Malware analysis 8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87 Malicious activity

Add for printing

File name:	8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87
Full analysis:	https://app.any.run/tasks/872bbc71-0fad-4c00-ad14-4b9925cb4135
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	January 10, 2025, 18:13:09
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	reflection loader
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:	C759322828B728B406066F7D04170334
SHA1:	99A3B91E0BFBA32C4884C6ACC167DA53EBB580DB
SHA256:	8944DE6CA208C12DC7086AE70FC0375635BEA9AE1B671FB1E54885F8B51B9C87
SSDEEP:	24576:f84s2mRsIb2qIfNEITgIW8UfrGm55em+GDvXwJ3ddGcIXU5A0ENL+b2T:f8emRsIb2qIfiITgIW8UfrGm55emLvXd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Run PowerShell with an invisible window
  - powershell.exe (PID: 6444)
SUSPICIOUS
- Starts POWERSHELL.EXE for commands execution
  - 8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87.exe (PID: 6316)
- Executable content was dropped or overwritten
  - 8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87.exe (PID: 6316)
- Converts a specified value to a byte (POWERSHELL)
  - powershell.exe (PID: 6444)
- Detects reflection assembly loader (YARA)
  - powershell.exe (PID: 6444)
INFO
- The sample compiled with english language support
  - 8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87.exe (PID: 6316)
- Reads the computer name
  - 8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87.exe (PID: 6316)
- Checks supported languages
  - 8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87.exe (PID: 6316)
- Create files in a temporary directory
  - 8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87.exe (PID: 6316)
- Script raised an exception (POWERSHELL)
  - powershell.exe (PID: 6444)
- Gets data length (POWERSHELL)
  - powershell.exe (PID: 6444)
- The process uses the downloaded file
  - powershell.exe (PID: 6444)
- Converts byte array into ASCII string (POWERSHELL)
  - powershell.exe (PID: 6444)
- Checks whether the specified file exists (POWERSHELL)
  - powershell.exe (PID: 6444)
- Uses string split method (POWERSHELL)
  - powershell.exe (PID: 6444)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:07:02 02:09:48+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	27136
InitializedDataSize:	184832
UninitializedDataSize:	2048
EntryPoint:	0x3532
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	3.5.0.0
ProductVersionNumber:	3.5.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	marg
InternalName:	ryge orkesterets.exe
LegalCopyright:	cassoni chirologies uncompliable
LegalTrademarks:	outblunder
ProductName:	sykes forlse

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

2 483

Monitored processes

2 359

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

General Info

8944de6ca208c12dc7086ae70fc0375635bea9ae1b671fb1e54885f8b51b9c87

C759322828B728B406066F7D04170334

99A3B91E0BFBA32C4884C6ACC167DA53EBB580DB

8944DE6CA208C12DC7086AE70FC0375635BEA9AE1B671FB1E54885F8B51B9C87

24576:f84s2mRsIb2qIfNEITgIW8UfrGm55em+GDvXwJ3ddGcIXU5A0ENL+b2T:f8emRsIb2qIfiITgIW8UfrGm55emLvXd

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Run PowerShell with an invisible window

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

Executable content was dropped or overwritten

Converts a specified value to a byte (POWERSHELL)

Detects reflection assembly loader (YARA)

INFO

The sample compiled with english language support

Reads the computer name

Checks supported languages

Create files in a temporary directory

Script raised an exception (POWERSHELL)

Gets data length (POWERSHELL)

The process uses the downloaded file

Converts byte array into ASCII string (POWERSHELL)

Checks whether the specified file exists (POWERSHELL)

Uses string split method (POWERSHELL)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph