File name: MidNight.exe
Full analysis: https://app.any.run/tasks/ecc884a0-0e3d-4f97-bb58-776314d34f0f
Verdict: Malicious activity
Analysis date: May 24, 2024, 21:38:25
OS: Windows 10 Professional (build: 19045, 64 bit)

Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 8C46A714AA3497C0D0C1761C6E5EDA8B
SHA1: E3D0A9241ABB9894B44A2871E17051FBED62BAF6
SHA256: 8625BAC45CF93D62D4C08984E823D0EC34FED5A51BDE0C63436A61020F3122E2
SSDEEP: 49152:QFrKj5GoRdQ6DghpT5k5nWMTX46mopGec7TMCQTt0vvuxvQAYZ4FWXmU:QFrKdvIXk5nrp/c7oCQh0vV4FumU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • MidNight.exe (PID: 6556)
    • Uses sleep, probably for detection evasion (SCRIPT)
      • wscript.exe (PID: 6636)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • MidNight.exe (PID: 6556)
    • Reads security settings of Internet Explorer
      • MidNight.exe (PID: 6556)
    • Starts CMD.EXE for command execution
      • wscript.exe (PID: 6636)
    • Executes commands from a ".bat" file
      • wscript.exe (PID: 6636)
    • Reads the date of Windows installation
      • MidNight.exe (PID: 6556)
    • Runs shell command (SCRIPT)
      • wscript.exe (PID: 6636)
  • INFO
    • Reads the computer name
      • MidNight.exe (PID: 6556)
      • hypernetSvc.exe (PID: 7124)
    • Process checks computer location settings
      • MidNight.exe (PID: 6556)
    • Checks supported languages
      • hypernetSvc.exe (PID: 7124)
      • MidNight.exe (PID: 6556)
    • Reads the machine GUID from the registry
      • hypernetSvc.exe (PID: 7124)
    • Reads environment values
      • hypernetSvc.exe (PID: 7124)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:12:01 18:00:55+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14
CodeSize: 201216
InitializedDataSize: 346112
UninitializedDataSize: -
EntryPoint: 0x1ec40
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
Total processes: 126
Monitored processes: 6
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Processes shown in the graph (interactive details are in the full report): midnight.exe, wscript.exe, cmd.exe, conhost.exe, hypernetsvc.exe, midnight.exe

Process information

PID: 6480
CMD: "C:\Users\admin\Desktop\MidNight.exe"
Path: C:\Users\admin\Desktop\MidNight.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Modules (images):
  • c:\users\admin\desktop\midnight.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll

PID: 6556
CMD: "C:\Users\admin\Desktop\MidNight.exe"
Path: C:\Users\admin\Desktop\MidNight.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  • c:\users\admin\desktop\midnight.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.19041.3996_none_d954cb49e10154a6\gdiplus.dll

PID: 6636
CMD: "C:\WINDOWS\System32\WScript.exe" "C:\msWebcrt\j5B0Zv2VKfqCh87UmxeVZFHdIBf3R.vbe"
Path: C:\Windows\SysWOW64\wscript.exe
Parent process: MidNight.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.812.10240.16384
Modules (images):
  • c:\windows\syswow64\wscript.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll

PID: 7032
CMD: C:\WINDOWS\system32\cmd.exe /c ""C:\msWebcrt\qeI37R9jqNEWER2rJ1OW.bat" "
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\cmd.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\msvcrt.dll
  • c:\windows\syswow64\combase.dll

PID: 7064
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 7124
CMD: "C:\msWebcrt\hypernetSvc.exe"
Path: C:\msWebcrt\hypernetSvc.exe
Parent process: cmd.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 5.15.2.0
Modules (images):
  • c:\mswebcrt\hypernetsvc.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
Total events: 3 427
Read events: 3 408
Write events: 19
Delete events: 0

Modification events

(PID) Process: (6556) MidNight.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\ApplicationAssociationToasts
Operation: write
Name: VBEFile_.vbe
Value: 0

(PID) Process: (6556) MidNight.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbe\OpenWithProgids
Operation: write
Name: VBEFile
Value:

(PID) Process: (6556) MidNight.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6556) MidNight.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6556) MidNight.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6556) MidNight.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (6636) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (6636) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (6636) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (6636) wscript.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0
Executable files: 1
Suspicious files: 1
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type
6556 | MidNight.exe | C:\msWebcrt\qeI37R9jqNEWER2rJ1OW.bat | text
  MD5: 6B91012CA4C1019318EE326326C46FB2
  SHA256: E382160E56560CBB5E5FF4804A647C8A636E934D084F1DC59247777D441B1F9D
6556 | MidNight.exe | C:\msWebcrt\j5B0Zv2VKfqCh87UmxeVZFHdIBf3R.vbe | vbe
  MD5: 1D14631E794F6E62EC6E6376674B4AB8
  SHA256: 0D37C11570801B9A3E4D30968F495CD8BF8179484652E3D9A533A8363C84CAF4
6556 | MidNight.exe | C:\msWebcrt\hypernetSvc.exe | executable
  MD5: 0706A0530B74621568A8B30336AE4FD2
  SHA256: 209FC27EEEFCC1D05894FABC7F4FD3D585FF14686F768730BEB927AC748121EF
HTTP(S) requests: 7
TCP/UDP connections: 22
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1636 | RUXIMICS.exe | GET | 200 | 23.223.17.207:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown | | 
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.223.17.207:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown | | 
4232 | svchost.exe | GET | 200 | 23.223.17.207:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown | | 
1636 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown | | 
4232 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown | | 
5140 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | unknown | | 
2908 | OfficeClickToRun.exe | POST | 200 | 51.116.253.170:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | 

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4364 | svchost.exe | 239.255.255.250:1900 | | | | unknown
4 | System | 192.168.100.255:138 | | | | unknown
4232 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1636 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5140 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1636 | RUXIMICS.exe | 23.223.17.207:80 | crl.microsoft.com | AKAMAI-AS | US | unknown
4232 | svchost.exe | 23.223.17.207:80 | crl.microsoft.com | AKAMAI-AS | US | unknown
5140 | MoUsoCoreWorker.exe | 23.223.17.207:80 | crl.microsoft.com | AKAMAI-AS | US | unknown
1636 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
4232 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | unknown

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 23.223.17.207, 23.223.17.198 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
self.events.data.microsoft.com | 13.89.178.26 | whitelisted

Threats

No threats detected
No debug info