Malware analysis /Brandon-Everhart/Practical-Malware-Analysis/raw/refs/heads/master/PracticalMalwareAnalysis-Labs.exe Malicious activity

Add for printing

download:	/Brandon-Everhart/Practical-Malware-Analysis/raw/refs/heads/master/PracticalMalwareAnalysis-Labs.exe
Full analysis:	https://app.any.run/tasks/c2d7474c-a7a1-47b0-a53d-8302125a16f9
Verdict:	Malicious activity
Analysis date:	March 24, 2025, 14:38:35
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, RAR self-extracting archive, 5 sections
MD5:	9D9C90870BC46AD65BAF0F3977E7590F
SHA1:	DEC5842D07BBD00EDF564FE27C14118EC9ECC77F
SHA256:	704138BEC89CF9E7F00FBCE100DBC09CF133D16DC0203806392F0E153C43C68C
SSDEEP:	24576:uxaVxr53s2QByK9VHFsZ+Ykyxm7g8LVYD/rh6m6er9wgwGe66hXS:u6QXHFsrxKY70neru/66dS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Starts NET.EXE for service management
  - cmd.exe (PID: 3192)
  - net.exe (PID: 6036)
SUSPICIOUS
- Reads Microsoft Outlook installation path
  - PracticalMalwareAnalysis-Labs.exe (PID: 5332)
- Reads security settings of Internet Explorer
  - PracticalMalwareAnalysis-Labs.exe (PID: 5332)
- Drops a system driver (possible attempt to evade defenses)
  - PracticalMalwareAnalysis-Labs.exe (PID: 5332)
- Reads Internet Explorer settings
  - PracticalMalwareAnalysis-Labs.exe (PID: 5332)
- Executable content was dropped or overwritten
  - PracticalMalwareAnalysis-Labs.exe (PID: 5332)
  - Lab11-01.exe (PID: 8164)
- There is functionality for taking screenshot (YARA)
  - PracticalMalwareAnalysis-Labs.exe (PID: 5332)
- Process drops legitimate windows executable
  - PracticalMalwareAnalysis-Labs.exe (PID: 5332)
- Starts CMD.EXE for commands execution
  - Lab11-03.exe (PID: 8000)
INFO
- Checks supported languages
  - PracticalMalwareAnalysis-Labs.exe (PID: 5332)
- Checks proxy server information
  - PracticalMalwareAnalysis-Labs.exe (PID: 5332)
- Reads the computer name
  - PracticalMalwareAnalysis-Labs.exe (PID: 5332)
- The sample compiled with english language support
  - PracticalMalwareAnalysis-Labs.exe (PID: 5332)
- The sample compiled with chinese language support
  - PracticalMalwareAnalysis-Labs.exe (PID: 5332)
- Reads security settings of Internet Explorer
  - BackgroundTransferHost.exe (PID: 456)
  - BackgroundTransferHost.exe (PID: 7624)
- Creates files or folders in the user directory
  - BackgroundTransferHost.exe (PID: 456)
- Manual execution by a user
  - Lab11-01.exe (PID: 8164)
  - Lab11-03.exe (PID: 8000)
  - Lab12-04.exe (PID: 7052)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2012:01:09 13:44:06+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	72704
InitializedDataSize:	25600
UninitializedDataSize:	-
EntryPoint:	0xb3c1
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

155

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

456

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

1128

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

3192

C:\WINDOWS\system32\cmd.exe /c net start cisvc

C:\Windows\SysWOW64\cmd.exe

—

Lab11-03.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

4448

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

Lab11-03.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5332

"C:\Users\admin\Downloads\PracticalMalwareAnalysis-Labs.exe"

C:\Users\admin\Downloads\PracticalMalwareAnalysis-Labs.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\downloads\practicalmalwareanalysis-labs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

5720

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

6036

net start cisvc

C:\Windows\SysWOW64\net.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Net Command

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\net.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6048

C:\WINDOWS\system32\net1 start cisvc

C:\Windows\SysWOW64\net1.exe

—

net.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Net Command

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\net1.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll

6800

"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1

C:\Windows\System32\BackgroundTransferHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Download/Upload Host

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll

7052

"C:\Users\admin\Downloads\Practical Malware Analysis Labs\BinaryCollection\Chapter_12L\Lab12-04.exe"

C:\Users\admin\Downloads\Practical Malware Analysis Labs\BinaryCollection\Chapter_12L\Lab12-04.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\downloads\practical malware analysis labs\binarycollection\chapter_12l\lab12-04.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

Add for printing

Total events

2 682

Read events

2 661

Write events

Delete events

Modification events


(PID) Process:	(5332) PracticalMalwareAnalysis-Labs.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(5332) PracticalMalwareAnalysis-Labs.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(5332) PracticalMalwareAnalysis-Labs.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(8016) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(8016) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(8016) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(456) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(456) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(456) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6800) BackgroundTransferHost.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.contentdeliverymanager_cw5n1h2txyewy\Internet Settings\Cache\Content
Operation:	write	Name:	CachePrefix
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5332	PracticalMalwareAnalysis-Labs.exe	C:\Users\admin\Downloads\Practical Malware Analysis Labs\BinaryCollection\Chapter_10L\Lab10-03.exe		executable
		MD5:F72D773F13CEB6B842A9D29C56F8880F	SHA256:D66E15EEA51EBD4BFD13F8C97646253740B1E6A99328D22232FD01AE13EF5D05
5332	PracticalMalwareAnalysis-Labs.exe	C:\Users\admin\Downloads\Practical Malware Analysis Labs\BinaryCollection\Chapter_10L\Lab10-01.exe		executable
		MD5:795F093A536F118FB4C34FCEDFA42165	SHA256:E55CFA92ACC2FAC8B3B41002EBBEF343BFDB61ABF876E9C713F323E143D5E451
5332	PracticalMalwareAnalysis-Labs.exe	C:\Users\admin\Downloads\Practical Malware Analysis Labs\BinaryCollection\Chapter_11L\Lab11-03.dll		executable
		MD5:BBD65FCAD68E5A3CD1457E2EE05D1F2E	SHA256:F11FA868AC3DEE1E5FBD985FE15BA6D34C7EC0ABB47BABE0D34A35514C49C86A
5332	PracticalMalwareAnalysis-Labs.exe	C:\Users\admin\Downloads\Practical Malware Analysis Labs\BinaryCollection\Chapter_12L\Lab12-02.exe		executable
		MD5:E2BF42217A67E46433DA8B6F4507219E	SHA256:AE8A1C7EB64C42EA2A04F97523EBF0844C27029EB040D910048B680F884B9DCE
5332	PracticalMalwareAnalysis-Labs.exe	C:\Users\admin\Downloads\Practical Malware Analysis Labs\BinaryCollection\Chapter_13L\Lab13-03.exe		executable
		MD5:98EA0FE0594F0F373D9791886A01DB8C	SHA256:86054002565C929215B82615477652D24379B9119BC33EF7F41706EE7E125379
5332	PracticalMalwareAnalysis-Labs.exe	C:\Users\admin\Downloads\Practical Malware Analysis Labs\BinaryCollection\Chapter_11L\Lab11-03.exe		executable
		MD5:18EC5BECFA3991FB654E105BAFBD5A4B	SHA256:BF023FF344EFE2DB0E0A963869368F0EF352764666BC368AD61B7A4C1D9F5975
5332	PracticalMalwareAnalysis-Labs.exe	C:\Users\admin\Downloads\Practical Malware Analysis Labs\BinaryCollection\Chapter_11L\Lab11-01.exe		executable
		MD5:A9C55BB87A7C5C3C923C4FA12940E719	SHA256:57D8D248A8741176348B5D12DCF29F34C8F48EDE0CA13C30D12E5BA0384056D7
5332	PracticalMalwareAnalysis-Labs.exe	C:\Users\admin\Downloads\Practical Malware Analysis Labs\BinaryCollection\Chapter_13L\Lab13-01.exe		executable
		MD5:A9A2734D080E3AE0F5ADA35E878DA7C8	SHA256:71A295247BA7419F9F9DEA8098E6867182BB80F53C98EB0F59192A6557A51249
5332	PracticalMalwareAnalysis-Labs.exe	C:\Users\admin\Downloads\Practical Malware Analysis Labs\BinaryCollection\Chapter_13L\Lab13-02.exe		executable
		MD5:B65C4D7CBC4069DDBFF665370201E588	SHA256:598F21F1E6F4D5829BA8CFBA19D361E09DE510493DF8472A605F46DBF7927030
5332	PracticalMalwareAnalysis-Labs.exe	C:\Users\admin\Downloads\Practical Malware Analysis Labs\BinaryCollection\Chapter_12L\Lab12-03.exe		executable
		MD5:A7F21E412022554D187D6A876A3C08AC	SHA256:9B683D2FDA7CA7ADCC043E4412271009A0E115CA55F9A718C385A3F46B57AE6B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6544	svchost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7228	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
7228	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
456	BackgroundTransferHost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
7280	backgroundTaskHost.exe	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4220	RUXIMICS.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3216	svchost.exe	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	20.190.160.2:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6544	svchost.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
7280	backgroundTaskHost.exe	20.223.35.26:443	arc.msn.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
7280	backgroundTaskHost.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted
456	BackgroundTransferHost.exe	92.123.104.37:443	www.bing.com	Akamai International B.V.	DE	whitelisted
456	BackgroundTransferHost.exe	184.30.131.245:80	ocsp.digicert.com	AKAMAI-AS	US	whitelisted

DNS requests

Domain	IP	Reputation
client.wns.windows.com	40.115.3.253	whitelisted
login.live.com	20.190.160.2 40.126.32.76 20.190.160.14 20.190.160.3 40.126.32.140 40.126.32.134 20.190.160.66 40.126.32.74	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
arc.msn.com	20.223.35.26	whitelisted
www.bing.com	92.123.104.37 92.123.104.46 92.123.104.47 92.123.104.41 92.123.104.44 92.123.104.38 92.123.104.34 92.123.104.42 92.123.104.36	whitelisted
settings-win.data.microsoft.com	51.104.136.2	whitelisted
slscr.update.microsoft.com	4.175.87.197	whitelisted
www.microsoft.com	2.23.246.101	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

/Brandon-Everhart/Practical-Malware-Analysis/raw/refs/heads/master/PracticalMalwareAnalysis-Labs.exe

9D9C90870BC46AD65BAF0F3977E7590F

DEC5842D07BBD00EDF564FE27C14118EC9ECC77F

704138BEC89CF9E7F00FBCE100DBC09CF133D16DC0203806392F0E153C43C68C

24576:uxaVxr53s2QByK9VHFsZ+Ykyxm7g8LVYD/rh6m6er9wgwGe66hXS:u6QXHFsrxKY70neru/66dS

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts NET.EXE for service management

SUSPICIOUS

Reads Microsoft Outlook installation path

Reads security settings of Internet Explorer

Drops a system driver (possible attempt to evade defenses)

Reads Internet Explorer settings

Executable content was dropped or overwritten

There is functionality for taking screenshot (YARA)

Process drops legitimate windows executable

Starts CMD.EXE for commands execution

INFO

Checks supported languages

Checks proxy server information

Reads the computer name

The sample compiled with english language support

The sample compiled with chinese language support

Reads security settings of Internet Explorer

Creates files or folders in the user directory

Manual execution by a user

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings