| Field | Value |
|---|---|
| File name | 89.cpl |
| Full analysis | https://app.any.run/tasks/06e4d0e3-00f1-436e-bdd4-ac2c52fe0ca5 |
| Verdict | Malicious activity |
| Analysis date | November 03, 2023, 12:00:39 |
| OS | Windows 10 Professional (build: 19044, 64 bit) |
| Indicators | |
| MIME | application/x-dosexec |
| File info | PE32 executable (DLL) (GUI) Intel 80386, for MS Windows |
| MD5 | 0BE59B56306F441CB39EF0E02A7185EC |
| SHA1 | 52390C57570C448D035CF83B5226A240AF3E3152 |
| SHA256 | DA34DA8D5B35170FB3D1397E40C1FCBFA766EB043BC0B5DC1CE4578513C50901 |
| SSDEEP | 49152:TN7JVW91jU9z2jpPMMN9dErDThngTe/vianjuDl1FRieP5iFAYB3UTVN8veieSHH:TVcVUVaNvcnghxiM5iF12HDSHlDgkd/z |
| Extension | File type match (probability %) |
|---|---|
| .exe | Win64 Executable (generic) (64.6) |
| .dll | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | Win32 Executable (generic) (10.5) |
| .exe | Generic Win/DOS Executable (4.6) |
| .exe | DOS Executable Generic (4.6) |
| Field | Value |
|---|---|
| MachineType | Intel 386 or later, and compatibles |
| TimeStamp | 2015:01:19 15:52:54+01:00 |
| ImageFileCharacteristics | Executable, 32-bit, DLL |
| PEType | PE32 |
| LinkerVersion | 9 |
| CodeSize | 284160 |
| InitializedDataSize | 95232 |
| UninitializedDataSize | - |
| EntryPoint | 0x29335 |
| OSVersion | 5 |
| ImageVersion | - |
| SubsystemVersion | 5 |
| Subsystem | Windows GUI |
| FileVersionNumber | 1.2.0.1831 |
| ProductVersionNumber | 1.2.0.1831 |
| FileFlagsMask | 0x0017 |
| FileFlags | (none) |
| FileOS | Win32 |
| ObjectFileType | Dynamic link library |
| FileSubtype | - |
| LanguageCode | Russian |
| CharacterSet | Unicode |
| CompanyName | Yandex LLC |
| FileDescription | Yandex updater (CU) |
| FileVersion | 1.2.0.1831 |
| InternalName | dllyupdate |
| LegalCopyright | Copyright (C) 2014 Yandex LLC |
| OriginalFileName | dllyupdate.dll |
| ProductName | Yandex updater |
| ProductVersion | 1.2.0.1831 |
All processes below ran as user admin at integrity level MEDIUM, and every image carries Microsoft Corporation version information.

| PID | CMD | Path | Indicators | Parent process | Exit code | Version | Description |
|---|---|---|---|---|---|---|---|
| 856 | "C:\Windows\System32\SearchProtocolHost.exe" | C:\Windows\SysWOW64\SearchProtocolHost.exe | | rundll32.exe | 0 | 7.0.19041.1151 (WinBuild.160101.0800) | Microsoft Windows Search Protocol Host |
| 1044 | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe | — | svchost.exe | 0 | 19.043.0304.0013 | Microsoft OneDrive File Co-Authoring Executable |
| 2428 | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe | — | svchost.exe | 0 | 19.043.0304.0013 | Microsoft OneDrive File Co-Authoring Executable |
| 3268 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | NETSTAT.EXE | 0 | 10.0.19041.1 (WinBuild.160101.0800) | Console Window Host |
| 6260 | ipconfig.exe /all | C:\Windows\SysWOW64\ipconfig.exe | — | SearchProtocolHost.exe | 0 | 10.0.19041.1 (WinBuild.160101.0800) | IP Configuration Utility |
| 6332 | whoami.exe /all | C:\Windows\SysWOW64\whoami.exe | — | SearchProtocolHost.exe | 1 | 10.0.19041.1 (WinBuild.160101.0800) | whoami - displays logged on user information |
| 6344 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | whoami.exe | 0 | 10.0.19041.1 (WinBuild.160101.0800) | Console Window Host |
| 6388 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | ipconfig.exe | 0 | 10.0.19041.1 (WinBuild.160101.0800) | Console Window Host |
| 6448 | netstat.exe -aon | C:\Windows\SysWOW64\NETSTAT.EXE | — | SearchProtocolHost.exe | 0 | 10.0.19041.1 (WinBuild.160101.0800) | TCP/IP Netstat Command |
| 6868 | "C:\Windows\System32\rundll32.exe" C:\Users\admin\Desktop\89.cpl.exe, Crash | C:\Windows\System32\rundll32.exe | — | explorer.exe | 0 | 10.0.19041.1 (WinBuild.160101.0800) | Windows host process (Rundll32) |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 856 | SearchProtocolHost.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie: |
| 856 | SearchProtocolHost.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited: |
| 856 | SearchProtocolHost.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1 |
| 856 | SearchProtocolHost.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1 |
| 856 | SearchProtocolHost.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1 |
| 856 | SearchProtocolHost.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2428 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2023-11-03.1207.2428.1.odl | binary | D5897ACD013C189646739CB21C6432D2 | 0FD40C39304AF72D8619E490784961D5BB77E4BE788E9E59B1B988D12C817439 |
| 1044 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2023-11-03.1217.1044.1.aodl | binary | 923BF0E545D9C37CA8874C8D6C4A30E6 | AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65 |
| 1044 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2023-11-03.1217.1044.1.odl | binary | 3712BAF6C81D71F332F49203A21D2625 | B72A3FA4607D0F1A4AE9C4F60163CAC78935A4F2DEDB4D34668F72FA3ADB5319 |
| 2428 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2023-11-03.1207.2428.1.aodl | binary | 923BF0E545D9C37CA8874C8D6C4A30E6 | AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6504 | svchost.exe | HEAD | 200 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1699514207&P2=404&P3=2&P4=hTYhn7%2b62Q9UKuAofWFNQcx%2f51OtVwJ%2fmUDMlOzK41DjYsZr%2bodoJswBmJ0XyCJBhc1xIY%2bqTHVmyWipXrBdSw%3d%3d | unknown | — | — | unknown |
6504 | svchost.exe | GET | — | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1699514207&P2=404&P3=2&P4=hTYhn7%2b62Q9UKuAofWFNQcx%2f51OtVwJ%2fmUDMlOzK41DjYsZr%2bodoJswBmJ0XyCJBhc1xIY%2bqTHVmyWipXrBdSw%3d%3d | unknown | — | — | unknown |
6504 | svchost.exe | GET | 206 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1699514207&P2=404&P3=2&P4=hTYhn7%2b62Q9UKuAofWFNQcx%2f51OtVwJ%2fmUDMlOzK41DjYsZr%2bodoJswBmJ0XyCJBhc1xIY%2bqTHVmyWipXrBdSw%3d%3d | unknown | binary | 28 b | unknown |
6504 | svchost.exe | GET | 206 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1699514207&P2=404&P3=2&P4=hTYhn7%2b62Q9UKuAofWFNQcx%2f51OtVwJ%2fmUDMlOzK41DjYsZr%2bodoJswBmJ0XyCJBhc1xIY%2bqTHVmyWipXrBdSw%3d%3d | unknown | binary | 1.09 Kb | unknown |
6504 | svchost.exe | GET | 206 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1699514207&P2=404&P3=2&P4=hTYhn7%2b62Q9UKuAofWFNQcx%2f51OtVwJ%2fmUDMlOzK41DjYsZr%2bodoJswBmJ0XyCJBhc1xIY%2bqTHVmyWipXrBdSw%3d%3d | unknown | binary | 177 b | unknown |
6504 | svchost.exe | GET | 206 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/873489b1-33b2-480a-baa2-641b9e09edcd?P1=1699514207&P2=404&P3=2&P4=hTYhn7%2b62Q9UKuAofWFNQcx%2f51OtVwJ%2fmUDMlOzK41DjYsZr%2bodoJswBmJ0XyCJBhc1xIY%2bqTHVmyWipXrBdSw%3d%3d | unknown | binary | 1.69 Kb | unknown |
7108 | SIHClient.exe | GET | 200 | 2.20.157.251:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | binary | 418 b | unknown |
2980 | svchost.exe | GET | 200 | 23.52.59.236:80 | http://x1.c.lencr.org/ | unknown | binary | 717 b | unknown |
2984 | OfficeClickToRun.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | binary | 471 b | unknown |
6504 | svchost.exe | GET | 206 | 152.199.19.161:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/621a4ceb-00df-4de7-b7ca-42b2435b0a29?P1=1699514523&P2=404&P3=2&P4=lFQV4JKWZCknSrCTJ1AJxfAHPTDbXCixvecbBzfADBTxirxa%2bd8voBRip5PSFpdBDCPB0iH6TkoKR6JFpBJe0w%3d%3d | unknown | binary | 3.35 Kb | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4132 | svchost.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
2836 | msedge.exe | 224.0.0.251:5353 | — | — | — | unknown |
3792 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
856 | SearchProtocolHost.exe | 65.20.84.254:13783 | — | AS-CHOOPA | IN | unknown |
2948 | msedge.exe | 13.107.21.239:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
2948 | msedge.exe | 23.40.141.150:443 | go.microsoft.com | JasTel Network International Gateway | TH | unknown |
6504 | svchost.exe | 152.199.19.161:80 | msedge.b.tlu.dl.delivery.mp.microsoft.com | EDGECAST | US | whitelisted |
2984 | OfficeClickToRun.exe | 20.189.173.13:443 | self.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
| Domain | Reputation |
|---|---|
| edge.microsoft.com | whitelisted |
| go.microsoft.com | whitelisted |
| msedge.b.tlu.dl.delivery.mp.microsoft.com | whitelisted |
| self.events.data.microsoft.com | whitelisted |
| ocsp.digicert.com | whitelisted |
| slscr.update.microsoft.com | whitelisted |
| www.microsoft.com | whitelisted |
| fe3cr.delivery.mp.microsoft.com | whitelisted |
| x1.c.lencr.org | whitelisted |
PID | Process | Class | Message |
|---|---|---|---|
856 | SearchProtocolHost.exe | A Network Trojan was detected | ET CNC Feodo Tracker Reported CnC Server group 8 |
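An added triage script, written for this page and not part of the any.run report, that checks the process tree and connection list above for the chain that marks 89.cpl as malicious: rundll32.exe loading a module from the user's Desktop and calling its export, SearchProtocolHost.exe appearing with rundll32.exe as its parent, discovery commands (whoami /all, ipconfig /all, netstat -aon) spawned from that host process, and the same PID's outbound connection to 65.20.84.254:13783. The records are transcribed from the tables on this page; EXPECTED_PARENT, SHELLS and DISCOVERY encode assumptions about a normal Windows 10 host, not data from the sandbox:

```python
"""Triage the process tree and connection list of this report for the
behaviours that make 89.cpl malicious:
  1. rundll32.exe loading a module from a user-writable path and calling
     one of its exports ("...\\89.cpl.exe, Crash"),
  2. SearchProtocolHost.exe started by rundll32.exe instead of the indexer
     service (a legitimate host process reused for injection),
  3. discovery LOLBins (whoami /all, ipconfig /all, netstat -aon) spawned
     by that SearchProtocolHost.exe, and its egress to a non-web port.
Records are transcribed from the report tables; EXPECTED_PARENT, SHELLS and
DISCOVERY are assumptions about a normal Windows 10 host, not sandbox data.
"""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Proc:
    pid: int
    cmd: str
    path: str
    parent: str      # parent image name, as the sandbox reports it (no PID)
    exit_code: int = 0


@dataclass(frozen=True)
class Conn:
    pid: int
    process: str
    ip: str
    port: int
    asn: str


# Constructed from the "Processes" table of this report (subset).
PROCS = [
    Proc(6868, r'"C:\Windows\System32\rundll32.exe" C:\Users\admin\Desktop\89.cpl.exe, Crash',
         r'C:\Windows\System32\rundll32.exe', 'explorer.exe'),
    Proc(856, r'"C:\Windows\System32\SearchProtocolHost.exe"',
         r'C:\Windows\SysWOW64\SearchProtocolHost.exe', 'rundll32.exe'),
    Proc(6260, 'ipconfig.exe /all', r'C:\Windows\SysWOW64\ipconfig.exe', 'SearchProtocolHost.exe'),
    Proc(6332, 'whoami.exe /all', r'C:\Windows\SysWOW64\whoami.exe', 'SearchProtocolHost.exe', 1),
    Proc(6448, 'netstat.exe -aon', r'C:\Windows\SysWOW64\NETSTAT.EXE', 'SearchProtocolHost.exe'),
    Proc(1044, r'C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe -Embedding',
         r'C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013\FileCoAuth.exe', 'svchost.exe'),
]
# Constructed from the "Connections" table of this report (subset).
CONNS = [
    Conn(856, 'SearchProtocolHost.exe', '65.20.84.254', 13783, 'AS-CHOOPA'),
    Conn(6504, 'svchost.exe', '152.199.19.161', 80, 'EDGECAST'),
]

# Assumption: on a clean host the search protocol host is started only by the
# indexer service; any other parent (rundll32, a user shell) is worth a look.
EXPECTED_PARENT = {'searchprotocolhost.exe': {'searchindexer.exe'}}
# Interactive shells from which an admin may legitimately run discovery tools.
SHELLS = {'cmd.exe', 'powershell.exe', 'pwsh.exe', 'explorer.exe'}
DISCOVERY = {'whoami.exe', 'ipconfig.exe', 'netstat.exe', 'systeminfo.exe', 'net.exe'}
USER_WRITABLE = re.compile(r'^[A-Za-z]:\\Users\\')
# "<module>, <export>" as rundll32 parses its arguments; the module path here
# contains no spaces, so a non-space, non-comma run is enough.
RUNDLL32_ARGS = re.compile(r'rundll32\.exe"?\s+(?P<module>[^,\s]+)\s*,\s*(?P<export>\S+)', re.I)


def image_name(path: str) -> str:
    """Lower-cased file name of an image path (NETSTAT.EXE -> netstat.exe)."""
    return path.rsplit('\\', 1)[-1].lower()


def triage(procs, conns):
    """Return (pid, rule, detail) findings in process-list order."""
    findings = []
    for p in procs:
        name = image_name(p.path)
        if name == 'rundll32.exe':
            m = RUNDLL32_ARGS.search(p.cmd)
            if m and USER_WRITABLE.match(m['module']):
                findings.append((p.pid, 'rundll32_user_module', f"{m['module']}!{m['export']}"))
        expected = EXPECTED_PARENT.get(name)
        if expected and p.parent.lower() not in expected:
            findings.append((p.pid, 'unexpected_parent', f'{name} <- {p.parent}'))
        if name in DISCOVERY and p.parent.lower() not in SHELLS:
            findings.append((p.pid, 'discovery_from_nonshell', f'{p.cmd} <- {p.parent}'))
    # Pivot: a process already flagged that also talks to a non-web port is the C2 lead.
    flagged = {pid for pid, _, _ in findings}
    for c in conns:
        if c.pid in flagged and c.port not in (80, 443):
            findings.append((c.pid, 'flagged_proc_nonweb_egress', f'{c.ip}:{c.port} ({c.asn})'))
    return findings


def chain(procs, leaf_pid):
    """Walk parents back from a PID by image name: whoami <- SearchProtocolHost <- rundll32."""
    by_name = {image_name(p.path): p for p in procs}
    p = next(x for x in procs if x.pid == leaf_pid)
    out = [image_name(p.path)]
    while p.parent.lower() in by_name:
        p = by_name[p.parent.lower()]
        out.append(image_name(p.path))
    return out


if __name__ == '__main__':
    for f in triage(PROCS, CONNS):
        print(*f)
    print(' <- '.join(chain(PROCS, 6332)))
```

The report gives each parent as an image name rather than a PID, so chain() walks by name and stops at explorer.exe, which is not in the transcribed list; against real telemetry (Sysmon event 1, Security 4688) key the lookup on the parent PID instead. Note that whoami.exe /all exited with code 1 in this run, so a rule that only counts successful executions would have missed one of the three discovery commands; the rules above key on parentage, not exit status.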