File name:

6b600a980628d8065f7d93ced4a3aa81b7de9402ed78724f3f223357efec7ef3

Full analysis: https://app.any.run/tasks/7c990366-9d34-4c3f-bd41-252b73a3458f
Verdict: Malicious activity
Analysis date: January 10, 2025, 19:11:24
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
peristeronic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

CAA2243856E9DCBF400A47D6ADDC2FAC

SHA1:

2B7F5158A233A1B8CF133B8550B3F5547FA465D4

SHA256:

6B600A980628D8065F7D93CED4A3AA81B7DE9402ED78724F3F223357EFEC7EF3

SSDEEP:

49152:yHlGAXWQkC2R/QORBt7QjFtmcaTH/vU4do9Pcjq1GvXB1sgPR8N32+Rr181vWDZ+:jAGQX21RBt7QjTmcaTH/vU4do9Pcjq1H

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • PERISTERONIC INJECTOR has been detected

      • 6b600a980628d8065f7d93ced4a3aa81b7de9402ed78724f3f223357efec7ef3.exe (PID: 6372)
  • SUSPICIOUS

    • Executes application which crashes

      • 6b600a980628d8065f7d93ced4a3aa81b7de9402ed78724f3f223357efec7ef3.exe (PID: 6372)
  • INFO

    • The sample was compiled with English language support

      • 6b600a980628d8065f7d93ced4a3aa81b7de9402ed78724f3f223357efec7ef3.exe (PID: 6372)
    • Checks supported languages

      • 6b600a980628d8065f7d93ced4a3aa81b7de9402ed78724f3f223357efec7ef3.exe (PID: 6372)
    • Creates files in a temporary directory

      • 6b600a980628d8065f7d93ced4a3aa81b7de9402ed78724f3f223357efec7ef3.exe (PID: 6372)
    • Reads mouse settings

      • 6b600a980628d8065f7d93ced4a3aa81b7de9402ed78724f3f223357efec7ef3.exe (PID: 6372)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6576)
    • Reads the software policy settings

      • WerFault.exe (PID: 6576)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

TRiD's Win64 guess is a byte-pattern heuristic and is wrong here: the PE header below (PEType: PE32, MachineType: Intel 386, ImageFileCharacteristics: 32-bit) and the wow64*.dll modules loaded at runtime show a 32-bit image.

EXIF

EXE

CharacterSet: Unicode
LanguageCode: English (British)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x27dcd
UninitializedDataSize: -
InitializedDataSize: 643072
CodeSize: 581120
LinkerVersion: 12
PEType: PE32
ImageFileCharacteristics: Executable, Large address aware, 32-bit
TimeStamp: 2024:12:06 01:02:41+00:00
MachineType: Intel 386 or later, and compatibles
screenshot
All screenshots are available in the full report
Total processes
129
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

start
  → 6b600a980628d8065f7d93ced4a3aa81b7de9402ed78724f3f223357efec7ef3.exe (#PERISTERONIC)
      → svchost.exe (no specs)
      → werfault.exe

Process information

PID:
6372
CMD:
"C:\Users\admin\AppData\Local\Temp\6b600a980628d8065f7d93ced4a3aa81b7de9402ed78724f3f223357efec7ef3.exe"
Path:
C:\Users\admin\AppData\Local\Temp\6b600a980628d8065f7d93ced4a3aa81b7de9402ed78724f3f223357efec7ef3.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION)
Modules
Images
c:\users\admin\appdata\local\temp\6b600a980628d8065f7d93ced4a3aa81b7de9402ed78724f3f223357efec7ef3.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
PID:
6436
CMD:
"C:\Users\admin\AppData\Local\Temp\6b600a980628d8065f7d93ced4a3aa81b7de9402ed78724f3f223357efec7ef3.exe"
Path:
C:\Windows\SysWOW64\svchost.exe
Parent process:
6b600a980628d8065f7d93ced4a3aa81b7de9402ed78724f3f223357efec7ef3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
PID:
6576
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6372 -s 820
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
6b600a980628d8065f7d93ced4a3aa81b7de9402ed78724f3f223357efec7ef3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
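The process tree above contains the two things a responder checks first: a child whose image (svchost.exe) does not match the command line it was started with (the sample's own path), which is how an injector that starts a host process for its payload shows up in a process list, and a WerFault.exe launched with `-p 6372`, meaning the sample itself crashed (exit code 3221225477 is NTSTATUS 0xC0000005, STATUS_ACCESS_VIOLATION). The Python below is an added example of automating those two checks; it is not part of the ANY.RUN report or of any ANY.RUN tooling. The three records are constructed from the Process information table, and the record layout, field names, `NTSTATUS_NAMES` table and `triage` function are my own assumptions.

```python
"""Triage of a sandbox process tree: image/command-line mismatch plus crash decoding.

Added example: the three records are constructed from the Process information
table in this report; the field names and the NTSTATUS table are my own
assumptions, not ANY.RUN's export format.
"""
import ntpath
import re

SAMPLE = "6b600a980628d8065f7d93ced4a3aa81b7de9402ed78724f3f223357efec7ef3.exe"
TEMP = r"C:\Users\admin\AppData\Local\Temp"

# pid, command line, image path, parent image, exit code (None where the page shows none)
PROCESSES = [
    {"pid": 6372, "cmd": '"' + ntpath.join(TEMP, SAMPLE) + '"',
     "image": ntpath.join(TEMP, SAMPLE), "parent": "explorer.exe", "exit_code": 3221225477},
    {"pid": 6436, "cmd": '"' + ntpath.join(TEMP, SAMPLE) + '"',
     "image": r"C:\Windows\SysWOW64\svchost.exe", "parent": SAMPLE, "exit_code": None},
    {"pid": 6576, "cmd": r"C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6372 -s 820",
     "image": r"C:\Windows\SysWOW64\WerFault.exe", "parent": SAMPLE, "exit_code": 0},
]

# Common NTSTATUS crash codes; sandbox reports print the exit code in decimal.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}


def decode_exit_code(code):
    """Render a decimal exit code as NTSTATUS hex, naming it when known."""
    if code is None:
        return None
    code &= 0xFFFFFFFF
    name = NTSTATUS_NAMES.get(code)
    if name is None and (code >> 30) == 0b11:      # severity bits 11 = error
        name = "unrecognised NTSTATUS error"
    return f"0x{code:08X}" + (f" ({name})" if name else "")


def cmd_executable(cmd):
    """First token of a Windows command line, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(None, 1)[0]


def image_mismatch(proc):
    """True when the command line names one binary but the loaded image is another.

    That is the trace left when an injector starts a host process (here
    svchost.exe) with its own command line and injects into or replaces it.
    """
    claimed = ntpath.basename(cmd_executable(proc["cmd"])).lower()
    actual = ntpath.basename(proc["image"]).lower()
    return claimed != actual


def werfault_target(proc):
    """PID that WerFault.exe was launched to report on (-p <pid>), else None."""
    if ntpath.basename(proc["image"]).lower() != "werfault.exe":
        return None
    m = re.search(r"(?:^|\s)-p\s+(\d+)", proc["cmd"])
    return int(m.group(1)) if m else None


def triage(processes):
    """Return (kind, pid, detail) findings for a list of process records."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        if image_mismatch(p):
            findings.append(("image_mismatch", p["pid"],
                             f"{ntpath.basename(p['image'])} started by {p['parent']} "
                             f"with the command line of {ntpath.basename(cmd_executable(p['cmd']))}"))
        target = werfault_target(p)
        if target is not None:
            victim = by_pid.get(target)
            status = decode_exit_code(victim["exit_code"]) if victim else "pid not in tree"
            findings.append(("crash", target,
                             f"WerFault pid {p['pid']} reported crash of pid {target}: {status}"))
    return findings


if __name__ == "__main__":
    for kind, pid, detail in triage(PROCESSES):
        print(f"[{kind}] pid {pid}: {detail}")
```

Run against the constructed records it reports the svchost.exe child (PID 6436) as an image mismatch and PID 6372 as the crashed process with STATUS_ACCESS_VIOLATION. The mismatch test compares basenames case-insensitively because sandbox exports mix `C:\WINDOWS` and `C:\Windows`, as the WerFault row above does.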
Total events
3 094
Read events
3 094
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
8
Text files
2
Unknown types
0

Dropped files

PID: 6576
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_6b600a980628d806_58b0a5afefbdef911a7cb1e38c56ec21cf557472_185905fb_45c99de3-94df-4695-89d0-223e044a50a4\Report.wer
Type: -
MD5: -
SHA256: -

PID: 6576
Process: WerFault.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE
Type: binary
MD5: FA84E4BCC92AA5DB735AB50711040CDE
SHA256: 6D7205E794FDE4219A62D9692ECDDF612663A5CF20399E79BE87B851FCA4CA33

PID: 6372
Process: 6b600a980628d8065f7d93ced4a3aa81b7de9402ed78724f3f223357efec7ef3.exe
Filename: C:\Users\admin\AppData\Local\Temp\peristeronic
Type: binary
MD5: 4CA5C2DD9CEB3B714300AADE2DAF2C69
SHA256: 9377E5F4681940862005BA0963AD6295E4B6DC6DA6EC73C70EC282F84824444C

PID: 6576
Process: WerFault.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FE
Type: binary
MD5: 99855DB67E27F350B4FEB5835871BFDD
SHA256: B2AA0F96511ABD3C641A016EBB0B8AB4536C36D097F7208A7F194BF005BA5F5E

PID: 6576
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DBD.tmp.WERInternalMetadata.xml
Type: xml
MD5: 95181053CD92F403AE37182759834398
SHA256: A215E33CBE6DEC416522FD85D8095ED3FD457FCFDF3C5E7A304F544247C95648

PID: 6576
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\6b600a980628d8065f7d93ced4a3aa81b7de9402ed78724f3f223357efec7ef3.exe.6372.dmp
Type: binary
MD5: B69CD8E1F530AA8BB36D5B31A4B09FCF
SHA256: AB56F0A2AD15EA50A727D0BA700ED3524D1D7BC4E032EBBD6B16E9BCB2BFEBD6

PID: 6576
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8B6B.tmp.dmp
Type: binary
MD5: 59FA0FD8447A997A0FC29C5142A3DDBA
SHA256: BD2FCA2AA9148387C5D02AC8CC7922B43EEB5A47DA8364CD5D2770417C47C981

PID: 6576
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER8E0C.tmp.xml
Type: xml
MD5: 4A45619E3E8F57B203447D2BCD86D2F5
SHA256: 13FA052155F27E7900C65CA83B4FCA5AC23225478F60F92158F51D80A26DDF9A

PID: 6372
Process: 6b600a980628d8065f7d93ced4a3aa81b7de9402ed78724f3f223357efec7ef3.exe
Filename: C:\Users\admin\AppData\Local\Temp\aut5CE8.tmp
Type: binary
MD5: 4CA5C2DD9CEB3B714300AADE2DAF2C69
SHA256: 9377E5F4681940862005BA0963AD6295E4B6DC6DA6EC73C70EC282F84824444C

PID: 6576
Process: WerFault.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\21253908F3CB05D51B1C2DA8B681A785
Type: binary
MD5: 90645E7F704070CD78982C7E8F1DE66F
SHA256: 51375A0C15B4DB2F78BA431744877C7C2CA470B7DAE8C33A9CEE4DB6E411B1AE

Only two of these files were written by the sample itself (PID 6372): aut5CE8.tmp and peristeronic, which carry the same MD5 and SHA256. The aut####.tmp name is the temporary file AutoIt's runtime creates while extracting an embedded file, so the same content was written under both names. Every other entry was produced by WerFault.exe while handling the crash (dumps, WER metadata, and the CryptnetUrlCache files from its certificate revocation checks).
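A dropped-files table from a crashed sample is mostly WerFault noise, and the one useful signal in it, the aut5CE8.tmp / peristeronic pair with identical hashes, is easy to miss by eye. The Python below is an added example of pulling that pair out by grouping the rows by hash; it is not part of the ANY.RUN report. The rows are constructed from the table above (the Report.wer row, whose hashes are blank on the page, is left out), and the `AUTOIT_TMP` pattern, `CRASH_REPORTERS` set and function names are my own assumptions.

```python
"""Group a sandbox's dropped-file table by hash to find the payload an AutoIt
stub extracted.

Added example: rows are constructed from the Dropped files table in this
report; the helper names and the crash-reporter filter are my own assumptions.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = "6b600a980628d8065f7d93ced4a3aa81b7de9402ed78724f3f223357efec7ef3.exe"

# (pid, process, path, sha256) as on the page; Report.wer had no hash and is omitted.
DROPPED = [
    (6576, "WerFault.exe",
     r"C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\37C951188967C8EB88D99893D9D191FE",
     "6D7205E794FDE4219A62D9692ECDDF612663A5CF20399E79BE87B851FCA4CA33"),
    (6372, SAMPLE, r"C:\Users\admin\AppData\Local\Temp\peristeronic",
     "9377E5F4681940862005BA0963AD6295E4B6DC6DA6EC73C70EC282F84824444C"),
    (6576, "WerFault.exe",
     r"C:\ProgramData\Microsoft\Windows\WER\Temp\WER8DBD.tmp.WERInternalMetadata.xml",
     "A215E33CBE6DEC416522FD85D8095ED3FD457FCFDF3C5E7A304F544247C95648"),
    (6576, "WerFault.exe",
     ntpath.join(r"C:\Users\admin\AppData\Local\CrashDumps", SAMPLE + ".6372.dmp"),
     "AB56F0A2AD15EA50A727D0BA700ED3524D1D7BC4E032EBBD6B16E9BCB2BFEBD6"),
    (6372, SAMPLE, r"C:\Users\admin\AppData\Local\Temp\aut5CE8.tmp",
     "9377E5F4681940862005BA0963AD6295E4B6DC6DA6EC73C70EC282F84824444C"),
]

# GetTempFileName-style name AutoIt's runtime uses while extracting an embedded file.
AUTOIT_TMP = re.compile(r"^aut[0-9A-F]{4}\.tmp$", re.IGNORECASE)
# Processes whose writes are crash-handling artefacts, not attacker activity.
CRASH_REPORTERS = {"werfault.exe"}


def sample_written(rows):
    """Keep only files written by something other than the crash reporter."""
    return [r for r in rows if r[1].lower() not in CRASH_REPORTERS]


def group_by_hash(rows):
    """sha256 -> list of paths, so renamed or copied payloads line up."""
    groups = defaultdict(list)
    for _pid, _proc, path, sha256 in rows:
        groups[sha256.upper()].append(path)
    return dict(groups)


def autoit_payloads(rows):
    """sha256 -> final path for content that also appeared as an aut####.tmp file."""
    found = {}
    for sha256, paths in group_by_hash(sample_written(rows)).items():
        tmp = [p for p in paths if AUTOIT_TMP.match(ntpath.basename(p))]
        final = [p for p in paths if not AUTOIT_TMP.match(ntpath.basename(p))]
        if tmp and final:
            found[sha256] = final[0]
    return found


if __name__ == "__main__":
    for sha256, path in autoit_payloads(DROPPED).items():
        print(f"{sha256}  {path}")
```

On the constructed rows this returns the single payload hash 9377E5F4…4444C at C:\Users\admin\AppData\Local\Temp\peristeronic, which is the file to pull from the sandbox for the next stage of analysis. Hash comparison rather than filename matching is what makes the pairing robust: the final name is attacker-chosen and the `aut####.tmp` digits change on every run.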
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
35
DNS requests
19
Threats
0

No HTTP request or connection in the tables below is attributed to the sample (PID 6372) or to the svchost.exe it launched (PID 6436); the traffic is OCSP/CRL fetches and Microsoft telemetry from WerFault.exe and background Windows processes.

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7148
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6576
WerFault.exe
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7148
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6160
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6576
WerFault.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4992
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5064
SearchApp.exe
104.126.37.155:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4712
MoUsoCoreWorker.exe
23.32.238.107:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1176
svchost.exe
40.126.32.74:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
www.bing.com
  • 104.126.37.155
  • 104.126.37.186
  • 104.126.37.154
  • 104.126.37.161
  • 104.126.37.123
  • 104.126.37.130
  • 104.126.37.129
  • 104.126.37.139
  • 104.126.37.160
whitelisted
crl.microsoft.com
  • 23.32.238.107
  • 23.32.238.112
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
google.com
  • 172.217.16.206
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
login.live.com
  • 40.126.32.74
  • 20.190.160.14
  • 40.126.32.72
  • 40.126.32.133
  • 40.126.32.136
  • 20.190.160.17
  • 20.190.160.20
  • 40.126.32.134
whitelisted
go.microsoft.com
  • 23.35.238.131
whitelisted
watson.events.data.microsoft.com
  • 20.42.65.92
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted

Threats

No threats detected
No debug info