File name: ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe

Full analysis: https://app.any.run/tasks/a0bd6b32-e6cd-4ff0-9465-0f78e717a2d8
Verdict: Malicious activity
Analysis date: January 11, 2025, 00:23:33
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: blackmoon
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 1CF3CD0F2F33CBF5C4B13C6043A46F66
SHA1: D56D139C384377572F6FD0D5A2969A17B45A4329
SHA256: AB326DCC6CD58FE04C5245BFFC77EB9AF7E892FC6748CDB90EAF093400BEB5A0
SSDEEP: 6144:QbIsM09rOgQTglMAGGB5USSzJZguJZdLqvzxleIZvd+ujmfIa:kocIq+u9a

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • BLACKMOON has been detected (YARA)

      • Systemprfyx.exe (PID: 6436)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe (PID: 6232)
    • Reads security settings of Internet Explorer

      • ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe (PID: 6232)
    • Starts itself from another location

      • ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe (PID: 6232)
    • There is functionality for taking screenshot (YARA)

      • Systemprfyx.exe (PID: 6436)
  • INFO

    • Checks supported languages

      • ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe (PID: 6232)
      • Systemprfyx.exe (PID: 6436)
    • Reads the computer name

      • ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe (PID: 6232)
    • Checks proxy server information

      • ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe (PID: 6232)
    • Create files in a temporary directory

      • ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe (PID: 6232)
    • The process uses the downloaded file

      • ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe (PID: 6232)
    • Process checks computer location settings

      • ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe (PID: 6232)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (27.4)
.exe | Win64 Executable (generic) (24.3)
.exe | Win32 EXE Yoda's Crypter (23.3)
.scr | Windows screen saver (11.5)
.dll | Win32 Dynamic Link Library (generic) (5.7)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x1000
UninitializedDataSize: -
InitializedDataSize: 95232
CodeSize: 396288
LinkerVersion: 6
PEType: PE32
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
TimeStamp: 2014:12:02 16:57:06+00:00
MachineType: Intel 386 or later, and compatibles
Total processes: 118
Monitored processes: 2
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe #BLACKMOON -> systemprfyx.exe (no specs)

Process information

PID: 6232
CMD: "C:\Users\admin\Desktop\ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe"
Path: C:\Users\admin\Desktop\ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe
Indicators:
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 6436
CMD: "C:\Users\admin\AppData\Local\Temp\Systemprfyx.exe"
Path: C:\Users\admin\AppData\Local\Temp\Systemprfyx.exe
Indicators:
Parent process: ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
c:\users\admin\appdata\local\temp\systemprfyx.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 667
Read events: 667
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 0
Text files: 1
Unknown types: 0

Dropped files

PID: 6232
Process: ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe
Filename: C:\Users\admin\AppData\Local\Temp\2.dat
Type:
MD5:
SHA256:

PID: 6232
Process: ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe
Filename: C:\Users\admin\AppData\Local\Temp\3.dat
Type:
MD5:
SHA256:

PID: 6232
Process: ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe
Filename: C:\Users\admin\AppData\Local\Temp\4.dat
Type:
MD5:
SHA256:

PID: 6232
Process: ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe
Filename: C:\Users\admin\AppData\Local\Temp\Systemprfyx.exe
Type: executable
MD5: 41D53C1FBD91482C94888EF72B55DC71
SHA256: 58244A63C05FB8F46217452C373BF9D44BE32F73970C8A732155E2BAE2025F87

PID: 6232
Process: ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe
Filename: C:\Users\admin\AppData\Local\Temp\path.ini
Type: text
MD5: 877311B92D37CA3883C8F38E0F5BA1D7
SHA256: 6040E8C521F445D5A883081D70B21FD1691B2023A220CFF7D8C43DC6B97E4FC5

PID: 6232
Process: ab326dcc6cd58fe04c5245bffc77eb9af7e892fc6748cdb90eaf093400beb5a0.exe
Filename: C:\Users\admin\AppData\Local\Temp\Systamprfyx.exe
Type: executable
MD5: 95D8EF51F0964F6D14CACB62506BFD66
SHA256: 13CA7248E18E21DD32AA9F7D2B7226B090D13B043286EB0054109E0BA9816C58
HTTP(S) requests: 2
TCP/UDP connections: 17
DNS requests: 6
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4300 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4300 | svchost.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
4300 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
| | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
4300 | svchost.exe | 23.32.238.112:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4300 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
3976 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
google.com | 172.217.16.206 | whitelisted
i2.tietuku.com | | whitelisted
crl.microsoft.com | 23.32.238.112, 23.32.238.107 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
self.events.data.microsoft.com | 13.89.178.26 | whitelisted

Threats: No threats detected

Debug info: No debug info