File name:	6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe
Full analysis:	https://app.any.run/tasks/c816b1d2-a170-4988-8f2f-f93f29f4077a
Verdict:	Malicious activity
Analysis date:	January 11, 2025, 00:38:10
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	basun
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 3 sections
MD5:	30BF100816B8E9EB3A162C5938B3D7B1
SHA1:	1C0585CFE34178EFE8F18EA2E27C63ECFEC96B8E
SHA256:	6ED482C9367142B9D934B2F28B5E32FBEF0668BED3CA3A653BEC95DC301567E7
SSDEEP:	768:rgPN1mD1ld3N6IRKBe5vmps4GfSs7sOjHmtwjq/UXSL:rgPN1mD1ld9jRK0+GKs7sOjHmqjOZ

.exe	\|	Win32 Executable (generic) (42.6)
.exe	\|	Clipper DOS Executable (19.1)
.exe	\|	Generic Win/DOS Executable (18.9)
.exe	\|	DOS Executable Generic (18.9)
.vxd	\|	VXD Driver (0.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2000:01:01 12:00:00+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	6
CodeSize:	31744
InitializedDataSize:	512
UninitializedDataSize:	-
EntryPoint:	0x1180
OSVersion:	4
ImageVersion:	1
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode

PID	CMD	Path	Parent process
3140	"C:\Users\admin\admin.exe"	C:\Users\admin\admin.exe	6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe
User: admin Integrity Level: MEDIUM
5720	"C:\Users\admin\Desktop\6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe"	C:\Users\admin\Desktop\6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe	explorer.exe
User: admin Integrity Level: MEDIUM

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3884	svchost.exe	GET	200	23.48.23.156:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3884	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
3884	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3884	svchost.exe	23.48.23.156:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
3884	svchost.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
3884	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59	whitelisted
google.com	216.58.206.78	whitelisted
crl.microsoft.com	23.48.23.156 23.48.23.143	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
ns1.theimageparlour.net	206.189.185.75	whitelisted
self.events.data.microsoft.com	52.182.143.213	whitelisted

General Info

6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe

30BF100816B8E9EB3A162C5938B3D7B1

1C0585CFE34178EFE8F18EA2E27C63ECFEC96B8E

6ED482C9367142B9D934B2F28B5E32FBEF0668BED3CA3A653BEC95DC301567E7

768:rgPN1mD1ld3N6IRKBe5vmps4GfSs7sOjHmtwjq/UXSL:rgPN1mD1ld9jRK0+GKs7sOjHmqjOZ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

BASUN has been detected

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

INFO

Checks supported languages

The sample compiled with english language support

Process checks computer location settings

Reads the computer name

The process uses the downloaded file

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings