Field | Value |
---|---|
File name | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe |
Full analysis | https://app.any.run/tasks/36914c70-075a-46de-8d7f-538c8a06d8d4 |
Verdict | Malicious activity |
Analysis date | May 20, 2024, 12:38:12 |
OS | Windows 10 Professional (build: 19045, 64 bit) |
Tags | |
Indicators | |
MIME | application/x-dosexec |
File info | PE32+ executable (console) x86-64 (stripped to external PDB), for MS Windows |
MD5 | D9B10475F33905DECB604C690E5D17C0 |
SHA1 | 1728FDBF0AC8FAFF1F66902B0A5D5D8DD08C2544 |
SHA256 | 9539620D8E139D97EF9A29CA267BFE913D9BB0CC1E821696B7B9E554E7AE6A85 |
SSDEEP | 49152:Rn8+gCN4iigiORdg5aIwC+AlcpfVEnmcKxY/O1u:18zW4kB6 |
Extension | File type | Match (%) |
---|---|---|
.exe | Win32 EXE PECompact compressed (generic) | 39.6 |
.exe | Win64 Executable (generic) | 26.3 |
.exe | UPX compressed Win32 Executable | 25.8 |
.exe | Win32 Executable (generic) | 4.3 |
.exe | Generic Win/DOS Executable | 1.9 |
Field | Value |
---|---|
Subsystem | Windows command line |
SubsystemVersion | 6 |
ImageVersion | - |
OSVersion | 6 |
EntryPoint | 0x9a338 |
UninitializedDataSize | 3190784 |
InitializedDataSize | 4096 |
CodeSize | 278528 |
LinkerVersion | 14.22 |
PEType | PE32+ |
ImageFileCharacteristics | Executable, Large address aware, No debug |
TimeStamp | 2019:08:29 00:43:41+00:00 |
MachineType | AMD AMD64 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
6320 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Minimized -Command "Start-Process C:\Users\admin\Desktop\9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe -Verb runas ; echo 'Started the file with administrator privileges, this is not part of the sample!' ; exit 0 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | explorer.exe |
6328 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe |
6708 | "C:\Users\admin\Desktop\9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe" | C:\Users\admin\Desktop\9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | | powershell.exe |
6744 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe |
6788 | C:\Windows\System\DpZcssX.exe | C:\Windows\System\DpZcssX.exe | — | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe |
6812 | C:\Windows\System\SZnBlpj.exe | C:\Windows\System\SZnBlpj.exe | — | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe |
6832 | C:\Windows\System\vNKqfeQ.exe | C:\Windows\System\vNKqfeQ.exe | — | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe |
6848 | C:\Windows\System\VUjDiUB.exe | C:\Windows\System\VUjDiUB.exe | — | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe |
6868 | C:\Windows\System\aMPTcXl.exe | C:\Windows\System\aMPTcXl.exe | — | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe |
6896 | C:\Windows\System\IZDFdLS.exe | C:\Windows\System\IZDFdLS.exe | — | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe |

PID | User | Company | Integrity level | Description | Exit code | Version |
---|---|---|---|---|---|---|
6320 | admin | Microsoft Corporation | MEDIUM | Windows PowerShell | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
6328 | admin | Microsoft Corporation | MEDIUM | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
6708 | admin | — | HIGH | — | — | — |
6744 | admin | Microsoft Corporation | HIGH | Console Window Host | — | 10.0.19041.1 (WinBuild.160101.0800) |
6788 | admin | — | HIGH | — | 0 | — |
6812 | admin | — | HIGH | — | 0 | — |
6832 | admin | — | HIGH | — | 0 | — |
6848 | admin | — | HIGH | — | 0 | — |
6868 | admin | — | HIGH | — | 0 | — |
6896 | admin | — | HIGH | — | 0 | — |
PID | Process | Operation | Key | Name | Value |
---|---|---|---|---|---|
6320 | powershell.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1 |
6320 | powershell.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1 |
6320 | powershell.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1 |
6320 | powershell.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
6320 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms | — | — | — |
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | C:\Windows\System\wXhsrKh.exe | executable | 7EF409EE45546399DCEFAF7E745BB6F4 | E6D3D9788393B598AB5698E58FC7AF3E56ED41481ED9EED3057BF19DADDEB80E |
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | C:\Windows\System\vEyoduB.exe | executable | C6B10F5EB84B62500577E20BF7F68C75 | 18AE64A7C25028809B8532B01211D85ED6D227F37A17435DC60E33143615F32D |
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | C:\Windows\System\xYxfelF.exe | executable | 0C58177D33E261F3F8CD649BF9F33FBA | B8B5516D6FF52F9752EA3230991BA062A0534D3A9A9231D4F6BB88DC67795678 |
6320 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | D61E70D758CA1ABD092826F8F8FB6591 | DFC6E2A9BD85F12ACD1B5B86A4F00806965D0E4A1CB62B6DCD5355A2F836BF64 |
6320 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_fnxcgm5l.f2n.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 |
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | C:\Windows\System\hpZyZSv.exe | executable | EE378DDC6E7590C0A470BBA4FBE7822B | 50DA9CCCC51AF716BE74E2EAE2A0D768AC80502C8F1E920DC2808DC6417B1C36 |
6320 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\46C5JVSSQ8VIHXRV4BJ9.temp | binary | 5011518D440BF02A845830FF75CEA7B2 | A3C067CD2467BECE95FDE7420E90C73C0471F2AE8C6E9B4AB77FC3F1353F14A8 |
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | C:\Windows\System\DpZcssX.exe | executable | 7FE8A7BB25EA2898B7EEF8DD9F4AF0E3 | DB02F1E3DC8629EEEF2E5ED405E96C1387D2BF970498F6D1DA976D5B2BB35EFF |
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | C:\Windows\System\VUjDiUB.exe | executable | 738A8970626746C6226E637ABF9DA76E | 926C1061D0EEE06047D7B58939BCC51476198DE658A1B0FAB24F76817C6627BB |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.24:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
5524 | RUXIMICS.exe | GET | 200 | 2.18.97.123:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
1744 | svchost.exe | GET | 200 | 2.18.97.123:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
5140 | MoUsoCoreWorker.exe | GET | 200 | 2.18.97.123:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
1744 | svchost.exe | GET | 200 | 2.16.164.24:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
5524 | RUXIMICS.exe | GET | 200 | 2.16.164.24:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
2908 | OfficeClickToRun.exe | POST | 200 | 13.89.179.9:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | binary | 9 b | — |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
5524 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5140 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5140 | MoUsoCoreWorker.exe | 2.16.164.24:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown |
5524 | RUXIMICS.exe | 2.16.164.24:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown |
1744 | svchost.exe | 2.16.164.24:80 | crl.microsoft.com | Akamai International B.V. | NL | unknown |
5524 | RUXIMICS.exe | 2.18.97.123:80 | www.microsoft.com | Akamai International B.V. | FR | unknown |
5140 | MoUsoCoreWorker.exe | 2.18.97.123:80 | www.microsoft.com | Akamai International B.V. | FR | unknown |
1744 | svchost.exe | 2.18.97.123:80 | www.microsoft.com | Akamai International B.V. | FR | unknown |
1744 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
Domain | IP | Reputation |
---|---|---|
crl.microsoft.com | — | whitelisted |
www.microsoft.com | — | whitelisted |
settings-win.data.microsoft.com | — | whitelisted |
self.events.data.microsoft.com | — | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
— | — | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
— | — | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
— | — | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
— | — | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |
6708 | 9539620d8e139d97ef9a29ca267bfe913d9bb0cc1e821696b7b9e554e7ae6a85.exe | Potential Corporate Privacy Violation | ET POLICY Cryptocurrency Miner Checkin |