Malware analysis widget.exe Malicious activity | ANY.RUN

Add for printing

File name:	widget.exe
Full analysis:	https://app.any.run/tasks/bc7eb1d9-f43d-4499-b57f-472303a0fb32
Verdict:	Malicious activity
Analysis date:	September 21, 2024, 18:37:18
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	pyinstaller
Indicators:
MIME:	application/x-dosexec
File info:	PE32+ executable (GUI) x86-64, for MS Windows
MD5:	5D7D4194E8EB4DC6EAB29A1B3C080E65
SHA1:	25BA20CC7B3698FCE334A20537A93A1166DC39F1
SHA256:	8E32EF5CB12C168B331C67B8D5A40A97DEA231AA2377DC6468DCAFA580F5F095
SSDEEP:	98304:tEWKYMpk/qrzehL7f9/Vw9aMvZA4OFt6GHgBuHhiLu6u7UJDZ2pli9TZIATPSkO/:Aw9Tyl7NddNvWGBaou7VZ+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Process drops legitimate windows executable
  - widget.exe (PID: 6468)
- Process drops python dynamic module
  - widget.exe (PID: 6468)
- Executable content was dropped or overwritten
  - widget.exe (PID: 6468)
- The process drops C-runtime libraries
  - widget.exe (PID: 6468)
- Application launched itself
  - widget.exe (PID: 6468)
INFO
- Reads the computer name
  - widget.exe (PID: 6468)
- Create files in a temporary directory
  - widget.exe (PID: 6468)
- PyInstaller has been detected (YARA)
  - widget.exe (PID: 6468)
  - widget.exe (PID: 2964)
- Checks supported languages
  - widget.exe (PID: 6468)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	InstallShield setup (57.6)
.exe	\|	Win64 Executable (generic) (36.9)
.exe	\|	Generic Win/DOS Executable (2.6)
.exe	\|	DOS Executable Generic (2.6)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2024:09:20 09:00:14+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.4
CodeSize:	168960
InitializedDataSize:	153600
UninitializedDataSize:	-
EntryPoint:	0xc0d0
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

128

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2964

"C:\Users\admin\AppData\Local\Temp\widget.exe"

C:\Users\admin\AppData\Local\Temp\widget.exe

widget.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\widget.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

4316

C:\WINDOWS\system32\SppExtComObj.exe -Embedding

C:\Windows\System32\SppExtComObj.Exe

—

svchost.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

KMS Connection Broker

Version:

10.0.19041.3996 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll

6468

"C:\Users\admin\AppData\Local\Temp\widget.exe"

C:\Users\admin\AppData\Local\Temp\widget.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\widget.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll

6844

"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent

C:\Windows\System32\slui.exe

—

SppExtComObj.Exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Activation Client

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

Add for printing

Total events

305

Read events

305

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

921

Unknown types

Dropped files

PID	Process	Filename		Type
6468	widget.exe	C:\Users\admin\AppData\Local\Temp\_MEI64682\VCRUNTIME140_1.dll		executable
		MD5:F8DFA78045620CF8A732E67D1B1EB53D	SHA256:A113F192195F245F17389E6ECBED8005990BCB2476DDAD33F7C4C6C86327AFE5
6468	widget.exe	C:\Users\admin\AppData\Local\Temp\_MEI64682\_ctypes.pyd		executable
		MD5:5377AB365C86BBCDD998580A79BE28B4	SHA256:6C5F31BEF3FDBFF31BEAC0B1A477BE880DDA61346D859CF34CA93B9291594D93
6468	widget.exe	C:\Users\admin\AppData\Local\Temp\_MEI64682\VCRUNTIME140.dll		executable
		MD5:BE8DBE2DC77EBE7F88F910C61AEC691A	SHA256:4D292623516F65C80482081E62D5DADB759DC16E851DE5DB24C3CBB57B87DB83
6468	widget.exe	C:\Users\admin\AppData\Local\Temp\_MEI64682\_socket.pyd		executable
		MD5:69801D1A0809C52DB984602CA2653541	SHA256:67ACA001D36F2FCE6D88DBF46863F60C0B291395B6777C22B642198F98184BA3
6468	widget.exe	C:\Users\admin\AppData\Local\Temp\_MEI64682\_hashlib.pyd		executable
		MD5:A25BC2B21B555293554D7F611EAA75EA	SHA256:43ACECDC00DD5F9A19B48FF251106C63C975C732B9A2A7B91714642F76BE074D
6468	widget.exe	C:\Users\admin\AppData\Local\Temp\_MEI64682\api-ms-win-core-datetime-l1-1-0.dll		executable
		MD5:C5E3E5DF803C9A6D906F3859355298E1	SHA256:956773A969A6213F4685C21702B9ED5BD984E063CF8188ACBB6D55B1D6CCBD4E
6468	widget.exe	C:\Users\admin\AppData\Local\Temp\_MEI64682\api-ms-win-core-errorhandling-l1-1-0.dll		executable
		MD5:F1534C43C775D2CCEB86F03DF4A5657D	SHA256:6E6BFDC656F0CF22FABBA1A25A42B46120B1833D846F2008952FE39FE4E57AB2
6468	widget.exe	C:\Users\admin\AppData\Local\Temp\_MEI64682\api-ms-win-core-debug-l1-1-0.dll		executable
		MD5:71F1D24C7659171EAFEF4774E5623113	SHA256:C45034620A5BB4A16E7DD0AFF235CC695A5516A4194F4FEC608B89EABD63EEEF
6468	widget.exe	C:\Users\admin\AppData\Local\Temp\_MEI64682\api-ms-win-core-interlocked-l1-1-0.dll		executable
		MD5:4F631924E3F102301DAC36B514BE7666	SHA256:E2406077621DCE39984DA779F4D436C534A31C5E863DB1F65DE5939D962157AF
6468	widget.exe	C:\Users\admin\AppData\Local\Temp\_MEI64682\_lzma.pyd		executable
		MD5:9E94FAC072A14CA9ED3F20292169E5B2	SHA256:A46189C5BD0302029847FED934F481835CB8D06470EA3D6B97ADA7D325218A9F

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
1128	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
1128	SIHClient.exe	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
—	—	GET	200	23.35.229.160:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
740	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
6920	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	23.35.229.160:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	20.190.159.64:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
892	svchost.exe	20.190.159.64:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4324	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158	whitelisted
www.microsoft.com	23.35.229.160	whitelisted
google.com	142.250.185.78	whitelisted
login.live.com	20.190.159.64 40.126.31.71 20.190.159.2 40.126.31.69 20.190.159.4 20.190.159.0 40.126.31.67 40.126.31.73	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
slscr.update.microsoft.com	52.165.165.26	whitelisted
fe3cr.delivery.mp.microsoft.com	13.85.23.206	whitelisted
nexusrules.officeapps.live.com	52.111.229.19	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

widget.exe

5D7D4194E8EB4DC6EAB29A1B3C080E65

25BA20CC7B3698FCE334A20537A93A1166DC39F1

8E32EF5CB12C168B331C67B8D5A40A97DEA231AA2377DC6468DCAFA580F5F095

98304:tEWKYMpk/qrzehL7f9/Vw9aMvZA4OFt6GHgBuHhiLu6u7UJDZ2pli9TZIATPSkO/:Aw9Tyl7NddNvWGBaou7VZ+

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Process drops legitimate windows executable

Process drops python dynamic module

Executable content was dropped or overwritten

The process drops C-runtime libraries

Application launched itself

INFO

Reads the computer name

Create files in a temporary directory

PyInstaller has been detected (YARA)

Checks supported languages

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings