| File name: | cloud.exe |
| Full analysis: | https://app.any.run/tasks/b9b99209-4c36-42c4-b5a1-4e3c42c4733c |
| Verdict: | Malicious activity |
| Analysis date: | November 09, 2023, 23:54:54 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 27A074CD4F7908BBC73EFD5262351449 |
| SHA1: | D38BB4AA05392CAB9DB0576A91B1C70C165A9E20 |
| SHA256: | 6EEC926E1E70542A355A8BE392A4D948610ADCCE4FAA7484E551D4CEA5F8F0B1 |
| SSDEEP: | 49152:x6h4gV2kJgU9hgf5f5XAKig8z96vAEfYF2wt/umw8zcQKCAiszne:x614dhdAXOHfYFRQ8zPmS |
MALICIOUS
Drops the executable file immediately after the start
- cloud.exe (PID: 3416)
- zskcwrwoyh.exe (PID: 3164)
- zskcwrwoyh.exe (PID: 3668)
- pwpsvmcizr.exe (PID: 3544)
Known privilege escalation attack
- dllhost.exe (PID: 3580)
Creates a writable file the system directory
- zskcwrwoyh.exe (PID: 3668)
- SearchIndexer.exe (PID: 3924)
Runs injected code in another process
- SearchUserHost.exe (PID: 3948)
Application was injected by another process
- explorer.exe (PID: 1388)
Starts NET.EXE to view/change shared resources
- cmd.exe (PID: 604)
- net.exe (PID: 2692)
SUSPICIOUS
Reads the Internet Settings
- cloud.exe (PID: 3416)
- zskcwrwoyh.exe (PID: 3164)
- pwpsvmcizr.exe (PID: 3544)
Process drops legitimate windows executable
- cloud.exe (PID: 3416)
- zskcwrwoyh.exe (PID: 3668)
- SearchIndexer.exe (PID: 3924)
Drops a system driver (possible attempt to evade defenses)
- zskcwrwoyh.exe (PID: 3668)
Creates files in the driver directory
- zskcwrwoyh.exe (PID: 3668)
Starts CMD.EXE for commands execution
- SearchUserHost.exe (PID: 3948)
- zskcwrwoyh.exe (PID: 3668)
Starts SC.EXE for service management
- cmd.exe (PID: 3820)
- cmd.exe (PID: 3328)
Executing commands from a ".bat" file
- zskcwrwoyh.exe (PID: 3668)
The process creates files with name similar to system file names
- SearchIndexer.exe (PID: 3924)
Process uses IPCONFIG to discover network configuration
- cmd.exe (PID: 2624)
Get information on the list of running processes
- cmd.exe (PID: 2252)
- SearchUserHost.exe (PID: 3948)
- cmd.exe (PID: 2312)
Uses ROUTE.EXE to obtain the routing table information
- cmd.exe (PID: 2076)
Process uses ARP to discover network configuration
- cmd.exe (PID: 2408)
Uses pipe srvsvc via SMB (transferring data)
- bindsvc.exe (PID: 908)
- SearchUserHost.exe (PID: 3948)
INFO
Checks supported languages
- cloud.exe (PID: 3416)
- wmpnscfg.exe (PID: 3128)
- pwpsvmcizr.exe (PID: 3544)
- zskcwrwoyh.exe (PID: 3164)
- rKKDmxal.exe (PID: 3504)
- zskcwrwoyh.exe (PID: 3668)
- cloud.exe (PID: 3852)
- bindsvc.exe (PID: 908)
Manual execution by a user
- wmpnscfg.exe (PID: 3128)
Reads the computer name
- wmpnscfg.exe (PID: 3128)
- cloud.exe (PID: 3416)
- zskcwrwoyh.exe (PID: 3164)
- rKKDmxal.exe (PID: 3504)
- zskcwrwoyh.exe (PID: 3668)
- pwpsvmcizr.exe (PID: 3544)
- bindsvc.exe (PID: 908)
Reads the machine GUID from the registry
- wmpnscfg.exe (PID: 3128)
- rKKDmxal.exe (PID: 3504)
Create files in a temporary directory
- cloud.exe (PID: 3416)
- pwpsvmcizr.exe (PID: 3544)
- zskcwrwoyh.exe (PID: 3668)
- SearchUserHost.exe (PID: 3948)
Creates files in the program directory
- zskcwrwoyh.exe (PID: 3164)
- SearchIndexer.exe (PID: 3924)
Checks transactions between databases Windows and Oracle
- rKKDmxal.exe (PID: 3504)
Executes as Windows Service
- SearchIndexer.exe (PID: 3924)
Creates files or folders in the user directory
- SearchUserHost.exe (PID: 3948)
- bindsvc.exe (PID: 908)
Drops the executable file immediately after the start
- SearchIndexer.exe (PID: 3924)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (30.9) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (27.3) |
| .exe | | | UPX compressed Win32 Executable (26.8) |
| .dll | | | Win32 Dynamic Link Library (generic) (6.5) |
| .exe | | | Win32 Executable (generic) (4.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2020:03:04 09:51:19+01:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 10 |
| CodeSize: | 50688 |
| InitializedDataSize: | 104960 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x7b1f |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
Total processes
90
Monitored processes
38
Malicious processes
6
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 188 | /c "netstat -ano" | C:\Windows\System32\cmd.exe | — | SearchUserHost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 328 | netstat -ano | C:\Windows\System32\NETSTAT.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Netstat Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 604 | /c "net share" | C:\Windows\System32\cmd.exe | — | SearchUserHost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 680 | C:\Windows\system32\net1 share | C:\Windows\System32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Net Command Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 732 | arp -a | C:\Windows\System32\ARP.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Arp Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 908 | "C:\Windows\System32\bindsvc.exe" | C:\Windows\System32\bindsvc.exe | — | zskcwrwoyh.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1388 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1528 | sc config msdtc obj= LocalSystem | C:\Windows\System32\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1584 | route print | C:\Windows\System32\ROUTE.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Route Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1756 | C:\Windows\system32\cmd.exe /c "C:\Users\admin\AppData\Local\Temp\qVQxCh9h.bat" | C:\Windows\System32\cmd.exe | — | zskcwrwoyh.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
5 678
Read events
5 597
Write events
75
Delete events
6
Modification events
| (PID) Process: | (1388) explorer.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3128) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{096E2515-5165-456D-9629-1E99CB14B3FC}\{8E321D59-E064-4E1B-80F6-4F98994BB91E} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3128) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{096E2515-5165-456D-9629-1E99CB14B3FC} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3128) wmpnscfg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{8500816E-4E7E-429E-8BF1-C15A10022A29} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1388) explorer.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Action Center\Checks\{C8E6F269-B90A-4053-A3BE-499AFCEC98C4}.check.0 |
| Operation: | write | Name: | CheckSetting |
Value: 01000000D08C9DDF0115D1118C7A00C04FC297EB01000000F6D6788197A75D498472ACE88906AC8D000000000200000000001066000000010000200000007F0C5AFCF1AE7F71286A81A9B86E67A7BE47980777E154AD953E683E2064784E000000000E8000000002000020000000C547D0854BEA52CCDED7859B79990A863903B335001ED826D40C3D8E323F237F30000000DF0FBC24E15CFF4FE438F74D8486DFB808CBF3EC9160BD0CF16731298F2800053F0DC9D2737FB85ABF81EDB882A089A94000000011BAC043EAAF96F8497DEE93A36C7829C97427DA018BC7750377DAC2CC3CE4D64139784732F789D57202D54D80C3AAC2B4B5EE990B65AEF23416199647916AD4 | |||
| (PID) Process: | (3416) cloud.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3416) cloud.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (3416) cloud.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (3416) cloud.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (3164) zskcwrwoyh.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
Executable files
13
Suspicious files
8
Text files
11
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3948 | SearchUserHost.exe | C:\Users\admin\AppData\Roaming\Microsoft\UserSetting\MediaCache\ramdisk.sdb | — | |
MD5:— | SHA256:— | |||
| 3164 | zskcwrwoyh.exe | C:\ProgramData\Temp\rKKDmxal.exe | executable | |
MD5:B2B51A85BDAD70FF19534CD013C07F24 | SHA256:885540B5A42FE845FFADA109B4EF7EB1E07C158255AC315910DFB333EC85D513 | |||
| 3668 | zskcwrwoyh.exe | C:\Windows\System32\wimsvc.exe | executable | |
MD5:2C2029588AD8B86759C17B7AE885EE03 | SHA256:3AB288C47914E33CC61985E46502158400FAA9D7187B55C19039B8795504A290 | |||
| 3416 | cloud.exe | C:\Users\admin\AppData\Local\Temp\zskcwrwoyh.exe | executable | |
MD5:2C2029588AD8B86759C17B7AE885EE03 | SHA256:3AB288C47914E33CC61985E46502158400FAA9D7187B55C19039B8795504A290 | |||
| 3668 | zskcwrwoyh.exe | C:\Windows\System32\wideshut.exe | executable | |
MD5:2C2029588AD8B86759C17B7AE885EE03 | SHA256:3AB288C47914E33CC61985E46502158400FAA9D7187B55C19039B8795504A290 | |||
| 3924 | SearchIndexer.exe | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log | binary | |
MD5:9D7A4C077EDD1B357721404673808564 | SHA256:D7944E6EFAE4F73952C552A515717CCA2E093014304681CA61C870958BE67E88 | |||
| 3668 | zskcwrwoyh.exe | C:\Windows\System32\racfg.exe | executable | |
MD5:DC0222F1E0868C3612A93BA2D83B99BE | SHA256:6BC4497B86DF521B413E4574F4CD4289C986348D2A69DA1945FF1A1784DB05DB | |||
| 3924 | SearchIndexer.exe | C:\Windows\system32\SearchUserHost.exe | executable | |
MD5:88F23CF4A9E57D99199F3761F6A48FD9 | SHA256:79CF96526832DC46A9EF88B7FFC00B8CF3762E2FBE92B42759EAEE2A53E239FD | |||
| 3544 | pwpsvmcizr.exe | C:\Users\admin\AppData\Local\Temp\cloud.exe | executable | |
MD5:46E3E78D92AA3C2152489EF20B7D871F | SHA256:89C9E691059C50D71A0463912874D77B95B01817FE074E5DAF09A694467378B5 | |||
| 3948 | SearchUserHost.exe | C:\Users\admin\AppData\Roaming\Microsoft\UserSetting\version.ini | binary | |
MD5:C9F0F895FB98AB9159F51FD0297E236D | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
19
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.1:445 | — | — | — | unknown |
4 | System | 192.168.100.2:445 | — | — | — | whitelisted |
4 | System | 192.168.100.1:139 | — | — | — | unknown |
4 | System | 192.168.100.76:445 | — | — | — | unknown |
4 | System | 192.168.100.76:139 | — | — | — | unknown |
3948 | SearchUserHost.exe | 192.168.100.1:445 | — | — | — | unknown |
DNS requests
Threats
Process | Message |
|---|---|
rKKDmxal.exe | lpszParam = gQ9VOe5m8zP6
|
rKKDmxal.exe | lpszPath = C:\Users\admin\AppData\Local\Temp\zskcwrwoyh.exe
|
rKKDmxal.exe | We will start with normal mode!
|