| File name: | c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe |
| Full analysis: | https://app.any.run/tasks/c95399f5-3c6b-48b6-b5e3-b0002e1fd397 |
| Verdict: | Malicious activity |
| Analysis date: | November 25, 2024, 05:10:52 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 5 sections |
| MD5: | F21C383AE3917C78D400E9981F11E4C8 |
| SHA1: | ACCE31367B04828937F3509374ED6CE8771FD11C |
| SHA256: | C868D69AB0325FC50C145E01725197F46AA8D7EDF200EF0774E27A92A673E354 |
| SSDEEP: | 1536:LaKRFOd/kiPf2bR7m+vbODE7hZegUzNVDtXPGCgtIKli:L9edciPf2bRdvSrzlPGtRli |
MALICIOUS
Changes the login/logoff helper path in the registry
- SPOOLSV.EXE (PID: 2440)
- CTFMON.EXE (PID: 4816)
- SVCHOST.EXE (PID: 4556)
SUSPICIOUS
Starts a Microsoft application from unusual location
- c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe (PID: 5320)
Write to the desktop.ini file (may be used to cloak folders)
- c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe (PID: 5320)
The process creates files with name similar to system file names
- c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe (PID: 5320)
Starts itself from another location
- c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe (PID: 5320)
- SVCHOST.EXE (PID: 4556)
- SPOOLSV.EXE (PID: 2440)
- CTFMON.EXE (PID: 4816)
Executable content was dropped or overwritten
- c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe (PID: 5320)
Application launched itself
- SVCHOST.EXE (PID: 4556)
- SPOOLSV.EXE (PID: 2440)
- CTFMON.EXE (PID: 4816)
Reads the Windows owner or organization settings
- WINWORD.EXE (PID: 5588)
INFO
Create files in a temporary directory
- c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe (PID: 5320)
- SVCHOST.EXE (PID: 4556)
- SVCHOST.EXE (PID: 5308)
- SPOOLSV.EXE (PID: 2440)
- SVCHOST.EXE (PID: 4144)
- SPOOLSV.EXE (PID: 5548)
- CTFMON.EXE (PID: 4816)
- SVCHOST.EXE (PID: 4528)
- SPOOLSV.EXE (PID: 2100)
- CTFMON.EXE (PID: 4932)
Checks supported languages
- SVCHOST.EXE (PID: 4556)
- c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe (PID: 5320)
- SVCHOST.EXE (PID: 5308)
- SPOOLSV.EXE (PID: 2440)
- SVCHOST.EXE (PID: 4144)
- SPOOLSV.EXE (PID: 5548)
- SPOOLSV.EXE (PID: 2100)
- SVCHOST.EXE (PID: 4528)
- CTFMON.EXE (PID: 4932)
- CTFMON.EXE (PID: 4816)
Drops encrypted VBS script (Microsoft Script Encoder)
- WINWORD.EXE (PID: 5588)
The process uses the downloaded file
- WINWORD.EXE (PID: 5588)
Sends debugging messages
- WINWORD.EXE (PID: 5588)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable Microsoft Visual Basic 6 (69.4) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (23.3) |
| .exe | | | Win32 Executable (generic) (3.8) |
| .exe | | | Generic Win/DOS Executable (1.6) |
| .exe | | | DOS Executable Generic (1.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2003:08:06 18:34:23+00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, 32-bit, No debug |
| PEType: | PE32 |
| LinkerVersion: | 7.1 |
| CodeSize: | 61440 |
| InitializedDataSize: | 20480 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x11d0 |
| OSVersion: | 4 |
| ImageVersion: | 10 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
137
Monitored processes
12
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 396 | "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "BC54F288-0D61-444D-AA3C-8F50FBCBB148" "20B9A676-9C95-4EAF-84A1-D3E95EB4ED09" "5588" | C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe | — | WINWORD.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64. Version: 0.12.2.0 Modules
| |||||||||||||||
| 2100 | C:\recycled\SPOOLSV.EXE :agent | C:\Recycled\SPOOLSV.EXE | — | CTFMON.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Word Exit code: 0 Version: 11.0.5604 Modules
| |||||||||||||||
| 2440 | C:\recycled\SPOOLSV.EXE :agent | C:\Recycled\SPOOLSV.EXE | SVCHOST.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Word Version: 11.0.5604 Modules
| |||||||||||||||
| 4144 | C:\recycled\SVCHOST.EXE :agent | C:\Recycled\SVCHOST.EXE | — | SPOOLSV.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Word Exit code: 0 Version: 11.0.5604 Modules
| |||||||||||||||
| 4528 | C:\recycled\SVCHOST.EXE :agent | C:\Recycled\SVCHOST.EXE | — | CTFMON.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Word Exit code: 0 Version: 11.0.5604 Modules
| |||||||||||||||
| 4556 | C:\recycled\SVCHOST.EXE :agent | C:\Recycled\SVCHOST.EXE | c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Word Version: 11.0.5604 Modules
| |||||||||||||||
| 4816 | C:\recycled\CTFMON.EXE :agent | C:\Recycled\CTFMON.EXE | SPOOLSV.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Word Version: 11.0.5604 Modules
| |||||||||||||||
| 4932 | C:\recycled\CTFMON.EXE :agent | C:\Recycled\CTFMON.EXE | — | CTFMON.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Word Version: 11.0.5604 Modules
| |||||||||||||||
| 5308 | C:\recycled\SVCHOST.EXE :agent | C:\Recycled\SVCHOST.EXE | — | SVCHOST.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Word Exit code: 0 Version: 11.0.5604 Modules
| |||||||||||||||
| 5320 | "C:\Users\admin\Desktop\c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe" | C:\Users\admin\Desktop\c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office Word Version: 11.0.5604 Modules
| |||||||||||||||
Total events
15 634
Read events
14 951
Write events
644
Delete events
39
Modification events
| (PID) Process: | (5320) c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config\command |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (5320) c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (5320) c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (5320) c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4556) SVCHOST.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config\command |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4556) SVCHOST.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4556) SVCHOST.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install\command |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (4556) SVCHOST.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\install |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2440) SPOOLSV.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config\command |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2440) SPOOLSV.EXE | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\config |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
9
Suspicious files
129
Text files
47
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5320 | c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe | C:\Recycled\desktop.ini | text | |
MD5:AD0B0B4416F06AF436328A3C12DC491B | SHA256:23521DE51CA1DB2BC7B18E41DE7693542235284667BF85F6C31902547A947416 | |||
| 5320 | c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe | C:\Recycled\SVCHOST.EXE | executable | |
MD5:03447E8151FF762EEE54C239949DED27 | SHA256:900A91B778ADE62DCA2497649424C4C0B28200D3E9E2A555C00155251D3F0F9E | |||
| 5320 | c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe | C:\Recycled\CTFMON.EXE | executable | |
MD5:9CE076077FC3FE8048AB759763DCBDFB | SHA256:788D0AFD34EC4E4EAEF164334ED4FFA58E48FEC958C7A16FD65D68B29C28EDF0 | |||
| 5308 | SVCHOST.EXE | C:\Users\admin\AppData\Local\Temp\~DF34970587C9723690.TMP | binary | |
MD5:05375C00C316C55AE253EFE3FB210DCF | SHA256:BB7A7A92C6E63978A4527F6BEC7D3285276412E4558ACE1205AE064F9D27FE70 | |||
| 4144 | SVCHOST.EXE | C:\Users\admin\AppData\Local\Temp\~DF513F32E5B7A55EA7.TMP | binary | |
MD5:9CDC44D2C5CEA7970F687E7B94366437 | SHA256:E99B788F42A444AB609850F1E5C8F28048CAFBF9D3708767D9B63CCC6B275CC6 | |||
| 4816 | CTFMON.EXE | C:\Users\admin\AppData\Local\Temp\~DF9FAB8B983E9AA0BC.TMP | binary | |
MD5:81D1A6F648F119B6E36EF5B9B567693B | SHA256:226AE8DBE870CC3989936DAA2EEE50362AB38C9CE6E3D6BF7E0A27594359D11B | |||
| 5588 | WINWORD.EXE | C:\Users\admin\Desktop\~$68d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.doc | pgc | |
MD5:A9C62B433657DD31F003F7C3EBAD3AEE | SHA256:20E7F2EA10987F8221F79DE6FF129B96A2F261D35D6A23190C1DD0F7AB6FA331 | |||
| 5588 | WINWORD.EXE | C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$Normal.dotm | binary | |
MD5:E4F2994886D1FB4C3573C1DF52621A05 | SHA256:1AD15F912D588DE74DDADCB53BB767E96E505A6F6119048282D1D8B409AB8E75 | |||
| 5320 | c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.exe | C:\Users\admin\Desktop\c868d69ab0325fc50c145e01725197f46aa8d7edf200ef0774e27a92a673e354.doc | text | |
MD5:7D5B1332D1874453174F93A08C05DAA5 | SHA256:BED78D662432B83D61EDD3D0417A3C4FC89311AAD8A69FD740E919C3C4768366 | |||
| 4556 | SVCHOST.EXE | C:\Users\admin\AppData\Local\Temp\~DF632592CA8A4AD2F6.TMP | binary | |
MD5:69AA01128DA8AB66FC18D17FC57C3E50 | SHA256:F9152C337E6F1C833E9B3F3553E0AA4A94BAE57FFFB808DD5E98728B89F92C94 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
73
TCP/UDP connections
80
DNS requests
15
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.53.42.40:443 | https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851225.cab | unknown | compressed | 30.2 Kb | whitelisted |
— | — | GET | 200 | 23.53.40.82:443 | https://omex.cdn.office.net/addinclassifier/officesharedentities | unknown | text | 314 Kb | whitelisted |
— | — | GET | 200 | 52.111.243.8:443 | https://messaging.lifecycle.office.com/getcustommessage16?app=0&ui=en-US&src=BizBar&messagetype=BizBar&hwid=04111-083-043729&ver=16.0.16026&lc=en-US&platform=10%3A0%3A19045%3A2%3A0%3A0%3A256%3A1%3A&productid=%7B1717C1E0-47D3-4899-A6D3-1022DB7415E0%7D%3A00411-10830-43729-AA720%3AOffice%2019%2C%20Office19Professional2019R_Retail%20edition&clientsessionid=%7B94CAAA7A-24D9-400D-93BE-6122ED305F5D%7D&datapropertybag=%7B%22Audience%22%3A%22Production%22%2C%22AudienceGroup%22%3A%22Production%22%2C%22AudienceChannel%22%3A%22CC%22%2C%22Flight%22%3A%22ofsh6c2b1tla1a31%2Cofcrui4yvdulbf31%2Cofhpex3jznepoo31%2Cofpioygfqmufst31%2Cofjhlwlmoc1pz531%22%7D | unknown | text | 542 b | whitelisted |
— | — | GET | 200 | 23.53.42.59:443 | https://binaries.templates.cdn.office.net/support/templates/en-us/tp02851217.cab | unknown | compressed | 32.8 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
— | — | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5588 | WINWORD.EXE | 52.109.28.46:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted |
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5588 | WINWORD.EXE | 23.53.40.82:443 | omex.cdn.office.net | Akamai International B.V. | DE | whitelisted |
5588 | WINWORD.EXE | 52.113.194.132:443 | ecs.office.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4328 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
officeclient.microsoft.com |
| whitelisted |
omex.cdn.office.net |
| whitelisted |
ecs.office.com |
| whitelisted |
messaging.lifecycle.office.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
metadata.templates.cdn.office.net |
| whitelisted |
Threats
Process | Message |
|---|---|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|
WINWORD.EXE | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
|