Malware analysis SirHurt V5.rar Malicious activity | ANY.RUN

Add for printing

File name:	SirHurt V5.rar
Full analysis:	https://app.any.run/tasks/70a6c58d-b6d2-46a3-9cfd-e75e4e889802
Verdict:	Malicious activity
Analysis date:	January 30, 2025, 01:06:04
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	arch-exec arch-doc opendir
Indicators:
MIME:	application/x-rar
File info:	RAR archive data, v5
MD5:	5E5C8624B24808787BF0CDA399AFC608
SHA1:	C73C48D40C7BD2349CE72B3A99C6D697DD2078E7
SHA256:	59D4C0C86AB83476AAAFFAB20C1CC684394BE3B09424885A65B33DFF57346A30
SSDEEP:	98304:XVAFfjiC3NwIlu6SJyRLNdafiW86KgB0VfDqfJgL1M6lVrj0PvLGlftjiP9xykFF:3KuoIS69mLpAtqB+0EutGYcwBkT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Generic archive extractor
  - WinRAR.exe (PID: 4724)
SUSPICIOUS
- Reads the BIOS version
  - sirhurt.exe (PID: 1580)
  - sirhurt.exe (PID: 2940)
  - sirhurt.exe (PID: 4308)
- Executable content was dropped or overwritten
  - sirhurt.exe (PID: 1580)
- Process drops legitimate windows executable
  - sirhurt.exe (PID: 1580)
- Hides command output
  - cmd.exe (PID: 2940)
  - cmd.exe (PID: 2512)
  - cmd.exe (PID: 6196)
- Executing commands from a ".bat" file
  - sirhurt.exe (PID: 1580)
  - sirhurt.exe (PID: 2940)
  - sirhurt.exe (PID: 4308)
- Starts CMD.EXE for commands execution
  - sirhurt.exe (PID: 1580)
  - sirhurt.exe (PID: 2940)
  - sirhurt.exe (PID: 4308)
- Uses REG/REGEDIT.EXE to modify registry
  - cmd.exe (PID: 2940)
  - sirhurt.exe (PID: 1580)
  - cmd.exe (PID: 2512)
  - cmd.exe (PID: 6196)
  - sirhurt.exe (PID: 2940)
- Adds/modifies Windows certificates
  - regedit.exe (PID: 556)
  - regedit.exe (PID: 6304)
- Changes settings of the software policy
  - regedit.exe (PID: 556)
  - regedit.exe (PID: 6304)
- Reads security settings of Internet Explorer
  - ShellExperienceHost.exe (PID: 3664)
INFO
- Manual execution by a user
  - sirhurt.exe (PID: 5300)
  - sirhurt.exe (PID: 1580)
  - sirhurt.exe (PID: 2572)
  - sirhurt.exe (PID: 3260)
  - sirhurt.exe (PID: 2940)
  - sirhurt.exe (PID: 4308)
  - rundll32.exe (PID: 6592)
  - Certmgr.exe (PID: 6648)
  - notepad.exe (PID: 6772)
  - firefox.exe (PID: 6876)
- The sample compiled with english language support
  - WinRAR.exe (PID: 4724)
  - sirhurt.exe (PID: 1580)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 4724)
- Process checks whether UAC notifications are on
  - sirhurt.exe (PID: 1580)
  - sirhurt.exe (PID: 2940)
  - sirhurt.exe (PID: 4308)
- Checks supported languages
  - sirhurt.exe (PID: 1580)
  - mode.com (PID: 3988)
  - sirhurt.exe (PID: 4308)
  - sirhurt.exe (PID: 2940)
  - mode.com (PID: 6148)
  - mode.com (PID: 6248)
  - Certmgr.exe (PID: 6648)
  - ShellExperienceHost.exe (PID: 3664)
- Reads the machine GUID from the registry
  - sirhurt.exe (PID: 1580)
  - sirhurt.exe (PID: 4308)
  - sirhurt.exe (PID: 2940)
- Reads the computer name
  - sirhurt.exe (PID: 1580)
  - sirhurt.exe (PID: 2940)
  - sirhurt.exe (PID: 4308)
  - Certmgr.exe (PID: 6648)
  - ShellExperienceHost.exe (PID: 3664)
- Create files in a temporary directory
  - sirhurt.exe (PID: 1580)
- Creates files in the program directory
  - sirhurt.exe (PID: 1580)
  - dllhost.exe (PID: 5560)
- Starts MODE.COM to configure console settings
  - mode.com (PID: 3988)
  - mode.com (PID: 6148)
  - mode.com (PID: 6248)
- Reads security settings of Internet Explorer
  - rundll32.exe (PID: 6592)
  - notepad.exe (PID: 6772)
  - dllhost.exe (PID: 5560)
  - dllhost.exe (PID: 5828)
- Reads the software policy settings
  - rundll32.exe (PID: 6592)
- Application launched itself
  - firefox.exe (PID: 6896)
  - firefox.exe (PID: 6876)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.rar	\|	RAR compressed archive (v5.0) (61.5)
.rar	\|	RAR compressed archive (gen) (38.4)

EXIF

ZIP

FileVersion:	RAR v5
CompressedSize:	1515037
UncompressedSize:	4970120
OperatingSystem:	Win32
ArchivedFileName:	sirhurt.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

168

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

420

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

sirhurt.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

556

regedit.exe /s "C:\Program Files (x86)\rsTrust\Scripts\CA-INSTALL.reg"

C:\Windows\regedit.exe

—

sirhurt.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Registry Editor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1580

"C:\Users\admin\Desktop\SirHurt V5\sirhurt.exe"

C:\Users\admin\Desktop\SirHurt V5\sirhurt.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\desktop\sirhurt v5\sirhurt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

2424

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

sirhurt.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

2512

cmd.exe /C "C:\Program Files (x86)\rsTrust\Scripts\CA-INSTALL.bat" >nul 2>&1

C:\Windows\System32\cmd.exe

—

sirhurt.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll

2572

"C:\Users\admin\Desktop\SirHurt V5\sirhurt.exe"

C:\Users\admin\Desktop\SirHurt V5\sirhurt.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\desktop\sirhurt v5\sirhurt.exe
c:\windows\system32\ntdll.dll

2940

cmd.exe /C "C:\Program Files (x86)\rsTrust\Scripts\CA-INSTALL.bat" >nul 2>&1

C:\Windows\System32\cmd.exe

—

sirhurt.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\cmdext.dll

2940

"C:\Users\admin\Desktop\SirHurt V5\sirhurt.exe"

C:\Users\admin\Desktop\SirHurt V5\sirhurt.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Exit code:

3221225786

Modules

Images
c:\users\admin\desktop\sirhurt v5\sirhurt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

2976

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4864 -parentBuildID 20240213221259 -sandboxingKind 0 -prefsHandle 4944 -prefMapHandle 4860 -prefsLen 36588 -prefMapSize 244583 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c27ccda4-64b4-4819-b1a3-d7d184ddac8c} 6896 "\\.\pipe\gecko-crash-server-pipe.6896" 2b39636b510 utility

C:\Program Files\Mozilla Firefox\firefox.exe

—

firefox.exe

User:

admin

Company:

Mozilla Corporation

Integrity Level:

MEDIUM

Description:

Firefox

Exit code:

Version:

123.0

Modules

Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\vcruntime140_1.dll

3260

"C:\Users\admin\Desktop\SirHurt V5\sirhurt.exe"

C:\Users\admin\Desktop\SirHurt V5\sirhurt.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

3221226540

Modules

Images
c:\users\admin\desktop\sirhurt v5\sirhurt.exe
c:\windows\system32\ntdll.dll

Add for printing

Total events

22 415

Read events

22 363

Write events

Delete events

Modification events


(PID) Process:	(4724) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(4724) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(4724) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(4724) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\SirHurt V5.rar
(PID) Process:	(4724) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4724) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4724) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4724) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(4724) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	name
Value: 256
(PID) Process:	(4724) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	size
Value: 80

Add for printing

Executable files

Suspicious files

211

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4724	WinRAR.exe	C:\Users\admin\Desktop\SirHurt V5\sirhurt.dll		executable
		MD5:4640394983E2F1E5555A687665D25BC1	SHA256:016CDE43A2FEF967B7E14BBB346A2AF3ADBDC06C972F869B36D037A61470772C
4724	WinRAR.exe	C:\Users\admin\Desktop\SirHurt V5\bootstrapper.exe		executable
		MD5:36080AE944ECC9AC301C128E8CB696A4	SHA256:F8C112998BAE986FDF5DD33CB8FB819F963B50C0F5A3F406F5333B242124793A
4724	WinRAR.exe	C:\Users\admin\Desktop\SirHurt V5\sirhurt.exe		executable
		MD5:FD2EFF183BF443715AED9E08F67B367A	SHA256:397E1422413B38E64BAD8E150A57C923FD49F37B1F6F5A3E4BB1878DCD5F35E2
1580	sirhurt.exe	C:\Users\admin\AppData\Local\Temp\rstrust_temp.zip		compressed
		MD5:E10D9C8A96EC507F2CE6BF74AF9D4D4D	SHA256:3ACF202A25C28FEC3001A3A0E3345121DA75C6D92C4F287B0B0634610FE883F2
1580	sirhurt.exe	C:\Program Files (x86)\rsTrust\Scripts\0-Pikachu_Test_CA_RSA.crt		text
		MD5:C6B82192E9F8FCF65608A1A5640F706B	SHA256:D49701E4F6B57229FE7623A7355EA1B2AC14AD3D5A387D30387A3A82E403553E
4724	WinRAR.exe	C:\Users\admin\Desktop\SirHurt V5\VMProtectSDK64.dll		executable
		MD5:8952450F3D98016016682A6B0B716518	SHA256:A56239B26392A8EC49A47D27B0632B65A3F98A2735BF60DCE66139A71FF804FC
4724	WinRAR.exe	C:\Users\admin\Desktop\SirHurt V5\zip.dll		executable
		MD5:D18F84C69C2931986B3284AC0E0BEE00	SHA256:A7EC733AF1BA0172ED54F9A714C5DC4E6901CC1FD7DC8D3B17D195FACA69C22F
4724	WinRAR.exe	C:\Users\admin\Desktop\SirHurt V5\SirHurt V5.exe		executable
		MD5:6A06AF324DAF89CE137F3959A4C4DA20	SHA256:BA9B5EE8F7DFDEF785D87A9884BED1AB10AEE870E415ED9263454143A227C557
1580	sirhurt.exe	C:\Program Files (x86)\rsTrust\Scripts\2-Pikachu_Time_Sub_CA-G2.crl		text
		MD5:AEE260B1675E4E2C28EAA9D5BA8DAA53	SHA256:7373E065047C75F671FA75BAC5A65E78FAD71ECB59FF2CC7E1DE89D4C7207884
1580	sirhurt.exe	C:\Program Files (x86)\rsTrust\Scripts\0-Pikachu_Test_CA_RSA-G1.crl		text
		MD5:51F968C58DCD358393EA98DE5B0D340E	SHA256:1C83C4B49A985BA87BA0CD1BD0D65DB972F1F3FF5C4772744C16A093F7824EC5

