| Field | Value |
|---|---|
| File name: | TrkWksrv.exe |
| Full analysis: | https://app.any.run/tasks/f0ea27ed-96f5-4405-baca-7ab89212a98b |
| Verdict: | Malicious activity |
| Analysis date: | January 29, 2025, 18:56:47 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 6 sections |
| MD5: | 04CE0C6078E128A91EF031F68304B2C5 |
| SHA1: | 4F34F7395F4BCC9EBA528CEFCF43B83689EA388D |
| SHA256: | EC7B605AAEFD00F0507F43C78590266B74345BC9308EBA26FC542B6A0AE5E133 |
| SSDEEP: | 98304:aJ3E0sygj98WVeIg8S3qfJQ1knyuI7UJDZ2pli9TZIATPSkO2CGi2pYmJNHaEJjl:MUETyAr0yl |
| Extension | Identified type (match %) |
|---|---|
| .exe | Win64 Executable (generic) (87.3) |
| .exe | Generic Win/DOS Executable (6.3) |
| .exe | DOS Executable Generic (6.3) |
| PE header field | Value |
|---|---|
| MachineType: | AMD AMD64 |
| TimeStamp: | 2025:01:24 12:13:37+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.41 |
| CodeSize: | 172032 |
| InitializedDataSize: | 154624 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xce20 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| PID | Command line | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 5156 | `C:\WINDOWS\system32\cmd.exe /c net user hoang92bn /active:yes` | `C:\Windows\System32\cmd.exe` | — | TrkWksrv.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 2 | 10.0.19041.1 (WinBuild.160101.0800) |
| 5340 | `\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1` | `C:\Windows\System32\conhost.exe` | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 6248 | `C:\WINDOWS\system32\net1 user hoang92bn /active:yes` | `C:\Windows\System32\net1.exe` | — | net.exe | admin | Microsoft Corporation | MEDIUM | Net Command | 2 | 10.0.19041.3636 (WinBuild.160101.0800) |
| 6288 | `net user hoang92bn /active:yes` | `C:\Windows\System32\net.exe` | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Net Command | 2 | 10.0.19041.1 (WinBuild.160101.0800) |
| 6492 | `"C:\Users\admin\Desktop\TrkWksrv.exe"` | `C:\Users\admin\Desktop\TrkWksrv.exe` | — | explorer.exe | admin | — | MEDIUM | — | 0 | — |
| 6520 | `"C:\Users\admin\Desktop\TrkWksrv.exe"` | `C:\Users\admin\Desktop\TrkWksrv.exe` | — | TrkWksrv.exe | admin | — | MEDIUM | — | 0 | — |
| 6932 | `C:\WINDOWS\system32\cmd.exe /c net user hoang92bn C1sco123 /add` | `C:\Windows\System32\cmd.exe` | — | TrkWksrv.exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 2 | 10.0.19041.1 (WinBuild.160101.0800) |
| 6940 | `\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1` | `C:\Windows\System32\conhost.exe` | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 7004 | `net user hoang92bn C1sco123 /add` | `C:\Windows\System32\net.exe` | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Net Command | 2 | 10.0.19041.1 (WinBuild.160101.0800) |
| 7024 | `C:\WINDOWS\system32\net1 user hoang92bn C1sco123 /add` | `C:\Windows\System32\net1.exe` | — | net.exe | admin | Microsoft Corporation | MEDIUM | Net Command | 2 | 10.0.19041.3636 (WinBuild.160101.0800) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 6492 | TrkWksrv.exe | `C:\Users\admin\AppData\Local\Temp\_MEI64922\_bz2.pyd` | executable | C17DCB7FC227601471A641EC90E6237F | 55894B2B98D01F37B9A8CF4DAF926D0161FF23C2FB31C56F9DBBAC3A61932712 |
| 6492 | TrkWksrv.exe | `C:\Users\admin\AppData\Local\Temp\_MEI64922\_lzma.pyd` | executable | 66A9028EFD1BB12047DAFCE391FD6198 | E44DEA262A24DF69FD9B50B08D09AE6F8B051137CE0834640C977091A6F9FCA8 |
| 6492 | TrkWksrv.exe | `C:\Users\admin\AppData\Local\Temp\_MEI64922\python313.dll` | executable | 3AAD23292404A7038EB07CE5A6348256 | 78B1DD211C0E66A0603DF48DA2C9B67A915AB3258701B9285D3FAA255ED8DC25 |
| 6492 | TrkWksrv.exe | `C:\Users\admin\AppData\Local\Temp\_MEI64922\_socket.pyd` | executable | ABF998769F3CBA685E90FA06E0EC8326 | 62D0493CED6CA33E2FD8141649DD9889C23B2E9AFC5FDF56EDB4F888C88FB823 |
| 6492 | TrkWksrv.exe | `C:\Users\admin\AppData\Local\Temp\_MEI64922\VCRUNTIME140.dll` | executable | 862F820C3251E4CA6FC0AC00E4092239 | 36585912E5EAF83BA9FEA0631534F690CCDC2D7BA91537166FE53E56C221E153 |
| 6492 | TrkWksrv.exe | `C:\Users\admin\AppData\Local\Temp\_MEI64922\_decimal.pyd` | executable | AD4324E5CC794D626FFCCDA544A5A833 | 040F361F63204B55C17A100C260C7DDFADD00866CC055FBD641B83A6747547D5 |
| 6492 | TrkWksrv.exe | `C:\Users\admin\AppData\Local\Temp\_MEI64922\select.pyd` | executable | 62FE3761D24B53D98CC9B0CBBD0FEB7C | 81F124B01A85882E362A42E94A13C0EFF2F4CCD72D461821DC5457A789554413 |
| 6492 | TrkWksrv.exe | `C:\Users\admin\AppData\Local\Temp\_MEI64922\base_library.zip` | compressed | 18C3F8BF07B4764D340DF1D612D28FAD | 6E30043DFA5FAF9C31BD8FB71778E8E0701275B620696D29AD274846676B7175 |
| 6492 | TrkWksrv.exe | `C:\Users\admin\AppData\Local\Temp\_MEI64922\unicodedata.pyd` | executable | 43B8B61DEBBC6DD93124A00DDD922D8C | 3F462EE6E7743A87E5791181936539642E3761C55DE3DE980A125F91FE21F123 |
| 6492 | TrkWksrv.exe | `C:\Users\admin\AppData\Local\Temp\_MEI64922\_hashlib.pyd` | executable | 422E214CA76421E794B99F99A374B077 | 78223AEF72777EFC93C739F5308A3FC5DE28B7D10E6975B8947552A62592772B |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 4712 | MoUsoCoreWorker.exe | GET | 302 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| — | — | GET | — | 85.111.49.176:443 | https://bireysel.turktelekom.com.tr/evde-internet/borc-bilgilendirme?url=http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | — |
| 4504 | svchost.exe | GET | 302 | 2.19.11.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
| — | — | GET | 302 | 212.175.73.3:443 | https://bireysel.turktelekom.com.tr/evde-internet/borc-bilgilendirme?url=http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | — |
| 4712 | MoUsoCoreWorker.exe | GET | 302 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| — | — | GET | 200 | 212.175.73.205:443 | https://onlineislemler.turktelekom.com.tr/fatura-sorgulama-odeme/internet | unknown | — | — | — |
| 4504 | svchost.exe | GET | 302 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
| — | — | GET | 302 | 85.111.49.176:443 | https://bireysel.turktelekom.com.tr/evde-internet/borc-bilgilendirme?url=http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | html | 190 b | whitelisted |
| — | — | GET | 302 | 212.175.73.3:443 | https://bireysel.turktelekom.com.tr/evde-internet/borc-bilgilendirme?url=http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | html | 190 b | whitelisted |
| — | — | GET | 200 | 212.175.73.205:443 | https://onlineislemler.turktelekom.com.tr/fatura-sorgulama-odeme/internet | unknown | html | 10.0 Kb | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| — | — | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 4712 | MoUsoCoreWorker.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 4504 | svchost.exe | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 4504 | svchost.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted |
| 4504 | svchost.exe | 85.111.49.177:443 | bireysel.turktelekom.com.tr | Turk Telekom | TR | whitelisted |
| 4712 | MoUsoCoreWorker.exe | 2.19.11.120:80 | crl.microsoft.com | Elisa Oyj | NL | whitelisted |
| 4504 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 4712 | MoUsoCoreWorker.exe | 85.111.49.177:443 | bireysel.turktelekom.com.tr | Turk Telekom | TR | whitelisted |
| 4712 | MoUsoCoreWorker.exe | 212.175.73.205:443 | onlineislemler.turktelekom.com.tr | Turk Telekom | TR | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| google.com | — | whitelisted |
| crl.microsoft.com | — | whitelisted |
| bireysel.turktelekom.com.tr | — | whitelisted |
| settings-win.data.microsoft.com | — | whitelisted |
| onlineislemler.turktelekom.com.tr | — | whitelisted |
| www.microsoft.com | — | whitelisted |
| self.events.data.microsoft.com | — | whitelisted |