| File name: | abyss.exe |
| Full analysis: | https://app.any.run/tasks/68157f40-aa99-4656-ab63-cd0fcbcfdd84 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | July 01, 2025, 20:16:16 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 7 sections |
| MD5: | 8D41FB6300A4A5273E7B51FC54071B45 |
| SHA1: | C8350254C727FDC65C77163741B5960643DE900D |
| SHA256: | CD994BAC103C7F7615E5F2CBE6CAE084DC59A0C27436CC7AD664F8673196C4A9 |
| SSDEEP: | 98304:QC3CpA8xWBI4Lp/59iTc8wCRy8MhzSmEL4w848191bkaZA+u6jlU456hJFmmp7Qw:t30esCC6GdZczMcpQeY3cxCYeND6ir |
MALICIOUS
Create files in the Startup directory
- abyss.exe (PID: 2808)
Actions looks like stealing of personal data
- abyss.exe (PID: 2808)
- abyss.exe (PID: 4800)
Steals credentials from Web Browsers
- abyss.exe (PID: 2808)
- abyss.exe (PID: 4800)
Changes Controlled Folder Access settings
- powershell.exe (PID: 1156)
- powershell.exe (PID: 1812)
Changes Windows Defender settings
- cmd.exe (PID: 7060)
- cmd.exe (PID: 2536)
Changes settings for protection against network attacks (IPS)
- powershell.exe (PID: 1156)
- powershell.exe (PID: 1812)
Changes settings for reporting to Microsoft Active Protection Service (MAPS)
- powershell.exe (PID: 1156)
- powershell.exe (PID: 1812)
Changes settings for checking scripts for malicious actions
- powershell.exe (PID: 1156)
- powershell.exe (PID: 1812)
Changes settings for real-time protection
- powershell.exe (PID: 1156)
- powershell.exe (PID: 1812)
Changes settings for sending potential threat samples to Microsoft servers
- powershell.exe (PID: 1156)
- powershell.exe (PID: 1812)
LUNA has been detected
- abyss.exe (PID: 2808)
- abyss.exe (PID: 4800)
Changes antivirus protection settings for downloading files from the Internet (IOAVProtection)
- powershell.exe (PID: 1156)
- powershell.exe (PID: 1812)
SUSPICIOUS
Application launched itself
- abyss.exe (PID: 1800)
- abyss.exe (PID: 320)
Process drops legitimate windows executable
- abyss.exe (PID: 1800)
- abyss.exe (PID: 320)
Loads Python modules
- abyss.exe (PID: 2808)
- abyss.exe (PID: 4800)
Process drops python dynamic module
- abyss.exe (PID: 1800)
- abyss.exe (PID: 320)
The process drops C-runtime libraries
- abyss.exe (PID: 1800)
- abyss.exe (PID: 320)
Executable content was dropped or overwritten
- abyss.exe (PID: 1800)
- abyss.exe (PID: 2808)
- abyss.exe (PID: 320)
Starts CMD.EXE for commands execution
- abyss.exe (PID: 2808)
- abyss.exe (PID: 4800)
Script disables Windows Defender's real-time protection
- cmd.exe (PID: 7060)
- cmd.exe (PID: 2536)
Uses NETSH.EXE to obtain data on the network
- cmd.exe (PID: 3148)
- cmd.exe (PID: 1520)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 7060)
- cmd.exe (PID: 2536)
Script disables Windows Defender's IPS
- cmd.exe (PID: 7060)
- cmd.exe (PID: 2536)
INFO
Checks supported languages
- abyss.exe (PID: 1800)
- abyss.exe (PID: 2808)
- abyss.exe (PID: 320)
- abyss.exe (PID: 4800)
Reads the computer name
- abyss.exe (PID: 1800)
- abyss.exe (PID: 2808)
- abyss.exe (PID: 320)
- abyss.exe (PID: 4800)
Create files in a temporary directory
- abyss.exe (PID: 1800)
- abyss.exe (PID: 2808)
- abyss.exe (PID: 320)
- abyss.exe (PID: 4800)
The sample compiled with english language support
- abyss.exe (PID: 1800)
- abyss.exe (PID: 320)
Creates files or folders in the user directory
- abyss.exe (PID: 2808)
Launching a file from the Startup directory
- abyss.exe (PID: 2808)
Manual execution by a user
- abyss.exe (PID: 320)
- notepad.exe (PID: 4224)
- notepad.exe (PID: 1300)
- notepad.exe (PID: 6264)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 1156)
- powershell.exe (PID: 1812)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 1156)
- powershell.exe (PID: 1812)
Checks proxy server information
- abyss.exe (PID: 2808)
- slui.exe (PID: 3580)
- abyss.exe (PID: 4800)
Reads security settings of Internet Explorer
- notepad.exe (PID: 4224)
- notepad.exe (PID: 6264)
- notepad.exe (PID: 1300)
Reads the software policy settings
- slui.exe (PID: 3580)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2025:07:01 18:19:53+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.43 |
| CodeSize: | 174592 |
| InitializedDataSize: | 95744 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xd0d0 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
159
Monitored processes
20
Malicious processes
8
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 320 | "C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\abyss.exe" | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\abyss.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
| 684 | netsh wlan show profiles | C:\Windows\System32\netsh.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1156 | powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1300 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\cookies.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1520 | C:\WINDOWS\system32\cmd.exe /c "netsh wlan show profiles" | C:\Windows\System32\cmd.exe | — | abyss.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1800 | "C:\Users\admin\Desktop\abyss.exe" | C:\Users\admin\Desktop\abyss.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
| 1812 | powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2076 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2380 | netsh wlan show profiles | C:\Windows\System32\netsh.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Network Command Shell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2536 | C:\WINDOWS\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2" | C:\Windows\System32\cmd.exe | — | abyss.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
15 839
Read events
15 839
Write events
0
Delete events
0
Modification events
Executable files
159
Suspicious files
4
Text files
52
Unknown types
4
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1800 | abyss.exe | C:\Users\admin\AppData\Local\Temp\_MEI18002\Crypto\Cipher\_chacha20.pyd | executable | |
MD5:CDDB611703F253C9BE50AC3B0D7C03E3 | SHA256:6F4ABBE4368A9C6D4C440B92D04D1E1F2E19CD3D496FD61D1636F1FC298CC44D | |||
| 1800 | abyss.exe | C:\Users\admin\AppData\Local\Temp\_MEI18002\Crypto\Cipher\_raw_eksblowfish.pyd | executable | |
MD5:8EC14C1A7930F44F7164138E707799AF | SHA256:1ACC08E280CCD4FEB5AA37AA84E3EB0547EA56E53D033BF770A4858A9044874D | |||
| 1800 | abyss.exe | C:\Users\admin\AppData\Local\Temp\_MEI18002\Crypto\Cipher\_raw_arc2.pyd | executable | |
MD5:D5ECA8AE91A857BBF03D78DB84AF53CE | SHA256:2845C1911496B07D80573CA59A359AABD4B5B04E6A00A54641921494FA4D3A1D | |||
| 1800 | abyss.exe | C:\Users\admin\AppData\Local\Temp\_MEI18002\Crypto\Cipher\_raw_ecb.pyd | executable | |
MD5:B7B7E507BD8449F97C62082C00C1BDEA | SHA256:1ACE429FB6F44B8E0E2F0C5BB0A7B9AC9ECB100A1721CE7094030255161E48AE | |||
| 1800 | abyss.exe | C:\Users\admin\AppData\Local\Temp\_MEI18002\Crypto\Cipher\_raw_ctr.pyd | executable | |
MD5:4750B4E6541547C2DAE41BE75F120F0C | SHA256:E230D693B5FA6B61CC2A415D2191F540B6E057CB263B2F7F13B8633D40B9B40F | |||
| 1800 | abyss.exe | C:\Users\admin\AppData\Local\Temp\_MEI18002\Crypto\Cipher\_raw_aes.pyd | executable | |
MD5:9796EC9233D686839E4BA4D90150593E | SHA256:898FD9B702DF2E9BCDCE0733F7AB6F0AF350624C388AEAADCF72200272FBE538 | |||
| 1800 | abyss.exe | C:\Users\admin\AppData\Local\Temp\_MEI18002\Crypto\Cipher\_raw_des3.pyd | executable | |
MD5:38967802B6F1E1072173B9DE026890D2 | SHA256:68EC80EA94001C5CBC31529218172151FB6A00DB2338418D051449BC4D1E30DB | |||
| 1800 | abyss.exe | C:\Users\admin\AppData\Local\Temp\_MEI18002\Crypto\Cipher\_raw_aesni.pyd | executable | |
MD5:BEC59200BC006A36F15C6DEFBF8BB93B | SHA256:016507BE631DCCAAB53925BFBA41B12EEB4F67B86789D39BFCF2E465732BBE31 | |||
| 1800 | abyss.exe | C:\Users\admin\AppData\Local\Temp\_MEI18002\Crypto\Cipher\_raw_blowfish.pyd | executable | |
MD5:D1193FF2FD0088F2184254DABCCDE58A | SHA256:ACB8EBBB541A3B406BFC95905230E592A05FC22C7B70FCC9449641B3E04A6441 | |||
| 1800 | abyss.exe | C:\Users\admin\AppData\Local\Temp\_MEI18002\Crypto\Cipher\_raw_ofb.pyd | executable | |
MD5:5262E23B51AE12D4F2E19909A51CE651 | SHA256:17B74C782E1048AB4A4AE0F2F6E8E094401A83300EAE9523294726462FEA0979 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
33
TCP/UDP connections
48
DNS requests
21
Threats
6
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.124:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6828 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 200 | 20.190.160.22:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted |
— | — | POST | 400 | 20.190.160.22:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | POST | 200 | 40.126.32.136:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted |
— | — | GET | 304 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | unknown |
— | — | POST | 200 | 20.190.159.68:443 | https://login.live.com/RST2.srf | unknown | xml | 11.0 Kb | whitelisted |
— | — | GET | 200 | 4.175.87.197:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | compressed | 23.9 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6828 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 2.16.168.124:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
6828 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
discord.com |
| whitelisted |
nexusrules.officeapps.live.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2200 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |
2200 | svchost.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com) |
2808 | abyss.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
2808 | abyss.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI |
4800 | abyss.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
4800 | abyss.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI |