File name:	b06785eb2069f8365a2e17c280bd4b41fa0459ee29a5cec2820a873563ea7942
Full analysis:	https://app.any.run/tasks/cc00490f-1587-4cc9-8cf5-9b82916bb185
Verdict:	Malicious activity
Threats:	A botnet is a group of internet-connected devices that are controlled by a single individual or group, often without the knowledge or consent of the device owners. These devices can be used to launch a variety of malicious attacks, such as distributed denial-of-service (DDoS) attacks, spam campaigns, and data theft. Botnet malware is the software that is used to infect devices and turn them into part of a botnet. Mirai is a self-propagating malware that scans the internet for vulnerable IoT devices and infects them to create a botnet. Mirai variants utilize lists of common default credentials to gain access to devices. Mirai's primary use is for launching distributed denial-of-service (DDoS) attacks, but it has also been used for cryptocurrency mining. Malware Trends Tracker >>>
Analysis date:	November 16, 2024, 22:08:18
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	scan smbscan irc mirai botnet
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5:	EB7330325909FF6408D68FC58FC33FBD
SHA1:	EEF449D31DA65F764EC529AA1EBCFDB83E9AAA44
SHA256:	B06785EB2069F8365A2E17C280BD4B41FA0459EE29A5CEC2820A873563EA7942
SSDEEP:	768:w+obsZUKcEu3Z7uT54Sn5TDn4PedR2/cm3ILBJ7UlQkBci/snTyUejfV0ISI:X8sho3Z7uimRCQBJ70QbrlDISI

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1992:06:19 22:22:17+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	58880
InitializedDataSize:	19968
UninitializedDataSize:	-
EntryPoint:	0xf2ac
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI


(PID) Process:	(6688) b06785eb2069f8365a2e17c280bd4b41fa0459ee29a5cec2820a873563ea7942.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	WEBSCANX
Value: C:\WINDOWS\mZdZ76bJS.exe

PID	Process	Filename		Type
7780	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_b06785eb2069f836_55b02cba7da642a07581e5c197ac29f14c162_a3a6141a_189ac247-4180-4a63-9d04-c0fbc481cebf\Report.wer		—
		MD5:—	SHA256:—
7780	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERCBC7.tmp.xml		xml
		MD5:4198EAA86B482D734E6D63FDEBD9658E	SHA256:E893423F5304AF561E6DDD5B05732C0E7FC61A0B7F6FA917123945FA5EDF3B19
7780	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB78.tmp.WERInternalMetadata.xml		xml
		MD5:4A8BED45036E1A013750DEBE1C0FE980	SHA256:9B1A989AE847A0FC24C9B72CD2B70B83329053441B27B6581FFFB5973EAD1F96
7780	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\Temp\WERC26E.tmp.dmp		binary
		MD5:963552B1621172A4C64FCBCB0CAC0A9A	SHA256:C62F5E50DCFE5D56D5490D1BF6688E7209C958B537CF7DCB6B9CA158D08368A9
7780	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\b06785eb2069f8365a2e17c280bd4b41fa0459ee29a5cec2820a873563ea7942.exe.6688.dmp		binary
		MD5:01EA0E90CC5FED4EEFF79CC47E64E2A8	SHA256:400C4D2E0EFF680C0B143AE07144019F6E18C7E9DFA09FFCBF768DDAC6399698

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5488	MoUsoCoreWorker.exe	GET	200	23.32.238.34:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1252	RUXIMICS.exe	GET	200	23.32.238.34:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	23.32.238.34:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1252	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6944	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
6944	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5488	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1252	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6688	b06785eb2069f8365a2e17c280bd4b41fa0459ee29a5cec2820a873563ea7942.exe	145.40.163.23:139	—	Toob Limited	GB	unknown
6688	b06785eb2069f8365a2e17c280bd4b41fa0459ee29a5cec2820a873563ea7942.exe	99.231.250.131:139	—	ROGERS-COMMUNICATIONS	CA	unknown
6688	b06785eb2069f8365a2e17c280bd4b41fa0459ee29a5cec2820a873563ea7942.exe	136.94.44.88:139	—	—	US	unknown
6688	b06785eb2069f8365a2e17c280bd4b41fa0459ee29a5cec2820a873563ea7942.exe	61.231.234.201:139	—	Data Communication Business Group	TW	unknown
6688	b06785eb2069f8365a2e17c280bd4b41fa0459ee29a5cec2820a873563ea7942.exe	10.123.199.188:139	—	—	—	unknown

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 40.127.240.158	whitelisted
google.com	172.217.16.206	whitelisted
crl.microsoft.com	23.32.238.34 2.19.198.194	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
watson.events.data.microsoft.com	20.189.173.21	whitelisted
self.events.data.microsoft.com	40.79.189.58	whitelisted

PID	Process	Class	Message
6688	b06785eb2069f8365a2e17c280bd4b41fa0459ee29a5cec2820a873563ea7942.exe	Potential Corporate Privacy Violation	POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
6688	b06785eb2069f8365a2e17c280bd4b41fa0459ee29a5cec2820a873563ea7942.exe	Misc activity	ET CHAT IRC NICK command
6688	b06785eb2069f8365a2e17c280bd4b41fa0459ee29a5cec2820a873563ea7942.exe	Misc activity	ET CHAT IRC USER command
6688	b06785eb2069f8365a2e17c280bd4b41fa0459ee29a5cec2820a873563ea7942.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
6688	b06785eb2069f8365a2e17c280bd4b41fa0459ee29a5cec2820a873563ea7942.exe	Malware Command and Control Activity Detected	BOTNET [ANY.RUN] Possible Mirai.Gen (Linux)
6688	b06785eb2069f8365a2e17c280bd4b41fa0459ee29a5cec2820a873563ea7942.exe	Potential Corporate Privacy Violation	POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network

General Info

b06785eb2069f8365a2e17c280bd4b41fa0459ee29a5cec2820a873563ea7942

EB7330325909FF6408D68FC58FC33FBD

EEF449D31DA65F764EC529AA1EBCFDB83E9AAA44

B06785EB2069F8365A2E17C280BD4B41FA0459EE29A5CEC2820A873563EA7942

768:w+obsZUKcEu3Z7uT54Sn5TDn4PedR2/cm3ILBJ7UlQkBci/snTyUejfV0ISI:X8sho3Z7uimRCQBJ70QbrlDISI

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SMBSCAN has been detected (SURICATA)

Attempting to scan the network

Connects to the CnC server

IRC has been detected (SURICATA)

MIRAI has been detected (SURICATA)

SUSPICIOUS

Executes application which crashes

Reads security settings of Internet Explorer

Potential Corporate Privacy Violation

Contacting a server suspected of hosting an CnC

Connects to unusual port

INFO

Checks supported languages

Checks proxy server information

Reads the computer name

Creates files or folders in the user directory

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings