| File name: | Launcher.exe |
| Full analysis: | https://app.any.run/tasks/aa50c348-a4e4-464d-b23a-537263408f4b |
| Verdict: | Malicious activity |
| Analysis date: | November 23, 2024, 08:06:18 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 7 sections |
| MD5: | FEA90A75B71EC4B5C70A899E95B81BE6 |
| SHA1: | 7B924FE86A09280722B741CE8FD12F69BA1F7053 |
| SHA256: | A075D67308D9C6E58F227B69594CF595A1780B6B8D145DF48D4538CFCF4DCE14 |
| SSDEEP: | 98304:JrkPDVdlhBr6t24I92V3UWtlI2I8dbsauUcUUYwZZfY15xJvcc/2B6QEH0BMM/V+:whkHqIpivs0YlBa8a/LJFgpodFm0 |
MALICIOUS
No malicious indicators.SUSPICIOUS
The process drops C-runtime libraries
- Launcher.exe (PID: 4052)
Executable content was dropped or overwritten
- Launcher.exe (PID: 4052)
Process drops legitimate windows executable
- Launcher.exe (PID: 4052)
Process drops python dynamic module
- Launcher.exe (PID: 4052)
Application launched itself
- Launcher.exe (PID: 4052)
Loads Python modules
- Launcher.exe (PID: 3140)
INFO
Reads the computer name
- Launcher.exe (PID: 4052)
- Launcher.exe (PID: 3140)
Checks supported languages
- Launcher.exe (PID: 4052)
- Launcher.exe (PID: 3140)
PyInstaller has been detected (YARA)
- Launcher.exe (PID: 4052)
Create files in a temporary directory
- Launcher.exe (PID: 4052)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2023:12:08 11:50:26+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.37 |
| CodeSize: | 171008 |
| InitializedDataSize: | 119296 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xc1a0 |
| OSVersion: | 5.2 |
| ImageVersion: | - |
| SubsystemVersion: | 5.2 |
| Subsystem: | Windows GUI |
Total processes
121
Monitored processes
2
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3140 | "C:\Users\admin\Desktop\Launcher.exe" | C:\Users\admin\Desktop\Launcher.exe | — | Launcher.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
| 4052 | "C:\Users\admin\Desktop\Launcher.exe" | C:\Users\admin\Desktop\Launcher.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
Total events
332
Read events
332
Write events
0
Delete events
0
Modification events
Executable files
32
Suspicious files
4
Text files
923
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4052 | Launcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI40522\VCRUNTIME140.dll | executable | |
MD5:4585A96CC4EEF6AAFD5E27EA09147DC6 | SHA256:A8F950B4357EC12CFCCDDC9094CCA56A3D5244B95E09EA6E9A746489F2D58736 | |||
| 4052 | Launcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI40522\_socket.pyd | executable | |
MD5:899380B2D48DF53414B974E11BB711E3 | SHA256:B38E66E6EE413E5955EF03D619CADD40FCA8BE035B43093D2342B6F3739E883E | |||
| 4052 | Launcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI40522\PIL\_imaging.cp312-win_amd64.pyd | executable | |
MD5:FF6D9C67013D8608550DF0AA2278F563 | SHA256:A2D830DCA681D54C8EA8CE7AB454CB747E3ECD944D353B6ADC52DC567E512A1B | |||
| 4052 | Launcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI40522\PIL\_imagingtk.cp312-win_amd64.pyd | executable | |
MD5:E58A46DB8A4B2D46D9FAB255122FFA6C | SHA256:52FD0E29ED1BED4D202C531DBC39DA0DBB5F90968C3B377A3FBD8D4A30B332B6 | |||
| 4052 | Launcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI40522\PIL\_imagingcms.cp312-win_amd64.pyd | executable | |
MD5:EB74692245D65FC8162806E6D50DCB3C | SHA256:60B5E2BAB1E8C84F194ACF3C4C95B0B4B95F8EFDE3411C1F30B37AB24B953E1B | |||
| 4052 | Launcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI40522\_asyncio.pyd | executable | |
MD5:2CD68FF636394D3019411611E27D0A3B | SHA256:0D4FBD46F922E548060EA74C95E99DC5F19B1DF69BE17706806760515C1C64FE | |||
| 4052 | Launcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI40522\PIL\_webp.cp312-win_amd64.pyd | executable | |
MD5:AD1DB1FB2FF2DE6EE860CB8C78329FB5 | SHA256:967D8534D378F8ECA4BB180D424A5641D9B439AEB6F54C5A2FC20A61E52EE56C | |||
| 4052 | Launcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI40522\_cffi_backend.cp312-win_amd64.pyd | executable | |
MD5:0572B13646141D0B1A5718E35549577C | SHA256:D8A76D1E31BBD62A482DEA9115FC1A109CB39AF4CF6D1323409175F3C93113A7 | |||
| 4052 | Launcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI40522\_bz2.pyd | executable | |
MD5:C7CE973F261F698E3DB148CCAD057C96 | SHA256:02D772C03704FE243C8DE2672C210A5804D075C1F75E738D6130A173D08DFCDE | |||
| 4052 | Launcher.exe | C:\Users\admin\AppData\Local\Temp\_MEI40522\_ctypes.pyd | executable | |
MD5:10FDCF63D1C3C3B7E5861FBB04D64557 | SHA256:BC3B83D2DC9E2F0E6386ED952384C6CF48F6EED51129A50DFD5EF6CBBC0A8FB3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
21
DNS requests
7
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 1.01 Kb | whitelisted |
2084 | RUXIMICS.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 1.01 Kb | whitelisted |
4328 | svchost.exe | GET | 200 | 2.16.164.9:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 1.01 Kb | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted |
4328 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted |
2084 | RUXIMICS.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 973 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2084 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4328 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 2.23.209.185:443 | www.bing.com | Akamai International B.V. | GB | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
2084 | RUXIMICS.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
4328 | svchost.exe | 2.16.164.9:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |