| File name: | x.exe |
| Full analysis: | https://app.any.run/tasks/c64d3f86-5943-47c7-889f-6a9a5c3c2bde |
| Verdict: | Malicious activity |
| Threats: | Mallox is a ransomware strain that emerged in 2021, known for its ability to encrypt files and target database servers using vulnerabilities like RDP. Often distributed through phishing campaigns and exploiting exposed SQL servers, it locks victims' data and demands a ransom. Mallox operates as a Ransomware-as-a-Service (RaaS), making it accessible to affiliates who use it to conduct attacks. |
| Analysis date: | August 08, 2024, 11:33:49 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows |
| MD5: | 0AAB6BAB5024B02B33B3A1AB6403A63B |
| SHA1: | 042571A56C890EC611C626602573DBA953155512 |
| SHA256: | D6E3F6E93F95B70C8D5C4721CC1DBE09E9AE5EAA4B5A0FB7DA1E1206AB601D0B |
| SSDEEP: | 12288:3v7Z+zKu6aphgjXSyu41gnForZbbuRS9wwx6Ti8CFl:/9mKu6Ydz4URSQCF |
MALICIOUS
Drops the executable file immediately after the start
- x.exe (PID: 6252)
Using BCDEDIT.EXE to modify recovery options
- cmd.exe (PID: 6304)
- cmd.exe (PID: 6344)
Connects to the CnC server
- x.exe (PID: 6252)
MALLOX has been detected (SURICATA)
- x.exe (PID: 6252)
Renames files like ransomware
- x.exe (PID: 6252)
Create files in the Startup directory
- x.exe (PID: 6252)
Actions looks like stealing of personal data
- x.exe (PID: 6252)
SUSPICIOUS
Reads security settings of Internet Explorer
- x.exe (PID: 6252)
Starts CMD.EXE for commands execution
- x.exe (PID: 6252)
Reads the date of Windows installation
- x.exe (PID: 6252)
Creates file in the systems drive root
- x.exe (PID: 6252)
Connects to unusual port
- x.exe (PID: 6252)
Creates files like ransomware instruction
- x.exe (PID: 6252)
Checks for external IP
- x.exe (PID: 6252)
Reads browser cookies
- x.exe (PID: 6252)
Connects to the server without a host name
- x.exe (PID: 6252)
INFO
Checks supported languages
- x.exe (PID: 6252)
Reads the computer name
- x.exe (PID: 6252)
Process checks computer location settings
- x.exe (PID: 6252)
Reads the machine GUID from the registry
- x.exe (PID: 6252)
Reads Environment values
- x.exe (PID: 6252)
Checks proxy server information
- x.exe (PID: 6252)
Reads product name
- x.exe (PID: 6252)
Create files in a temporary directory
- x.exe (PID: 6252)
Creates files or folders in the user directory
- x.exe (PID: 6252)
Creates files in the program directory
- x.exe (PID: 6252)
The dropped object may contain a URL to Tor Browser
- x.exe (PID: 6252)
Dropped object may contain TOR URL's
- x.exe (PID: 6252)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (87.3) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (6.3) |
| .exe | | | DOS Executable Generic (6.3) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2024:06:19 13:25:02+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.38 |
| CodeSize: | 337408 |
| InitializedDataSize: | 184832 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2d624 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
Total processes
143
Monitored processes
8
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 6252 | "C:\Users\admin\AppData\Local\Temp\x.exe" | C:\Users\admin\AppData\Local\Temp\x.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 6304 | "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} bootstatuspolicy ignoreallfailures | C:\Windows\System32\cmd.exe | — | x.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6312 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6344 | "C:\Windows\System32\cmd.exe" /c bcdedit /set {current} recoveryenabled no | C:\Windows\System32\cmd.exe | — | x.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6352 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6424 | bcdedit /set {current} bootstatuspolicy ignoreallfailures | C:\Windows\System32\bcdedit.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Boot Configuration Data Editor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6440 | bcdedit /set {current} recoveryenabled no | C:\Windows\System32\bcdedit.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Boot Configuration Data Editor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6812 | C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
2 174
Read events
2 163
Write events
11
Delete events
0
Modification events
| (PID) Process: | (6252) x.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (6252) x.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (6252) x.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (6252) x.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (6252) x.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (6252) x.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (6252) x.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
Executable files
6
Suspicious files
6 571
Text files
1 777
Unknown types
113
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6252 | x.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low\HOW TO BACK FILES.txt | text | |
MD5:90307B35D80B790BC68281ABB74E7645 | SHA256:45328AB4569231A3F00DB255EC0D13A0E758EA98452C60AAB2F182D9804AAB8D | |||
| 6252 | x.exe | C:\Users\admin\.ms-ad\HOW TO BACK FILES.txt | text | |
MD5:90307B35D80B790BC68281ABB74E7645 | SHA256:45328AB4569231A3F00DB255EC0D13A0E758EA98452C60AAB2F182D9804AAB8D | |||
| 6252 | x.exe | C:\$Recycle.Bin\S-1-5-21-1693682860-607145093-2874071422-1001\HOW TO BACK FILES.txt | text | |
MD5:90307B35D80B790BC68281ABB74E7645 | SHA256:45328AB4569231A3F00DB255EC0D13A0E758EA98452C60AAB2F182D9804AAB8D | |||
| 6252 | x.exe | C:\Users\admin\Music\HOW TO BACK FILES.txt | text | |
MD5:90307B35D80B790BC68281ABB74E7645 | SHA256:45328AB4569231A3F00DB255EC0D13A0E758EA98452C60AAB2F182D9804AAB8D | |||
| 6252 | x.exe | C:\Users\admin\Contacts\HOW TO BACK FILES.txt | text | |
MD5:90307B35D80B790BC68281ABB74E7645 | SHA256:45328AB4569231A3F00DB255EC0D13A0E758EA98452C60AAB2F182D9804AAB8D | |||
| 6252 | x.exe | C:\Users\admin\3D Objects\HOW TO BACK FILES.txt | text | |
MD5:90307B35D80B790BC68281ABB74E7645 | SHA256:45328AB4569231A3F00DB255EC0D13A0E758EA98452C60AAB2F182D9804AAB8D | |||
| 6252 | x.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCookies\Low\HOW TO BACK FILES.txt | text | |
MD5:90307B35D80B790BC68281ABB74E7645 | SHA256:45328AB4569231A3F00DB255EC0D13A0E758EA98452C60AAB2F182D9804AAB8D | |||
| 6252 | x.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCookies\Low\ESE\HOW TO BACK FILES.txt | text | |
MD5:90307B35D80B790BC68281ABB74E7645 | SHA256:45328AB4569231A3F00DB255EC0D13A0E758EA98452C60AAB2F182D9804AAB8D | |||
| 6252 | x.exe | C:\Users\admin\Desktop\HOW TO BACK FILES.txt | text | |
MD5:90307B35D80B790BC68281ABB74E7645 | SHA256:45328AB4569231A3F00DB255EC0D13A0E758EA98452C60AAB2F182D9804AAB8D | |||
| 6252 | x.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE\Low\HOW TO BACK FILES.txt | text | |
MD5:90307B35D80B790BC68281ABB74E7645 | SHA256:45328AB4569231A3F00DB255EC0D13A0E758EA98452C60AAB2F182D9804AAB8D | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
63
DNS requests
18
Threats
6
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
7012 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |
5336 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | — | — | whitelisted |
6252 | x.exe | POST | 200 | 91.215.85.135:80 | http://91.215.85.135/QWEwqdsvsf/ap.php | unknown | — | — | unknown |
6252 | x.exe | GET | 200 | 104.26.12.205:80 | http://api.ipify.org/ | unknown | — | — | whitelisted |
6252 | x.exe | POST | 200 | 91.215.85.135:80 | http://91.215.85.135/QWEwqdsvsf/ap.php | unknown | — | — | unknown |
3844 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
6988 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3972 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2120 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4560 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6252 | x.exe | 104.26.12.205:80 | api.ipify.org | CLOUDFLARENET | US | unknown |
6252 | x.exe | 91.215.85.135:80 | — | — | RU | malicious |
3972 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.2:445 | — | — | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
api.ipify.org |
| shared |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
www.bing.com |
| whitelisted |
th.bing.com |
| whitelisted |
fd.api.iris.microsoft.com |
| whitelisted |
arc.msn.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
6252 | x.exe | Device Retrieving External IP Address Detected | POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org) |
6252 | x.exe | Device Retrieving External IP Address Detected | ET POLICY External IP Lookup api.ipify.org |
2256 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup |
6252 | x.exe | A Network Trojan was detected | ET MALWARE Win32/Filecoder.OJC CnC Checkin |
6252 | x.exe | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request |
6252 | x.exe | A Network Trojan was detected | ET MALWARE Win32/Filecoder.OJC CnC Checkin |
Process | Message |
|---|---|
x.exe | No permission: \\.\C:\$WinREAgent |
x.exe | No permission: \\.\C:\$WinREAgent |
x.exe | No permission: \\.\C:\bootmgr |
x.exe | No permission: \\.\C:\bootmgr |
x.exe | No permission: \\.\C:\BOOTNXT |
x.exe | No permission: \\.\C:\BOOTNXT |
x.exe | No permission: \\.\C:\Documents and Settings |
x.exe | No permission: \\.\C:\Documents and Settings |
x.exe | In use another process: \\.\C:\DumpStack.log.tmp |
x.exe | In use another process: \\.\C:\DumpStack.log.tmp |