File name:

88a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81

Full analysis: https://app.any.run/tasks/7cd26aab-4451-41be-bd72-913e34aaf360
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 11, 2025, 00:46:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
reflection
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

831A8A58088361D324C958970B8ED79C

SHA1:

13366BEFE0AF1EBB0665C81209DCAB3388257CF0

SHA256:

88A5FA91E12BE14E5E37A237DA70392DD9218F29AD88FA2CFF8693AB4E215E81

SSDEEP:

24576:2wYksJgT5K8VVbzdV55DgTPtQbbOaTNEH7c/1Xd9+/P60E2Y/DH5+MIOKvMm1ELF:2wYksJgT5H7bzd/5DgTPtQbbOaTNEH7E

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6668)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 6668)
      • 88a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81.exe (PID: 6604)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 6668)
    • Starts POWERSHELL.EXE for commands execution

      • 88a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81.exe (PID: 6604)
    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 6668)
    • Executes application which crashes

      • msiexec.exe (PID: 1412)
  • INFO

    • Creates files or folders in the user directory

      • 88a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81.exe (PID: 6604)
      • WerFault.exe (PID: 4400)
      • msiexec.exe (PID: 1412)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6668)
    • The process uses the downloaded file

      • powershell.exe (PID: 6668)
    • Reads the computer name

      • 88a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81.exe (PID: 6604)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 6668)
    • Checks supported languages

      • 88a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81.exe (PID: 6604)
    • Create files in a temporary directory

      • 88a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81.exe (PID: 6604)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6668)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6668)
    • The sample compiled with english language support

      • 88a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81.exe (PID: 6604)
      • powershell.exe (PID: 6668)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 6668)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 1412)
    • Checks proxy server information

      • msiexec.exe (PID: 1412)
      • WerFault.exe (PID: 4400)
    • Reads the software policy settings

      • WerFault.exe (PID: 4400)
      • msiexec.exe (PID: 1412)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:12:27 06:26:01+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 25088
InitializedDataSize: 141824
UninitializedDataSize: 2048
EntryPoint: 0x33b6
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.2.0.0
ProductVersionNumber: 1.2.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: omophagous aakirkebyboernes
CompanyName: illegitimitet fatling
InternalName: harbinger.exe
LegalCopyright: frgeriet kuphar autopsies
OriginalFileName: harbinger.exe
ProductName: embryologies isbaade
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
132
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start 88a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81.exe powershell.exe conhost.exe no specs msiexec.exe werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
6604"C:\Users\admin\AppData\Local\Temp\88a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81.exe" C:\Users\admin\AppData\Local\Temp\88a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81.exe
explorer.exe
User:
admin
Company:
illegitimitet fatling
Integrity Level:
MEDIUM
Exit code:
4294967295
Modules
Images
c:\users\admin\appdata\local\temp\88a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6668powershell.exe -windowstyle hidden "$Forebrace7=gc -raw 'C:\Users\admin\AppData\Local\magmaet\clenched\Dipterologist.Fra';$Afskalning=$Forebrace7.SubString(15810,3);.$Afskalning($Forebrace7) "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
88a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6676\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1412"C:\WINDOWS\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe
powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
3762504530
Version:
5.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
4400C:\WINDOWS\SysWOW64\WerFault.exe -u -p 1412 -s 2076C:\Windows\SysWOW64\WerFault.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
11 534
Read events
11 534
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
17
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
660488a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81.exeC:\Users\admin\AppData\Local\magmaet\clenched\Gruppekonto\salpen.zoo
MD5:
SHA256:
660488a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81.exeC:\Users\admin\AppData\Local\Temp\nsz56DE.tmp
MD5:
SHA256:
6668powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ntfiwqed.4o2.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6668powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCachebinary
MD5:5F62DFB53E47D6CD6715ABE772A855F8
SHA256:C327736DF96A1BC7AC8A64CFC9935A7665EE601ACCC469BAB24E3822FA7AEFC0
6668powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4wylf5by.i1l.psm1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6668powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rrod1cyt.si2.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1412msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199binary
MD5:E935BC5762068CAF3E24A2683B1B8A88
SHA256:A8ACCFCFEB51BD73DF23B91F4D89FF1A9EB7438EF5B12E8AFDA1A6FF1769E89D
6668powershell.exeC:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_e40cr1hx.o03.ps1text
MD5:D17FE0A3F47BE24A6453E9EF58C94641
SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
660488a5fa91e12be14e5e37a237da70392dd9218f29ad88fa2cff8693ab4e215e81.exeC:\Users\admin\AppData\Local\Temp\nsg5AA8.tmp\nsExec.dllexecutable
MD5:1B0E41F60564CCCCCD71347D01A7C397
SHA256:13EBC725F3F236E1914FE5288AD6413798AD99BEF38BFE9C8C898181238E8A10
1412msiexec.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:C714DAA995E419BF089C3C12BC10E7D6
SHA256:0A109BBE66E311717624C8F0D6EC727CD88C6D79763D3861FECB16A23BB2E9CA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
42
DNS requests
26
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1412
msiexec.exe
GET
200
142.250.185.163:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
whitelisted
1412
msiexec.exe
GET
200
142.250.184.195:80
http://c.pki.goog/r/r1.crl
unknown
whitelisted
1412
msiexec.exe
GET
200
142.250.185.195:80
http://o.pki.goog/wr2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRTQtSEi8EX%2BbYUTXd8%2ByMxD3s1zQQU3hse7XkV1D43JMMhu%2Bw0OW1CsjACEQDREXAZkIcRFgn9FoWvtnQ0
unknown
whitelisted
4400
WerFault.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3700
svchost.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
3700
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4712
MoUsoCoreWorker.exe
GET
200
2.16.241.19:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
3700
svchost.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
2.16.241.19:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
3700
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
5064
SearchApp.exe
2.23.227.208:443
www.bing.com
Ooredoo Q.S.C.
QA
whitelisted
4
System
192.168.100.255:138
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.16.241.19
  • 2.16.241.12
whitelisted
google.com
  • 172.217.16.142
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 184.30.21.171
  • 2.23.246.101
whitelisted
www.bing.com
  • 2.23.227.208
  • 2.23.227.215
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
go.microsoft.com
  • 2.23.242.9
whitelisted
login.live.com
  • 20.190.159.64
  • 40.126.31.69
  • 20.190.159.2
  • 20.190.159.73
  • 20.190.159.0
  • 20.190.159.4
  • 40.126.31.73
  • 20.190.159.68
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

No threats detected
No debug info