File name: 6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe

Full analysis: https://app.any.run/tasks/c816b1d2-a170-4988-8f2f-f93f29f4077a
Verdict: Malicious activity
Analysis date: January 11, 2025, 00:38:10
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
basun
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 3 sections
MD5: 30BF100816B8E9EB3A162C5938B3D7B1
SHA1: 1C0585CFE34178EFE8F18EA2E27C63ECFEC96B8E
SHA256: 6ED482C9367142B9D934B2F28B5E32FBEF0668BED3CA3A653BEC95DC301567E7
SSDEEP: 768:rgPN1mD1ld3N6IRKBe5vmps4GfSs7sOjHmtwjq/UXSL:rgPN1mD1ld9jRK0+GKs7sOjHmqjOZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • BASUN has been detected
      • 6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe (PID: 5720)
      • admin.exe (PID: 3140)
    • Changes the autorun value in the registry
      • 6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe (PID: 5720)
      • admin.exe (PID: 3140)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • 6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe (PID: 5720)
    • Reads security settings of Internet Explorer
      • 6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe (PID: 5720)
  • INFO
    • The sample was compiled with English language support
      • 6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe (PID: 5720)
    • Checks supported languages
      • 6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe (PID: 5720)
      • admin.exe (PID: 3140)
    • Reads the computer name
      • 6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe (PID: 5720)
      • admin.exe (PID: 3140)
    • Process checks computer location settings
      • 6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe (PID: 5720)
    • The process uses the downloaded file
      • 6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe (PID: 5720)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (42.6)
.exe | Clipper DOS Executable (19.1)
.exe | Generic Win/DOS Executable (18.9)
.exe | DOS Executable Generic (18.9)
.vxd | VXD Driver (0.2)

EXIF

EXE

CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 1
OSVersion: 4
EntryPoint: 0x1180
UninitializedDataSize: -
InitializedDataSize: 512
CodeSize: 31744
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
TimeStamp: 2000:01:01 12:00:00+00:00
MachineType: Intel 386 or later, and compatibles
Total processes: 118
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> 6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe (#BASUN) -> admin.exe (#BASUN)

Process information

PID | CMD | Path | Indicators | Parent process
5720 | "C:\Users\admin\Desktop\6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe" | C:\Users\admin\Desktop\6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe | - | explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\users\admin\desktop\6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvbvm60.dll

3140 | "C:\Users\admin\admin.exe" | C:\Users\admin\admin.exe | - | 6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\users\admin\admin.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvbvm60.dll
Total events: 1 245
Read events: 660
Write events: 585
Delete events: 0

Modification events

(PID) Process: (5720) 6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: admin
Value: C:\Users\admin\admin.exe

(PID) Process: (5720) 6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000

(PID) Process: (3140) admin.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: admin
Value: C:\Users\admin\admin.exe
Executable files: 1
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
5720 | 6ed482c9367142b9d934b2f28b5e32fbef0668bed3ca3a653bec95dc301567e7.exe | C:\Users\admin\admin.exe | executable
MD5: E804BE674C631CA652EE0FD1B0C4DF1E
SHA256: 65381974B76DD002B3B51E25894DD16765D257015C58846BCD58E1180F98068C
HTTP(S) requests: 3
TCP/UDP connections: 18
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3884 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3884 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
3884 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
3884 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
3884 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3884 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3884 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 4.231.128.59 | whitelisted
google.com | 216.58.206.78 | whitelisted
crl.microsoft.com | 23.48.23.156, 23.48.23.143 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
ns1.theimageparlour.net | 206.189.185.75 | whitelisted
self.events.data.microsoft.com | 52.182.143.213 | whitelisted

Threats

No threats detected
No debug info