Malware analysis n.exe Malicious activity | ANY.RUN

Add for printing

File name:	n.exe
Full analysis:	https://app.any.run/tasks/07641c40-c598-4134-8b17-fb49a385f3e9
Verdict:	Malicious activity
Analysis date:	August 14, 2024, 21:18:16
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	python pyinstaller
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (console) x86-64, for MS Windows
MD5:	720C7F71DC90ABCCF1716683F14F217B
SHA1:	2A69C1190BCD09850214B5AC7C0AFCA8CD6FFA02
SHA256:	8076E15A7ED4A567E778FE2C66E03FD2D6634E5FB7D7E8FEF3C9DC0AA278A82E
SSDEEP:	98304:kXEtod5RT4wiyrMtlu1lhZdam6+KLTAHNMl/v0TqKJtT9IFLdZJULG8/Gkmu/ndM:F8pPuLnSUzyaJA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Drops the executable file immediately after the start
  - n.exe (PID: 6452)
- Process drops legitimate windows executable
  - n.exe (PID: 6452)
- Creates file in the systems drive root
  - n.exe (PID: 6520)
- The process drops C-runtime libraries
  - n.exe (PID: 6452)
- Executable content was dropped or overwritten
  - n.exe (PID: 6452)
- Process drops python dynamic module
  - n.exe (PID: 6452)
- Application launched itself
  - n.exe (PID: 6452)
- Loads Python modules
  - n.exe (PID: 6520)
INFO
- Checks supported languages
  - n.exe (PID: 6452)
  - n.exe (PID: 6520)
- Create files in a temporary directory
  - n.exe (PID: 6452)
  - n.exe (PID: 6520)
- Reads the computer name
  - n.exe (PID: 6452)
  - n.exe (PID: 6520)
- Reads the machine GUID from the registry
  - n.exe (PID: 6520)
- PyInstaller has been detected (YARA)
  - n.exe (PID: 6520)
  - n.exe (PID: 6452)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (87.3)
.exe	\|	Generic Win/DOS Executable (6.3)
.exe	\|	DOS Executable Generic (6.3)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2023:07:28 08:06:35+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.34
CodeSize:	166400
InitializedDataSize:	363520
UninitializedDataSize:	-
EntryPoint:	0xa6a0
OSVersion:	5.2
ImageVersion:	-
SubsystemVersion:	5.2
Subsystem:	Windows command line
FileVersionNumber:	1.3.3.7
ProductVersionNumber:	1.3.3.7
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	Cheat Checker by rovert
FileVersion:	1.3.3.7
ProductName:	rovert_checker
ProductVersion:	1.3.3.7
OriginalFileName:	rovertchecker.exe
LegalCopyright:	© rovert. All rights refused.

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

130

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

6452

"C:\Users\admin\AppData\Local\Temp\n.exe"

C:\Users\admin\AppData\Local\Temp\n.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Cheat Checker by rovert

Version:

1.3.3.7

Modules

Images
c:\users\admin\appdata\local\temp\n.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

6460

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

n.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

6520

"C:\Users\admin\AppData\Local\Temp\n.exe"

C:\Users\admin\AppData\Local\Temp\n.exe

n.exe

User:

admin

Integrity Level:

MEDIUM

Description:

Cheat Checker by rovert

Version:

1.3.3.7

Modules

Images
c:\users\admin\appdata\local\temp\n.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

3 500

Read events

3 500

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6452	n.exe	C:\Users\admin\AppData\Local\Temp\_MEI64522\Pythonwin\mfc140u.dll		executable
		MD5:03A161718F1D5E41897236D48C91AE3C	SHA256:E06C4BD078F4690AA8874A3DEB38E802B2A16CCB602A7EDC2E077E98C05B5807
6452	n.exe	C:\Users\admin\AppData\Local\Temp\_MEI64522\_bz2.pyd		executable
		MD5:A4B636201605067B676CC43784AE5570	SHA256:F178E29921C04FB68CC08B1E5D1181E5DF8CE1DE38A968778E27990F4A69973C
6452	n.exe	C:\Users\admin\AppData\Local\Temp\_MEI64522\VCRUNTIME140_1.dll		executable
		MD5:75E78E4BF561031D39F86143753400FF	SHA256:1758085A61527B427C4380F0C976D29A8BEE889F2AC480C356A3F166433BF70E
6452	n.exe	C:\Users\admin\AppData\Local\Temp\_MEI64522\_decimal.pyd		executable
		MD5:10F7B96C666F332EC512EDADE873EECB	SHA256:6314C99A3EFA15307E7BDBE18C0B49BC841C734F42923A0B44AAB42ED7D4A62D
6452	n.exe	C:\Users\admin\AppData\Local\Temp\_MEI64522\_ctypes.pyd		executable
		MD5:87596DB63925DBFE4D5F0F36394D7AB0	SHA256:92D7954D9099762D81C1AE2836C11B6BA58C1883FDE8EEEFE387CC93F2F6AFB4
6452	n.exe	C:\Users\admin\AppData\Local\Temp\_MEI64522\Pythonwin\win32ui.pyd		executable
		MD5:B505E88EB8995C2EC46129FB4B389E6C	SHA256:BE7918B4F7E7DE53674894A4B8CFADCACB4726CEA39B7DB477A6C70231C41790
6452	n.exe	C:\Users\admin\AppData\Local\Temp\_MEI64522\libssl-1_1.dll		executable
		MD5:DE72697933D7673279FB85FD48D1A4DD	SHA256:ED1C8769F5096AFD000FC730A37B11177FCF90890345071AB7FBCEAC684D571F
6452	n.exe	C:\Users\admin\AppData\Local\Temp\_MEI64522\_elementtree.pyd		executable
		MD5:B9537EBD7EFC39C77F0505D9FFB84CDD	SHA256:940D360744414399037257431492853565B17F83D7D7D25FB0209EF6F7C260C2
6452	n.exe	C:\Users\admin\AppData\Local\Temp\_MEI64522\VCRUNTIME140.dll		executable
		MD5:F12681A472B9DD04A812E16096514974	SHA256:D66C3B47091CEB3F8D3CC165A43D285AE919211A0C0FCB74491EE574D8D464F8
6452	n.exe	C:\Users\admin\AppData\Local\Temp\_MEI64522\pyexpat.pyd		executable
		MD5:6BC89EBC4014A8DB39E468F54AAAFA5E	SHA256:DBE6E7BE3A7418811BD5987B0766D8D660190D867CD42F8ED79E70D868E8AA43

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
5924	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
5924	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6796	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6848	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4016	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3268	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
5336	SearchApp.exe	92.123.104.31:443	www.bing.com	Akamai International B.V.	DE	unknown
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
5924	svchost.exe	20.190.159.73:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3260	svchost.exe	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5924	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 51.124.78.146 20.73.194.208	whitelisted
google.com	142.250.185.206	whitelisted
www.bing.com	92.123.104.31 92.123.104.47 92.123.104.19 92.123.104.63 92.123.104.32 92.123.104.59 92.123.104.34 92.123.104.33 92.123.104.52	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.73 40.126.31.73 40.126.31.69 40.126.31.67 20.190.159.23 20.190.159.75 20.190.159.4 20.190.159.2	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
th.bing.com	92.123.104.19 92.123.104.31 92.123.104.32 92.123.104.33 92.123.104.47 92.123.104.34 92.123.104.63 92.123.104.52 92.123.104.59	whitelisted
fd.api.iris.microsoft.com	20.31.169.57	whitelisted
arc.msn.com	20.103.156.88	whitelisted
slscr.update.microsoft.com	20.12.23.50	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

n.exe

720C7F71DC90ABCCF1716683F14F217B

2A69C1190BCD09850214B5AC7C0AFCA8CD6FFA02

8076E15A7ED4A567E778FE2C66E03FD2D6634E5FB7D7E8FEF3C9DC0AA278A82E

98304:kXEtod5RT4wiyrMtlu1lhZdam6+KLTAHNMl/v0TqKJtT9IFLdZJULG8/Gkmu/ndM:F8pPuLnSUzyaJA

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Drops the executable file immediately after the start

Process drops legitimate windows executable

Creates file in the systems drive root

The process drops C-runtime libraries

Executable content was dropped or overwritten

Process drops python dynamic module

Application launched itself

Loads Python modules

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

Reads the machine GUID from the registry

PyInstaller has been detected (YARA)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings