desktop\550C63~1.EXE > nul
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 550c6315dff85c84ca551e9c4880526f3bf436917ccfa238cf848e8f70e3bd12.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

PID: 6616
CMD: C:\WINDOWS\SysWOW64\Gwxph.exe -acsi
Path: C:\Windows\SysWOW64\Gwxph.exe
Parent process: Gwxph.exe
User: SYSTEM
Integrity Level: SYSTEM
Modules (Images):
c:\windows\syswow64\gwxph.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll

PID: 6628
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6712
CMD: ping -n 2 127.0.0.1
Path: C:\Windows\SysWOW64\PING.EXE
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: TCP/IP Ping Command
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\syswow64\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
Total events: 955
Read events: 940
Write events: 15
Delete events: 0

Modification events

(PID) Process: (6560) 550c6315dff85c84ca551e9c4880526f3bf436917ccfa238cf848e8f70e3bd12.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Select
Operation: write | Name: MarkTime | Value: 2024-12-13 20:31

(PID) Process: (6616) Gwxph.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\QAssist
Operation: write | Name: Type | Value: 2
Operation: write | Name: Start | Value: 1
Operation: write | Name: ErrorControl | Value: 0
Operation: write | Name: ImagePath | Value: system32\DRIVERS\QAssist.sys
Operation: write | Name: DisplayName | Value: QAssist
Operation: write | Name: Group | Value: FSFilter Activity Monitor
Operation: write | Name: DependOnService | Value: FltMgr
Operation: write | Name: DebugFlags | Value: 0
Operation: write | Name: SupportedFeatures | Value: 3

Executable files: 2
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID: 6560
Process: 550c6315dff85c84ca551e9c4880526f3bf436917ccfa238cf848e8f70e3bd12.exe
Filename: C:\Windows\SysWOW64\Gwxph.exe
Type: executable
MD5: 64FE7F4A0BCD9FA4B00C2D26171F9525
SHA256: 550C6315DFF85C84CA551E9C4880526F3BF436917CCFA238CF848E8F70E3BD12

PID: 6616
Process: Gwxph.exe
Filename: C:\Windows\System32\drivers\QAssist.sys
Type: executable
MD5: 4E34C068E764AD0FF0CB58BC4F143197
SHA256: 6CCE28B275D5EC20992BB13790976CAF434AB46DDBFD5CFD431D33424943122B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

HTTP(S) requests: 2
TCP/UDP connections: 20
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.37.202.100:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
1016 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
6616 | Gwxph.exe | 123.99.198.201:21553 | diandian1237.e1.luyouxia.net | China Mobile communications corporation | CN | malicious
4712 | MoUsoCoreWorker.exe | 23.32.238.112:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.37.202.100:80 | www.microsoft.com | Linknet-Fastnet ASN | ID | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1016 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 172.217.23.110
whitelisted
diandian1237.e1.luyouxia.net
  • 123.99.198.201
malicious
crl.microsoft.com
  • 23.32.238.112
  • 23.32.238.107
whitelisted
www.microsoft.com
  • 23.37.202.100
whitelisted
self.events.data.microsoft.com
  • 20.42.72.131
whitelisted

Threats

No threats detected
No debug info