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

107

DNS requests

135

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6896	firefox.exe	POST	200	2.19.120.159:80	http://r10.o.lencr.org/	unknown	—	—	whitelisted
6896	firefox.exe	POST	200	172.217.16.195:80	http://o.pki.goog/wr2	unknown	—	—	whitelisted
6896	firefox.exe	POST	200	172.217.16.195:80	http://o.pki.goog/wr2	unknown	—	—	whitelisted
6896	firefox.exe	POST	200	172.217.16.195:80	http://o.pki.goog/wr2	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	95.101.78.42:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
3416	svchost.exe	GET	200	23.209.214.100:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.209.214.100:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6364	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	95.101.78.42:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
3416	svchost.exe	95.101.78.42:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
4712	MoUsoCoreWorker.exe	23.209.214.100:80	www.microsoft.com	PT. Telekomunikasi Selular	ID	whitelisted
3416	svchost.exe	23.209.214.100:80	www.microsoft.com	PT. Telekomunikasi Selular	ID	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
5064	SearchApp.exe	2.21.65.132:443	www.bing.com	Akamai International B.V.	NL	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	95.101.78.42 95.101.78.32	whitelisted
google.com	142.250.185.78	whitelisted
www.microsoft.com	23.209.214.100 2.23.246.101	whitelisted
settings-win.data.microsoft.com	40.127.240.158 20.73.194.208	whitelisted
www.bing.com	2.21.65.132 2.21.65.154	whitelisted
ocsp.digicert.com	184.30.131.245 2.23.77.188	whitelisted
login.live.com	40.126.31.73 40.126.31.131 40.126.31.67 40.126.31.130 20.190.159.130 20.190.159.71 20.190.159.23 20.190.159.68	whitelisted
go.microsoft.com	184.28.89.167	whitelisted
www.sirhurt.net	104.21.95.242 172.67.149.166	unknown
sirhurt.net	172.67.149.166 104.21.95.242	unknown

Threats

No threats detected

Add for printing

Process	Message
regedit.exe	REGEDIT: CreateFile failed, GetLastError() = 2
regedit.exe	REGEDIT: CreateFile failed, GetLastError() = 2
regedit.exe	REGEDIT: CreateFile failed, GetLastError() = 2

General Info

SirHurt V5.rar

5E5C8624B24808787BF0CDA399AFC608

C73C48D40C7BD2349CE72B3A99C6D697DD2078E7

59D4C0C86AB83476AAAFFAB20C1CC684394BE3B09424885A65B33DFF57346A30

98304:XVAFfjiC3NwIlu6SJyRLNdafiW86KgB0VfDqfJgL1M6lVrj0PvLGlftjiP9xykFF:3KuoIS69mLpAtqB+0EutGYcwBkT

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

SUSPICIOUS

Reads the BIOS version

Executable content was dropped or overwritten

Process drops legitimate windows executable

Hides command output

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Uses REG/REGEDIT.EXE to modify registry

Adds/modifies Windows certificates

Changes settings of the software policy

Reads security settings of Internet Explorer

INFO

Manual execution by a user

The sample compiled with english language support

Executable content was dropped or overwritten

Process checks whether UAC notifications are on

Checks supported languages

Reads the machine GUID from the registry

Reads the computer name

Create files in a temporary directory

Creates files in the program directory

Starts MODE.COM to configure console settings

Reads security settings of Internet Explorer

Reads the software policy settings

Application launched itself

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings