File name:	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe
Full analysis:	https://app.any.run/tasks/b2d12568-5daf-4df9-8f78-c2070daee900
Verdict:	Malicious activity
Analysis date:	December 19, 2024, 01:23:56
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	sinkhole
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 14 sections
MD5:	6CCDFC62326C34CC2593ED95867C418F
SHA1:	88A8E133601F9A0B3F5EE56E18E8718D57C151D2
SHA256:	A4B36EC5A5DEF2A86FF298B3C367D7C3FDB4EA5E292F0C2935897ED9B6D63477
SSDEEP:	24576:lcuvqS6SyhsDfvBgM7Esy4K79Esy4KwKmuszLHwigEE7Esy4K7T57FkTHdCfF2/r:lcSX6SyhsDfvBgM7Esy4K79Esy4KwKmK

.exe	\|	Win64 Executable (generic) (39.5)
.exe	\|	UPX compressed Win32 Executable (38.7)
.dll	\|	Win32 Dynamic Link Library (generic) (9.4)
.exe	\|	Win32 Executable (generic) (6.4)
.exe	\|	Generic Win/DOS Executable (2.8)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2011:08:02 09:26:00+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	11264
InitializedDataSize:	366592
UninitializedDataSize:	-
EntryPoint:	0x2b70
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI


(PID) Process:	(6448) a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	userinit
Value: C:\Users\admin\Desktop\a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe
(PID) Process:	(6448) a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Operation:	write	Name:	userinit
Value: C:\Windows\system32\userinit.exe,C:\Users\admin\Desktop\A4B36E~1.EXE,
(PID) Process:	(6448) a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft
Operation:	delete value	Name:	D9486297a
Value:
(PID) Process:	(6448) a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6448) a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6448) a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:

PID	Process	Filename		Type
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	C:\Users\admin\AppData\Local\Temp\66D6.tmp		html
		MD5:EEEDC91C98E5942D312E0B20C2A52171	SHA256:0CA5FFD53143FFD0C1728D60FDD374C1F362404D55C6E90B971F6522AD5DEB2D
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	C:\Users\admin\AppData\Local\Temp\6670.tmp		html
		MD5:A66467B6616B44850B6BCABD39303FE9	SHA256:C35F4948794003DC27C37A9C284F9C604D9DB9FE73EAD25F0CCE240EF5CB27F6
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\login[1].htm		html
		MD5:2CB23BB6A3EECCC6C92F951CDF7E3ADD	SHA256:AA32FF6B9A7A856D46E803E2AEE9B6A8D22714264868C67E63A82B1050580D71
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	C:\Users\admin\AppData\Local\Temp\83CB.tmp		html
		MD5:3B03D93D3487806337B5C6443CE7A62D	SHA256:7392749832C70FCFC2D440D7AFC2F880000DD564930D95D634EB1199FA15DE30
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\login[3].htm		html
		MD5:3B03D93D3487806337B5C6443CE7A62D	SHA256:7392749832C70FCFC2D440D7AFC2F880000DD564930D95D634EB1199FA15DE30
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\login[3].htm		html
		MD5:7A5DF79FBAAFF2C161C6E29461785403	SHA256:B1C52A7C21C4B21BF69866D7859284068D6ECC90306FE22076F81DAA0176A7ED
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\login[4].htm		html
		MD5:E1F035B24CE0E8137682B703D19315B5	SHA256:117EA4F0F411E1AAEAB307C087A57678ABCBA7E6AA96A5BD1F2D5D7026D453A0
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	C:\Users\admin\AppData\Local\Temp\845A.tmp		html
		MD5:5C6FC9E3A93C92A32725FDAEC5F9F690	SHA256:D12A0F965B596A0F12CC0E26786D10588F45EE31950865E471621082B8C1ACDA
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	C:\Users\admin\AppData\Local\Temp\898D.tmp		html
		MD5:3B03D93D3487806337B5C6443CE7A62D	SHA256:7392749832C70FCFC2D440D7AFC2F880000DD564930D95D634EB1199FA15DE30
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\login[1].htm		html
		MD5:4F8E702CC244EC5D4DE32740C0ECBD97	SHA256:9E17CB15DD75BBBD5DBB984EDA674863C3B10AB72613CF8A39A00C3E11A8492A

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	GET	308	75.2.71.199:80	http://puzylyp.com/login.php	unknown	—	—	malicious
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	GET	301	188.114.96.3:80	http://qegyhig.com/login.php	unknown	—	—	malicious
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	GET	200	34.227.7.138:80	http://vonypom.com/login.php	unknown	—	—	malicious
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	GET	200	3.94.10.34:80	http://lymyxid.com/login.php	unknown	—	—	malicious
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	GET	404	208.100.26.245:80	http://lyvyxor.com/login.php	unknown	—	—	malicious
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	GET	404	23.253.46.64:80	http://gahyqah.com/login.php	unknown	—	—	malicious
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	GET	200	199.191.50.83:80	http://galyqaz.com/login.php	unknown	—	—	malicious
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	GET	—	85.17.31.82:80	http://gatyfus.com/login.php	unknown	—	—	malicious
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	GET	200	199.59.243.227:80	http://vojyqem.com/login.php	unknown	—	—	malicious
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	GET	200	44.221.84.105:80	http://vocyzit.com/login.php	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4712	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
4652	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1228	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	104.126.37.163:80	www.bing.com	Akamai International B.V.	DE	whitelisted
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	188.114.96.3:80	qegyhig.com	CLOUDFLARENET	NL	unknown
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	75.2.71.199:80	puzylyp.com	AMAZON-02	US	unknown
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	199.191.50.83:80	galyqaz.com	CONFLUENCE-NETWORK-INC	VG	unknown
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	34.227.7.138:80	vonypom.com	AMAZON-AES	US	malicious

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 4.231.128.59	whitelisted
google.com	172.217.18.14	whitelisted
www.bing.com	104.126.37.163 104.126.37.144 104.126.37.145 104.126.37.131 104.126.37.128 104.126.37.176	whitelisted
lysynur.com	—	unknown
lyxylux.com	—	unknown
purydyv.com	—	unknown
lymysan.com	—	unknown
vonypom.com	34.227.7.138	malicious
pujyjav.com	—	unknown
volyqat.com	—	unknown

PID	Process	Class	Message
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	Potential Corporate Privacy Violation	ET POLICY Unsupported/Fake Windows NT Version 5.0
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	Potential Corporate Privacy Violation	ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2.
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	Potential Corporate Privacy Violation	ET POLICY Unsupported/Fake Windows NT Version 5.0
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	Potential Corporate Privacy Violation	ET POLICY Unsupported/Fake Internet Explorer Version MSIE 2.
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
6448	a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe	A Network Trojan was detected	ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst

General Info

a4b36ec5a5def2a86ff298b3c367d7c3fdb4ea5e292f0c2935897ed9b6d63477.exe

6CCDFC62326C34CC2593ED95867C418F

88A8E133601F9A0B3F5EE56E18E8718D57C151D2

A4B36EC5A5DEF2A86FF298B3C367D7C3FDB4EA5E292F0C2935897ED9B6D63477

24576:lcuvqS6SyhsDfvBgM7Esy4K79Esy4KwKmuszLHwigEE7Esy4K7T57FkTHdCfF2/r:lcSX6SyhsDfvBgM7Esy4K79Esy4KwKmK

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Changes the login/logoff helper path in the registry

Request for a sinkholed resource

SUSPICIOUS

The process verifies whether the antivirus software is installed

Reads the date of Windows installation

Reads security settings of Internet Explorer

There is functionality for taking screenshot (YARA)

Checks Windows Trust Settings

Connects to unusual port

Potential Corporate Privacy Violation

The process checks if it is being run in the virtual environment

INFO

Reads the computer name

Checks supported languages

Creates files or folders in the user directory

Reads the machine GUID from the registry

Checks proxy server information

Create files in a temporary directory

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings