File name: 8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995

Full analysis: https://app.any.run/tasks/58c353a9-a1b4-463d-91b4-60c59ed4d354
Verdict: Malicious activity
Threats:

Stealers are malware built to obtain users' information without authorization and transfer it to the attacker. The category covers programs that each go after a particular kind of data, such as files, passwords, or cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is distributed mainly through phishing campaigns.

Analysis date: December 13, 2024, 19:14:54
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5: B223191D21DB36D65CF3150091ED7D72
SHA1: 29BEE34FF6D7D701429F68A2BBB019E45AFA12E4
SHA256: 8569AAF2CA2B8BE0E6009CDF3EF63DD46F62B46C1F2D64A96B7E76AA7A6F7995
SSDEEP: 49152:t/kqYCv9+7AXWS/OZrNpkOaiBJ5X0SahooFmpmoIx9JXja2UcWScHLcHjYZIqOMl:t/kqYKChrJNpdaiBJ5EbQI+NtU+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions looks like stealing of personal data

      • 8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe (PID: 5732)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe (PID: 5732)
    • Checks Windows Trust Settings

      • 8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe (PID: 5732)
    • Executes application which crashes

      • 8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe (PID: 5732)
  • INFO

    • Reads the machine GUID from the registry

      • 8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe (PID: 5732)
    • Reads the computer name

      • 8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe (PID: 5732)
    • Reads CPU info

      • 8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe (PID: 5732)
    • The sample compiled with english language support

      • 8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe (PID: 5732)
    • Reads the software policy settings

      • 8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe (PID: 5732)
      • WerFault.exe (PID: 5544)
    • Checks supported languages

      • 8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe (PID: 5732)
    • Checks proxy server information

      • 8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe (PID: 5732)
      • WerFault.exe (PID: 5544)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 5544)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2024:08:20 02:00:47+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 1225728
InitializedDataSize: 1364480
UninitializedDataSize: -
EntryPoint: 0xf4494
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 3.6.0.0
ProductVersionNumber: 3.6.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
FileDescription: SumatraPDF
FileVersion: 3.6
LegalCopyright: Copyright 2006-2024 all authors (GPLv3)
ProductName: SumatraPDF
ProductVersion: 3.6
CompanyName: Krzysztof Kowalczyk
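The version resource above says the file is SumatraPDF 3.6 by Krzysztof Kowalczyk, while the report's verdict is stealer and the process died with an access violation, so the first question for a triager is whether the PE header looks like the project's own build of that version. The parser below is an added example written for this page, not ANY.RUN's or the SumatraPDF project's code: it reads the fields the EXIF block lists (machine, section count, compile timestamp, linker version, entry point, subsystem, characteristics) with only the standard library and diffs them against a reference dictionary. The `build_constructed_pe32plus_header` blob is a constructed header that carries the reported values so the example runs offline; it is not the analysed sample, and any reference values you compare against must come from a trusted copy of SumatraPDF 3.6, which this page does not provide.

```python
"""Read the PE header fields a sandbox report lists (machine, sections,
timestamp, linker version, entry point, subsystem) straight from the bytes,
without a third-party PE library, and diff them against a known-good build."""
import struct
from datetime import datetime, timezone

IMAGE_FILE_MACHINE = {0x014C: "i386", 0x8664: "AMD64", 0xAA64: "ARM64"}
SUBSYSTEM = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}
# Bits behind the report's "ImageFileCharacteristics" line
CHARACTERISTICS = {0x0002: "Executable", 0x0020: "Large address aware", 0x2000: "DLL"}


def parse_pe_header(data: bytes) -> dict:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 70:
        raise ValueError("optional header too short")
    magic, lnk_major, lnk_minor, size_code, size_idata, size_udata, entry = \
        struct.unpack_from("<HBBIIII", data, opt)
    pe_type = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic)
    if pe_type is None:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # Version fields (offset 40) and Subsystem (offset 68) sit at the same
    # offsets in PE32 and PE32+; only BaseOfData/ImageBase differ before them.
    os_major, _os_minor, _img_major, _img_minor, ss_major, _ss_minor = \
        struct.unpack_from("<HHHHHH", data, opt + 40)
    subsystem, = struct.unpack_from("<H", data, opt + 68)
    return {
        "machine": IMAGE_FILE_MACHINE.get(machine, f"{machine:#06x}"),
        "sections": nsections,
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).isoformat(),
        "characteristics": [n for bit, n in CHARACTERISTICS.items() if characteristics & bit],
        "pe_type": pe_type,
        "linker_version": f"{lnk_major}.{lnk_minor}",
        "code_size": size_code,
        "initialized_data_size": size_idata,
        "uninitialized_data_size": size_udata,
        "entry_point": entry,
        "os_version": os_major,
        "subsystem_version": ss_major,
        "subsystem": SUBSYSTEM.get(subsystem, str(subsystem)),
    }


def diff_against_reference(parsed: dict, reference: dict) -> dict:
    """Fields where the suspect header disagrees with a trusted build's header."""
    return {k: (parsed.get(k), v) for k, v in reference.items() if parsed.get(k) != v}


def build_constructed_pe32plus_header() -> bytes:
    """CONSTRUCTED header blob for the example (not the analysed sample).
    It carries the values the report's EXIF section shows so the parser can
    be exercised offline: AMD64, 6 sections, 2024-08-20 02:00:47 UTC,
    linker 14.4, entry point 0xF4494, Windows GUI subsystem."""
    ts = int(datetime(2024, 8, 20, 2, 0, 47, tzinfo=timezone.utc).timestamp())
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664, 6, ts, 0, 0, 240, 0x0002 | 0x0020)
    opt = bytearray(240)                                        # PE32+ optional header size
    struct.pack_into("<HBBIIII", opt, 0, 0x20B, 14, 4, 1225728, 1364480, 0, 0xF4494)
    struct.pack_into("<HHHHHH", opt, 40, 6, 0, 0, 0, 6, 0)      # OS 6.0, image 0.0, subsystem 6.0
    struct.pack_into("<H", opt, 68, 2)                          # IMAGE_SUBSYSTEM_WINDOWS_GUI
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import json
    import sys
    # Pass a real file path to parse it; with no argument the constructed header is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_pe32plus_header()
    print(json.dumps(parse_pe_header(data), indent=2))
```

A timestamp, linker version or entry point that disagrees with the trusted build of the same version number is the cheap signal that the version resource was copied rather than inherited; a match proves nothing on its own, since a patched binary keeps its header.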
No data.
All screenshots are available in the full report
Total processes: 123
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> 8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe -> werfault.exe

Process information

PID: 5732
CMD: "C:\Users\admin\Desktop\8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe"
Path: C:\Users\admin\Desktop\8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe
Parent process: explorer.exe
User: admin
Company: Krzysztof Kowalczyk
Integrity Level: MEDIUM
Description: SumatraPDF
Version: 3.6
Exit code: 3221225477 (0xC0000005, STATUS_ACCESS_VIOLATION: the process crashed)
Modules (images loaded):
  c:\users\admin\desktop\8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\apphelp.dll
  c:\windows\system32\uxtheme.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\crypt32.dll
  c:\windows\system32\ucrtbase.dll

PID: 5544
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 5732 -s 2020 (Windows Error Reporting invoked for the crash of PID 5732)
Path: C:\Windows\System32\WerFault.exe
Parent process: 8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe (PID 5732)
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Version: 10.0.19041.1 (WinBuild.160101.0800)
Exit code: 0
Modules (images loaded):
  c:\windows\system32\werfault.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\combase.dll
  c:\windows\system32\cryptsp.dll
  c:\windows\system32\ucrtbase.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\oleaut32.dll
Total events: 9 483
Read events: 9 483
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 2
Text files: 3
Unknown types: 0

Dropped files

PID 5544, WerFault.exe: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_8569aaf2ca2b8be0_be6d619110c455128f0df67454638b56060da2d_ba0f1669_ccc6e7ac-a62e-43aa-882f-802f3ec26caa\Report.wer (type: -)
  MD5: -
  SHA256: -
PID 5544, WerFault.exe: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B4F.tmp.WERInternalMetadata.xml (type: xml)
  MD5: 7866C8241616DDB0704B1DCA1D15BCCD
  SHA256: 9E6CA7365D5B9E72ACDB3918C72910026A77FCF26434A877734B6824AA4DE98C
PID 5544, WerFault.exe: C:\ProgramData\Microsoft\Windows\WER\Temp\WER79F6.tmp.dmp (type: binary)
  MD5: ADFE4DA79CE214151CC46B4986C3002E
  SHA256: 3DB546E8F5060318D4CEAA8018D2492DE8290DD14B4CE3470375C2BFAB777F83
PID 5544, WerFault.exe: C:\ProgramData\Microsoft\Windows\WER\Temp\WER7B8E.tmp.xml (type: xml)
  MD5: 2365BFFD8E36F86BE800259BED79CAFB
  SHA256: 5FA6DE482CB0E34C5A29DF6563821A8A99C8BCD71D3DDA45169A84FB47A41C45
PID 5544, WerFault.exe: C:\Users\admin\AppData\Local\CrashDumps\8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe.5732.dmp (type: binary; WER user-mode crash dump of PID 5732)
  MD5: 31571E247120789248B431FBC971F96F
  SHA256: 175C8DB69855387BB38D1BD0E9DED2C5B4F382732E9D598339EEA52D75D9D82B
PID 5732, 8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe: C:\Users\admin\Desktop\SumatraPDF-settings.txt (type: text)
  MD5: FE07F7FC81852C0B65D42DED0DA72FE4
  SHA256: 4A617A3A88C945B83FF9DB4E8FD835C6CAD799985B0CA9090728C5679C16CF1E

All files except the last were written by WerFault.exe while handling the crash. The sample itself wrote only SumatraPDF-settings.txt beside its own executable, which is where a portable SumatraPDF build keeps its settings file.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 24
DNS requests: 9
Threats: 0

HTTP requests

PID  | Process             | Method | HTTP code | IP                  | URL                                                                      | CN, Reputation (as extracted)
-    | -                   | GET    | -         | 139.180.156.199:443 | https://139.180.156.199/jquery-3.3.2.slim.min.js                         | unknown
244  | RUXIMICS.exe        | GET    | 200       | 184.30.21.171:80    | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl        | unknown, whitelisted
1356 | svchost.exe         | GET    | 200       | 184.30.21.171:80    | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl        | unknown, whitelisted
4712 | MoUsoCoreWorker.exe | GET    | 200       | 184.24.77.35:80     | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown, whitelisted
244  | RUXIMICS.exe        | GET    | 200       | 184.24.77.35:80     | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown, whitelisted
4712 | MoUsoCoreWorker.exe | GET    | 200       | 184.30.21.171:80    | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl        | unknown, whitelisted
1356 | svchost.exe         | GET    | 200       | 184.24.77.35:80     | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown, whitelisted

The first row carries no process attribution or response code in this table; the Connections table attributes the 139.180.156.199:443 session to PID 5732, the sample. The remaining rows are Windows CRL fetches by system components.

Connections

PID  | Process                                                              | IP                  | Domain                          | ASN                         | CN | Reputation
244  | RUXIMICS.exe                                                         | 40.127.240.158:443  | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
-    | -                                                                    | 192.168.100.255:137 | -                               | -                           | -  | whitelisted
4712 | MoUsoCoreWorker.exe                                                  | 40.127.240.158:443  | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1356 | svchost.exe                                                          | 40.127.240.158:443  | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
-    | -                                                                    | 104.126.37.123:443  | www.bing.com                    | Akamai International B.V.   | DE | whitelisted
4    | System                                                               | 192.168.100.255:138 | -                               | -                           | -  | whitelisted
5732 | 8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe | 139.180.156.199:443 | -                               | AS-CHOOPA                   | SG | unknown
244  | RUXIMICS.exe                                                         | 184.24.77.35:80     | crl.microsoft.com               | Akamai International B.V.   | DE | whitelisted
1356 | svchost.exe                                                          | 184.24.77.35:80     | crl.microsoft.com               | Akamai International B.V.   | DE | whitelisted
4712 | MoUsoCoreWorker.exe                                                  | 184.24.77.35:80     | crl.microsoft.com               | Akamai International B.V.   | DE | whitelisted

Rows marked "-" in the PID column have no process attribution in the extracted table. The summary lists 24 TCP/UDP connections; only these rows are reproduced on this page.
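Everything in these tables apart from one row is routine Windows telemetry and CRL traffic. The outlier is PID 5732 opening TLS to 139.180.156.199 (AS-CHOOPA, SG) with no domain behind it and no DNS answer in the list below that resolves to that address, matched by the HTTP row that fetches a jQuery file from the same bare IP with no response code recorded. The rules below are an added example for this page, not ANY.RUN code and not a parser for its exports: they run over constructed records copied from the rows above and flag public destinations that were never resolved through DNS, TLS sessions to IP literals, non-whitelisted reputations, and URLs whose host is an address rather than a name. The local broadcast rows (192.168.100.255) are filtered out as LAN noise so they do not drown the real finding.

```python
"""Triage rules over the kind of network records a sandbox report lists.
The CONNECTIONS and HTTP_REQUESTS lists are constructed sample data that
mirror rows from the report's tables; they are not a parsed export."""
import ipaddress
from urllib.parse import urlsplit

SAMPLE = "8569aaf2ca2b8be0e6009cdf3ef63dd46f62b46c1f2d64a96b7e76aa7a6f7995.exe"

CONNECTIONS = [
    {"pid": 244, "process": "RUXIMICS.exe", "dst": "40.127.240.158:443",
     "domain": "settings-win.data.microsoft.com", "reputation": "whitelisted"},
    {"pid": 4, "process": "System", "dst": "192.168.100.255:138",
     "domain": None, "reputation": "whitelisted"},
    {"pid": 5732, "process": SAMPLE, "dst": "139.180.156.199:443",
     "domain": None, "reputation": "unknown"},
    {"pid": 1356, "process": "svchost.exe", "dst": "184.24.77.35:80",
     "domain": "crl.microsoft.com", "reputation": "whitelisted"},
]

HTTP_REQUESTS = [
    {"pid": None, "process": None, "method": "GET", "status": None,
     "url": "https://139.180.156.199/jquery-3.3.2.slim.min.js"},
    {"pid": 244, "process": "RUXIMICS.exe", "method": "GET", "status": 200,
     "url": "http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl"},
]


def split_dst(dst: str):
    """'ip:port' -> (ip_address, port); also accepts bracketed IPv6 like '[::1]:443'."""
    host, _, port = dst.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def is_local_noise(addr) -> bool:
    """LAN broadcast, NetBIOS, loopback and link-local traffic is not a finding here."""
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_multicast


def flag_connections(conns):
    findings = []
    for c in conns:
        addr, port = split_dst(c["dst"])
        if is_local_noise(addr):
            continue
        reasons = []
        if c["domain"] is None:
            reasons.append("destination never resolved via DNS")
            if port == 443:
                # A client dialing a literal IP sends no SNI (RFC 6066 forbids IP
                # literals there), so the session also slips past SNI-based filtering.
                reasons.append("TLS to a bare IP, no SNI")
        if c["reputation"] != "whitelisted":
            reasons.append(f"reputation '{c['reputation']}'")
        if reasons:
            findings.append({"pid": c["pid"], "process": c["process"],
                             "dst": c["dst"], "reasons": reasons})
    return findings


def host_is_ip_literal(url: str) -> bool:
    host = urlsplit(url).hostname or ""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def flag_http(reqs):
    findings = []
    for r in reqs:
        reasons = []
        if host_is_ip_literal(r["url"]):
            reasons.append("URL addresses the server by IP literal")
        if r["status"] is None:
            reasons.append("no HTTP response recorded")
        if reasons:
            findings.append({"url": r["url"], "process": r["process"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in flag_connections(CONNECTIONS) + flag_http(HTTP_REQUESTS):
        print(finding)
```

Real CDNs serve jQuery from hostnames, not from a bare Vultr address, so the IP-literal rule alone would have surfaced this request; the DNS rule is the one that generalises, because it catches the same behaviour when the file name is something less recognisable.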

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
  • 51.104.136.2
whitelisted
www.bing.com
  • 104.126.37.123
  • 104.126.37.137
  • 104.126.37.136
  • 104.126.37.129
  • 104.126.37.147
  • 104.126.37.144
  • 104.126.37.152
  • 104.126.37.145
  • 104.126.37.139
whitelisted
google.com
  • 142.250.186.142
whitelisted
crl.microsoft.com
  • 184.24.77.35
  • 184.24.77.37
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
watson.events.data.microsoft.com
  • 20.42.65.92
whitelisted
self.events.data.microsoft.com
  • 20.189.173.24
whitelisted

Threats

No threats detected
No debug info