| File name: | e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f |
| Full analysis: | https://app.any.run/tasks/d988612d-fe5e-4f67-852a-cd65eb9bc773 |
| Verdict: | Malicious activity |
| Analysis date: | December 14, 2024, 01:05:14 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections |
| MD5: | 1C15A4F17AEAD40B520FEE6136B966F4 |
| SHA1: | 7062FDF8B97BEBBF39E2E7F51489764B20EB837D |
| SHA256: | E8955D539951E3C16E1D1DBFF413566788EBAD092E4D66D862E7B2AE5B90708F |
| SSDEEP: | 6144:i0/1Thw5w4qjPRrf2VrRZHMrbLcPN/wVVVVVVVVV0eDq0:5cPN/wVVVVVVVVV0eW0 |
MALICIOUS
JEEFO has been detected
- icsys.icn.exe (PID: 6508)
- e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe (PID: 6440)
- explorer.exe (PID: 6528)
- svchost.exe (PID: 6584)
Changes the autorun value in the registry
- explorer.exe (PID: 6528)
- svchost.exe (PID: 6584)
SUSPICIOUS
Executable content was dropped or overwritten
- e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe (PID: 6440)
- icsys.icn.exe (PID: 6508)
- explorer.exe (PID: 6528)
- spoolsv.exe (PID: 6548)
Starts application with an unusual extension
- e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe (PID: 6440)
Starts itself from another location
- e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe (PID: 6440)
- icsys.icn.exe (PID: 6508)
- explorer.exe (PID: 6528)
- spoolsv.exe (PID: 6548)
- svchost.exe (PID: 6584)
The process creates files with name similar to system file names
- icsys.icn.exe (PID: 6508)
- spoolsv.exe (PID: 6548)
Reads security settings of Internet Explorer
- e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe (PID: 6464)
Creates or modifies Windows services
- svchost.exe (PID: 6584)
INFO
Create files in a temporary directory
- e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe (PID: 6440)
- icsys.icn.exe (PID: 6508)
- explorer.exe (PID: 6528)
- spoolsv.exe (PID: 6548)
- svchost.exe (PID: 6584)
- spoolsv.exe (PID: 6636)
Checks supported languages
- e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe (PID: 6440)
- icsys.icn.exe (PID: 6508)
- e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe (PID: 6464)
- explorer.exe (PID: 6528)
- svchost.exe (PID: 6584)
- spoolsv.exe (PID: 6548)
- spoolsv.exe (PID: 6636)
- identity_helper.exe (PID: 6752)
The sample compiled with english language support
- e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe (PID: 6440)
- icsys.icn.exe (PID: 6508)
- explorer.exe (PID: 6528)
- spoolsv.exe (PID: 6548)
Reads the computer name
- e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe (PID: 6464)
- svchost.exe (PID: 6584)
- identity_helper.exe (PID: 6752)
Reads the machine GUID from the registry
- e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe (PID: 6464)
Application launched itself
- msedge.exe (PID: 6696)
- msedge.exe (PID: 6948)
Reads Environment values
- identity_helper.exe (PID: 6752)
Manual execution by a user
- msedge.exe (PID: 6948)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| OriginalFileName: | TJprojMain.exe |
|---|---|
| InternalName: | TJprojMain |
| ProductVersion: | 1 |
| FileVersion: | 1 |
| ProductName: | Project1 |
| CharacterSet: | Unicode |
| LanguageCode: | English (U.S.) |
| FileSubtype: | - |
| ObjectFileType: | Executable application |
| FileOS: | Win32 |
| FileFlags: | (none) |
| FileFlagsMask: | 0x0000 |
| ProductVersionNumber: | 1.0.0.0 |
| FileVersionNumber: | 1.0.0.0 |
| Subsystem: | Windows GUI |
| SubsystemVersion: | 4 |
| ImageVersion: | 1 |
| OSVersion: | 4 |
| EntryPoint: | 0x290c |
| UninitializedDataSize: | - |
| InitializedDataSize: | 12288 |
| CodeSize: | 106496 |
| LinkerVersion: | 6 |
| PEType: | PE32 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| TimeStamp: | 2013:04:01 07:08:22+00:00 |
| MachineType: | Intel 386 or later, and compatibles |
Total processes
173
Monitored processes
50
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 6284 | "C:\Users\admin\Desktop\e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe" | C:\Users\admin\Desktop\e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Version: 1.00 Modules
| |||||||||||||||
| 6440 | "C:\Users\admin\Desktop\e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe" | C:\Users\admin\Desktop\e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
| 6464 | c:\users\admin\desktop\e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe | C:\Users\admin\Desktop\e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe | — | e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe | |||||||||||
User: admin Integrity Level: HIGH Description: AntCash Version: 1.0.0.0 Modules
| |||||||||||||||
| 6508 | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Windows\Resources\Themes\icsys.icn.exe | e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
| 6528 | c:\windows\resources\themes\explorer.exe | C:\Windows\Resources\Themes\explorer.exe | icsys.icn.exe | ||||||||||||
User: admin Integrity Level: HIGH Version: 1.00 Modules
| |||||||||||||||
| 6548 | c:\windows\resources\spoolsv.exe SE | C:\Windows\Resources\spoolsv.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
| 6584 | c:\windows\resources\svchost.exe | C:\Windows\Resources\svchost.exe | spoolsv.exe | ||||||||||||
User: admin Integrity Level: HIGH Version: 1.00 Modules
| |||||||||||||||
| 6636 | c:\windows\resources\spoolsv.exe PR | C:\Windows\Resources\spoolsv.exe | — | svchost.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Version: 1.00 Modules
| |||||||||||||||
| 6696 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://optimizerlinks.netlify.app/ | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Edge Exit code: 1 Version: 122.0.2365.59 Modules
| |||||||||||||||
| 6724 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.59 --initial-client-data=0x268,0x240,0x260,0x264,0x320,0x7ff821ea5fd8,0x7ff821ea5fe4,0x7ff821ea5ff0 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft Edge Exit code: 0 Version: 122.0.2365.59 Modules
| |||||||||||||||
Total events
5 601
Read events
5 559
Write events
38
Delete events
4
Modification events
| (PID) Process: | (6440) e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process |
| Operation: | write | Name: | LO |
Value: 1 | |||
| (PID) Process: | (6508) icsys.icn.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process |
| Operation: | write | Name: | LO |
Value: 1 | |||
| (PID) Process: | (6528) explorer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce |
| Operation: | write | Name: | Explorer |
Value: c:\windows\resources\themes\explorer.exe RO | |||
| (PID) Process: | (6528) explorer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce |
| Operation: | write | Name: | Svchost |
Value: c:\windows\resources\svchost.exe RO | |||
| (PID) Process: | (6528) explorer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | Explorer |
Value: | |||
| (PID) Process: | (6528) explorer.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | Svchost |
Value: | |||
| (PID) Process: | (6584) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce |
| Operation: | write | Name: | Explorer |
Value: c:\windows\resources\themes\explorer.exe RO | |||
| (PID) Process: | (6584) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce |
| Operation: | write | Name: | Svchost |
Value: c:\windows\resources\svchost.exe RO | |||
| (PID) Process: | (6584) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | Explorer |
Value: | |||
| (PID) Process: | (6584) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run |
| Operation: | delete value | Name: | Svchost |
Value: | |||
Executable files
7
Suspicious files
170
Text files
44
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6440 | e8955d539951e3c16e1d1dbff413566788ebad092e4d66d862e7b2ae5b90708f.exe | C:\Users\admin\AppData\Local\Temp\~DFD6359B56E91947DA.TMP | binary | |
MD5:4CFBD860067DA55B1D0D92EB2D22EA1A | SHA256:EE477A131D2E8E7D71E2B0C730E5C7963BC342663D18919C3E61B2E8D1BCCA91 | |||
| 6696 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Local State~RF136c2b.TMP | binary | |
MD5:DFFC82B8D23613E62A20204028CEF32F | SHA256:114690F0417A9A6B079EA8D0534F095B04467809DCA929EB0983059E1C60FB6C | |||
| 6528 | explorer.exe | C:\Windows\Resources\spoolsv.exe | executable | |
MD5:01659CF12A831EE4B3D40409A1EDD587 | SHA256:0F9A7B54B8A9AF17E8D76B9899017AECAFB5B9AFC6361E63F3D17EF696846B89 | |||
| 6948 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF136d44.TMP | — | |
MD5:— | SHA256:— | |||
| 6948 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF136d44.TMP | — | |
MD5:— | SHA256:— | |||
| 6548 | spoolsv.exe | C:\Users\admin\AppData\Local\Temp\~DF379FDE52B3C736AD.TMP | binary | |
MD5:C4786672D5E8C3CFCFA8CC89B1E684AA | SHA256:AFC220302BC25A097E5D5D8329FDE2F3FA406C6A0C5BB5560FCA08724023AC2D | |||
| 6948 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG.old~RF136d34.TMP | text | |
MD5:C5C8E14929BCE261B2B5B899CB479AF7 | SHA256:73DBFF8A366CFF6972A38C091782EF62C89E28FDA1423A47448A60343F921754 | |||
| 6948 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF136d44.TMP | — | |
MD5:— | SHA256:— | |||
| 6696 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Last Version | text | |
MD5:C7E2197BAE099B13BBB3ADEB1433487D | SHA256:3460EEAF45D581DD43A6E4E17AF8102DDAFF5AEAA88B10099527CF85211629E9 | |||
| 6948 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
69
TCP/UDP connections
59
DNS requests
47
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2548 | svchost.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 401 | 13.107.6.158:443 | https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox | unknown | — | — | — |
3032 | RUXIMICS.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3032 | RUXIMICS.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2548 | svchost.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 204.79.197.239:443 | https://edge.microsoft.com/serviceexperimentation/v3/?osname=win&channel=stable&osver=10.0.19045&devicefamily=desktop&installdate=1661339457&clientversion=122.0.2365.59&experimentationmode=2&scpguard=0&scpfull=0&scpver=0 | unknown | binary | 502 b | whitelisted |
— | — | GET | 200 | 13.107.42.16:443 | https://config.edge.skype.com/config/v1/Edge/122.0.2365.59?clientId=4489578223053569932&agents=EdgeFirstRun%2CEdgeFirstRunConfig&osname=win&client=edge&channel=stable&scpfre=0&osarch=x86_64&osver=10.0.19045&wu=1&devicefamily=desktop&uma=0&sessionid=44&mngd=0&installdate=1661339457&edu=0&bphint=2&soobedate=1504771245&fg=1 | unknown | binary | 768 b | whitelisted |
— | — | OPTIONS | 503 | 2.20.245.132:443 | https://bzib.nelreports.net/api/report?cat=bingbusiness | unknown | html | 373 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
2548 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3032 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
— | — | 2.21.110.139:443 | www.bing.com | AKAMAI-AS | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2548 | svchost.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
3032 | RUXIMICS.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
6948 | msedge.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
optimizerlinks.netlify.app |
| malicious |
edge.microsoft.com |
| whitelisted |
business.bing.com |
| whitelisted |
edge-mobile-static.azureedge.net |
| whitelisted |