| File name: | Client.exe |
| Full analysis: | https://app.any.run/tasks/6dfd82c5-6238-482b-b6d9-1e3a73572a84 |
| Verdict: | Malicious activity |
| Threats: | Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. |
| Analysis date: | October 15, 2024, 14:06:03 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows |
| MD5: | 2D8B62A3C80564246FB137A03C46C695 |
| SHA1: | 6B6ECE02F2023B54377FD84212899384C660FE38 |
| SHA256: | 5BF28BAFFBC63B7FF0DF28A03A7B19687B7D101493361B8007243059DD11FB64 |
| SSDEEP: | 12288:uR3UgfYp/+qHcIqZkZzQ/QoELMkQOSMU8:utUTom/qZkZ4QoELMxbd |
MALICIOUS
Uses Task Scheduler to autorun other applications
- cmd.exe (PID: 920)
SHEETRAT has been detected (SURICATA)
- Client.exe (PID: 4692)
Connects to the CnC server
- Client.exe (PID: 4692)
Uses Task Scheduler to run other applications
- cmd.exe (PID: 7004)
- cmd.exe (PID: 7452)
SUSPICIOUS
Executes as Windows Service
- WmiApSrv.exe (PID: 7076)
Executable content was dropped or overwritten
- Client.exe (PID: 4692)
Application launched itself
- Client.exe (PID: 2692)
Starts CMD.EXE for commands execution
- Client.exe (PID: 4692)
Connects to unusual port
- Client.exe (PID: 4692)
Contacting a server suspected of hosting an CnC
- Client.exe (PID: 4692)
Executes application which crashes
- Client.exe (PID: 4692)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (72.2) |
|---|---|---|
| .scr | | | Windows screen saver (12.9) |
| .dll | | | Win32 Dynamic Link Library (generic) (6.4) |
| .exe | | | Win32 Executable (generic) (4.4) |
| .exe | | | Generic Win/DOS Executable (1.9) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2100:10:13 03:20:15+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32 |
| LinkerVersion: | 48 |
| CodeSize: | 577536 |
| InitializedDataSize: | 2048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x8ef5e |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.21.0.0 |
| ProductVersionNumber: | 3.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | - |
| CompanyName: | Solara |
| FileDescription: | Solara Bootstrapper |
| FileVersion: | 1.21.0.0 |
| InternalName: | Bootstrapper |
| LegalCopyright: | WeAreDews Community |
| LegalTrademarks: | - |
| OriginalFileName: | Bootstrapper |
| ProductName: | Solara |
| ProductVersion: | 3.0.0.0 |
| AssemblyVersion: | 3.0.0.0 |
Total processes
148
Monitored processes
15
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 920 | "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Bloxstrap.exe" /tr "C:\Users\admin\AppData\Local\explorer.exe" & exit | C:\Windows\System32\cmd.exe | Client.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2172 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2420 | SchTaSKs /create /f /sc minute /mo -1 /tn "explorer.exe" /tr "C:\Users\admin\AppData\Local\explorer.exe" /RL HIGHEST | C:\Windows\System32\schtasks.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Task Scheduler Configuration Tool Exit code: 2147500037 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2692 | "C:\Users\admin\Desktop\Client.exe" | C:\Users\admin\Desktop\Client.exe | — | explorer.exe | |||||||||||
User: admin Company: Solara Integrity Level: MEDIUM Description: Solara Bootstrapper Exit code: 0 Version: 1.21.0.0 Modules
| |||||||||||||||
| 4692 | "C:\Users\admin\Desktop\Client.exe" | C:\Users\admin\Desktop\Client.exe | Client.exe | ||||||||||||
User: admin Company: Solara Integrity Level: HIGH Description: Solara Bootstrapper Exit code: 3762504530 Version: 1.21.0.0 Modules
| |||||||||||||||
| 5744 | "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Search application Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5788 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6704 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6756 | SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Bloxstrap.exe" /tr "C:\Users\admin\AppData\Local\explorer.exe" | C:\Windows\System32\schtasks.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7004 | "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "explorer.exe" /tr "C:\Users\admin\AppData\Local\explorer.exe" /RL HIGHEST & exit | C:\Windows\System32\cmd.exe | — | Client.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 2147500037 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
24 392
Read events
24 279
Write events
102
Delete events
11
Modification events
| (PID) Process: | (2692) Client.exe | Key: | HKEY_CURRENT_USER\SOFTWARE |
| Operation: | write | Name: | hwid |
Value: MUFFQ0EyRTVDODhDMzgzNkJFQkZBM0M= | |||
| (PID) Process: | (4692) Client.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\.NET Memory Cache 4.0\Linkage |
| Operation: | write | Name: | Export |
Value: .NET Memory Cache 4.0 | |||
| (PID) Process: | (4692) Client.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 3.0.0.0\Linkage |
| Operation: | write | Name: | Export |
Value: MSDTC Bridge 3.0.0.0 | |||
| (PID) Process: | (4692) Client.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSDTC Bridge 4.0.0.0\Linkage |
| Operation: | write | Name: | Export |
Value: MSDTC Bridge 4.0.0.0 | |||
| (PID) Process: | (4692) Client.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelEndpoint 3.0.0.0\Linkage |
| Operation: | write | Name: | Export |
Value: ServiceModelEndpoint 3.0.0.0 | |||
| (PID) Process: | (4692) Client.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelOperation 3.0.0.0\Linkage |
| Operation: | write | Name: | Export |
Value: ServiceModelOperation 3.0.0.0 | |||
| (PID) Process: | (4692) Client.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\ServiceModelService 3.0.0.0\Linkage |
| Operation: | write | Name: | Export |
Value: ServiceModelService 3.0.0.0 | |||
| (PID) Process: | (4692) Client.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SMSvcHost 3.0.0.0\Linkage |
| Operation: | write | Name: | Export |
Value: SMSvcHost 3.0.0.0 | |||
| (PID) Process: | (4692) Client.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SMSvcHost 4.0.0.0\Linkage |
| Operation: | write | Name: | Export |
Value: SMSvcHost 4.0.0.0 | |||
| (PID) Process: | (4692) Client.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Windows Workflow Foundation 3.0.0.0\Linkage |
| Operation: | write | Name: | Export |
Value: Windows Workflow Foundation 3.0.0.0 | |||
Executable files
6
Suspicious files
11
Text files
29
Unknown types
29
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5744 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133734748215161560.txt~RF99500.TMP | — | |
MD5:— | SHA256:— | |||
| 5744 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c48c214c-6f3d-4b87-9ea8-57525cf4ec37}\0.1.filtertrie.intermediate.txt | text | |
MD5:34BD1DFB9F72CF4F86E6DF6DA0A9E49A | SHA256:8E1E6A3D56796A245D0C7B0849548932FEE803BBDB03F6E289495830E017F14C | |||
| 4692 | Client.exe | C:\Users\admin\AppData\Local\explorer.exe | executable | |
MD5:2D8B62A3C80564246FB137A03C46C695 | SHA256:5BF28BAFFBC63B7FF0DF28A03A7B19687B7D101493361B8007243059DD11FB64 | |||
| 5744 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133734748215161560.txt | text | |
MD5:EBA9D627AEFA0148EA256382E454768F | SHA256:85F02886D53B7427792E54BCEE97D366AD46F78CF90AA25DCC3FAE29ED7FA7F8 | |||
| 5744 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\63\_BjeFNPDJ-N9umMValublyrbq4Y[1].css | text | |
MD5:15DC838A1A66277F9F4D915124DFFBBC | SHA256:9C947D5F732431197DA9DB1F159CB3D4CDC5DBFE55FDC0A9513E571FF31236A1 | |||
| 5744 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c48c214c-6f3d-4b87-9ea8-57525cf4ec37}\0.2.filtertrie.intermediate.txt | text | |
MD5:C204E9FAAF8565AD333828BEFF2D786E | SHA256:D65B6A3BF11A27A1CED1F7E98082246E40CF01289FD47FE4A5ED46C221F2F73F | |||
| 5744 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\63\bBHwcntRZloMEpvbWTbdZICG1aQ[1].css | text | |
MD5:5AC1CE7D977C035B132640DDD3E41842 | SHA256:1846FE0726589F51551E8E53BFC8507AD08E9919037951933D382B834145ECEF | |||
| 5744 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c48c214c-6f3d-4b87-9ea8-57525cf4ec37}\Apps.index | binary | |
MD5:FE9A819377870FA6FDD677E5D3AA1A07 | SHA256:C43D46A72D282151F56E09F15CD47DB4414ECA02B536D41D26D5560AA5ADEC78 | |||
| 5744 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\63\QNBBNqWD9F_Blep-UqQSqnMp-FI[1].css | text | |
MD5:77373397A17BD1987DFCA2E68D022ECF | SHA256:A319AF2E953E7AFDA681B85A62F629A5C37344AF47D2FCD23AB45E1D99497F13 | |||
| 5744 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\63\6aa-EF2IAVwnTTOiwAbhwI_VmCw[1].js | s | |
MD5:B2C3CBF8A1D940D6C83D59A67486675C | SHA256:08EA9109346E9018ED50567503D2C141F7A84CFDE80EB25E97FDDCFE270BAA67 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
41
TCP/UDP connections
51
DNS requests
12
Threats
16
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1252 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1252 | RUXIMICS.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.173:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 92.123.104.32:443 | https://www.bing.com/fd/ls/l?IG=12D4DA20593B441E9948ECCCCB117A2E&Type=Event.ClientInst&DATA=[{%22T%22:%22CI.ClientInst%22,%22FID%22:%22CI%22,%22Name%22:%22max%20errors%20reached%22}] | unknown | — | — | — |
— | — | GET | 200 | 92.123.104.34:443 | https://r.bing.com/rp/-UAIppANYxiGpRWJy2NDph4qOEw.gz.js | unknown | text | 20.3 Kb | whitelisted |
— | — | POST | 204 | 92.123.104.33:443 | https://www.bing.com/threshold/xls.aspx | unknown | — | — | whitelisted |
— | — | GET | 200 | 92.123.104.33:443 | https://r.bing.com/rb/6j/cir3,ortl,cc,nc/bBHwcntRZloMEpvbWTbdZICG1aQ.css?bu=M8IKvArICrwKrAu8CrILvAq8CrwKvQu8CsQLvArKC7wK0Au8CtYLvAraCrwK4Aq8CtQKvAq8CqMLvArvCrwK9Qq8CukKvAr7CoULiAu8CrwKoAuOC7wKlAuXC7wKggy8CtwLvAqwDA&or=w | unknown | text | 441 Kb | whitelisted |
— | — | GET | 200 | 92.123.104.34:443 | https://r.bing.com/rb/1a/cir3,ortl,cc,nc/CYGXBN1kkA_ojDY5vKbCoG4Zy0E.css?bu=C8oJnwPBBKYKiwn1CPsGWlpaWg&or=w | unknown | text | 19.9 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
5488 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 92.123.104.61:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
6944 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1252 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6944 | svchost.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1252 | RUXIMICS.exe | 23.48.23.173:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5488 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
1252 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
cash-hispanic.gl.at.ply.gg |
| unknown |
r.bing.com |
| whitelisted |
raw.githubusercontent.com |
| shared |
watson.events.data.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2172 | svchost.exe | Potentially Bad Traffic | ET INFO playit .gg Tunneling Domain in DNS Lookup |
2172 | svchost.exe | Misc activity | ET INFO Tunneling Service in DNS Lookup (* .ply .gg) |
4692 | Client.exe | Malware Command and Control Activity Detected | REMOTE [ANY.RUN] SheetRat (Ping) |
2172 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |
12 ETPRO signatures available at the full report