File name:

36fe08fb0794a1bdac2efa3db04ae544c757e5f8

Full analysis: https://app.any.run/tasks/be9f3895-b06b-4176-875e-185b91bcaa77
Verdict: Malicious activity
Analysis date: November 29, 2024, 18:30:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
xor-url
generic
fsg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

FC3F34C08EF7CEB06734C83D67E1384A

SHA1:

36FE08FB0794A1BDAC2EFA3DB04AE544C757E5F8

SHA256:

6D6742D5004033AD7E0A43D42942160287595DF851568A4A545E41B649FC7AB1

SSDEEP:

49152:/zSRL1LzTOkR/CgREAVVgEU1NiiAiJA2Z0GaXKqR68gS4SV6aVJNkIU8BWWKrAl+:rwL1PT1CgREAVVgEU1NiiAiJA2yGaXK5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • XORed URL has been found (YARA)

      • 4925.exe (PID: 5712)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 36fe08fb0794a1bdac2efa3db04ae544c757e5f8.exe (PID: 1224)

    • Reads security settings of Internet Explorer

      • 36fe08fb0794a1bdac2efa3db04ae544c757e5f8.exe (PID: 1224)

    • There is functionality for communication over UDP network (YARA)

      • 4925.exe (PID: 5712)

  • INFO

    • Reads mouse settings

      • 36fe08fb0794a1bdac2efa3db04ae544c757e5f8.exe (PID: 1224)

    • Reads the computer name

      • 36fe08fb0794a1bdac2efa3db04ae544c757e5f8.exe (PID: 1224)
      • 4925.exe (PID: 5712)

    • Create files in a temporary directory

      • 36fe08fb0794a1bdac2efa3db04ae544c757e5f8.exe (PID: 1224)

    • Process checks computer location settings

      • 36fe08fb0794a1bdac2efa3db04ae544c757e5f8.exe (PID: 1224)

    • Checks supported languages

      • 4925.exe (PID: 5712)
      • 36fe08fb0794a1bdac2efa3db04ae544c757e5f8.exe (PID: 1224)

    • FSG packer has been detected

      • 4925.exe (PID: 5712)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

xor-url

(PID) Process(5712) 4925.exe
Decrypted-URLs (1)http://theef.lcirc.net/cgi-bin/Logger/New/theef.cgi
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:11:28 06:36:04+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 573440
InitializedDataSize: 956416
UninitializedDataSize: -
EntryPoint: 0x26bf7
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
124
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 36fe08fb0794a1bdac2efa3db04ae544c757e5f8.exe #XOR-URL 4925.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1224"C:\Users\admin\Desktop\36fe08fb0794a1bdac2efa3db04ae544c757e5f8.exe" C:\Users\admin\Desktop\36fe08fb0794a1bdac2efa3db04ae544c757e5f8.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\desktop\36fe08fb0794a1bdac2efa3db04ae544c757e5f8.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
5712"C:\Users\admin\AppData\Local\Temp\4925\4925.exe" C:\Users\admin\AppData\Local\Temp\4925\4925.exe
36fe08fb0794a1bdac2efa3db04ae544c757e5f8.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\4925\4925.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
xor-url
(PID) Process(5712) 4925.exe
Decrypted-URLs (1)http://theef.lcirc.net/cgi-bin/Logger/New/theef.cgi
Total events
799
Read events
798
Write events
1
Delete events
0

Modification events

(PID) Process:(5712) 4925.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:DirectX Plugin
Value:
C:\WINDOWS\dxreg.exe
Executable files
1
Suspicious files
0
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
122436fe08fb0794a1bdac2efa3db04ae544c757e5f8.exeC:\Users\admin\AppData\Local\Temp\4925\4925.exeexecutable
MD5:9F3AA53C43DF8528FAB01592574979A3
SHA256:D96EB5C667446082EBBE9F5AA685F91F42E410EAE24CA9CF09162E593DBDC2C2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
35
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5064
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6560
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
6956
SIHClient.exe
GET
200
23.37.237.227:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5064
SearchApp.exe
2.23.209.189:443
www.bing.com
Akamai International B.V.
GB
whitelisted
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2.16.241.12:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2396
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 2.23.209.189
  • 2.23.209.130
  • 2.23.209.149
  • 2.23.209.185
  • 2.23.209.187
  • 2.23.209.133
  • 2.23.209.182
  • 2.23.209.140
  • 2.23.209.179
whitelisted
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.78
whitelisted
crl.microsoft.com
  • 2.16.241.12
  • 2.16.241.19
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 23.37.237.227
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.31.67
  • 20.190.159.2
  • 20.190.159.64
  • 20.190.159.23
  • 20.190.159.68
  • 20.190.159.4
  • 20.190.159.0
  • 20.190.159.71
whitelisted
go.microsoft.com
  • 23.32.186.57
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
36fe08fb0794a1bdac2efa3db04ae544c757e5f8