File name: | 0f60a3e7baecf2748b1c8183ed37d1e4 |
Full analysis: | https://app.any.run/tasks/6dc666b5-d5f6-4fdf-8f3a-5168666219f2 |
Verdict: | Malicious activity |
Threats: | A backdoor is a type of cybersecurity threat that allows attackers to secretly compromise a system and conduct malicious activities, such as stealing data and modifying files. Backdoors can be difficult to detect, as they often use legitimate system applications to evade defense mechanisms. Threat actors often utilize special malware, such as PlugX, to establish backdoors on target devices. |
Analysis date: | August 25, 2024, 16:58:35 |
OS: | Windows 10 Professional (build: 19045, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32+ executable (DLL) (GUI) x86-64, for MS Windows |
MD5: | 59B7B8D29252A9128536FBD08D24375F |
SHA1: | 7221B9125608A54F9DD706166F936C16EE23164A |
SHA256: | B7AEC5F73D2A6BBD8CD920EDB4760E2EDADC98C3A45BF4FA994D47CA9CBD02F6 |
SSDEEP: | 3072:rM+YMbz0EcLJxqukyC7/s7vXGbXUyXlzCz3Gl0n/zH:6MbIEcL5kyGs7vXGbLBuH |
.exe | | | Win64 Executable (generic) (87.3) |
---|---|---|
.exe | | | Generic Win/DOS Executable (6.3) |
.exe | | | DOS Executable Generic (6.3) |
Subsystem: | Windows GUI |
---|---|
SubsystemVersion: | 6 |
ImageVersion: | - |
OSVersion: | 6 |
EntryPoint: | 0x9b70 |
UninitializedDataSize: | - |
InitializedDataSize: | 66048 |
CodeSize: | 97280 |
LinkerVersion: | 14 |
PEType: | PE32+ |
ImageFileCharacteristics: | Executable, Large address aware, DLL |
TimeStamp: | 2017:03:28 15:18:51+00:00 |
MachineType: | AMD AMD64 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
6504 | "C:\WINDOWS\System32\regsvr32.exe" C:\Users\admin\Desktop\0f60a3e7baecf2748b1c8183ed37d1e4.dll | C:\Windows\System32\regsvr32.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft(C) Register Server Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
7088 | "C:\WINDOWS\system32\rundll32.exe" "C:\ProgramData\Syberry\Updater.dll",Start /u | C:\Windows\System32\rundll32.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
6504 | regsvr32.exe | C:\ProgramData\Syberry\Updater.dll | executable | |
MD5:59B7B8D29252A9128536FBD08D24375F | SHA256:B7AEC5F73D2A6BBD8CD920EDB4760E2EDADC98C3A45BF4FA994D47CA9CBD02F6 | |||
6504 | regsvr32.exe | C:\Windows\Tasks\Syberry.job | binary | |
MD5:4665B13628CE0BABEC21A8C3510ECEEE | SHA256:BDC3F84C91F7F879496086C048ECDEBB8AF76E4286895B8E82A82BE45FC87E1D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3276 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | unknown |
6464 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | unknown |
6464 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | unknown |
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | unknown |
1064 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | unknown |
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | — | — | unknown |
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | — | — | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5464 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2928 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3260 | svchost.exe | 40.113.110.67:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3276 | svchost.exe | 20.190.159.68:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
3276 | svchost.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
7088 | rundll32.exe | 72.5.43.29:80 | — | — | US | malicious |
6464 | SIHClient.exe | 40.68.123.157:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | unknown |
Domain | IP | Reputation |
---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
dns.msftncsi.com |
| whitelisted |