analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

bad

Full analysis: https://app.any.run/tasks/2b69ce82-3661-490d-a22e-169706858a91
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: September 05, 2024, 19:03:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
warmcookie
backdoor
badspace
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5:

59B7B8D29252A9128536FBD08D24375F

SHA1:

7221B9125608A54F9DD706166F936C16EE23164A

SHA256:

B7AEC5F73D2A6BBD8CD920EDB4760E2EDADC98C3A45BF4FA994D47CA9CBD02F6

SSDEEP:

3072:rM+YMbz0EcLJxqukyC7/s7vXGbXUyXlzCz3Gl0n/zH:6MbIEcL5kyGs7vXGbLBuH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • WARMCOOKIE has been detected (YARA)

      • regsvr32.exe (PID: 3596)
      • rundll32.exe (PID: 2128)
    • WARMCOOKIE has been detected (SURICATA)

      • rundll32.exe (PID: 2128)
    • Connects to the CnC server

      • rundll32.exe (PID: 2128)
  • SUSPICIOUS

    • The process executes via Task Scheduler

      • rundll32.exe (PID: 2128)
    • Executable content was dropped or overwritten

      • regsvr32.exe (PID: 3596)
    • Connects to the server without a host name

      • rundll32.exe (PID: 2128)
  • INFO

    • Creates files in the program directory

      • regsvr32.exe (PID: 3596)
    • Checks proxy server information

      • rundll32.exe (PID: 2128)
    • Creates files or folders in the user directory

      • rundll32.exe (PID: 2128)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 2128)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x9b70
UninitializedDataSize: -
InitializedDataSize: 66048
CodeSize: 97280
LinkerVersion: 14
PEType: PE32+
ImageFileCharacteristics: Executable, Large address aware, DLL
TimeStamp: 2017:03:28 15:18:51+00:00
MachineType: AMD AMD64
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #WARMCOOKIE regsvr32.exe #WARMCOOKIE rundll32.exe

Process information

PID
CMD
Path
Indicators
Parent process
3596"C:\WINDOWS\System32\regsvr32.exe" C:\Users\admin\AppData\Local\Temp\bad.dllC:\Windows\System32\regsvr32.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
2128"C:\WINDOWS\system32\rundll32.exe" "C:\ProgramData\Software AG\Updater.dll",Start /uC:\Windows\System32\rundll32.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
Total events
409
Read events
406
Write events
3
Delete events
0

Modification events

(PID) Process:(2128) rundll32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2128) rundll32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2128) rundll32.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
1
Suspicious files
1
Text files
8
Unknown types
0

Dropped files

PID
Process
Filename
Type
2128rundll32.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\4V8SOQ08.htmhtml
MD5:7DF3D7CF3358AF3F470AC7229387EF94
SHA256:FB47468A2CD3953C7131431991AFCC6A2703F14640520102EEA0A685A7E8D6DE
3596regsvr32.exeC:\ProgramData\Software AG\Updater.dllexecutable
MD5:59B7B8D29252A9128536FBD08D24375F
SHA256:B7AEC5F73D2A6BBD8CD920EDB4760E2EDADC98C3A45BF4FA994D47CA9CBD02F6
2128rundll32.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\9XM6VP1I.htmhtml
MD5:7DF3D7CF3358AF3F470AC7229387EF94
SHA256:FB47468A2CD3953C7131431991AFCC6A2703F14640520102EEA0A685A7E8D6DE
3596regsvr32.exeC:\Windows\Tasks\Software AG.jobbinary
MD5:E19A2D2141F46E5A916172BAD8BC5E77
SHA256:3E440DDA8A8222C79F39E6FF4F4C129A328CA859EF2EC145807CCB6B17E9A4D3
2128rundll32.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\444I10K1.htmhtml
MD5:7DF3D7CF3358AF3F470AC7229387EF94
SHA256:FB47468A2CD3953C7131431991AFCC6A2703F14640520102EEA0A685A7E8D6DE
2128rundll32.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\U815C15E.htmhtml
MD5:7DF3D7CF3358AF3F470AC7229387EF94
SHA256:FB47468A2CD3953C7131431991AFCC6A2703F14640520102EEA0A685A7E8D6DE
2128rundll32.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\F42NESNY.htmhtml
MD5:7DF3D7CF3358AF3F470AC7229387EF94
SHA256:FB47468A2CD3953C7131431991AFCC6A2703F14640520102EEA0A685A7E8D6DE
2128rundll32.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\FHZRC3L0.htmhtml
MD5:7DF3D7CF3358AF3F470AC7229387EF94
SHA256:FB47468A2CD3953C7131431991AFCC6A2703F14640520102EEA0A685A7E8D6DE
2128rundll32.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\7VH2E8OM.htmhtml
MD5:7DF3D7CF3358AF3F470AC7229387EF94
SHA256:FB47468A2CD3953C7131431991AFCC6A2703F14640520102EEA0A685A7E8D6DE
2128rundll32.exeC:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\P0LKA9ER.htmhtml
MD5:7DF3D7CF3358AF3F470AC7229387EF94
SHA256:FB47468A2CD3953C7131431991AFCC6A2703F14640520102EEA0A685A7E8D6DE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
30
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5816
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
2636
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
unknown
2128
rundll32.exe
GET
200
72.5.43.29:80
http://72.5.43.29/
unknown
unknown
2128
rundll32.exe
GET
200
72.5.43.29:80
http://72.5.43.29/
unknown
unknown
6612
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
unknown
2636
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
unknown
2128
rundll32.exe
GET
200
72.5.43.29:80
http://72.5.43.29/
unknown
unknown
2128
rundll32.exe
GET
200
72.5.43.29:80
http://72.5.43.29/
unknown
unknown
2128
rundll32.exe
GET
200
72.5.43.29:80
http://72.5.43.29/
unknown
unknown
2128
rundll32.exe
GET
200
72.5.43.29:80
http://72.5.43.29/
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
6612
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
6516
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2120
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
6612
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3260
svchost.exe
40.113.103.199:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5816
svchost.exe
20.190.159.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5816
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
2128
rundll32.exe
72.5.43.29:80
US
malicious

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 172.217.18.14
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
client.wns.windows.com
  • 40.113.103.199
whitelisted
login.live.com
  • 20.190.159.64
  • 40.126.31.73
  • 20.190.159.23
  • 20.190.159.68
  • 20.190.159.71
  • 20.190.159.73
  • 20.190.159.2
  • 20.190.159.4
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
slscr.update.microsoft.com
  • 40.127.169.103
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 52.165.164.15
whitelisted

Threats

PID
Process
Class
Message
2128
rundll32.exe
A Network Trojan was detected
ET MALWARE BadSpace/WarmCookie CnC Activity (GET)
2128
rundll32.exe
Potentially Bad Traffic
ET INFO Unconfigured nginx Access
2128
rundll32.exe
A Network Trojan was detected
ET MALWARE BadSpace/WarmCookie CnC Activity (GET)
2128
rundll32.exe
Potentially Bad Traffic
ET INFO Unconfigured nginx Access
2128
rundll32.exe
A Network Trojan was detected
ET MALWARE BadSpace/WarmCookie CnC Activity (GET)
2128
rundll32.exe
Potentially Bad Traffic
ET INFO Unconfigured nginx Access
2128
rundll32.exe
A Network Trojan was detected
ET MALWARE BadSpace/WarmCookie CnC Activity (GET)
2128
rundll32.exe
Potentially Bad Traffic
ET INFO Unconfigured nginx Access
2128
rundll32.exe
A Network Trojan was detected
ET MALWARE BadSpace/WarmCookie CnC Activity (GET)
2128
rundll32.exe
Potentially Bad Traffic
ET INFO Unconfigured nginx Access
8 ETPRO signatures available at the full report
No debug info