File name: | bad |
Full analysis: | https://app.any.run/tasks/2b69ce82-3661-490d-a22e-169706858a91 |
Verdict: | Malicious activity |
Threats: | A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. |
Analysis date: | September 05, 2024, 19:03:34 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
MD5: | 59B7B8D29252A9128536FBD08D24375F |
SHA1: | 7221B9125608A54F9DD706166F936C16EE23164A |
SHA256: | B7AEC5F73D2A6BBD8CD920EDB4760E2EDADC98C3A45BF4FA994D47CA9CBD02F6 |
SSDEEP: | 3072:rM+YMbz0EcLJxqukyC7/s7vXGbXUyXlzCz3Gl0n/zH:6MbIEcL5kyGs7vXGbLBuH |
.exe | | | Win64 Executable (generic) (87.3) |
---|---|---|
.exe | | | Generic Win/DOS Executable (6.3) |
.exe | | | DOS Executable Generic (6.3) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 6 |
ImageVersion: | - |
OSVersion: | 6 |
EntryPoint: | 0x9b70 |
UninitializedDataSize: | - |
InitializedDataSize: | 66048 |
CodeSize: | 97280 |
LinkerVersion: | 14 |
PEType: | PE32+ |
ImageFileCharacteristics: | Executable, Large address aware, DLL |
TimeStamp: | 2017:03:28 15:18:51+00:00 |
MachineType: | AMD AMD64 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3596 | "C:\WINDOWS\System32\regsvr32.exe" C:\Users\admin\AppData\Local\Temp\bad.dll | C:\Windows\System32\regsvr32.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
2128 | "C:\WINDOWS\system32\rundll32.exe" "C:\ProgramData\Software AG\Updater.dll",Start /u | C:\Windows\System32\rundll32.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
|
(PID) Process: | (2128) rundll32.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (2128) rundll32.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (2128) rundll32.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: |
PID | Process | Filename | Type | |
---|---|---|---|---|
2128 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\4V8SOQ08.htm | html | |
MD5:7DF3D7CF3358AF3F470AC7229387EF94 | SHA256:FB47468A2CD3953C7131431991AFCC6A2703F14640520102EEA0A685A7E8D6DE | |||
3596 | regsvr32.exe | C:\ProgramData\Software AG\Updater.dll | executable | |
MD5:59B7B8D29252A9128536FBD08D24375F | SHA256:B7AEC5F73D2A6BBD8CD920EDB4760E2EDADC98C3A45BF4FA994D47CA9CBD02F6 | |||
2128 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\9XM6VP1I.htm | html | |
MD5:7DF3D7CF3358AF3F470AC7229387EF94 | SHA256:FB47468A2CD3953C7131431991AFCC6A2703F14640520102EEA0A685A7E8D6DE | |||
3596 | regsvr32.exe | C:\Windows\Tasks\Software AG.job | binary | |
MD5:E19A2D2141F46E5A916172BAD8BC5E77 | SHA256:3E440DDA8A8222C79F39E6FF4F4C129A328CA859EF2EC145807CCB6B17E9A4D3 | |||
2128 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\444I10K1.htm | html | |
MD5:7DF3D7CF3358AF3F470AC7229387EF94 | SHA256:FB47468A2CD3953C7131431991AFCC6A2703F14640520102EEA0A685A7E8D6DE | |||
2128 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\U815C15E.htm | html | |
MD5:7DF3D7CF3358AF3F470AC7229387EF94 | SHA256:FB47468A2CD3953C7131431991AFCC6A2703F14640520102EEA0A685A7E8D6DE | |||
2128 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\F42NESNY.htm | html | |
MD5:7DF3D7CF3358AF3F470AC7229387EF94 | SHA256:FB47468A2CD3953C7131431991AFCC6A2703F14640520102EEA0A685A7E8D6DE | |||
2128 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\FHZRC3L0.htm | html | |
MD5:7DF3D7CF3358AF3F470AC7229387EF94 | SHA256:FB47468A2CD3953C7131431991AFCC6A2703F14640520102EEA0A685A7E8D6DE | |||
2128 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\7VH2E8OM.htm | html | |
MD5:7DF3D7CF3358AF3F470AC7229387EF94 | SHA256:FB47468A2CD3953C7131431991AFCC6A2703F14640520102EEA0A685A7E8D6DE | |||
2128 | rundll32.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\P0LKA9ER.htm | html | |
MD5:7DF3D7CF3358AF3F470AC7229387EF94 | SHA256:FB47468A2CD3953C7131431991AFCC6A2703F14640520102EEA0A685A7E8D6DE |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
5816 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | unknown |
2636 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | unknown |
2128 | rundll32.exe | GET | 200 | 72.5.43.29:80 | http://72.5.43.29/ | unknown | — | — | unknown |
2128 | rundll32.exe | GET | 200 | 72.5.43.29:80 | http://72.5.43.29/ | unknown | — | — | unknown |
6612 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
2636 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | unknown |
2128 | rundll32.exe | GET | 200 | 72.5.43.29:80 | http://72.5.43.29/ | unknown | — | — | unknown |
2128 | rundll32.exe | GET | 200 | 72.5.43.29:80 | http://72.5.43.29/ | unknown | — | — | unknown |
2128 | rundll32.exe | GET | 200 | 72.5.43.29:80 | http://72.5.43.29/ | unknown | — | — | unknown |
2128 | rundll32.exe | GET | 200 | 72.5.43.29:80 | http://72.5.43.29/ | unknown | — | — | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
6612 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6516 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
6612 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
3260 | svchost.exe | 40.113.103.199:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5816 | svchost.exe | 20.190.159.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5816 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
2128 | rundll32.exe | 72.5.43.29:80 | — | — | US | malicious |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2128 | rundll32.exe | A Network Trojan was detected | ET MALWARE BadSpace/WarmCookie CnC Activity (GET) |
2128 | rundll32.exe | Potentially Bad Traffic | ET INFO Unconfigured nginx Access |
2128 | rundll32.exe | A Network Trojan was detected | ET MALWARE BadSpace/WarmCookie CnC Activity (GET) |
2128 | rundll32.exe | Potentially Bad Traffic | ET INFO Unconfigured nginx Access |
2128 | rundll32.exe | A Network Trojan was detected | ET MALWARE BadSpace/WarmCookie CnC Activity (GET) |
2128 | rundll32.exe | Potentially Bad Traffic | ET INFO Unconfigured nginx Access |
2128 | rundll32.exe | A Network Trojan was detected | ET MALWARE BadSpace/WarmCookie CnC Activity (GET) |
2128 | rundll32.exe | Potentially Bad Traffic | ET INFO Unconfigured nginx Access |
2128 | rundll32.exe | A Network Trojan was detected | ET MALWARE BadSpace/WarmCookie CnC Activity (GET) |
2128 | rundll32.exe | Potentially Bad Traffic | ET INFO Unconfigured nginx Access |