| Field | Value |
|---|---|
| File name | ICT_REPORTX_SETUP.exe |
| Full analysis | https://app.any.run/tasks/0ead71f9-7b02-441d-8dd8-ed69ca96de59 |
| Verdict | Malicious activity |
| Analysis date | December 18, 2023, 09:14:53 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/x-dosexec |
| File info | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5 | B19DAB9FDAC38A36DFE7510AD5E4D043 |
| SHA1 | EA15B2F8D84B41DB2DF9E28CA250388179B5D3E2 |
| SHA256 | 03BE155C51DA747CA4E860F03824E2714F3C3902601CFBAB200389C3035B4BCE |
| SSDEEP | 98304:qL+NUcObJzp8UvYZhIf4lFLLEkCYxa8dWag2t0k8R1daDdQPhhrXcqacH9BqQ8St:CA6tDKZYnaHf6HV |

| Extension | Identified file type (score) |
|---|---|
| .exe | Inno Setup installer (77.7) |
| .exe | Win32 Executable Delphi generic (10) |
| .dll | Win32 Dynamic Link Library (generic) (4.6) |
| .exe | Win32 Executable (generic) (3.1) |
| .exe | Win16/32 Executable Delphi generic (1.4) |

| Field | Value |
|---|---|
| MachineType | Intel 386 or later, and compatibles |
| TimeStamp | 1992:06:20 00:22:17+02:00 |
| ImageFileCharacteristics | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType | PE32 |
| LinkerVersion | 2.25 |
| CodeSize | 41472 |
| InitializedDataSize | 16384 |
| UninitializedDataSize | - |
| EntryPoint | 0xaa98 |
| OSVersion | 1 |
| ImageVersion | 6 |
| SubsystemVersion | 4 |
| Subsystem | Windows GUI |
| FileVersionNumber | 1.0.0.0 |
| ProductVersionNumber | 1.0.0.0 |
| FileFlagsMask | 0x003f |
| FileFlags | (none) |
| FileOS | Win32 |
| ObjectFileType | Executable application |
| FileSubtype | - |
| LanguageCode | Neutral |
| CharacterSet | Unicode |
| Comments | This installation was built with Inno Setup. |
| CompanyName | DigitalZone Co., Ltd |
| FileDescription | REPORTX |
| FileVersion | 1.0.0.0 |
| LegalCopyright | |
| ProductName | REPORTX |
| ProductVersion | 1.0.0.0 |

| PID | CMD | Path | Indicators | Parent process | User | Integrity level | Company | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|---|
| 548 | "C:\Users\admin\AppData\Local\Temp\is-4JUKE.tmp\ICT_REPORTX_SETUP.tmp" /SL5="$501B2,7520945,58880,C:\Users\admin\AppData\Local\Temp\ICT_REPORTX_SETUP.exe" /SPAWNWND=$401AE /NOTIFYWND=$301AA | C:\Users\admin\AppData\Local\Temp\is-4JUKE.tmp\ICT_REPORTX_SETUP.tmp | — | ICT_REPORTX_SETUP.exe | admin | HIGH | — | Setup/Uninstall | 51.52.0.0 | 0 |
| 1264 | C:\Windows\IMGSF50Svc.exe -start | C:\Windows\IMGSF50Svc.exe | — | markany_ImageSafer_v5.20.1210.exe | admin | HIGH | MarkAny | Image SAFER 5.0 Session Managing Service for x86 | 5.0.20.1210 | 0 |
| 1380 | "C:\Users\admin\AppData\Local\Temp\ICT_REPORTX_SETUP.exe" /SPAWNWND=$401AE /NOTIFYWND=$301AA | C:\Users\admin\AppData\Local\Temp\ICT_REPORTX_SETUP.exe | — | ICT_REPORTX_SETUP.tmp | admin | HIGH | DigitalZone Co., Ltd | REPORTX | 1.0.0.0 | 0 |
| 1504 | "C:\ProgramData\DAMON\REPORTX\ImageSaferInstaller.exe" | C:\ProgramData\DAMON\REPORTX\ImageSaferInstaller.exe | — | ICT_REPORTX_SETUP.tmp | admin | HIGH | — | — | — | 0 |
| 1544 | "C:\Windows\system32\netsh.exe" advfirewall firewall add rule name="REPORTXSvc" program="C:\ProgramData\DAMON\REPORTX\REPORTXSvc.exe" dir=in action=allow enable=yes | C:\Windows\System32\netsh.exe | — | ICT_REPORTX_SETUP.tmp | admin | HIGH | Microsoft Corporation | Network Command Shell | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 1576 | C:\Windows\IMGSF50Svc.exe | C:\Windows\IMGSF50Svc.exe | — | services.exe | SYSTEM | SYSTEM | MarkAny | Image SAFER 5.0 Session Managing Service for x86 | 5.0.20.1210 | 0 |
| 1588 | "C:\Windows\system32\markany_ImageSafer_v5.20.1210.exe" | C:\Windows\System32\markany_ImageSafer_v5.20.1210.exe | — | ImageSaferInstaller.exe | admin | HIGH | MarkAny Inc. | MarkAny ImageSAFER 5.0 Installer | 5.0.20.1210 | 0 |
| 1796 | "C:\Windows\system32\IMGSF50Start_x86.exe" | C:\Windows\System32\IMGSF50Start_x86.exe | — | IMGSF50Svc.exe | SYSTEM | SYSTEM | MarkAny | Image SAFER 5.0 Injection Starter for x86 | 5.0.20.1210 | 0 |
| 1864 | C:\Windows\IMGSF50Svc.exe -install | C:\Windows\IMGSF50Svc.exe | — | markany_ImageSafer_v5.20.1210.exe | admin | HIGH | MarkAny | Image SAFER 5.0 Session Managing Service for x86 | 5.0.20.1210 | 0 |
| 2036 | "C:\Users\admin\AppData\Local\Temp\is-9CSTE.tmp\ICT_REPORTX_SETUP.tmp" /SL5="$301AA,7520945,58880,C:\Users\admin\AppData\Local\Temp\ICT_REPORTX_SETUP.exe" | C:\Users\admin\AppData\Local\Temp\is-9CSTE.tmp\ICT_REPORTX_SETUP.tmp | — | ICT_REPORTX_SETUP.exe | admin | MEDIUM | — | Setup/Uninstall | 51.52.0.0 | 0 |

| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 548 | ICT_REPORTX_SETUP.tmp | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 | write | 1609 | 1 |
| 1588 | markany_ImageSafer_v5.20.1210.exe | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager | write | PendingFileRenameOperations | `\??\C:\Users\admin\AppData\Local\Temp\nsz1308.tmp\nsProcess.dll` |
| 1504 | ImageSaferInstaller.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59C6CE43-75B4-4C77-A404-821E6E412B78} | write | LocalizedString | C:\Windows\system32\MaMakeUp.dll,-102 |
| 1504 | ImageSaferInstaller.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{C255D909-D01A-4E81-95F7-E47C03A9EDF9}\InprocServer32 | write | ThreadingModel | Apartment |
| 1504 | ImageSaferInstaller.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\MaMakeUp.DLL | write | AppID | {59C6CE43-75B4-4C77-A404-821E6E412B78} |
| 1504 | ImageSaferInstaller.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59C6CE43-75B4-4C77-A404-821E6E412B78}\Elevation | delete key | (default) | |
| 1504 | ImageSaferInstaller.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59C6CE43-75B4-4C77-A404-821E6E412B78}\InprocServer32 | delete key | (default) | |
| 1504 | ImageSaferInstaller.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59C6CE43-75B4-4C77-A404-821E6E412B78}\LUA | delete key | (default) | |
| 1504 | ImageSaferInstaller.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59C6CE43-75B4-4C77-A404-821E6E412B78}\ProgID | delete key | (default) | |
| 1504 | ImageSaferInstaller.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{59C6CE43-75B4-4C77-A404-821E6E412B78}\Programmable | delete key | (default) | |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2044 | ICT_REPORTX_SETUP.exe | C:\Users\admin\AppData\Local\Temp\is-9CSTE.tmp\ICT_REPORTX_SETUP.tmp | executable | 054D9014CE1264433C488D0B96443D54 | 780C1F58B8E5E143678FB2B1433084384EA3004C0504ACDDA8C1A4D73BE657C4 |
| 548 | ICT_REPORTX_SETUP.tmp | C:\ProgramData\DAMON\REPORTX\is-272LE.tmp | executable | 2A9022D42D0A90CA90AEC6603BA9AC34 | 46C785B72C3E85F73E621CA12E1A92BD00EA0153833ED46AD574B0242013A818 |
| 548 | ICT_REPORTX_SETUP.tmp | C:\ProgramData\DAMON\REPORTX\ssleay32.dll | executable | 3373645020343F68A48B69B5EF0053B9 | 92DDE70A460EE34C65474CF023F4703F54982E6AC82C43CF286C4DBDF3595197 |
| 548 | ICT_REPORTX_SETUP.tmp | C:\Users\admin\AppData\Local\Temp\is-3SAS8.tmp\MyDll.dll | executable | 1952173E8254C5E4A7B0208F386B0735 | 9CEEBAFF220512B761632B2009D7E60B15ACC49BE1A6349905184BE50B8E0E11 |
| 548 | ICT_REPORTX_SETUP.tmp | C:\Windows\System32\DZRootCA.tmp | binary | 84905487FACF79644DF48BD46A55CE8E | 0A5791D55E384EAE880A867B51DB60AD50E4E17B955AF9186FCFC5E4A9A55B14 |
| 548 | ICT_REPORTX_SETUP.tmp | C:\ProgramData\DAMON\REPORTX\is-S42C1.tmp | executable | BC612E24B21A9CD3533CC163DE2DD36F | C72DAFE1C24A927CC8CAED363CFDED9D3541C67B1B9AECA3C85E9A611A32D150 |
| 548 | ICT_REPORTX_SETUP.tmp | C:\ProgramData\DAMON\REPORTX\is-L3QII.tmp | executable | 3373645020343F68A48B69B5EF0053B9 | 92DDE70A460EE34C65474CF023F4703F54982E6AC82C43CF286C4DBDF3595197 |
| 548 | ICT_REPORTX_SETUP.tmp | C:\ProgramData\DAMON\REPORTX\REPORTX.ini | text | 43332DD5271A7CDE93EE04FD6D7836F5 | 895DFE4F2D55ED40E13B4DEDC4B0093C989F6733AA2E6AD0F8D3124262EB664C |
| 548 | ICT_REPORTX_SETUP.tmp | C:\ProgramData\DAMON\REPORTX\VER | text | E2181B2EB0BFD40F33D9DDABF87622FA | A3C0CB74852D52FA5BF0FB9C124239A1583BE07C1D5F2E63A13EA6AF6B7886D0 |
| 548 | ICT_REPORTX_SETUP.tmp | C:\ProgramData\DAMON\REPORTX\is-9NUF2.tmp | executable | 5D71CEAA5A903CAFFBABD739B55B9A46 | EF118F61BA6894077CDCB6932050D465E30B9F97AFF9761CA6F34E67F6BD4436 |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |

| Process | Message |
|---|---|
| ImageSaferInstaller.exe | ### INIT... |
| ImageSaferInstaller.exe | ### INIT... |
| ImageSaferInstaller.exe | ### INIT... |
| ImageSaferInstaller.exe | ### INIT... |