File name:	d49656c69afa69b93e60a74a52f1653248b1c4af7d137295c10df46fd618ab07
Full analysis:	https://app.any.run/tasks/bec561db-6dd6-4f45-a8dc-b0105fe11713
Verdict:	Malicious activity
Analysis date:	January 03, 2025, 04:05:18
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5:	829ECC80D8246BE38ADD680762425162
SHA1:	ADDEE915B475A25F75AD3FC3DCC63A7A36AE616E
SHA256:	D49656C69AFA69B93E60A74A52F1653248B1C4AF7D137295C10DF46FD618AB07
SSDEEP:	384:982w+Xa+UPj/seGZJ0GQJgGPibM7wq/40sIABo6lE:982NXzUrszjYgGPig7FWo6lE

.exe	\|	UPX compressed Win32 Executable (43.5)
.exe	\|	Win32 EXE Yoda's Crypter (42.7)
.exe	\|	Win32 Executable (generic) (7.2)
.exe	\|	Generic Win/DOS Executable (3.2)
.exe	\|	DOS Executable Generic (3.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2006:01:26 23:27:38+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	12288
InitializedDataSize:	8192
UninitializedDataSize:	36864
EntryPoint:	0xc470
OSVersion:	4
ImageVersion:	1
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
Comments:	Word Document
CompanyName:	\|“~\|~\|~\|•~\|~\|Œ~O…„
FileDescription:	Word Document
ProductName:	\|“~\|~\|~\|•~\|~\|Œ~O…„
FileVersion:	1
ProductVersion:	1
InternalName:	Document
OriginalFileName:	Document.exe


(PID) Process:	(5392) d49656c69afa69b93e60a74a52f1653248b1c4af7d137295c10df46fd618ab07.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	Bron-Spizaetus
Value:
(PID) Process:	(5392) d49656c69afa69b93e60a74a52f1653248b1c4af7d137295c10df46fd618ab07.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	Tok-Cirrhatus
Value:
(PID) Process:	(5392) d49656c69afa69b93e60a74a52f1653248b1c4af7d137295c10df46fd618ab07.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	delete value	Name:	Tok-Cirrhatus-1860
Value:
(PID) Process:	(5392) d49656c69afa69b93e60a74a52f1653248b1c4af7d137295c10df46fd618ab07.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Security\status
Operation:	write	Name:	last-check
Value: RfYSceYO†™†
(PID) Process:	(5392) d49656c69afa69b93e60a74a52f1653248b1c4af7d137295c10df46fd618ab07.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Security\status
Operation:	write	Name:	last-check7
Value: RfYSceYrvrwtxO†™†
(PID) Process:	(5392) d49656c69afa69b93e60a74a52f1653248b1c4af7d137295c10df46fd618ab07.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	1E82BD8.exe
Value: C:\WINDOWS\1E82BD8.exe
(PID) Process:	(5392) d49656c69afa69b93e60a74a52f1653248b1c4af7d137295c10df46fd618ab07.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Security\status
Operation:	write	Name:	value
Value: ”†„–“†X

PID	Process	Filename		Type
5392	d49656c69afa69b93e60a74a52f1653248b1c4af7d137295c10df46fd618ab07.exe	C:\Users\admin\AppData\Roaming\[r][o][n][t][o][k].doc		html
		MD5:16E7774F34DDAC0F2C10E105B0F6D261	SHA256:78E6E26B5B8BBCBAF00D78505B9E65E890A908C57C600A8EA54BC8B0C9232CFD
5392	d49656c69afa69b93e60a74a52f1653248b1c4af7d137295c10df46fd618ab07.exe	C:\Users\Public\Documents\Sejarah Pembuat Virus Brontok.exe		executable
		MD5:AEC884C0B341987B8AFD306964E98468	SHA256:8E3EB3A51EE224D0406EB6924D108064C167C20630426078BCA25F87E07F2414
5392	d49656c69afa69b93e60a74a52f1653248b1c4af7d137295c10df46fd618ab07.exe	C:\Users\admin\AppData\Local\Temp\~DF4CC06B6014C57150.TMP		binary
		MD5:39CF34F9BF1473E9D8CC720678A0B16F	SHA256:FD35B74234E0EB02BA24BADC284C660C887D8E533A26EDBDF23CD845FF331060

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1380	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4804	RUXIMICS.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1380	svchost.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4804	RUXIMICS.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
4712	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1380	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4804	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2192	svchost.exe	224.0.0.252:5355	—	—	—	whitelisted
2192	svchost.exe	224.0.0.251:5353	—	—	—	unknown
1380	svchost.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4804	RUXIMICS.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.104.136.2	whitelisted
google.com	142.250.185.110	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.6	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
self.events.data.microsoft.com	20.42.72.131	whitelisted

General Info

d49656c69afa69b93e60a74a52f1653248b1c4af7d137295c10df46fd618ab07

829ECC80D8246BE38ADD680762425162

ADDEE915B475A25F75AD3FC3DCC63A7A36AE616E

D49656C69AFA69B93E60A74A52F1653248B1C4AF7D137295C10DF46FD618AB07

384:982w+Xa+UPj/seGZJ0GQJgGPibM7wq/40sIABo6lE:982NXzUrszjYgGPig7FWo6lE

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

SUSPICIOUS

Uses TASKKILL.EXE to kill process

Executable content was dropped or overwritten

INFO

Checks supported languages

The sample compiled with english language support

Create files in a temporary directory

Failed to create an executable file in Windows directory

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings