File name: better_sso_v1.exe

Full analysis: https://app.any.run/tasks/15c00cba-5ee1-433a-8a58-df8ee29df2be
Verdict: Malicious activity
Analysis date: July 26, 2024, 23:47:05
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (GUI) x86-64, for MS Windows
MD5: 6A60F6FBD451BFB11D0C943706CEDA0A
SHA1: 15AFE57C61DC29DB351B04F64FD494796EF07E37
SHA256: 82C2F0AF2F595FF2656F3C418246FFD7F8DAA22D0CC38605977DEF4E42FD32BD
SSDEEP: 98304:jMKPc+QjvFRvN8UJjBxQFI8LbadAe4PqmMRL+O+y6TjWmtX9ZWWXLkvdG171UIrz:jMKLo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • better_sso_v1.exe (PID: 2188)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • better_sso_v1.exe (PID: 2188)
    • Connects to unusual port

      • bsso_tor.exe (PID: 3056)
  • INFO

    • Create files in a temporary directory

      • better_sso_v1.exe (PID: 2188)
    • Checks supported languages

      • better_sso_v1.exe (PID: 2188)
      • bsso_tor.exe (PID: 3056)
    • Reads the computer name

      • better_sso_v1.exe (PID: 2188)
      • bsso_tor.exe (PID: 3056)
    • Reads the machine GUID from the registry

      • bsso_tor.exe (PID: 3056)
    • Checks proxy server information

      • slui.exe (PID: 7076)
    • Creates files or folders in the user directory

      • bsso_tor.exe (PID: 3056)
    • Reads the software policy settings

      • slui.exe (PID: 7076)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:07:25 22:57:13+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 66560
InitializedDataSize: 2619904
UninitializedDataSize: -
EntryPoint: 0x5800
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 135
Monitored processes: 4
Malicious processes: 0
Suspicious processes: 1

Behavior graph

Graph nodes: start, better_sso_v1.exe, slui.exe, bsso_tor.exe, conhost.exe (no specs)

Process information

PID: 2188
CMD: "C:\Users\admin\Desktop\better_sso_v1.exe"
Path: C:\Users\admin\Desktop\better_sso_v1.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\users\admin\desktop\better_sso_v1.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\gdi32full.dll
  • c:\windows\system32\msvcp_win.dll

PID: 3056
CMD: "C:\Users\admin\AppData\Local\Temp\\bsso_tor.exe"
Path: C:\Users\admin\AppData\Local\Temp\bsso_tor.exe
Parent process: better_sso_v1.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  • c:\users\admin\appdata\local\temp\bsso_tor.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\ws2_32.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\shell32.dll
  • c:\windows\system32\msvcp_win.dll

PID: 6740
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: bsso_tor.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 7076
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll
Total events: 4 527
Read events: 4 527
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 0
Text files: 2
Unknown types: 0

Dropped files

PID  | Process           | Filename                                             | Type
2188 | better_sso_v1.exe | C:\Users\admin\AppData\Local\Temp\bsso_tor.exe       | executable
       MD5: A46913AB31875CF8152C96BD25027B4D
       SHA256: 66FD723D0DD219807C6D7DCC331E25C8D05ADCCF4A66312928FBE1D0E45670ED
3056 | bsso_tor.exe      | C:\Users\admin\AppData\Roaming\tor\state.tmp         | text
       MD5: 390A77FEF27AB8A744C031324C1808CC
       SHA256: ABA2A1CAB7382D8EF00E9B0FCA515AC29B60A934187255A4B237AB5682C89BFD
3056 | bsso_tor.exe      | C:\Users\admin\AppData\Roaming\tor\state             | text
       MD5: 390A77FEF27AB8A744C031324C1808CC
       SHA256: ABA2A1CAB7382D8EF00E9B0FCA515AC29B60A934187255A4B237AB5682C89BFD
HTTP(S) requests: 3
TCP/UDP connections: 31
DNS requests: 8
Threats: 13

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | -
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | -
- | - | POST | 200 | 51.132.193.105:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | -

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
- | - | 131.253.33.254:443 | a-ring-fallback.msedge.net | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
- | - | 2.20.142.154:443 | www.bing.com | Akamai International B.V. | DE | unknown
4380 | slui.exe | 40.91.76.224:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6012 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
1996 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
3952 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1620 | slui.exe | 40.91.76.224:443 | - | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
t-ring-fdv2.msedge.net | 13.107.237.254 | unknown
a-ring-fallback.msedge.net | 131.253.33.254 | unknown
www.bing.com | 2.20.142.154, 92.122.215.65, 92.122.215.53, 2.20.142.180, 92.122.215.57, 2.20.142.187 | whitelisted
google.com | 142.250.184.238 | whitelisted
self.events.data.microsoft.com | 20.189.173.9 | whitelisted

Threats

PID | Process | Class | Message
- | - | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 216
- | - | Misc Attack | ET TOR Known Tor Exit Node Traffic group 97
- | - | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 97
- | - | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 715
- | - | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 405
- | - | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 300
- | - | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 780
- | - | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 323
- | - | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 398
- | - | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 145
No debug info