| File name: | pyld611114.exe |
| Full analysis: | https://app.any.run/tasks/d2756ef8-e72d-412b-a14e-e1e53150a5b2 |
| Verdict: | Malicious activity |
| Analysis date: | August 26, 2024, 03:51:34 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows |
| MD5: | 43BCE45D873189F9AE2767D89A1C46E0 |
| SHA1: | 34BC871A24E54A83740E0DF51320B9836D8B820B |
| SHA256: | 9AE4784F0B139619CA8FDADFA31B53B1CBF7CD2B45F74B7E4004E5A97E842291 |
| SSDEEP: | 98304:YQ/yBoq4XxZdxkq+56fdaknEHe2wWsqGPS0EJrcLgIRBvgquQFjMPngqABapeD1W:NG9p9CTT1CPwDvt3uFGCC7EdEVB3 |
MALICIOUS
Adds path to the Windows Defender exclusion list
- cmd.exe (PID: 7084)
- pyld611114.exe (PID: 6724)
- usvcinsta64.exe (PID: 6184)
- cmd.exe (PID: 6368)
- cmd.exe (PID: 6648)
- cmd.exe (PID: 1812)
- printui.exe (PID: 2636)
- svchost.exe (PID: 6280)
- cmd.exe (PID: 1124)
- cmd.exe (PID: 236)
- cmd.exe (PID: 6608)
Starts CMD.EXE for self-deleting
- pyld611114.exe (PID: 6724)
- usvcinsta64.exe (PID: 6184)
Creates or modifies Windows services
- reg.exe (PID: 6260)
Uses Task Scheduler to autorun other applications
- cmd.exe (PID: 7032)
SUSPICIOUS
Drops the executable file immediately after the start
- pyld611114.exe (PID: 6724)
- usvcinsta64.exe (PID: 6184)
- printui.exe (PID: 2636)
Starts CMD.EXE for commands execution
- pyld611114.exe (PID: 6724)
- usvcinsta64.exe (PID: 6184)
- printui.exe (PID: 2636)
- console_zero.exe (PID: 6124)
- svchost.exe (PID: 6280)
Script adds exclusion path to Windows Defender
- cmd.exe (PID: 7084)
- cmd.exe (PID: 6368)
- cmd.exe (PID: 6648)
- cmd.exe (PID: 1812)
- cmd.exe (PID: 1124)
- cmd.exe (PID: 6608)
- cmd.exe (PID: 236)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 6228)
- cmd.exe (PID: 400)
- cmd.exe (PID: 6588)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 7084)
- cmd.exe (PID: 6368)
- cmd.exe (PID: 6648)
- cmd.exe (PID: 1812)
- cmd.exe (PID: 1124)
- cmd.exe (PID: 236)
- cmd.exe (PID: 6608)
Executable content was dropped or overwritten
- pyld611114.exe (PID: 6724)
- usvcinsta64.exe (PID: 6184)
- printui.exe (PID: 2636)
- svchost.exe (PID: 6280)
Created directory related to system
- cmd.exe (PID: 6792)
Process drops legitimate windows executable
- printui.exe (PID: 2636)
- usvcinsta64.exe (PID: 6184)
Starts SC.EXE for service management
- cmd.exe (PID: 6320)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 6320)
The process drops C-runtime libraries
- printui.exe (PID: 2636)
Deletes scheduled task without confirmation
- schtasks.exe (PID: 6544)
The process deletes folder without confirmation
- printui.exe (PID: 2636)
Checks for external IP
- svchost.exe (PID: 2256)
- svchost.exe (PID: 6280)
Connects to unusual port
- svchost.exe (PID: 6280)
INFO
Checks supported languages
- pyld611114.exe (PID: 6724)
- usvcinsta64.exe (PID: 6184)
- printui.exe (PID: 2636)
- console_zero.exe (PID: 6124)
- crypti.exe (PID: 6764)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 7144)
- powershell.exe (PID: 6536)
- powershell.exe (PID: 6688)
- powershell.exe (PID: 6180)
- powershell.exe (PID: 6496)
- powershell.exe (PID: 6476)
- powershell.exe (PID: 4160)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 7144)
- powershell.exe (PID: 6688)
- powershell.exe (PID: 6180)
- powershell.exe (PID: 6536)
- powershell.exe (PID: 6476)
- powershell.exe (PID: 4160)
- powershell.exe (PID: 6496)
Dropped object may contain TOR URL's
- printui.exe (PID: 2636)
Reads the computer name
- console_zero.exe (PID: 6124)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2024:08:19 13:06:48+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.41 |
| CodeSize: | 249856 |
| InitializedDataSize: | 14936064 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x235d0 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
182
Monitored processes
59
Malicious processes
6
Suspicious processes
10
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 236 | cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'D:\' | C:\Windows\System32\cmd.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 400 | cmd.exe /c timeout /t 10 /nobreak && del "C:\Windows\System32\usvcinsta64.exe" | C:\Windows\System32\cmd.exe | — | usvcinsta64.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1124 | cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath 'c:\windows\system32' | C:\Windows\System32\cmd.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1812 | cmd.exe /c powershell -Command "Add-MpPreference -ExclusionPath '%SystemDrive%\Windows \System32'; Add-MpPreference -ExclusionPath '%SystemDrive%\Windows\System32';" | C:\Windows\System32\cmd.exe | — | printui.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2092 | timeout /t 10 /nobreak | C:\Windows\System32\timeout.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: timeout - pauses command processing Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2180 | cmd.exe /c start "" "c:\windows\system32\crypti.exe" | C:\Windows\System32\cmd.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2212 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2256 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2360 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2636 | "C:\Windows \System32\printui.exe" | C:\Windows \System32\printui.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Change Printing Settings Exit code: 127 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
45 370
Read events
45 338
Write events
31
Delete events
1
Modification events
| (PID) Process: | (6724) pyld611114.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost |
| Operation: | write | Name: | DcomLaunch |
Value: Power | |||
| (PID) Process: | (2636) printui.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PrinterInstallation |
| Operation: | write | Name: | UIEntry |
Value: 10 | |||
| (PID) Process: | (2636) printui.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Power |
| Operation: | write | Name: | HiberbootEnabled |
Value: 0 | |||
| (PID) Process: | (2636) printui.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost |
| Operation: | write | Name: | DcomLaunch |
Value: Power | |||
| (PID) Process: | (6260) reg.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\x592050\Parameters |
| Operation: | write | Name: | ServiceDll |
Value: C:\Windows\System32\x592050.dat | |||
| (PID) Process: | (2636) printui.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\PrinterInstallation |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (6496) powershell.exe | Key: | HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (6496) powershell.exe | Key: | HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (6496) powershell.exe | Key: | HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (6496) powershell.exe | Key: | HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
Executable files
16
Suspicious files
4
Text files
20
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6536 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_zwb2aji0.pgs.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2636 | printui.exe | C:\Windows\System32\winsvcf\winlogsvc | binary | |
MD5:5B5E3152B3862FB64A11F90D69D3F481 | SHA256:6F974DA1622596197B659CBC9E7D5D0BB3AA497B3330C73066A4D873DABB5EC7 | |||
| 6688 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_u1411ivg.h4d.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6180 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_32dzzhrg.ywx.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2636 | printui.exe | C:\Windows\System32\zlib1.dll | executable | |
MD5:BB78414FB31B53EF8FAD8AFBEDBB834C | SHA256:AE8951AD96124A39B63610D7A5A53B446FC7F19151AC1D8E5AC15E8C88227EBF | |||
| 6184 | usvcinsta64.exe | C:\Windows \System32\printui.exe | executable | |
MD5:E43252474ADF63E69B1FC65D202D88C3 | SHA256:53DB039D9D46F2F3F80DF42C8BA48BB96CE4FB96C1BFCE5CD61514A7FF369411 | |||
| 6180 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4wqn5fxx.rcr.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2636 | printui.exe | C:\Windows\System32\libiconv-2.dll | executable | |
MD5:158BC77453D382CF6679CE35DF740CC5 | SHA256:CF131738F4B5FE3F42E9108E24595FC3E6573347D78E4E69EC42106C1EEBE42C | |||
| 2636 | printui.exe | C:\Windows\System32\libcrypto-3-x64.dll | executable | |
MD5:158F0E7C4529E3867E07545C6D1174A9 | SHA256:DCC1FA1A341597DDB1476E3B5B3952456F07870A26FC30B0C6E6312764BAA1FC | |||
| 2636 | printui.exe | C:\Windows\System32\libintl-9.dll | executable | |
MD5:E79E7C9D547DDBEE5C8C1796BD092326 | SHA256:1125AC8DC0C4F5C3ED4712E0D8AD29474099FCB55BB0E563A352CE9D03EF1D78 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
21
DNS requests
6
Threats
4
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:138 | — | — | — | whitelisted |
3584 | RUXIMICS.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2096 | svchost.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2120 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2096 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4324 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6280 | svchost.exe | 34.117.59.81:443 | ipinfo.io | GOOGLE-CLOUD-PLATFORM | US | whitelisted |
6280 | svchost.exe | 38.180.213.183:5432 | runvrs.com | COGENT-174 | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
ipinfo.io |
| shared |
runvrs.com |
| unknown |
raw.githubusercontent.com |
| shared |
github.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
6280 | svchost.exe | Device Retrieving External IP Address Detected | ET POLICY Possible External IP Lookup Domain Observed in SNI (ipinfo. io) |
6280 | svchost.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup SSL Cert Observed (ipinfo .io) |
2256 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ipinfo .io) |
2256 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |