analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

openvpn-install-2.4.7-I603.exe

Full analysis: https://app.any.run/tasks/6fb5e258-e1f2-4cf3-a982-991470ae7ab1
Verdict: Malicious activity
Analysis date: March 14, 2019, 19:52:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, Nullsoft Installer self-extracting archive
MD5:

B04C1B28BAAC54B415CB88635B4DC815

SHA1:

E34F5291917D1A9D2E0E94AF8CF34C2F6D0ECA1B

SHA256:

0237BE0BE0156F869F38FB2F38842E3AB5DF46C79B914EBA580DE3031C116651

SSDEEP:

98304:6+ldZJUIozgux1p3zNoVmljXvz1oy8pvenqIkMK/JFhv07MTE:/XLUh91J+mp7d8pvsxkRhv0YY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • openvpn-install-2.4.7-I603.exe (PID: 3952)
      • tap-windows.exe (PID: 2628)
    • Application was dropped or rewritten from another process

      • ns4BF0.tmp (PID: 3524)
      • ns4E61.tmp (PID: 3316)
      • tap-windows.exe (PID: 2628)
      • ns4D75.tmp (PID: 3208)
      • tapinstall.exe (PID: 3872)
      • tapinstall.exe (PID: 4080)
      • openvpnserv.exe (PID: 2824)
    • Changes the autorun value in the registry

      • openvpn-install-2.4.7-I603.exe (PID: 3952)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • tap-windows.exe (PID: 2628)
      • openvpn-install-2.4.7-I603.exe (PID: 3952)
    • Creates files in the program directory

      • tap-windows.exe (PID: 2628)
      • openvpn-install-2.4.7-I603.exe (PID: 3952)
    • Executable content was dropped or overwritten

      • tap-windows.exe (PID: 2628)
      • openvpn-install-2.4.7-I603.exe (PID: 3952)
      • tapinstall.exe (PID: 3872)
      • DrvInst.exe (PID: 3476)
      • DrvInst.exe (PID: 3092)
    • Removes files from Windows directory

      • DrvInst.exe (PID: 3476)
      • DrvInst.exe (PID: 3092)
    • Creates files in the Windows directory

      • DrvInst.exe (PID: 3476)
      • DrvInst.exe (PID: 3092)
    • Creates files in the driver directory

      • DrvInst.exe (PID: 3476)
      • DrvInst.exe (PID: 3092)
    • Creates a software uninstall entry

      • tap-windows.exe (PID: 2628)
      • openvpn-install-2.4.7-I603.exe (PID: 3952)
    • Searches for installed software

      • DrvInst.exe (PID: 3476)
    • Uses RUNDLL32.EXE to load library

      • DrvInst.exe (PID: 3476)
    • Modifies the open verb of a shell class

      • openvpn-install-2.4.7-I603.exe (PID: 3952)
  • INFO

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x4375
UninitializedDataSize: 110080
InitializedDataSize: 38912
CodeSize: 35840
LinkerVersion: 2.26
PEType: PE32
TimeStamp: 2016:04:27 03:27:47+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 27-Apr-2016 01:27:47
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 7
Time date stamp: 27-Apr-2016 01:27:47
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_DEBUG_STRIPPED
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00008B24
0x00008C00
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.94493
.data
0x0000A000
0x000000E0
0x00000200
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
1.62454
.rdata
0x0000B000
0x00006A38
0x00006C00
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.22225
.bss
0x00012000
0x0001AD00
0x00000000
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.idata
0x0002D000
0x0000127C
0x00001400
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.15437
.ndata
0x0002F000
0x0001A000
0x00000400
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_2048BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_8BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00049000
0x00006DC8
0x00006E00
IMAGE_SCN_ALIGN_1024BYTES, IMAGE_SCN_ALIGN_16BYTES, IMAGE_SCN_ALIGN_1BYTES, IMAGE_SCN_ALIGN_256BYTES, IMAGE_SCN_ALIGN_2BYTES, IMAGE_SCN_ALIGN_32BYTES, IMAGE_SCN_ALIGN_4096BYTES, IMAGE_SCN_ALIGN_4BYTES, IMAGE_SCN_ALIGN_512BYTES, IMAGE_SCN_ALIGN_64BYTES, IMAGE_SCN_ALIGN_8192BYTES, IMAGE_SCN_ALIGN_MASK, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.84468

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.21594
960
UNKNOWN
English - United States
RT_MANIFEST
2
4.15056
4264
UNKNOWN
English - United States
RT_ICON
3
3.94986
3752
UNKNOWN
English - United States
RT_ICON
4
4.50443
2216
UNKNOWN
English - United States
RT_ICON
5
4.1424
1384
UNKNOWN
English - United States
RT_ICON
6
4.74328
1128
UNKNOWN
English - United States
RT_ICON
102
2.70702
180
UNKNOWN
English - United States
RT_DIALOG
103
2.47314
90
UNKNOWN
English - United States
RT_GROUP_ICON
104
2.70176
356
UNKNOWN
English - United States
RT_DIALOG
105
2.68101
582
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.DLL
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
14
Malicious processes
5
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start openvpn-install-2.4.7-i603.exe no specs openvpn-install-2.4.7-i603.exe ns4bf0.tmp no specs tap-windows.exe ns4d75.tmp no specs tapinstall.exe no specs ns4e61.tmp no specs tapinstall.exe drvinst.exe rundll32.exe no specs vssvc.exe no specs drvinst.exe no specs drvinst.exe openvpnserv.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3080"C:\Users\admin\AppData\Local\Temp\openvpn-install-2.4.7-I603.exe" C:\Users\admin\AppData\Local\Temp\openvpn-install-2.4.7-I603.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
3952"C:\Users\admin\AppData\Local\Temp\openvpn-install-2.4.7-I603.exe" C:\Users\admin\AppData\Local\Temp\openvpn-install-2.4.7-I603.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
3524"C:\Users\admin\AppData\Local\Temp\nsvEE2F.tmp\ns4BF0.tmp" "C:\Users\admin\AppData\Local\Temp\tap-windows.exe" /S /SELECT_UTILITIES=1C:\Users\admin\AppData\Local\Temp\nsvEE2F.tmp\ns4BF0.tmpopenvpn-install-2.4.7-I603.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2628"C:\Users\admin\AppData\Local\Temp\tap-windows.exe" /S /SELECT_UTILITIES=1C:\Users\admin\AppData\Local\Temp\tap-windows.exe
ns4BF0.tmp
User:
admin
Integrity Level:
HIGH
Exit code:
0
3208"C:\Users\admin\AppData\Local\Temp\nsn4D36.tmp\ns4D75.tmp" "C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap0901C:\Users\admin\AppData\Local\Temp\nsn4D36.tmp\ns4D75.tmptap-windows.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
4080"C:\Program Files\TAP-Windows\bin\tapinstall.exe" hwids tap0901C:\Program Files\TAP-Windows\bin\tapinstall.exens4D75.tmp
User:
admin
Company:
Windows (R) Win 7 DDK provider
Integrity Level:
HIGH
Description:
Windows Setup API
Exit code:
0
Version:
6.1.7600.16385 built by: WinDDK
3316"C:\Users\admin\AppData\Local\Temp\nsn4D36.tmp\ns4E61.tmp" "C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901C:\Users\admin\AppData\Local\Temp\nsn4D36.tmp\ns4E61.tmptap-windows.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3872"C:\Program Files\TAP-Windows\bin\tapinstall.exe" install "C:\Program Files\TAP-Windows\driver\OemVista.inf" tap0901C:\Program Files\TAP-Windows\bin\tapinstall.exe
ns4E61.tmp
User:
admin
Company:
Windows (R) Win 7 DDK provider
Integrity Level:
HIGH
Description:
Windows Setup API
Exit code:
0
Version:
6.1.7600.16385 built by: WinDDK
3476DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{3502f335-5614-43cb-98fc-407179cd7253}\oemvista.inf" "0" "6d14a44ff" "000005C0" "WinSta0\Default" "000005BC" "208" "c:\program files\tap-windows\driver"C:\Windows\system32\DrvInst.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2416rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{5cfbbe6b-6bcb-0bab-07e7-276333807744} Global\{1f50f1de-0d59-092c-6969-1f0873c9e706} C:\Windows\System32\DriverStore\Temp\{1c0b2307-c612-761b-fd51-a07f75371e1a}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{1c0b2307-c612-761b-fd51-a07f75371e1a}\tap0901.catC:\Windows\system32\rundll32.exeDrvInst.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 556
Read events
960
Write events
0
Delete events
0

Modification events

No data
Executable files
30
Suspicious files
21
Text files
359
Unknown types
20

Dropped files

PID
Process
Filename
Type
3952openvpn-install-2.4.7-I603.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenVPN\Utilities\Generate a static OpenVPN key.lnklnk
MD5:353E851FAFFB1EB6C01F8D0DA6848742
SHA256:10F68409EEE134DF8292C807601D51E98F669B148AA78F01CDE862CA5BE0440C
3952openvpn-install-2.4.7-I603.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenVPN\Documentation\OpenVPN Windows Notes.lnklnk
MD5:A72033304B40ECB4167AE183268FDD21
SHA256:A826438C5A0B7B37393CE8DD397EE640C7DAEB0552D2DF6E9C742853AFF53AB6
3952openvpn-install-2.4.7-I603.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenVPN\Documentation\OpenVPN Manual Page.lnklnk
MD5:8BFAB7F8FF12C805661A1552916CF9A4
SHA256:0D194C78EA2080C58162320D0F75CCFD456CE4D8F18827266D5B04C857F8810A
3952openvpn-install-2.4.7-I603.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\OpenVPN\Shortcuts\OpenVPN Sample Configuration Files.lnklnk
MD5:B36B992D24CB4C516B71688349809090
SHA256:500D6188D306B1C85195ED1137759C872AC713C12A90FE2D1EAE9AEC9C38B018
3952openvpn-install-2.4.7-I603.exeC:\Program Files\OpenVPN\sample-config\client.ovpntext
MD5:0E0C51874EF9C53E4A4DCEC263644536
SHA256:A7DC6B3FB75EE3D2BA9244D9302BC0DD9A7F6FF621FFB9E6D1A4D88E436F5617
3952openvpn-install-2.4.7-I603.exeC:\Program Files\OpenVPN\bin\openvpn.exeexecutable
MD5:DE76066903427C91EEC491A269505828
SHA256:FB263A21E7537D57E75B7FFE27CFE6A364C20CA81709B2980CA54D9D5D263553
3952openvpn-install-2.4.7-I603.exeC:\Users\admin\AppData\Local\Temp\nsvEE2F.tmp\modern-header.bmpimage
MD5:CD8BC7B987FA89E7FD5ACDED7148CF66
SHA256:127FC8103D7D1DAACFB0ABB422C9B2AA8ED14FA095E06A997E43445D5D963352
3952openvpn-install-2.4.7-I603.exeC:\Program Files\OpenVPN\config\README.txttext
MD5:0B36C15757F458123DC271DA6C802C20
SHA256:EE88DA16216AAF4BC760C9732B5C99B46E7F9528811AED06483B2A5737736839
3952openvpn-install-2.4.7-I603.exeC:\Program Files\OpenVPN\doc\openvpn.8.htmltext
MD5:2D3145DA4E8B92290F3F177A0E97C29C
SHA256:6532899539398C1DB287C3AF7149CDD4F09547020704A672F7DEA2AEDC1135A6
3952openvpn-install-2.4.7-I603.exeC:\Program Files\OpenVPN\sample-config\sample.ovpntext
MD5:67F657EED08CE365508F739DCB94ADE1
SHA256:07BE2BC7CA10E502485DADDD31785B5C18EA27C017118EE82B1411D7722E4EA5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info