File name:

fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af

Full analysis: https://app.any.run/tasks/be9a2f7b-f7e0-4025-a4b4-841f288da068
Verdict: Malicious activity
Analysis date: January 10, 2025, 21:33:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
expiro
sinkhole
m0yv
autoit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

22B40728C8FB1599479347BA89387EF4

SHA1:

7D951DD272C9B0B1E4295872D0004EB711F0EABB

SHA256:

FCED488BAB6F8793E1CA19858CF208EBC5C2B0EE18087489A2A35EB7FEE803AF

SSDEEP:

49152:tHlGA9WQkC2R/QORBt7QjFtmcaTH/vU4do9Pcjq1GvXB1sgPR8N32+Rr181vWDZi:qA4QX21RBt7QjTmcaTH/vU4do9Pcjq1I

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • M0YV mutex has been found

      • fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe (PID: 6152)
    • Connects to the CnC server

      • fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe (PID: 6152)
    • EXPIRO has been detected (SURICATA)

      • fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe (PID: 6152)
    • Expiro has been found (SURICATA)

      • fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe (PID: 6152)
    • Request for a sinkholed resource

      • fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe (PID: 6152)
    • M0YV has been detected (YARA)

      • fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe (PID: 6152)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe (PID: 6152)
    • Executes application which crashes

      • fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe (PID: 6152)
    • Executable content was dropped or overwritten

      • fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe (PID: 6152)
    • Contacting a server suspected of hosting an CnC

      • fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe (PID: 6152)
  • INFO

    • Creates files or folders in the user directory

      • fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe (PID: 6152)
      • WerFault.exe (PID: 6424)
    • Reads mouse settings

      • fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe (PID: 6152)
    • Checks supported languages

      • fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe (PID: 6152)
    • Reads the software policy settings

      • WerFault.exe (PID: 6424)
    • Reads the computer name

      • fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe (PID: 6152)
    • Create files in a temporary directory

      • fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe (PID: 6152)
    • Checks proxy server information

      • fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe (PID: 6152)
      • WerFault.exe (PID: 6424)
    • The sample compiled with english language support

      • fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe (PID: 6152)
    • The process uses AutoIt

      • fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe (PID: 6152)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

CharacterSet: Unicode
LanguageCode: English (British)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x27dcd
UninitializedDataSize: -
InitializedDataSize: 599552
CodeSize: 581120
LinkerVersion: 12
PEType: PE32
ImageFileCharacteristics: Executable, Large address aware, 32-bit
TimeStamp: 2024:12:09 11:44:04+00:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
134
Monitored processes
4
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #EXPIRO fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe svchost.exe no specs werfault.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
2192C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
6152"C:\Users\admin\AppData\Local\Temp\fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe" C:\Users\admin\AppData\Local\Temp\fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
Modules
Images
c:\users\admin\appdata\local\temp\fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
6320"C:\Users\admin\AppData\Local\Temp\fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe" C:\Windows\SysWOW64\svchost.exefced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
6424C:\WINDOWS\SysWOW64\WerFault.exe -u -p 6152 -s 964C:\Windows\SysWOW64\WerFault.exe
fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
Total events
3 418
Read events
3 418
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
10
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
6424WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportArchive\AppCrash_fced488bab6f8793_12132dec5caee4449842b24918f58131d940fe_5e0c9a3c_6b2275bd-b520-44d9-9f6d-8d7eb17feb5b\Report.wer
MD5:
SHA256:
6152fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeexecutable
MD5:B9DB71E78F61A3200D4DBE7597C71620
SHA256:5BC91DED391781ED9EC902A61DC4A3EB9B4AB0BC89281BFB426A685EAD6EECA6
6152fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exeC:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exeexecutable
MD5:682202293A3B5B045170A57BEDCBC8ED
SHA256:1CAC0AFA015355B167144A09ACBE8125D52610BBF0AFE47B561F4702856F3D60
6424WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER65A5.tmp.xmlxml
MD5:63789CAC8B04C85B336372A671CB4DFC
SHA256:40C2DD2792985C48866B375FEBFD1E06C59B9797327BD5A992ED30E209BE07CF
6152fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exeC:\Users\admin\AppData\Local\Temp\aut5641.tmpbinary
MD5:188755497F2F9E69E3CD8691AD42C304
SHA256:74275CA67FB35D3E6C5CC120BF6FCDAE2AB3CF00AC766610DE913296756C0AA6
6424WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER6303.tmp.dmpbinary
MD5:96D6872BB849377DB40E6CC50BCCF744
SHA256:4A6D657D77AA62DC4810F443427280C3E314D277F11BEB4618D56D59E67DE7E5
6424WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\37C951188967C8EB88D99893D9D191FEbinary
MD5:66D048B4ABAC09C4A6D178DEC727735C
SHA256:E9904EF18F07BCD3766878EC5D0368520F6D2061671338F5CEB5F36724FF61D7
6152fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exeC:\Users\admin\AppData\Local\Temp\aut5690.tmpbinary
MD5:7E3D833B99A5C90D0BD5DCBB65B1E9E7
SHA256:4FBBE82F94EC26F88642E8A50F621538F8842D5D5387CD0F876D207AEA9B2344
6152fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exeC:\Users\admin\AppData\Local\Temp\maneuverabilitybinary
MD5:188755497F2F9E69E3CD8691AD42C304
SHA256:74275CA67FB35D3E6C5CC120BF6FCDAE2AB3CF00AC766610DE913296756C0AA6
6424WerFault.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\21253908F3CB05D51B1C2DA8B681A785binary
MD5:F6F53CD09A41E968C363419B279D3112
SHA256:6D2BB01CC7A9BADE2113B219CAC1BDA86B2733196B7E1BD0C807CE1E396B1892
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
40
DNS requests
27
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6424
WerFault.exe
GET
200
2.16.241.12:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6152
fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe
POST
200
18.141.10.107:80
http://ssbzmoy.biz/eaomk
unknown
malicious
6152
fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe
POST
200
54.244.188.177:80
http://pywolwnvd.biz/xrubposym
unknown
malicious
6424
WerFault.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3552
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
6236
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
6152
fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe
POST
200
54.244.188.177:80
http://cvgrf.biz/hmprfie
unknown
malicious
4712
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
3552
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2144
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
4712
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5156
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5064
SearchApp.exe
104.126.37.153:443
www.bing.com
Akamai International B.V.
DE
whitelisted
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
4
System
192.168.100.255:138
whitelisted
6152
fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe
54.244.188.177:80
pywolwnvd.biz
AMAZON-02
US
malicious
6152
fced488bab6f8793e1ca19858cf208ebc5c2b0ee18087489a2a35eb7fee803af.exe
18.141.10.107:80
ssbzmoy.biz
AMAZON-02
SG
malicious
1076
svchost.exe
184.28.89.167:443
go.microsoft.com
AKAMAI-AS
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
www.bing.com
  • 104.126.37.153
  • 104.126.37.185
  • 104.126.37.178
  • 104.126.37.123
  • 104.126.37.160
  • 104.126.37.170
  • 104.126.37.145
  • 104.126.37.177
  • 104.126.37.186
  • 2.23.227.215
  • 2.23.227.208
whitelisted
google.com
  • 172.217.16.206
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
pywolwnvd.biz
  • 54.244.188.177
malicious
ssbzmoy.biz
  • 18.141.10.107
malicious
cvgrf.biz
  • 54.244.188.177
malicious
go.microsoft.com
  • 184.28.89.167
whitelisted
login.live.com
  • 40.126.31.73
  • 20.190.159.2
  • 20.190.159.64
  • 40.126.31.69
  • 20.190.159.4
  • 40.126.31.71
  • 20.190.159.68
  • 40.126.31.67
whitelisted
watson.events.data.microsoft.com
  • 52.182.143.212
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
A Network Trojan was detected
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
A Network Trojan was detected
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value Snkz
A Network Trojan was detected
ET MALWARE Possible Compromised Host AnubisNetworks Sinkhole Cookie Value btst
1 ETPRO signatures available at the full report
No debug info