File name:

8d61cce21d5ae050fb6268ba6093ef9e2bccd4957007526620aab0e6a630fcfe

Full analysis: https://app.any.run/tasks/78db11cd-9275-48a8-9c2c-920ed6f34805
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 10, 2025, 18:00:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
reflection
loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

D51CEC05AD91514ACD2245C933B3F59D

SHA1:

4370DFE00BAEF38D523A63356B6C6AF9A5CD0AC7

SHA256:

8D61CCE21D5AE050FB6268BA6093EF9E2BCCD4957007526620AAB0E6A630FCFE

SSDEEP:

49152:obnSt6JehOlyOSNnEdKbYqcVJpmhHTtf1r5YCr+6Mu1S9mxzoEY5fHZf2DAnEvL0:eJehTfnE8tcVrmBTbrWCy6R1SkxzoNfT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 6524)
  • SUSPICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • 8d61cce21d5ae050fb6268ba6093ef9e2bccd4957007526620aab0e6a630fcfe.exe (PID: 6332)
    • Executable content was dropped or overwritten

      • 8d61cce21d5ae050fb6268ba6093ef9e2bccd4957007526620aab0e6a630fcfe.exe (PID: 6332)
    • Converts a specified value to a byte (POWERSHELL)

      • powershell.exe (PID: 6524)
    • Detects reflection assembly loader (YARA)

      • powershell.exe (PID: 6524)
  • INFO

    • Checks supported languages

      • 8d61cce21d5ae050fb6268ba6093ef9e2bccd4957007526620aab0e6a630fcfe.exe (PID: 6332)
    • The sample compiled with english language support

      • 8d61cce21d5ae050fb6268ba6093ef9e2bccd4957007526620aab0e6a630fcfe.exe (PID: 6332)
    • Reads the computer name

      • 8d61cce21d5ae050fb6268ba6093ef9e2bccd4957007526620aab0e6a630fcfe.exe (PID: 6332)
    • The process uses the downloaded file

      • powershell.exe (PID: 6524)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 6524)
    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 6524)
    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 6524)
    • Uses string split method (POWERSHELL)

      • powershell.exe (PID: 6524)
    • Converts byte array into ASCII string (POWERSHELL)

      • powershell.exe (PID: 6524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductVersion: 3.2.0.0
ProductName: levevejenes transkontinental omrres
OriginalFileName: unarmoureds navigatrerne.exe
InternalName: unarmoureds navigatrerne.exe
FileDescription: pelsdyrsygdomme sms
Comments: circumspheral ubetvivlelig
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 3.2.0.0
FileVersionNumber: 3.2.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x33d8
UninitializedDataSize: 1024
InitializedDataSize: 161792
CodeSize: 26624
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2024:03:30 16:55:21+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
2 211
Monitored processes
2 082
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start 8d61cce21d5ae050fb6268ba6093ef9e2bccd4957007526620aab0e6a630fcfe.exe powershell.exe no specs conhost.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs dxdiag.exe no specs dxdiag.exe no specs dxdiag.exe no specs dxdiag.exe no specs dxdiag.exe no specs dxdiag.exe no specs dxdiag.exe no specs dxdiag.exe no specs dxdiag.exe no specs dxdiag.exe no specs dxdiag.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs dxdiag.exe no specs dxdiag.exe no specs dxdiag.exe no specs dxdiag.exe no specs dxdiag.exe no specs dxdiag.exe no specs dxdiag.exe no specs dxdiag.exe no specs dxdiag.exe no specs dxdiag.exe no specs dxdiag.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs dxdiag.exe no specs dxdiag.exe no specs