Malware analysis 2024.12.31止尾款结算对账核对表xlsx.exe Malicious activity

Add for printing

File name:	2024.12.31止尾款结算对账核对表xlsx.exe
Full analysis:	https://app.any.run/tasks/7e8360c9-63ad-4dad-a112-134a53e6c63c
Verdict:	Malicious activity
Threats:	AsyncRAT is a RAT that can monitor and remotely control infected systems. This malware was introduced on Github as a legitimate open-source remote administration software, but hackers use it for its many powerful malicious functions. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	January 12, 2025, 11:52:04
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	rat asyncrat remote
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:	33961801DF7DF4040FB2282D6103286C
SHA1:	1C0B29FA3A333974788A71C896E30F38E2BF3769
SHA256:	782D0356109CD4BDBF0C69932DD6F753754A426927C26F7DB60BFF7344C46C1A
SSDEEP:	49152:jH7++z4WMFjlc5BwUr90JjpQLr30rXhq9gf2aIixw33BaDwDlVuMMI/bG9jxf83N:n+pRFjlc5CUr92jpQLTKYgOaIixw3Bas

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Registers / Runs the DLL via REGSVR32.EXE
  - 2024.12.31止尾款结算对账核对表xlsx.tmp (PID: 6792)
- ASYNCRAT has been detected (SURICATA)
  - regsvr32.exe (PID: 6840)
SUSPICIOUS
- Reads the Windows owner or organization settings
  - 2024.12.31止尾款结算对账核对表xlsx.tmp (PID: 6364)
  - 2024.12.31止尾款结算对账核对表xlsx.tmp (PID: 6792)
- Executable content was dropped or overwritten
  - 2024.12.31止尾款结算对账核对表xlsx.tmp (PID: 6364)
  - 2024.12.31止尾款结算对账核对表xlsx.exe (PID: 6344)
  - 2024.12.31止尾款结算对账核对表xlsx.exe (PID: 6772)
  - 2024.12.31止尾款结算对账核对表xlsx.tmp (PID: 6792)
- Process drops legitimate windows executable
  - 2024.12.31止尾款结算对账核对表xlsx.tmp (PID: 6364)
  - 2024.12.31止尾款结算对账核对表xlsx.tmp (PID: 6792)
- Starts CMD.EXE for commands execution
  - 2024.12.31止尾款结算对账核对表xlsx.tmp (PID: 6364)
- Uses TIMEOUT.EXE to delay execution
  - cmd.exe (PID: 6500)
- The executable file from the user directory is run by the CMD process
  - 2024.12.31止尾款结算对账核对表xlsx.exe (PID: 6772)
- The process checks if it is being run in the virtual environment
  - regsvr32.exe (PID: 6840)
- Starts POWERSHELL.EXE for commands execution
  - regsvr32.exe (PID: 6840)
- Contacting a server suspected of hosting an CnC
  - regsvr32.exe (PID: 6840)
- Connects to unusual port
  - regsvr32.exe (PID: 6840)
- Searches for installed software
  - regsvr32.exe (PID: 6840)
INFO
- Reads the computer name
  - 2024.12.31止尾款结算对账核对表xlsx.tmp (PID: 6364)
  - 2024.12.31止尾款结算对账核对表xlsx.tmp (PID: 6792)
- Checks supported languages
  - 2024.12.31止尾款结算对账核对表xlsx.tmp (PID: 6364)
  - 2024.12.31止尾款结算对账核对表xlsx.exe (PID: 6344)
  - 2024.12.31止尾款结算对账核对表xlsx.exe (PID: 6772)
  - 2024.12.31止尾款结算对账核对表xlsx.tmp (PID: 6792)
- Create files in a temporary directory
  - 2024.12.31止尾款结算对账核对表xlsx.exe (PID: 6344)
  - 2024.12.31止尾款结算对账核对表xlsx.tmp (PID: 6364)
  - 2024.12.31止尾款结算对账核对表xlsx.exe (PID: 6772)
  - 2024.12.31止尾款结算对账核对表xlsx.tmp (PID: 6792)
- The sample compiled with english language support
  - 2024.12.31止尾款结算对账核对表xlsx.tmp (PID: 6364)
  - 2024.12.31止尾款结算对账核对表xlsx.tmp (PID: 6792)
- Creates files or folders in the user directory
  - 2024.12.31止尾款结算对账核对表xlsx.tmp (PID: 6792)
- Creates a software uninstall entry
  - 2024.12.31止尾款结算对账核对表xlsx.tmp (PID: 6792)
- Checks if a key exists in the options dictionary (POWERSHELL)
  - powershell.exe (PID: 6948)
  - powershell.exe (PID: 5448)
- Reads the software policy settings
  - regsvr32.exe (PID: 6840)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Inno Setup installer (81.5)
.exe	\|	Win32 Executable Delphi generic (10.5)
.exe	\|	Win32 Executable (generic) (3.3)
.exe	\|	Win16/32 Executable Delphi generic (1.5)
.exe	\|	Generic Win/DOS Executable (1.4)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2006:09:22 06:44:32+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	86016
InitializedDataSize:	116736
UninitializedDataSize:	-
EntryPoint:	0x16478
OSVersion:	5
ImageVersion:	6
SubsystemVersion:	5
Subsystem:	Windows GUI
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:
FileDescription:	Funny Alligator Setup
FileVersion:
LegalCopyright:
ProductName:	Funny Alligator
ProductVersion:	8.30.48.6545

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

140

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1864

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

5448

"powershell" "Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute \"regsvr32\" -Argument \"/S /i:INSTALL C:\Users\admin\AppData\Roaming\UptightChicken.dat\") -Trigger (New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval (New-TimeSpan -Minutes 1)) -TaskName 'MicrosoftEdgeUpdateTaskMachineUA{D25324A6-2F69-4269-9521-8913F17DCD80}' -Description 'Default' -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -ExecutionTimeLimit 0)"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

—

regsvr32.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\atl.dll

6344

"C:\Users\admin\AppData\Local\Temp\2024.12.31止尾款结算对账核对表xlsx.exe"

C:\Users\admin\AppData\Local\Temp\2024.12.31止尾款结算对账核对表xlsx.exe

explorer.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

Funny Alligator Setup

Exit code:

Version:

Modules

Images
c:\users\admin\appdata\local\temp\2024.12.31止尾款结算对账核对表xlsx.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

6364

"C:\Users\admin\AppData\Local\Temp\is-7L8R8.tmp\2024.12.31止尾款结算对账核对表xlsx.tmp" /SL5="$902C0,702433,203776,C:\Users\admin\AppData\Local\Temp\2024.12.31止尾款结算对账核对表xlsx.exe"

C:\Users\admin\AppData\Local\Temp\is-7L8R8.tmp\2024.12.31止尾款结算对账核对表xlsx.tmp

2024.12.31止尾款结算对账核对表xlsx.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-7l8r8.tmp\2024.12.31止尾款结算对账核对表xlsx.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

6500

"cmd.exe" /C timeout /T 3 & "C:\Users\admin\AppData\Local\Temp\2024.12.31止尾款结算对账核对表xlsx.exe" /VERYSILENT /SUPPRESSMSGBOXES

C:\Windows\SysWOW64\cmd.exe

—

2024.12.31止尾款结算对账核对表xlsx.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows Command Processor

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll

6512

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6604

timeout /T 3

C:\Windows\SysWOW64\timeout.exe

—

cmd.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

timeout - pauses command processing

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

6772

"C:\Users\admin\AppData\Local\Temp\2024.12.31止尾款结算对账核对表xlsx.exe" /VERYSILENT /SUPPRESSMSGBOXES

C:\Users\admin\AppData\Local\Temp\2024.12.31止尾款结算对账核对表xlsx.exe

cmd.exe

User:

admin

Company:

Integrity Level:

MEDIUM

Description:

Funny Alligator Setup

Exit code:

Version:

Modules

Images
c:\users\admin\appdata\local\temp\2024.12.31止尾款结算对账核对表xlsx.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

6792

"C:\Users\admin\AppData\Local\Temp\is-RSHTN.tmp\2024.12.31止尾款结算对账核对表xlsx.tmp" /SL5="$4020E,702433,203776,C:\Users\admin\AppData\Local\Temp\2024.12.31止尾款结算对账核对表xlsx.exe" /VERYSILENT /SUPPRESSMSGBOXES

C:\Users\admin\AppData\Local\Temp\is-RSHTN.tmp\2024.12.31止尾款结算对账核对表xlsx.tmp

2024.12.31止尾款结算对账核对表xlsx.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-rshtn.tmp\2024.12.31止尾款结算对账核对表xlsx.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\oleaut32.dll

6812

"regsvr32.exe" /s /i:INSTALL "C:\Users\admin\AppData\Roaming\\UptightChicken.dat"

C:\Windows\SysWOW64\regsvr32.exe

—

2024.12.31止尾款结算对账核对表xlsx.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft(C) Register Server

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

Add for printing

Total events

16 623

Read events

16 600

Write events

Delete events

Modification events


(PID) Process:	(6792) 2024.12.31止尾款结算对账核对表xlsx.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	Owner
Value: 881A00006DA14A6BE864DB01
(PID) Process:	(6792) 2024.12.31止尾款结算对账核对表xlsx.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	SessionHash
Value: A1F2DFA64AFE273AB6EED5FB8CC0E6EC84D79CF60A701069D6548269D946BBF5
(PID) Process:	(6792) 2024.12.31止尾款结算对账核对表xlsx.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0001
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(6792) 2024.12.31止尾款结算对账核对表xlsx.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Funny Alligator_is1
Operation:	write	Name:	Inno Setup: Setup Version
Value: 5.5.0 (u)
(PID) Process:	(6792) 2024.12.31止尾款结算对账核对表xlsx.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Funny Alligator_is1
Operation:	write	Name:	Inno Setup: App Path
Value: C:\Users\admin\AppData\Local
(PID) Process:	(6792) 2024.12.31止尾款结算对账核对表xlsx.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Funny Alligator_is1
Operation:	write	Name:	InstallLocation
Value: C:\Users\admin\AppData\Local\
(PID) Process:	(6792) 2024.12.31止尾款结算对账核对表xlsx.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Funny Alligator_is1
Operation:	write	Name:	Inno Setup: Icon Group
Value: (Default)
(PID) Process:	(6792) 2024.12.31止尾款结算对账核对表xlsx.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Funny Alligator_is1
Operation:	write	Name:	Inno Setup: User
Value: admin
(PID) Process:	(6792) 2024.12.31止尾款结算对账核对表xlsx.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Funny Alligator_is1
Operation:	write	Name:	Inno Setup: Language
Value: default
(PID) Process:	(6792) 2024.12.31止尾款结算对账核对表xlsx.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Funny Alligator_is1
Operation:	write	Name:	DisplayName
Value: Funny Alligator version 8.30.48.6545

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6792	2024.12.31止尾款结算对账核对表xlsx.tmp	C:\Users\admin\AppData\Roaming\is-GNRV4.tmp		executable
		MD5:F7AF43EE4B917ECC5051C5CB3A0FFE5C	SHA256:A43E88349C0757C3F122657E6696BECDE5316F9C31764EAEE04E722A87F4B15B
6792	2024.12.31止尾款结算对账核对表xlsx.tmp	C:\Users\admin\AppData\Local\is-FSHES.tmp		executable
		MD5:E830252CBDE0740AD4D0A668257A2EB5	SHA256:25A398BB265DF03DF86B09B77F5B682263BA30484A039B816A1CD993E12AB0CF
6344	2024.12.31止尾款结算对账核对表xlsx.exe	C:\Users\admin\AppData\Local\Temp\is-7L8R8.tmp\2024.12.31止尾款结算对账核对表xlsx.tmp		executable
		MD5:75C6FBC94F75010AEBB8C0C11A646FCC	SHA256:BA9099F858DA9B41BAE8A46CA4B8A61B099A18CDBF43BCD3A2C31C0B8E30BEDE
6792	2024.12.31止尾款结算对账核对表xlsx.tmp	C:\Users\admin\AppData\Local\Temp\is-9B6LM.tmp\_isetup\_setup64.tmp		executable
		MD5:4FF75F505FDDCC6A9AE62216446205D9	SHA256:A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
6792	2024.12.31止尾款结算对账核对表xlsx.tmp	C:\Users\admin\AppData\Local\Temp\is-9B6LM.tmp\_isetup\_shfoldr.dll		executable
		MD5:92DC6EF532FBB4A5C3201469A5B5EB63	SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
6364	2024.12.31止尾款结算对账核对表xlsx.tmp	C:\Users\admin\AppData\Local\Temp\is-2OJNG.tmp\_isetup\_shfoldr.dll		executable
		MD5:92DC6EF532FBB4A5C3201469A5B5EB63	SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
6792	2024.12.31止尾款结算对账核对表xlsx.tmp	C:\Users\admin\AppData\Local\unins000.dat		binary
		MD5:8BB473992B572A68AAACD8E0582DEA3F	SHA256:8F615FA3C87B57D0C7E9559A07A3825BB49C796298CF12B038E99FB2F20F616A
6948	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_a0kgc1qv.pep.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6948	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_cs2fc04y.bdz.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6792	2024.12.31止尾款结算对账核对表xlsx.tmp	C:\Users\admin\AppData\Roaming\UptightChicken.dat		executable
		MD5:F7AF43EE4B917ECC5051C5CB3A0FFE5C	SHA256:A43E88349C0757C3F122657E6696BECDE5316F9C31764EAEE04E722A87F4B15B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.194:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.48.23.194:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
—	—	GET	200	23.218.209.163:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.218.209.163:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2744	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6432	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
2744	SIHClient.exe	GET	200	2.23.246.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.194:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	23.48.23.194:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
—	—	23.218.209.163:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.218.209.163:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5064	SearchApp.exe	104.126.37.129:443	www.bing.com	Akamai International B.V.	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4712	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 51.124.78.146	whitelisted
crl.microsoft.com	23.48.23.194 23.48.23.164 23.48.23.173 23.48.23.158 23.48.23.177 23.48.23.159 23.48.23.162 23.48.23.145	whitelisted
www.microsoft.com	23.218.209.163 2.23.246.101	whitelisted
google.com	142.250.74.206	whitelisted
www.bing.com	104.126.37.129 104.126.37.145 104.126.37.160 104.126.37.130 104.126.37.123 104.126.37.144 104.126.37.155 104.126.37.153 104.126.37.139	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.64 40.126.31.71 40.126.31.67 20.190.159.68 40.126.31.73 20.190.159.0 40.126.31.69 20.190.159.4	whitelisted
go.microsoft.com	23.35.238.131	whitelisted
arc.msn.com	20.223.35.26	whitelisted
fd.api.iris.microsoft.com	20.103.156.88	whitelisted

Threats

Found threats are available for the paid subscriptions

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

2024.12.31止尾款结算对账核对表xlsx.exe

33961801DF7DF4040FB2282D6103286C

1C0B29FA3A333974788A71C896E30F38E2BF3769

782D0356109CD4BDBF0C69932DD6F753754A426927C26F7DB60BFF7344C46C1A

49152:jH7++z4WMFjlc5BwUr90JjpQLr30rXhq9gf2aIixw33BaDwDlVuMMI/bG9jxf83N:n+pRFjlc5CUr92jpQLTKYgOaIixw3Bas

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Registers / Runs the DLL via REGSVR32.EXE

ASYNCRAT has been detected (SURICATA)

SUSPICIOUS

Reads the Windows owner or organization settings

Executable content was dropped or overwritten

Process drops legitimate windows executable

Starts CMD.EXE for commands execution

Uses TIMEOUT.EXE to delay execution

The executable file from the user directory is run by the CMD process

The process checks if it is being run in the virtual environment

Starts POWERSHELL.EXE for commands execution

Contacting a server suspected of hosting an CnC

Connects to unusual port

Searches for installed software

INFO

Reads the computer name

Checks supported languages

Create files in a temporary directory

The sample compiled with english language support

Creates files or folders in the user directory

Creates a software uninstall entry

Checks if a key exists in the options dictionary (POWERSHELL)

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings