File name:

one.exe

Full analysis: https://app.any.run/tasks/53d39a27-c8b8-468f-ba61-1f187c47f371
Verdict: Malicious activity
Analysis date: December 13, 2024, 08:25:26
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

BD216FDEA8517B5BEB003E0AC03F536E

SHA1:

A3F3D4395B74DA605BB1E068C846CCB531213F38

SHA256:

E96A0C1BC5F720D7F0A53F72E5BB424163C943C24A437B1065957A79F5872675

SSDEEP:

98304:rmDg899FxGPZuzI/qoJ9B/CFARcj4alk91PGkFyoftLV3mTd9R1cTO+oBOL55wDc:cHPYdR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 6952)

  • SUSPICIOUS

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6224)

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 6224)
      • one.exe (PID: 5392)
      • MSBuild.exe (PID: 6404)

    • Executing commands from ".cmd" file

      • one.exe (PID: 5392)

    • Get information on the list of running processes

      • cmd.exe (PID: 6224)

    • The executable file from the user directory is run by the CMD process

      • Briefing.pif (PID: 6896)
      • Wihnup.exe (PID: 6756)

    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 6224)

    • Starts application with an unusual extension

      • cmd.exe (PID: 6224)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 6224)
      • Briefing.pif (PID: 6896)
      • MSBuild.exe (PID: 6404)

    • Application launched itself

      • cmd.exe (PID: 6224)

    • Executing commands from a ".bat" file

      • MSBuild.exe (PID: 6404)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 6628)

    • Process drops legitimate windows executable

      • MSBuild.exe (PID: 6404)

  • INFO

    • Reads the computer name

      • one.exe (PID: 5392)
      • Briefing.pif (PID: 6896)
      • MSBuild.exe (PID: 6404)

    • Checks supported languages

      • one.exe (PID: 5392)
      • Briefing.pif (PID: 6896)
      • MSBuild.exe (PID: 6404)

    • Creates a new folder

      • cmd.exe (PID: 6668)

    • Reads mouse settings

      • Briefing.pif (PID: 6896)

    • Manual execution by a user

      • cmd.exe (PID: 7000)
      • cmd.exe (PID: 6952)

    • The sample compiled with english language support

      • Briefing.pif (PID: 6896)
      • MSBuild.exe (PID: 6404)

    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 6404)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 19:19:54+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 28160
InitializedDataSize: 465408
UninitializedDataSize: 16896
EntryPoint: 0x3883
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
150
Monitored processes
23
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start one.exe no specs cmd.exe conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs briefing.pif choice.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs msbuild.exe cmd.exe no specs conhost.exe no specs timeout.exe no specs wihnup.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
5392"C:\Users\admin\AppData\Local\Temp\one.exe" C:\Users\admin\AppData\Local\Temp\one.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\one.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
6224"C:\Windows\System32\cmd.exe" /c copy Remarks Remarks.cmd & Remarks.cmdC:\Windows\SysWOW64\cmd.exe
one.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6236\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
6348tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
6364findstr /I "wrsa opssvc" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6404C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Briefing.pif
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
6612tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
6620findstr -I "avastui avgui bdservicehost nswscsvc sophoshealth" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6628C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tmpF89C.tmp.bat""C:\Windows\SysWOW64\cmd.exeMSBuild.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
6640\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
1 337
Read events
1 336
Write events
1
Delete events
0

Modification events

(PID) Process:(6404) MSBuild.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Wihnup
Value:
"C:\Users\admin\AppData\Roaming\Wihnup.exe"
Executable files
4
Suspicious files
34
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
5392one.exeC:\Users\admin\AppData\Local\Temp\Remarkstext
MD5:2B45FC31B2859F9E44BB3FD335C15394
SHA256:EE96A8343930CB044F37982401528D91A7766E6DEE0E88D3B82379FBC7F7B00E
5392one.exeC:\Users\admin\AppData\Local\Temp\Foughtbinary
MD5:9B34585894EB1CCDCD82B169006576EC
SHA256:FD42916F715812F39B907A28F5AEC9B77C4948CA050A65F2BE6828A3C42CB8D0
5392one.exeC:\Users\admin\AppData\Local\Temp\Auditorbinary
MD5:C9DD3156963812C971C4330538C15475
SHA256:1162076C38551807146CA2BE943AB29320A239C7AE35E07ADB30488918CF9A5C
5392one.exeC:\Users\admin\AppData\Local\Temp\Textilesbinary
MD5:556ADA8916C5BCB381534F3BD45BFCD9
SHA256:9B93972C61A346D132B7A7E99461F6D1E1C7ABE4F84FA08F47118BFDC60FE2F9
5392one.exeC:\Users\admin\AppData\Local\Temp\Sufficientbinary
MD5:7645204A3617032FB1F45EB0A93B66B7
SHA256:25E5D95B5C8814C9F21C6D18B6E13D1969795C6D7CCC88751CAA969ABF1DC678
5392one.exeC:\Users\admin\AppData\Local\Temp\Moroccobinary
MD5:CC57DBF4DAECE475D7AB8DCBC8D8F56D
SHA256:E616E843609C56443ED9AF172579EAD8B2C0CFF92284EEC494D8843D96475627
5392one.exeC:\Users\admin\AppData\Local\Temp\Principalbinary
MD5:39038C8D2BCAE0EE7248712C8F76F2AC
SHA256:B4FEFC16A5D54C809C7FD250AFEAF15F334C5B9AEC634DB49D854F2881B04A39
5392one.exeC:\Users\admin\AppData\Local\Temp\Drinksbinary
MD5:82F11E57B5A9009DE28A97CD1735B6A3
SHA256:4556265567C0239879ECA2DF7E73A88185A70527CB83497C636493D9521C8DB4
5392one.exeC:\Users\admin\AppData\Local\Temp\Workplacebinary
MD5:D851F9AC6B3A85CC5867A8FB505CA14B
SHA256:2C36B36BD475F5BA2926EB570D2BBADC8A248EA0F21A15B82511C737E3EC1358
5392one.exeC:\Users\admin\AppData\Local\Temp\Writingsbinary
MD5:7A9C73DF748595A4C8234E8AF5B0659D
SHA256:D233C7DABD1EABDB771671CFCE90075E817EDC868492E14D560F51B99D337B4C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
32
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
4120
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
1176
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6204
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6204
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
2.16.164.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
4120
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
440
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.16.164.114:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
88.221.169.152:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
5064
SearchApp.exe
2.23.209.173:443
www.bing.com
Akamai International B.V.
GB
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
1176
svchost.exe
40.126.32.134:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.164.114
  • 2.16.164.106
  • 2.16.164.81
  • 2.16.164.99
whitelisted
google.com
  • 142.250.185.238
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 184.30.21.171
whitelisted
www.bing.com
  • 2.23.209.173
  • 2.23.209.178
  • 2.23.209.174
  • 2.23.209.171
  • 2.23.209.167
  • 2.23.209.176
  • 2.23.209.168
  • 2.23.209.177
  • 2.23.209.175
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
login.live.com
  • 40.126.32.134
  • 20.190.160.14
  • 40.126.32.133
  • 20.190.160.17
  • 40.126.32.74
  • 40.126.32.140
  • 40.126.32.136
  • 40.126.32.72
whitelisted
go.microsoft.com
  • 184.28.89.167
whitelisted
kBPChyXYSnkpkiDdTjYrnVxWsglV.kBPChyXYSnkpkiDdTjYrnVxWsglV
unknown
arc.msn.com
  • 20.223.35.26
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
one.exe