File name:

nj230708full.pdf.exe

Full analysis: https://app.any.run/tasks/5b375ba3-8907-45da-8f1b-f2d4d742a8f9
Verdict: Malicious activity
Analysis date: December 16, 2024, 09:22:13
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
autoit
autoit-loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 6 sections
MD5:

BD216FDEA8517B5BEB003E0AC03F536E

SHA1:

A3F3D4395B74DA605BB1E068C846CCB531213F38

SHA256:

E96A0C1BC5F720D7F0A53F72E5BB424163C943C24A437B1065957A79F5872675

SSDEEP:

98304:rmDg899FxGPZuzI/qoJ9B/CFARcj4alk91PGkFyoftLV3mTd9R1cTO+oBOL55wDc:cHPYdR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes the autorun value in the registry

      • MSBuild.exe (PID: 4392)
      • MSBuild.exe (PID: 4668)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 6268)

    • Create files in the Startup directory

      • cmd.exe (PID: 6068)

    • AutoIt loader has been detected (YARA)

      • Briefing.pif (PID: 7124)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • nj230708full.pdf.exe (PID: 6556)

    • Get information on the list of running processes

      • cmd.exe (PID: 6632)

    • Executing commands from ".cmd" file

      • nj230708full.pdf.exe (PID: 6556)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6632)

    • Starts CMD.EXE for commands execution

      • nj230708full.pdf.exe (PID: 6556)
      • cmd.exe (PID: 6632)
      • MSBuild.exe (PID: 4668)
      • MSBuild.exe (PID: 4392)

    • Executable content was dropped or overwritten

      • cmd.exe (PID: 6632)
      • Briefing.pif (PID: 7124)
      • MSBuild.exe (PID: 4668)
      • MSBuild.exe (PID: 4392)

    • Application launched itself

      • cmd.exe (PID: 6632)

    • Starts application with an unusual extension

      • cmd.exe (PID: 6632)

    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 6632)

    • The executable file from the user directory is run by the CMD process

      • Briefing.pif (PID: 7124)
      • Wihnup.exe (PID: 5472)
      • Wihnup.exe (PID: 4444)

    • Drops a file with a rarely used extension (PIF)

      • cmd.exe (PID: 6632)

    • Executing commands from a ".bat" file

      • MSBuild.exe (PID: 4668)
      • MSBuild.exe (PID: 4392)

    • Process drops legitimate windows executable

      • MSBuild.exe (PID: 4668)
      • MSBuild.exe (PID: 4392)

    • Uses TIMEOUT.EXE to delay execution

      • cmd.exe (PID: 5752)
      • cmd.exe (PID: 3692)

  • INFO

    • Checks supported languages

      • nj230708full.pdf.exe (PID: 6556)
      • Briefing.pif (PID: 7124)
      • MSBuild.exe (PID: 4392)
      • Wihnup.exe (PID: 5472)
      • MSBuild.exe (PID: 4668)
      • Wihnup.exe (PID: 4444)

    • Reads the computer name

      • nj230708full.pdf.exe (PID: 6556)
      • Briefing.pif (PID: 7124)
      • MSBuild.exe (PID: 4392)
      • Wihnup.exe (PID: 5472)
      • MSBuild.exe (PID: 4668)
      • Wihnup.exe (PID: 4444)

    • Create files in a temporary directory

      • nj230708full.pdf.exe (PID: 6556)
      • MSBuild.exe (PID: 4392)

    • Process checks computer location settings

      • nj230708full.pdf.exe (PID: 6556)

    • Creates a new folder

      • cmd.exe (PID: 7032)

    • Reads mouse settings

      • Briefing.pif (PID: 7124)

    • Creates files or folders in the user directory

      • Briefing.pif (PID: 7124)
      • MSBuild.exe (PID: 4392)

    • Manual execution by a user

      • cmd.exe (PID: 6268)
      • cmd.exe (PID: 6068)

    • The sample compiled with english language support

      • Briefing.pif (PID: 7124)
      • MSBuild.exe (PID: 4392)
      • MSBuild.exe (PID: 4668)

    • Reads the machine GUID from the registry

      • MSBuild.exe (PID: 4392)
      • MSBuild.exe (PID: 4668)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:02:24 19:19:54+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 28160
InitializedDataSize: 465408
UninitializedDataSize: 16896
EntryPoint: 0x3883
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
146
Monitored processes
29
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start nj230708full.pdf.exe no specs cmd.exe conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs findstr.exe no specs cmd.exe no specs briefing.pif choice.exe no specs cmd.exe no specs conhost.exe no specs cmd.exe conhost.exe no specs schtasks.exe no specs msbuild.exe cmd.exe no specs conhost.exe no specs timeout.exe no specs wihnup.exe no specs conhost.exe no specs msbuild.exe cmd.exe no specs conhost.exe no specs timeout.exe no specs wihnup.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
8timeout 3 C:\Windows\SysWOW64\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
timeout - pauses command processing
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\timeout.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
3092\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeWihnup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3224\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3296\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3532\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3692C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\tmp1A4.tmp.bat""C:\Windows\SysWOW64\cmd.exeMSBuild.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4392C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Briefing.pif
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
4444"C:\Users\admin\AppData\Roaming\Wihnup.exe" C:\Users\admin\AppData\Roaming\Wihnup.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
1
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\users\admin\appdata\roaming\wihnup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
4668C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Briefing.pif
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\msbuild.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
5472"C:\Users\admin\AppData\Roaming\Wihnup.exe" C:\Users\admin\AppData\Roaming\Wihnup.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
MSBuild.exe
Exit code:
1
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\users\admin\appdata\roaming\wihnup.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
Total events
1 569
Read events
1 567
Write events
2
Delete events
0

Modification events

(PID) Process:(4392) MSBuild.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Wihnup
Value:
"C:\Users\admin\AppData\Roaming\Wihnup.exe"
(PID) Process:(4668) MSBuild.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:Wihnup
Value:
"C:\Users\admin\AppData\Roaming\Wihnup.exe"
Executable files
5
Suspicious files
34
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
6556nj230708full.pdf.exeC:\Users\admin\AppData\Local\Temp\Breedbinary
MD5:7B85A8A8162983834481C2FC3977D6CC
SHA256:8CA02A9A6593A3BC55FDC3BE6C10653BA260BEFC660A5E6681E0E2B82C38711F
6556nj230708full.pdf.exeC:\Users\admin\AppData\Local\Temp\Textilesbinary
MD5:556ADA8916C5BCB381534F3BD45BFCD9
SHA256:9B93972C61A346D132B7A7E99461F6D1E1C7ABE4F84FA08F47118BFDC60FE2F9
6556nj230708full.pdf.exeC:\Users\admin\AppData\Local\Temp\Remarkstext
MD5:2B45FC31B2859F9E44BB3FD335C15394
SHA256:EE96A8343930CB044F37982401528D91A7766E6DEE0E88D3B82379FBC7F7B00E
6556nj230708full.pdf.exeC:\Users\admin\AppData\Local\Temp\Docsbinary
MD5:4A6384A47DF8AE1A3E249CC4267F77DE
SHA256:3A3B4CECBBAD4A93725CD9FF55A80E35DD1915D18FAEE7B6746EBDD049801DC8
6556nj230708full.pdf.exeC:\Users\admin\AppData\Local\Temp\Auditorbinary
MD5:C9DD3156963812C971C4330538C15475
SHA256:1162076C38551807146CA2BE943AB29320A239C7AE35E07ADB30488918CF9A5C
6556nj230708full.pdf.exeC:\Users\admin\AppData\Local\Temp\Computationalbinary
MD5:B4DCCF25FC88FA917A3C8ADEBE421B48
SHA256:B53F6EA9BD037FE2E37548E8F86ADE76B24BD96784FFF770A5B16D8681708801
6556nj230708full.pdf.exeC:\Users\admin\AppData\Local\Temp\Foughtbinary
MD5:9B34585894EB1CCDCD82B169006576EC
SHA256:FD42916F715812F39B907A28F5AEC9B77C4948CA050A65F2BE6828A3C42CB8D0
6556nj230708full.pdf.exeC:\Users\admin\AppData\Local\Temp\Principalbinary
MD5:39038C8D2BCAE0EE7248712C8F76F2AC
SHA256:B4FEFC16A5D54C809C7FD250AFEAF15F334C5B9AEC634DB49D854F2881B04A39
6556nj230708full.pdf.exeC:\Users\admin\AppData\Local\Temp\Sufficientbinary
MD5:7645204A3617032FB1F45EB0A93B66B7
SHA256:25E5D95B5C8814C9F21C6D18B6E13D1969795C6D7CCC88751CAA969ABF1DC678
6556nj230708full.pdf.exeC:\Users\admin\AppData\Local\Temp\Rememberbinary
MD5:F799D842D9351D2C86F0DB882599DFBA
SHA256:8F64F1856CDA02AE9276E6CE7B5B64AEC5D4939AF919B9B7F79E5540D8B7ABE1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
19
DNS requests
6
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4712
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
192.168.100.255:137
whitelisted
2220
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
92.123.104.37:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3976
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
whitelisted
www.bing.com
  • 92.123.104.37
  • 92.123.104.35
  • 92.123.104.46
  • 92.123.104.41
  • 92.123.104.45
  • 92.123.104.42
  • 92.123.104.43
  • 92.123.104.36
  • 92.123.104.38
whitelisted
google.com
  • 172.217.23.110
whitelisted
kBPChyXYSnkpkiDdTjYrnVxWsglV.kBPChyXYSnkpkiDdTjYrnVxWsglV
unknown
self.events.data.microsoft.com
  • 20.44.10.122
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
nj230708full.pdf.exe