| File name: | cw1.exe |
| Full analysis: | https://app.any.run/tasks/d84974d4-6c8d-49ea-a15f-6b9a86fdd4cd |
| Verdict: | Malicious activity |
| Analysis date: | March 07, 2024, 17:21:21 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (console) Intel 80386, for MS Windows |
| MD5: | 51D3A136BBC6A5C90A400D238EA4210C |
| SHA1: | 630CD304036F52C9CCD93454174117F7BBE8A639 |
| SHA256: | E96F8EAEF7A46A8B6F96252378071C2A2F3B8D281A4BF01B85E4484DE10407EC |
| SSDEEP: | 192:OHl/OTIc3RahVhkR+aI9b5h/BN+S0A4V7E5pz6dVrMYY:cFhfkMf9b/PkA4V7XM |
MALICIOUS
Drops the executable file immediately after the start
- cw1.exe (PID: 2160)
Starts CMD.EXE for self-deleting
- cw1.exe (PID: 2160)
SUSPICIOUS
Reads the Internet Settings
- cw1.exe (PID: 2160)
- sdiagnhost.exe (PID: 3308)
Reads security settings of Internet Explorer
- cw1.exe (PID: 2160)
Runs PING.EXE to delay simulation
- cmd.exe (PID: 2332)
Starts CMD.EXE for commands execution
- cw1.exe (PID: 2160)
Hides command output
- cmd.exe (PID: 2332)
Process drops legitimate windows executable
- msdt.exe (PID: 2148)
Reads settings of System Certificates
- msdt.exe (PID: 2148)
Process uses IPCONFIG to discover network configuration
- sdiagnhost.exe (PID: 3308)
Uses ROUTE.EXE to obtain the routing table information
- sdiagnhost.exe (PID: 3308)
INFO
Checks supported languages
- cw1.exe (PID: 2160)
Reads the computer name
- cw1.exe (PID: 2160)
Checks proxy server information
- cw1.exe (PID: 2160)
Reads the machine GUID from the registry
- cw1.exe (PID: 2160)
Manual execution by a user
- msdt.exe (PID: 2148)
Create files in a temporary directory
- msdt.exe (PID: 2148)
- sdiagnhost.exe (PID: 3308)
- makecab.exe (PID: 1772)
Drops the executable file immediately after the start
- msdt.exe (PID: 2148)
Reads the software policy settings
- msdt.exe (PID: 2148)
Reads security settings of Internet Explorer
- msdt.exe (PID: 2148)
- sdiagnhost.exe (PID: 3308)
Creates files or folders in the user directory
- msdt.exe (PID: 2148)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2021:09:04 18:11:12+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14.28 |
| CodeSize: | 5632 |
| InitializedDataSize: | 6144 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x15f1 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows command line |
Total processes
51
Monitored processes
10
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 116 | C:\Windows\system32\DllHost.exe /Processid:{BA126F01-2166-11D1-B1D0-00805FC1270E} | C:\Windows\System32\dllhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 980 | "C:\Windows\system32\ipconfig.exe" /all | C:\Windows\System32\ipconfig.exe | — | sdiagnhost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: IP Configuration Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1772 | "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf | C:\Windows\System32\makecab.exe | — | sdiagnhost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Cabinet Maker Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2148 | -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDF211B.tmp -ep NetworkDiagnosticsConnectivity | C:\Windows\System32\msdt.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Diagnostics Troubleshooting Wizard Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2160 | "C:\Users\admin\AppData\Local\Temp\cw1.exe" | C:\Users\admin\AppData\Local\Temp\cw1.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
| 2332 | cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\admin\AppData\Local\Temp\cw1.exe" | C:\Windows\System32\cmd.exe | — | cw1.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2804 | "C:\Windows\system32\ROUTE.EXE" print | C:\Windows\System32\ROUTE.EXE | — | sdiagnhost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Route Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2960 | C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {995C996E-D918-4a8c-A302-45719A6F4EA7} -Embedding | C:\Windows\System32\rundll32.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3212 | ping 1.1.1.1 -n 1 -w 3000 | C:\Windows\System32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3308 | C:\Windows\System32\sdiagnhost.exe -Embedding | C:\Windows\System32\sdiagnhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Scripted Diagnostics Native Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
5 610
Read events
5 562
Write events
42
Delete events
6
Modification events
| (PID) Process: | (2160) cw1.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2160) cw1.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2160) cw1.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2160) cw1.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (2160) cw1.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (2160) cw1.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | ProxyServer |
Value: | |||
| (PID) Process: | (2160) cw1.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | ProxyOverride |
Value: | |||
| (PID) Process: | (2160) cw1.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | AutoConfigURL |
Value: | |||
| (PID) Process: | (2160) cw1.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | AutoDetect |
Value: | |||
| (PID) Process: | (2160) cw1.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 460000005C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
2
Suspicious files
13
Text files
26
Unknown types
5
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2148 | msdt.exe | C:\Users\admin\AppData\Local\Temp\SDIAG_4b951ef9-22ef-4dc6-9d75-d9dba2c752db\NetworkDiagnosticsResolve.ps1 | text | |
MD5:A7B957F221C643580184665BE57E6AC8 | SHA256:8582EF50174CB74233F196F193E04C0CCBBEE2AED5CE50964CBB95822C218E7F | |||
| 2148 | msdt.exe | C:\Users\admin\AppData\Local\Temp\SDIAG_4b951ef9-22ef-4dc6-9d75-d9dba2c752db\StartDPSService.ps1 | text | |
MD5:A660422059D953C6D681B53A6977100E | SHA256:D19677234127C38A52AEC23686775A8EB3F4E3A406F4A11804D97602D6C31813 | |||
| 2148 | msdt.exe | C:\Users\admin\AppData\Local\Temp\SDIAG_4b951ef9-22ef-4dc6-9d75-d9dba2c752db\DiagPackage.dll | executable | |
MD5:2433E09C08C21455000F7E36D7653759 | SHA256:EA9400E719FB15CD82D5DAB4B7D8E3870BB375BBE11BB95B0D957A84FEE2891C | |||
| 2148 | msdt.exe | C:\Users\admin\AppData\Local\Temp\SDIAG_4b951ef9-22ef-4dc6-9d75-d9dba2c752db\NetworkDiagnosticsTroubleshoot.ps1 | text | |
MD5:1D192CE36953DBB7DC7EE0D04C57AD8D | SHA256:935A231924AE5D4A017B0C99D4A5F3904EF280CEA4B3F727D365283E26E8A756 | |||
| 2148 | msdt.exe | C:\Users\admin\AppData\Local\Temp\SDIAG_4b951ef9-22ef-4dc6-9d75-d9dba2c752db\DiagPackage.diagpkg | xml | |
MD5:C9FB87FA3460FAE6D5D599236CFD77E2 | SHA256:CDE728C08A4E50A02FCFF35C90EE2B3B33AB24C8B858F180B6A67BFA94DEF35F | |||
| 2148 | msdt.exe | C:\Users\admin\AppData\Local\Temp\SDIAG_4b951ef9-22ef-4dc6-9d75-d9dba2c752db\InteractiveRes.ps1 | text | |
MD5:25B8543DBF571F040118423BC3C7A75E | SHA256:D78E6291D6F27AC6FEBDCF0A4D5A34521E7F033AF8875E026DF21BA7513AB64A | |||
| 2148 | msdt.exe | C:\Users\admin\AppData\Local\Temp\SDIAG_4b951ef9-22ef-4dc6-9d75-d9dba2c752db\HTInteractiveRes.ps1 | text | |
MD5:C25ED2111C6EE9299E6D9BF51012F2F5 | SHA256:8E326EE0475208D4C943D885035058FAD7146BBA02B66305F7C9F31F6A57E81B | |||
| 2148 | msdt.exe | C:\Users\admin\AppData\Local\Temp\SDIAG_4b951ef9-22ef-4dc6-9d75-d9dba2c752db\UtilityFirewall.ps1 | text | |
MD5:B004AFC224E9216115EC3B0BF5D43BA2 | SHA256:31B97632CA31D1BB21917A07757B2FF415DBB6A4E7DD7B533ECC52431ACF65B5 | |||
| 2148 | msdt.exe | C:\Users\admin\AppData\Local\Temp\SDIAG_4b951ef9-22ef-4dc6-9d75-d9dba2c752db\NetworkDiagnosticsVerify.ps1 | text | |
MD5:C0BB6343BD0F6F9B46B33E4B66106953 | SHA256:EB9BC61668A93759D0127A11CDFC03E924100D69C7E6457FEAA89330474C90C3 | |||
| 2148 | msdt.exe | C:\Users\admin\AppData\Local\Temp\SDIAG_4b951ef9-22ef-4dc6-9d75-d9dba2c752db\en-US\DiagPackage.dll.mui | executable | |
MD5:5D7936806E6855E2ECC2B095316D45D8 | SHA256:71A4559F9FD122914A95998E8685BE638B8F81E581987708497E8F8A7A2F4DCB | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
1
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2160 | cw1.exe | 49.13.77.253:80 | ssl-6582datamanager.hellotherehi.local | Hetzner Online GmbH | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
ssl-6582datamanager.hellotherehi.local |
| unknown |