File name:

0f60a3e7baecf2748b1c8183ed37d1e4

Full analysis: https://app.any.run/tasks/6dc666b5-d5f6-4fdf-8f3a-5168666219f2
Verdict: Malicious activity
Threats:

A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices.

Analysis date: August 25, 2024, 16:58:35
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
warmcookie
backdoor
Indicators:
MIME: application/x-dosexec
File info: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
MD5:

59B7B8D29252A9128536FBD08D24375F

SHA1:

7221B9125608A54F9DD706166F936C16EE23164A

SHA256:

B7AEC5F73D2A6BBD8CD920EDB4760E2EDADC98C3A45BF4FA994D47CA9CBD02F6

SSDEEP:

3072:rM+YMbz0EcLJxqukyC7/s7vXGbXUyXlzCz3Gl0n/zH:6MbIEcL5kyGs7vXGbLBuH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • WARMCOOKIE has been detected (YARA)

      • regsvr32.exe (PID: 6504)
      • rundll32.exe (PID: 7088)
  • SUSPICIOUS

    • Drops the executable file immediately after the start

      • regsvr32.exe (PID: 6504)
    • Executable content was dropped or overwritten

      • regsvr32.exe (PID: 6504)
    • The process executes via Task Scheduler

      • rundll32.exe (PID: 7088)
  • INFO

    • Creates files in the program directory

      • regsvr32.exe (PID: 6504)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 7088)
    • Checks proxy server information

      • rundll32.exe (PID: 7088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 6
ImageVersion: -
OSVersion: 6
EntryPoint: 0x9b70
UninitializedDataSize: -
InitializedDataSize: 66048
CodeSize: 97280
LinkerVersion: 14
PEType: PE32+
ImageFileCharacteristics: Executable, Large address aware, DLL
TimeStamp: 2017:03:28 15:18:51+00:00
MachineType: AMD AMD64
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
2
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #WARMCOOKIE regsvr32.exe #WARMCOOKIE rundll32.exe

Process information

PID
CMD
Path
Indicators
Parent process
6504"C:\WINDOWS\System32\regsvr32.exe" C:\Users\admin\Desktop\0f60a3e7baecf2748b1c8183ed37d1e4.dllC:\Windows\System32\regsvr32.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
7088"C:\WINDOWS\system32\rundll32.exe" "C:\ProgramData\Syberry\Updater.dll",Start /uC:\Windows\System32\rundll32.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
Total events
557
Read events
557
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
1
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
6504regsvr32.exeC:\ProgramData\Syberry\Updater.dllexecutable
MD5:59B7B8D29252A9128536FBD08D24375F
SHA256:B7AEC5F73D2A6BBD8CD920EDB4760E2EDADC98C3A45BF4FA994D47CA9CBD02F6
6504regsvr32.exeC:\Windows\Tasks\Syberry.jobbinary
MD5:4665B13628CE0BABEC21A8C3510ECEEE
SHA256:BDC3F84C91F7F879496086C048ECDEBB8AF76E4286895B8E82A82BE45FC87E1D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
55
DNS requests
25
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3276
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1064
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6464
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
6464
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
5464
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2928
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2120
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3260
svchost.exe
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3276
svchost.exe
20.190.159.68:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3276
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
7088
rundll32.exe
72.5.43.29:80
US
malicious
6464
SIHClient.exe
40.68.123.157:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.238
whitelisted
client.wns.windows.com
  • 40.113.110.67
  • 40.113.103.199
whitelisted
login.live.com
  • 20.190.159.68
  • 20.190.159.75
  • 20.190.159.71
  • 40.126.31.69
  • 20.190.159.73
  • 20.190.159.2
  • 40.126.31.67
  • 20.190.159.64
  • 40.126.31.73
  • 20.190.159.0
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
slscr.update.microsoft.com
  • 40.68.123.157
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.31
whitelisted
dns.msftncsi.com
  • 131.107.255.255
whitelisted

Threats

No threats detected
No debug info