Malware analysis 65b6f5d673368591f3e71a1d3eba4794.exe Malicious activity

Add for printing

File name:	65b6f5d673368591f3e71a1d3eba4794.exe
Full analysis:	https://app.any.run/tasks/1bb772a3-6d39-45d5-934f-9865c25a15b9
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Crypto mining malware is a resource-intensive threat that infiltrates computers with the purpose of mining cryptocurrencies. This type of threat can be deployed either on an infected machine or a compromised website. In both cases the miner will utilize the computing power of the device and its network bandwidth. Malware Trends Tracker >>>
Analysis date:	December 07, 2023, 17:04:28
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Tags:	miner phonk loader
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
MD5:	65B6F5D673368591F3E71A1D3EBA4794
SHA1:	C3201A17F96756D54776CE7CC640AFA4A983AB09
SHA256:	5D661F253381BA16FA2A19689385C7DA09621561F2BAD0B805FA4D158AA33DC1
SSDEEP:	98304:H0zetH+s3utP1VlEFH5fZTLB7c4d8f8uIrBil3xz82o7NODsKJWwNUWJVBxn:F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.0.9600.18860 KB4052978
Adobe Acrobat Reader DC MUI (15.007.20033)
Adobe Flash Player 27 ActiveX (27.0.0.187)
Adobe Flash Player 27 NPAPI (27.0.0.187)
Adobe Flash Player 27 PPAPI (27.0.0.187)
CCleaner (5.35)
Google Chrome (109.0.5414.120)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (64-bit) (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft .NET Framework 4.8 (4.8.03761)
Microsoft Edge (109.0.1518.115)
Microsoft Edge Update (1.3.177.11)
Microsoft Office Access MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Access MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Excel MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Groove MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Groove MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Japanese) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office IME (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (French) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (German) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office InfoPath MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Language Pack 2010 - French/Français (14.0.4763.1000)
Microsoft Office Language Pack 2010 - German/Deutsch (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Italian/Italiano (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Japanese/日本語 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Korean/한국어 (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Portuguese/Português (Brasil) (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Russian/русский (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Spanish/Español (14.0.4763.1000)
Microsoft Office Language Pack 2010 - Turkish/Türkçe (14.0.4763.1013)
Microsoft Office O MUI (French) 2010 (14.0.4763.1000)
Microsoft Office O MUI (German) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office O MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Office 32-bit Components 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (French) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (German) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office OneNote MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Outlook MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Outlook MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (French) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (German) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office PowerPoint MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Professional 2010 (14.0.4763.1000)
Microsoft Office Proof (Arabic) 2010 (14.0.4763.1000)
Microsoft Office Proof (Basque) 2010 (14.0.4763.1000)
Microsoft Office Proof (Catalan) 2010 (14.0.4763.1000)
Microsoft Office Proof (Dutch) 2010 (14.0.4763.1000)
Microsoft Office Proof (English) 2010 (14.0.4763.1000)
Microsoft Office Proof (French) 2010 (14.0.4763.1000)
Microsoft Office Proof (Galician) 2010 (14.0.4763.1000)
Microsoft Office Proof (German) 2010 (14.0.4763.1000)
Microsoft Office Proof (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proof (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proof (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proof (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proof (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Proof (Ukrainian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (English) 2010 (14.0.4763.1000)
Microsoft Office Proofing (French) 2010 (14.0.4763.1000)
Microsoft Office Proofing (German) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Italian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Korean) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Russian) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Proofing (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Publisher MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Publisher MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office SharePoint Designer MUI (French) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (German) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office SharePoint Designer MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared 32-bit MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared 32-bit MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Shared MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Single Image 2010 (14.0.4763.1000)
Microsoft Office Word MUI (English) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (French) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (German) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office Word MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Office X MUI (French) 2010 (14.0.4763.1000)
Microsoft Office X MUI (German) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Italian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Japanese) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Korean) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Portuguese (Brazil)) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Russian) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Spanish) 2010 (14.0.4763.1000)
Microsoft Office X MUI (Turkish) 2010 (14.0.4763.1013)
Microsoft Visual C++ 2005 Redistributable (x64) (8.0.61000)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x64 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (11.0.61030.0)
Microsoft Visual C++ 2012 x64 Additional Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2012 x64 Minimum Runtime - 11.0.61030 (11.0.61030)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (115.0.2)
Mozilla Maintenance Service (115.0.2)
Notepad++ (64-bit x64) (7.5.1)
PowerShell 7-x64 (7.2.11.0)
Skype version 8.100 (8.100)
Update for Microsoft .NET Framework 4.8 (KB4503575) (1)
VLC media player (2.2.6)
WinRAR 5.60 (64-bit) (5.60.0)

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - 65b6f5d673368591f3e71a1d3eba4794.exe (PID: 3028)
- Uses Task Scheduler to run other applications
  - CUTE.exe (PID: 1796)
- PHONK has been detected (SURICATA)
  - CUTE.exe (PID: 1796)
- Connects to the CnC server
  - CUTE.exe (PID: 1796)
  - ngen.exe (PID: 952)
- MINER has been detected (SURICATA)
  - ngen.exe (PID: 952)
SUSPICIOUS
- Executing commands from a ".bat" file
  - 65b6f5d673368591f3e71a1d3eba4794.exe (PID: 3028)
- Starts CMD.EXE for commands execution
  - 65b6f5d673368591f3e71a1d3eba4794.exe (PID: 3028)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 1412)
- Reads the Internet Settings
  - CUTE.exe (PID: 1796)
- Connects to the server without a host name
  - CUTE.exe (PID: 1796)
- Reads settings of System Certificates
  - CUTE.exe (PID: 1796)
- Connects to unusual port
  - ngen.exe (PID: 952)
INFO
- Checks supported languages
  - 65b6f5d673368591f3e71a1d3eba4794.exe (PID: 3028)
  - CUTE.exe (PID: 1796)
  - ngen.exe (PID: 952)
- Reads the computer name
  - 65b6f5d673368591f3e71a1d3eba4794.exe (PID: 3028)
  - CUTE.exe (PID: 1796)
  - ngen.exe (PID: 952)
- Creates files in the program directory
  - 65b6f5d673368591f3e71a1d3eba4794.exe (PID: 3028)
  - CUTE.exe (PID: 1796)
- Reads the machine GUID from the registry
  - 65b6f5d673368591f3e71a1d3eba4794.exe (PID: 3028)
  - CUTE.exe (PID: 1796)
- Create files in a temporary directory
  - 65b6f5d673368591f3e71a1d3eba4794.exe (PID: 3028)
  - CUTE.exe (PID: 1796)
- Reads Environment values
  - CUTE.exe (PID: 1796)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (81.9)
.exe	\|	Win16/32 Executable Delphi generic (6.1)
.exe	\|	Generic Win/DOS Executable (5.9)
.exe	\|	DOS Executable Generic (5.9)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2072:10:21 09:49:46+02:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, Large address aware
PEType:	PE32+
LinkerVersion:	48
CodeSize:	3467264
InitializedDataSize:	219136
UninitializedDataSize:	-
EntryPoint:	0x0000
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	8.34.82.0
ProductVersionNumber:	8.34.82.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win16
ObjectFileType:	Dynamic link library
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Windows, Latin1
Comments:	Created by the Productivity Software team
CompanyName:	Logitech, Inc.
FileDescription:	LogiOptions.exe (UNICODE)
FileVersion:	8.34.82
InternalName:	LogiOptions
OriginalFileName:	LogiOptions.exe
LegalCopyright:	(C) 1998-2020 Logitech. All rights reserved.
Copyright:	(C) 1998-2020 Logitech. All rights reserved.
CopyrightYears:	1991-2020
LegalTrademarks:	Logitech® is a registered trademark of Logitech, Inc.
ProductName:	Logitech Options
ProductVersion:	8.34.82

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

332

timeout 3

C:\Windows\System32\timeout.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

timeout - pauses command processing

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ws2_32.dll

952

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe -a rx/0 --url=185.172.128.11:3333 -u TESTTEST -p NEWPROXY -R --variant=-1 --max-cpu-usage=70 --donate-level=1 -opencl

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe

CUTE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Common Language Runtime native compiler

Exit code:

Version:

4.8.3761.0 built by: NET48REL1

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\ngen.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\winnsi.dll

1412

C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tmp4EF0.tmp.bat""

C:\Windows\System32\cmd.exe

—

65b6f5d673368591f3e71a1d3eba4794.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

6.1.7601.17514 (win7sp1_rtm.101119-1850)

Modules

Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

1796

"C:\ProgramData\Mircosolt\CUTE.exe"

C:\ProgramData\Mircosolt\CUTE.exe

cmd.exe

User:

admin

Company:

Logitech, Inc.

Integrity Level:

MEDIUM

Description:

LogiOptions.exe (UNICODE)

Exit code:

Version:

8.34.82

Modules

Images
c:\programdata\mircosolt\cute.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll

2800

"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 3 /tn "CUTE" /tr "C:\ProgramData\Mircosolt\CUTE.exe" /f

C:\Windows\System32\schtasks.exe

—

CUTE.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\ole32.dll

3028

"C:\Users\admin\AppData\Local\Temp\65b6f5d673368591f3e71a1d3eba4794.exe"

C:\Users\admin\AppData\Local\Temp\65b6f5d673368591f3e71a1d3eba4794.exe

—

explorer.exe

User:

admin

Company:

Logitech, Inc.

Integrity Level:

MEDIUM

Description:

LogiOptions.exe (UNICODE)

Exit code:

Version:

8.34.82

Modules

Images
c:\users\admin\appdata\local\temp\65b6f5d673368591f3e71a1d3eba4794.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework64\v4.0.30319\mscoreei.dll

Add for printing

Total events

1 775

Read events

1 753

Write events

Delete events

Modification events


(PID) Process:	(1796) CUTE.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(1796) CUTE.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(1796) CUTE.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(1796) CUTE.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(1796) CUTE.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\MuiCache\15A\52C64B7E
Operation:	write	Name:	LanguageList
Value: en-US

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1796	CUTE.exe	C:\ProgramData\Mircosolt\uninstall.dat		—
		MD5:—	SHA256:—
1796	CUTE.exe	C:\Users\admin\AppData\Local\Temp\Cab7C3A.tmp		compressed
		MD5:AC05D27423A85ADC1622C714F2CB6184	SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
1796	CUTE.exe	C:\Users\admin\AppData\Local\Temp\Tar7C3B.tmp		binary
		MD5:9C0C641C06238516F27941AA1166D427	SHA256:4276AF3669A141A59388BC56A87F6614D9A9BDDDF560636C264219A7EB11256F
3028	65b6f5d673368591f3e71a1d3eba4794.exe	C:\Users\admin\AppData\Local\Temp\tmp4EF0.tmp.bat		text
		MD5:6D9F77F4A001E7A612BFBFC83834E188	SHA256:A4A073F49F3518111B2DF4771E952155041DEB654E0813DFC2B054E8663CD88C
1796	CUTE.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506		binary
		MD5:4418294A7E4D6270F9BE8C1024DF834B	SHA256:ECF414254B2F5C1AD539FAB2C4DA077F10A656C8BB40176D4ED848AE7C1BE325
3028	65b6f5d673368591f3e71a1d3eba4794.exe	C:\ProgramData\Mircosolt\CUTE.exe		executable
		MD5:65B6F5D673368591F3E71A1D3EBA4794	SHA256:5D661F253381BA16FA2A19689385C7DA09621561F2BAD0B805FA4D158AA33DC1
1796	CUTE.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506		compressed
		MD5:AC05D27423A85ADC1622C714F2CB6184	SHA256:C6456E12E5E53287A547AF4103E0397CB9697E466CF75844312DC296D43D144D
1796	CUTE.exe	C:\ProgramData\F4C181E419223CD37BC7B8E25D1B9E18.jpg		image
		MD5:1774F71DA0C549D653213F86ABC94A4E	SHA256:DA7E15C962EAB843EF810829345DF2EFFF5C7EEFCE1FC33BFF2FF1F5B4F444FE

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1796	CUTE.exe	POST	200	89.208.107.12:80	http://89.208.107.12/BEBRIK.php	unknown	—	—	unknown
1796	CUTE.exe	GET	200	93.184.221.240:80	http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?682628d685dec143	unknown	compressed	65.2 Kb	unknown
1796	CUTE.exe	POST	200	89.208.107.12:80	http://89.208.107.12/SOSORRY.php	unknown	binary	5.14 Mb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1956	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
324	svchost.exe	224.0.0.252:5355	—	—	—	unknown
1796	CUTE.exe	89.208.107.12:80	—	AEZA GROUP Ltd	NL	malicious
1796	CUTE.exe	185.172.128.11:443	—	OOO Nadym Svyaz Service	RU	unknown
1796	CUTE.exe	93.184.221.240:80	ctldl.windowsupdate.com	EDGECAST	GB	whitelisted
952	ngen.exe	185.172.128.11:3333	—	OOO Nadym Svyaz Service	RU	unknown

DNS requests

Domain	IP	Reputation
ctldl.windowsupdate.com	93.184.221.240	whitelisted

Threats

PID	Process	Class	Message
1796	CUTE.exe	A Network Trojan was detected	LOADER [ANY.RUN] Phonk Loader Request
1796	CUTE.exe	A Network Trojan was detected	ET MALWARE Phonk Trojan CnC Checkin (POST)
1796	CUTE.exe	Malware Command and Control Activity Detected	LOADER [ANY.RUN] Phonk Loader Activity (Sending ID)
1796	CUTE.exe	Misc activity	ET INFO Suspicious File Extension Inbound (.phonk)
952	ngen.exe	Potential Corporate Privacy Violation	ET POLICY Cryptocurrency Miner Checkin

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

65b6f5d673368591f3e71a1d3eba4794.exe

65B6F5D673368591F3E71A1D3EBA4794

C3201A17F96756D54776CE7CC640AFA4A983AB09

5D661F253381BA16FA2A19689385C7DA09621561F2BAD0B805FA4D158AA33DC1

98304:H0zetH+s3utP1VlEFH5fZTLB7c4d8f8uIrBil3xz82o7NODsKJWwNUWJVBxn:F

Software environment set and analysis options

Launch configuration

Software preset

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Uses Task Scheduler to run other applications

PHONK has been detected (SURICATA)

Connects to the CnC server

MINER has been detected (SURICATA)

SUSPICIOUS

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Uses TIMEOUT.EXE to delay execution

Reads the Internet Settings

Connects to the server without a host name

Reads settings of System Certificates

Connects to unusual port

INFO

Checks supported languages

Reads the computer name

Creates files in the program directory

Reads the machine GUID from the registry

Create files in a temporary directory

Reads Environment values

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings