| File name: | fe7c6af8a14af582c3f81749652b9c1ea6c0c002bb181c9ffb154eae609e6458 |
| Full analysis: | https://app.any.run/tasks/d5916378-2c97-4fe6-864e-1601e147ca6b |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | June 10, 2023, 01:17:16 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/html |
| File info: | PEM certificate |
| MD5: | FF19670725EAF5DF6F3D2CA656D3DB27 |
| SHA1: | E2795EE5FD02713FD42BBCF2CD0DE4C9434475BE |
| SHA256: | FE7C6AF8A14AF582C3F81749652B9C1EA6C0C002BB181C9FFB154EAE609E6458 |
| SSDEEP: | 192:H1vlVFYlBjrBE3+bg/XiBaUAEnAsNT084n/qf1oD7:HpxYlBjU+bMJUAL84nC2 |
MALICIOUS
Scans artifacts that could help determine the target
- wscript.exe (PID: 5960)
Unusual connection from system programs
- wscript.exe (PID: 5960)
Application was dropped or rewritten from another process
- AM_Engine.exe (PID: 3928)
- MpSigStub.exe (PID: 1896)
- AM_Base.exe (PID: 4960)
- AM_Delta.exe (PID: 3156)
SUSPICIOUS
Process requests binary or script from the Internet
- wscript.exe (PID: 5960)
Executable content was dropped or overwritten
- MpSigStub.exe (PID: 1896)
INFO
The process checks LSA protection
- AM_Engine.exe (PID: 3928)
- conhost.exe (PID: 1628)
- dllhost.exe (PID: 3392)
- rundll32.exe (PID: 4052)
- MpSigStub.exe (PID: 1896)
- AM_Base.exe (PID: 4960)
- AM_Delta.exe (PID: 3156)
Checks supported languages
- AM_Engine.exe (PID: 3928)
- AM_Base.exe (PID: 4960)
- AM_Delta.exe (PID: 3156)
Manual execution by a user
- cmd.exe (PID: 1992)
Checks proxy server information
- wscript.exe (PID: 5960)
Creates files in the program directory
- MpSigStub.exe (PID: 1896)
Reads the software policy settings
- MpSigStub.exe (PID: 1896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .cer | | | Internet Security Certificate (100) |
|---|
Total processes
129
Monitored processes
10
Malicious processes
1
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 300 | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013_1\FileCoAuth.exe -Embedding | C:\Users\admin\AppData\Local\Microsoft\OneDrive\19.043.0304.0013_1\FileCoAuth.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft OneDriveFile Co-Authoring Executable Exit code: 0 Version: 19.043.0304.0013 Modules
| |||||||||||||||
| 1628 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1896 | C:\WINDOWS\system32\MpSigStub.exe /stub 1.1.18500.10 /payload 1.1.19900.2 /MpWUStub /program C:\WINDOWS\SoftwareDistribution\Download\Install\AM_Engine.exe | C:\Windows\System32\MpSigStub.exe | AM_Engine.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Malware Protection Signature Update Stub Exit code: 2147942405 Version: 1.1.18500.10 (bd3bd17b10e8c188734ef863541b1db0d3f8b954) Modules
| |||||||||||||||
| 1992 | "C:\WINDOWS\system32\cmd.exe" | C:\Windows\System32\cmd.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3156 | "C:\WINDOWS\SoftwareDistribution\Download\Install\AM_Delta.exe" WD /q | C:\Windows\SoftwareDistribution\Download\Install\AM_Delta.exe | — | wuauclt.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: AntiMalware Definition Update Exit code: 2147942405 Version: 1.381.122.0 Modules
| |||||||||||||||
| 3392 | C:\WINDOWS\system32\DllHost.exe /Processid:{338B40F9-9D68-4B53-A793-6B9AA0C5F63B} | C:\Windows\System32\dllhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 10.0.19041.546 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3928 | "C:\WINDOWS\SoftwareDistribution\Download\Install\AM_Engine.exe" | C:\Windows\SoftwareDistribution\Download\Install\AM_Engine.exe | — | wuauclt.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: AntiMalware Definition Update Exit code: 0 Version: 1.1.19900.2 Modules
| |||||||||||||||
| 4052 | "C:\WINDOWS\system32\rundll32.exe" cryptext.dll,CryptExtOpenCER "C:\fe7c6af8a14af582c3f81749652b9c1ea6c0c002bb181c9ffb154eae609e6458.cer" | C:\Windows\System32\rundll32.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4960 | "C:\WINDOWS\SoftwareDistribution\Download\Install\AM_Base.exe" | C:\Windows\SoftwareDistribution\Download\Install\AM_Base.exe | — | wuauclt.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: AntiMalware Definition Update Exit code: 0 Version: 1.381.0.0 Modules
| |||||||||||||||
| 5960 | wscript.exe fe7c6af8a14af582c3f81749652b9c1ea6c0c002bb181c9ffb154eae609e6458.wsf | C:\Windows\System32\wscript.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
Total events
5 197
Read events
5 173
Write events
22
Delete events
2
Modification events
| (PID) Process: | (5960) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (5960) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (5960) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (5960) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (5960) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (5960) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (3928) AM_Engine.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MpSigStub |
| Operation: | write | Name: | LastStartTime |
Value: 332C5E360A0BD901 | |||
| (PID) Process: | (4960) AM_Base.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MpSigStub |
| Operation: | write | Name: | LastStartTime |
Value: 13E085A7399BD901 | |||
| (PID) Process: | (4960) AM_Base.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MpSigStub |
| Operation: | write | Name: | LastExitCode |
Value: 0 | |||
| (PID) Process: | (1896) MpSigStub.exe | Key: | \REGISTRY\A\{fde979c6-df5c-32b4-9598-b9688a2cae99}\Root\InventoryApplicationFile |
| Operation: | write | Name: | WritePermissionsCheck |
Value: 1 | |||
Executable files
6
Suspicious files
3
Text files
6
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1896 | MpSigStub.exe | C:\WINDOWS\Temp\5EA6E90C-51DF-4073-B5DF-73978C1EE8E4768.1d99b39a78a485f\mpasbase.vdm | — | |
MD5:— | SHA256:— | |||
| 1896 | MpSigStub.exe | C:\WINDOWS\Temp\5EA6E90C-51DF-4073-B5DF-73978C1EE8E4768.1d99b39a78a485f\mpavbase.vdm | — | |
MD5:— | SHA256:— | |||
| 1896 | MpSigStub.exe | C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\mpasbase.vdm | — | |
MD5:— | SHA256:— | |||
| 1896 | MpSigStub.exe | C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\mpavbase.vdm | — | |
MD5:— | SHA256:— | |||
| 1896 | MpSigStub.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\NonCritical_0x80070005_e865777b0d7de36448289cda813de552cfbf9e1_00000000_8e0f1355-2a12-4b50-bcbc-d9303a99d1bf\Report.wer | — | |
MD5:— | SHA256:— | |||
| 300 | FileCoAuth.exe | C:\Users\admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2023-06-10.0118.300.1.aodl | binary | |
MD5:923BF0E545D9C37CA8874C8D6C4A30E6 | SHA256:AB32C675D35DDBEBFCF8B11720C3E550024E8D0DF557838F17186377E3D0FE65 | |||
| 1896 | MpSigStub.exe | C:\WINDOWS\Temp\E8A562D5-E836-4DBB-9F9D-7FF3A01EDA98-Sigs\MpSigStub.pid | binary | |
MD5:92310AF39834820F3B51EF0D675A933B | SHA256:C92C3536F6D9F8BC32B0B2E0DA271FD64E05DD21A7240924DCD8470D767901F5 | |||
| 1896 | MpSigStub.exe | C:\WINDOWS\Temp\5EA6E90C-51DF-4073-B5DF-73978C1EE8E4768.1d99b39a78a485f\mpasdlta.vdm | executable | |
MD5:94FAA517F0ABF448AA239B8FDD815A0F | SHA256:29E0E7DBF358000A87832B5EBBDCF5000E898DF574CF449DBFCC6B10936262D7 | |||
| 1896 | MpSigStub.exe | C:\WINDOWS\Temp\5EA6E90C-51DF-4073-B5DF-73978C1EE8E4768.1d99b39a78a485f\mpavdlta.vdm | executable | |
MD5:D9FC3B46C6FB8137A7554DB7C23F33AC | SHA256:03CBBC7FB5A50A726E3E5D58E8F1E67538F395A103CAD82D7AD3C827B112B9DD | |||
| 1896 | MpSigStub.exe | C:\ProgramData\Microsoft\Windows Defender\Definition Updates\Updates\mpengine.dll | executable | |
MD5:EE52553EFB5A7D9BDA2E3BAEB3A1649B | SHA256:A61AA6CF95F38F0507FE41385096976A41AA506C70842524708620D3E6C068D6 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
428
TCP/UDP connections
68
DNS requests
21
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3716 | svchost.exe | POST | 200 | 20.190.160.14:443 | https://login.live.com/RST2.srf | US | xml | 9.93 Kb | whitelisted |
5348 | svchost.exe | GET | 200 | 2.18.233.62:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl | unknown | binary | 813 b | whitelisted |
3716 | svchost.exe | POST | 200 | 20.190.160.14:443 | https://login.live.com/RST2.srf | US | xml | 11.1 Kb | whitelisted |
3716 | svchost.exe | POST | 200 | 20.190.160.14:443 | https://login.live.com/RST2.srf | US | xml | 11.1 Kb | whitelisted |
5348 | svchost.exe | GET | 200 | 2.18.233.62:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | binary | 420 b | whitelisted |
5348 | svchost.exe | GET | 200 | 2.18.233.62:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Time-Stamp%20PCA%202010(1).crl | unknown | binary | 1.56 Kb | whitelisted |
5348 | svchost.exe | GET | 200 | 2.18.233.62:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | binary | 813 b | whitelisted |
3716 | svchost.exe | POST | 200 | 20.190.160.14:443 | https://login.live.com/RST2.srf | US | xml | 9.93 Kb | whitelisted |
3716 | svchost.exe | POST | 200 | 20.190.160.14:443 | https://login.live.com/RST2.srf | US | xml | 9.93 Kb | whitelisted |
5348 | svchost.exe | GET | 200 | 2.18.233.62:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl | unknown | binary | 401 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
3716 | svchost.exe | 20.190.160.14:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | suspicious |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4764 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
5348 | svchost.exe | 2.18.233.62:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
2572 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | suspicious |
2900 | svchost.exe | 52.168.112.67:443 | v10.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5584 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
3612 | svchost.exe | 52.184.213.21:443 | geo.prod.do.dsp.mp.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | suspicious |
3612 | svchost.exe | 23.56.203.223:443 | geover.prod.do.dsp.mp.microsoft.com | AKAMAI-AS | GB | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
slscr.update.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
v10.events.data.microsoft.com |
| whitelisted |
geo.prod.do.dsp.mp.microsoft.com |
| whitelisted |
geover.prod.do.dsp.mp.microsoft.com |
| whitelisted |
au.download.windowsupdate.com |
| whitelisted |
fs.microsoft.com |
| whitelisted |
fe3cr.delivery.mp.microsoft.com |
| whitelisted |