| File name: | c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe |
| Full analysis: | https://app.any.run/tasks/c95399f5-3c6b-48b6-b5e3-b0002e1fd397 |
| Verdict: | Malicious activity |
| Analysis date: | November 25, 2024, 05:10:52 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections |
| MD5: | F21C383AE3917C78D400E9981F11E4C8 |
| SHA1: | ACCE31367B04828937F3509374ED6CE8771FD11C |
| SHA256: | C868D69AB0325FC50C145E01725197F46AA8D7EDF200EF0774E27A92A673E354 |
| SSDEEP: | 1536:LaKRFOd/kiPf2bR7m+vbODE7hZegUzNVDtXPGCgtIKli:L9edciPf2bRdvSrzlPGtRli |
MALICIOUS
Changes the login/logoff helper path in the registry
- SPOOLSV.EXE (PID: 2440)
- CTFMON.EXE (PID: 4816)
- SVCHOST.EXE (PID: 4556)
SUSPICIOUS
Write to the desktop.ini file (may be used to cloak folders)
- c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe (PID: 5320)
The process creates files with name similar to system file names
- c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe (PID: 5320)
Executable content was dropped or overwritten
- c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe (PID: 5320)
Application launched itself
- SVCHOST.EXE (PID: 4556)
- SPOOLSV.EXE (PID: 2440)
- CTFMON.EXE (PID: 4816)
Starts a Microsoft application from unusual location
- c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe (PID: 5320)
Starts itself from another location
- SVCHOST.EXE (PID: 4556)
- CTFMON.EXE (PID: 4816)
- c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe (PID: 5320)
- SPOOLSV.EXE (PID: 2440)
Reads the Windows owner or organization settings
- WINWORD.EXE (PID: 5588)
INFO
Create files in a temporary directory
- c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe (PID: 5320)
- SVCHOST.EXE (PID: 4556)
- SVCHOST.EXE (PID: 4144)
- SPOOLSV.EXE (PID: 2440)
- SPOOLSV.EXE (PID: 5548)
- CTFMON.EXE (PID: 4816)
- SVCHOST.EXE (PID: 4528)
- SPOOLSV.EXE (PID: 2100)
- CTFMON.EXE (PID: 4932)
- SVCHOST.EXE (PID: 5308)
Checks supported languages
- SVCHOST.EXE (PID: 4556)
- c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe (PID: 5320)
- SVCHOST.EXE (PID: 5308)
- SPOOLSV.EXE (PID: 2440)
- SVCHOST.EXE (PID: 4144)
- CTFMON.EXE (PID: 4816)
- CTFMON.EXE (PID: 4932)
- SPOOLSV.EXE (PID: 2100)
- SPOOLSV.EXE (PID: 5548)
- SVCHOST.EXE (PID: 4528)
The process uses the downloaded file
- WINWORD.EXE (PID: 5588)
Sends debugging messages
- WINWORD.EXE (PID: 5588)
Drops encrypted VBS script (Microsoft Script Encoder)
- WINWORD.EXE (PID: 5588)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable Microsoft Visual Basic 6 (69.4) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (23.3) |
| .exe | | | Win32 Executable (generic) (3.8) |
| .exe | | | Generic Win/DOS Executable (1.6) |
| .exe | | | DOS Executable Generic (1.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2003:08:06 18:34:23+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, 32-bit, No debug |
| PEType: | PE32 |
| LinkerVersion: | 7.1 |
| CodeSize: | 61440 |
| InitializedDataSize: | 20480 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x11d0 |
| OSVersion: | 4 |
| ImageVersion: | 10 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
137
Monitored processes
12
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 396 | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "BC54F288-0D61-444D-AA3C-8F50FBCBB148" "20B9A676-9C95-4EAF-84A1-D3E95EB4ED09" "5588" | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64. Version: 0.12.2.0 Modules
| |||||||||||||||
| 2100 | C:\recycled\SPOOLSV.EXE :agent | C:\Recycled\SPOOLSV.EXE | — | CTFMON.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Word Exit code: 0 Version: 11.0.5604 Modules
| |||||||||||||||
| 2440 | C:\recycled\SPOOLSV.EXE :agent | C:\Recycled\SPOOLSV.EXE | SVCHOST.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Word Version: 11.0.5604 Modules
| |||||||||||||||
| 4144 | C:\recycled\SVCHOST.EXE :agent | C:\Recycled\SVCHOST.EXE | — | SPOOLSV.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Word Exit code: 0 Version: 11.0.5604 Modules
| |||||||||||||||
| 4528 | C:\recycled\SVCHOST.EXE :agent | C:\Recycled\SVCHOST.EXE | — | CTFMON.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Word Exit code: 0 Version: 11.0.5604 Modules
| |||||||||||||||
| 4556 | C:\recycled\SVCHOST.EXE :agent | C:\Recycled\SVCHOST.EXE | c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Word Version: 11.0.5604 Modules
| |||||||||||||||
| 4816 | C:\recycled\CTFMON.EXE :agent | C:\Recycled\CTFMON.EXE | SPOOLSV.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Word Version: 11.0.5604 Modules
| |||||||||||||||
| 4932 | C:\recycled\CTFMON.EXE :agent | C:\Recycled\CTFMON.EXE | — | CTFMON.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Word Version: 11.0.5604 Modules
| |||||||||||||||
| 5308 | C:\recycled\SVCHOST.EXE :agent | C:\Recycled\SVCHOST.EXE | — | SVCHOST.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Word Exit code: 0 Version: 11.0.5604 Modules
| |||||||||||||||
| 5320 | "C:\Users\admin\Desktop\c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe" | C:\Users\admin\Desktop\c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Word Version: 11.0.5604 Modules
| |||||||||||||||
Total events
15 634
Read events
14 951
Write events
644
Delete events
39
Modification events
| (PID) Process: | (5320) c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config\command |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (5320) c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (5320) c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (5320) c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4556) SVCHOST.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config\command |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4556) SVCHOST.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4556) SVCHOST.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4556) SVCHOST.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2440) SPOOLSV.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config\command |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2440) SPOOLSV.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
9
Suspicious files
129
Text files
47
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5548 | SPOOLSV.EXE | C:\Users\admin\AppData\Local\Temp\~DF84D3855DCF2FA0DB.TMP | binary | |
MD5:DACDA2D488C01B6888ED05A98B3C8047 | SHA256:6094DA14FE27E4BC8E896DD680EEFEE6237A1C0E2DADED01EC8874C7D4EB332F | |||
| 2100 | SPOOLSV.EXE | C:\Users\admin\AppData\Local\Temp\~DFD46F3AF556F09AB4.TMP | binary | |
MD5:F61827906B4D7CC8FF24BC388E3012A9 | SHA256:709EE227BD863693FBDC17DC060D8563196BD8832991D6CE7D65D8A67BE3F30D | |||
| 5320 | c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe | C:\Users\admin\AppData\Local\Temp\Flu Burung.txt | text | |
MD5:1A1DCE35D60D2C70CA8894954FD5D384 | SHA256:2661C05273F33EFA4B7FAA6ED8A6F7E69A13AD86077F69EE285ECE9CBA57E44C | |||
| 4932 | CTFMON.EXE | C:\Users\admin\AppData\Local\Temp\~DF488CA17D6A41FEA0.TMP | binary | |
MD5:03EA034224EE63BF5C8D4D4DCCBC29FF | SHA256:C23584458A0EA9B4C681B26526B03FC297D9F8CF337FD1860958F7F0B6F99249 | |||
| 4144 | SVCHOST.EXE | C:\Users\admin\AppData\Local\Temp\~DF513F32E5B7A55EA7.TMP | binary | |
MD5:9CDC44D2C5CEA7970F687E7B94366437 | SHA256:E99B788F42A444AB609850F1E5C8F28048CAFBF9D3708767D9B63CCC6B275CC6 | |||
| 5320 | c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe | C:\Recycled\SMSS.EXE | executable | |
MD5:2017F34402020C333F2BCCDCA53687C7 | SHA256:8A791DB01609120BC36FBC8E69A44CD0C2F16F715A16134E7363AF0C69EF28E5 | |||
| 4816 | CTFMON.EXE | C:\Users\admin\AppData\Local\Temp\~DF9FAB8B983E9AA0BC.TMP | binary | |
MD5:81D1A6F648F119B6E36EF5B9B567693B | SHA256:226AE8DBE870CC3989936DAA2EEE50362AB38C9CE6E3D6BF7E0A27594359D11B | |||
| 4556 | SVCHOST.EXE | C:\Users\admin\AppData\Local\Temp\~DF632592CA8A4AD2F6.TMP | binary | |
MD5:69AA01128DA8AB66FC18D17FC57C3E50 | SHA256:F9152C337E6F1C833E9B3F3553E0AA4A94BAE57FFFB808DD5E98728B89F92C94 | |||
| 4528 | SVCHOST.EXE | C:\Users\admin\AppData\Local\Temp\~DF70D91ABD2E688AF6.TMP | binary | |
MD5:4B3894FD1E76A19A916CF559F6972DDF | SHA256:CB482088F802863E3167D2DAEF2EE77F68C253ACC5AD1F8B81B986625699AC2B | |||
| 5320 | c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe | C:\Recycled\SVCHOST.EXE | executable | |
MD5:03447E8151FF762EEE54C239949DED27 | SHA256:900A91B778ADE62DCA2497649424C4C0B28200D3E9E2A555C00155251D3F0F9E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
73
TCP/UDP connections
80
DNS requests
15
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 52.113.194.132:443 | https://ecs.office.com/config/v2/Office/word/16.0.16026.20146/Production/CC?&Clientid=%7bD61AB268-C26A-439D-BB15-2A0DEDFCA6A3%7d&Application=word&Platform=win32&Version=16.0.16026.20146&MsoVersion=16.0.16026.20002&SDX=fa000000002.2.0.1907.31003&SDX=fa000000005.1.0.1909.30011&SDX=fa000000006.1.0.1909.13002&SDX=fa000000008.1.0.1908.16006&SDX=fa000000009.1.0.1908.6002&SDX=fa000000016.1.0.1810.13001&SDX=fa000000029.1.0.1906.25001&SDX=fa000000033.1.0.1908.24001&SDX=wa104381125.1.0.1810.9001&ProcessName=winword.exe&Audience=Production&Build=ship&Architecture=x64&Language=en-US&SubscriptionLicense=false&PerpetualLicense=2019&LicenseCategory=6&LicenseSKU=Professional2019Retail&OsVersion=10.0&OsBuild=19045&Channel=CC&InstallType=C2R&SessionId=%7b94CAAA7A-24D9-400D-93BE-6122ED305F5D%7d&LabMachine=false | unknown | binary | 381 Kb | whitelisted |
— | — | POST | 200 | 52.168.112.66:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | — | — | whitelisted |
— | — | POST | 200 | 20.42.72.131:443 | https://self.events.data.microsoft.com/OneCollector/1.0/ | unknown | — | — | whitelisted |
— | — | GET | 200 | 52.111.243.8:443 | https://messaging.lifecycle.office.com/getcustommessage16?app=0&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7B94CAAA7A-24D9-400D-93BE-6122ED305F5D%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofjhlwlmoc1pz531%22%7D | unknown | text | 542 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
— | — | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5588 | WINWORD.EXE | 52.109.28.46:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted |
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5588 | WINWORD.EXE | 23.53.40.82:443 | omex.cdn.office.net | Akamai International B.V. | DE | whitelisted |
5588 | WINWORD.EXE | 52.113.194.132:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4328 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
officeclient.microsoft.com |
| whitelisted |
omex.cdn.office.net |
| whitelisted |
ecs.office.com |
| whitelisted |
messaging.lifecycle.office.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
metadata.templates.cdn.office.net |
| whitelisted |
Threats
Process | Message |
|---|---|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|