URL:

https://victorleal.com/files/cyb1.exe

Full analysis: https://app.any.run/tasks/c4fc4bf7-3946-4150-bab9-119212ebc011
Verdict: Malicious activity
Analysis date: December 06, 2022, 01:49:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

8514E2D2E8BE3FC76B43E9515F2DB668

SHA1:

1F3542018D7059846E7246A7A62943A87B3776EF

SHA256:

85A95D2B6A5DBCFC47E10FE0234CF0C55B6DB665ADD9DD99BE25757992035C10

SSDEEP:

3:N8JRIAgx0KGN:2JuAHN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • cyb1.exe (PID: 2356)
      • cyb1.exe (PID: 548)
      • ScreenConnect.ClientService.exe (PID: 2036)
      • ScreenConnect.WindowsClient.exe (PID: 1980)
      • ScreenConnect.WindowsClient.exe (PID: 1232)
    • Loads dropped or rewritten executable

      • rundll32.exe (PID: 4088)
      • ScreenConnect.WindowsClient.exe (PID: 1232)
      • ScreenConnect.WindowsClient.exe (PID: 1980)
      • ScreenConnect.ClientService.exe (PID: 2036)
  • SUSPICIOUS

    • Application launched itself

      • msiexec.exe (PID: 3520)
    • Executable content was dropped or overwritten

      • cyb1.exe (PID: 548)
  • INFO

    • Drops a file that was compiled in debug mode

      • iexplore.exe (PID: 624)
      • msiexec.exe (PID: 3520)
    • Application launched itself

      • iexplore.exe (PID: 624)
    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 624)
      • rundll32.exe (PID: 4088)
      • msiexec.exe (PID: 3520)
    • Drops the executable file immediately after the start

      • iexplore.exe (PID: 624)
      • msiexec.exe (PID: 3520)
      • rundll32.exe (PID: 4088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
54
Monitored processes
14
Malicious processes
5
Suspicious processes
3

Behavior graph

Click at the process to see the details
drop and start drop and start start iexplore.exe iexplore.exe cyb1.exe no specs cyb1.exe msiexec.exe no specs msiexec.exe msiexec.exe no specs rundll32.exe vssvc.exe no specs msiexec.exe no specs msiexec.exe no specs screenconnect.clientservice.exe screenconnect.windowsclient.exe no specs screenconnect.windowsclient.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
624"C:\Program Files\Internet Explorer\iexplore.exe" "https://victorleal.com/files/cyb1.exe"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
404"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:624 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2356"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\cyb1.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\cyb1.exeiexplore.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\po2hn1x2\cyb1.exe
c:\windows\system32\ntdll.dll
548"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\cyb1.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\cyb1.exe
iexplore.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\po2hn1x2\cyb1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2168"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\setup.msi"C:\Windows\System32\msiexec.execyb1.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
3520C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3692C:\Windows\system32\MsiExec.exe -Embedding 85A5D05203749181310524179FA18BC9 CC:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
4088rundll32.exe "C:\Users\admin\AppData\Local\Temp\MSI2BB4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_17247203 1 ScreenConnect.InstallerActions!ScreenConnect.ClientInstallerActions.FixupServiceArgumentsC:\Windows\system32\rundll32.exe
MsiExec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\lpk.dll
c:\windows\system32\advapi32.dll
312C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3348C:\Windows\system32\MsiExec.exe -Embedding 51ADC2D0E13B43477D0F6EF8B1065686C:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
19 054
Read events
18 693
Write events
0
Delete events
0

Modification events

No data
Executable files
20
Suspicious files
18
Text files
11
Unknown types
8

Dropped files

PID
Process
Filename
Type
404iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\cyb1[1].exeexecutable
MD5:C27712AE6EABF87C735029ACD91EE724
SHA256:7B2BC2C4D71FA31E386BDA9407CEB41A43A884819E7541FB55B5C414BC70D01E
404iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751binary
MD5:D911620FF533F11E0A14CCC585D4E555
SHA256:CF36E20C527FCDB39176D8BB786681BD035D771898E2C5C3940980E47AFEA210
624iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442binary
MD5:2FBCCBCA7BA3B4D0587F3D990E294CC0
SHA256:175B2F7C73E8AFA25398E07409165C0FF394423475B234DEF81BCCF17575FCF1
624iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442der
MD5:503AD061073A29CEE4CB12D552F6A5B3
SHA256:D2A97423F8B71CA1DAAC39F8A037DCA022303C1ADFBD49995EFF3B36AFFF33F9
404iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\cyb1.exe.9obfsyr.partialexecutable
MD5:9B3E6B0ABD0BA32742FE7BB8D3008194
SHA256:0490BCFE5A3887D52A0E6CD523E10426EC1703D05B07D1BF7A0FEA1CD5369F76
404iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:730B93F52F4FA167D5FEA23AEB48CC6B
SHA256:B7E3B75CB09B7DB1F8C5F628427E6EA16CFB318310F9CFC52C4344AA3DDB083B
404iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:39DA24B5E11DEB98CA8F3A6FB82C3BF8
SHA256:8F2F4674276D2736528BCF2B25BD67DCB8308EE48B15FF9178FCB0534EFE7D4F
404iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:FC4666CBCA561E864E7FDF883A9E6661
SHA256:10F3DEB6C452D749A7451B5D065F4C0449737E5EE8A44F4D15844B503141E65B
404iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\CabF33.tmpcompressed
MD5:FC4666CBCA561E864E7FDF883A9E6661
SHA256:10F3DEB6C452D749A7451B5D065F4C0449737E5EE8A44F4D15844B503141E65B
624iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF3E548BBA9A3FFCBD.TMPgmc
MD5:35230E0822D15F659174931576419A18
SHA256:B5E0FF20C2B640FCF7298FA7C7C0BFA2E7EFF1B17D1A20E60CB6C6EC15DA83CD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
10
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
624
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
US
der
1.47 Kb
whitelisted
404
iexplore.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a6345407635414c2
US
compressed
61.4 Kb
whitelisted
404
iexplore.exe
GET
200
23.45.105.185:80
http://x1.c.lencr.org/
NL
der
717 b
whitelisted
404
iexplore.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?54162df0b2e02304
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
404
iexplore.exe
209.197.3.8:80
ctldl.windowsupdate.com
STACKPATH-CDN
US
whitelisted
624
iexplore.exe
204.79.197.200:443
www.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
404
iexplore.exe
208.88.6.59:443
CIRRUSTECHLTD
CA
unknown
2036
ScreenConnect.ClientService.exe
147.75.63.52:443
instance-hcg3z5-relay.screenconnect.com
PACKET
US
unknown
624
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
EDGECAST
GB
whitelisted
404
iexplore.exe
23.45.105.185:80
x1.c.lencr.org
AKAMAI-AS
DE
unknown

DNS requests

Domain
IP
Reputation
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
x1.c.lencr.org
  • 23.45.105.185
whitelisted
instance-hcg3z5-relay.screenconnect.com
  • 147.75.63.52
unknown

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
No debug info