File name: USB-Console-Installer-Win32bit.EXE

Full analysis: https://app.any.run/tasks/5063e995-8835-4e7e-bfc1-2498a38d02f9
Verdict: Malicious activity
Analysis date: December 02, 2023, 07:57:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
MD5: 0A032B1249DA329DFFE068DFC8E0741E
SHA1: 24DACA42DF31D68C8BE690262F463BA396C00B64
SHA256: 07875F10F81BB2934F84A720ED4E767FDC4C6B242F4D141F809483898A3C219C
SSDEEP: 6144:aBeU00a0a0IJQS4xsyX7wNJ+Q3KG7ggrxH+wCjyWYMTqJmY1cvEJP:ket0bpS4xsyXUNUQ3xnrxHjCjyWYMTk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • USB-Console-Installer-Win32bit.EXE (PID: 2428)
      • DPInst.exe (PID: 2524)
    • Creates a writable file in the system directory

      • drvinst.exe (PID: 2076)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • USB-Console-Installer-Win32bit.EXE (PID: 2428)
      • DPInst.exe (PID: 2524)
    • Creates files in the driver directory

      • drvinst.exe (PID: 2076)
    • Checks Windows Trust Settings

      • drvinst.exe (PID: 2076)
  • INFO

    • Create files in a temporary directory

      • USB-Console-Installer-Win32bit.EXE (PID: 2428)
      • DPInst.exe (PID: 2524)
    • Checks supported languages

      • USB-Console-Installer-Win32bit.EXE (PID: 2428)
      • DPInst.exe (PID: 2524)
      • drvinst.exe (PID: 2076)
    • Reads the machine GUID from the registry

      • DPInst.exe (PID: 2524)
      • drvinst.exe (PID: 2076)
    • Reads the computer name

      • DPInst.exe (PID: 2524)
      • drvinst.exe (PID: 2076)
No Malware configuration.

TRiD

.exe | Win32 MS Cabinet Self-Extractor (WExtract stub) (72.1)
.exe | InstallShield setup (10.2)
.exe | Win32 Executable MS Visual C++ (generic) (7.4)
.exe | Win64 Executable (generic) (6.5)
.dll | Win32 Dynamic Link Library (generic) (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2008:01:19 06:47:29+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 43520
InitializedDataSize: 271872
UninitializedDataSize: -
EntryPoint: 0x6b20
OSVersion: 6
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 6.0.6001.18000
ProductVersionNumber: 6.0.6001.18000
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 6.0.6001.18000 (longhorn_rtm.080118-1840)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.0.6001.18000
All screenshots are available in the full report
Total processes: 42
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Nodes: start, usb-console-installer-win32bit.exe, dpinst.exe (no specs), drvinst.exe (no specs), usb-console-installer-win32bit.exe (no specs)

Process information

PID: 844
CMD: "C:\Users\admin\AppData\Local\Temp\USB-Console-Installer-Win32bit.EXE"
Path: C:\Users\admin\AppData\Local\Temp\USB-Console-Installer-Win32bit.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Win32 Cabinet Self-Extractor
Exit code: 3221226540
Version: 6.0.6001.18000 (longhorn_rtm.080118-1840)
Modules (images):
  c:\users\admin\appdata\local\temp\usb-console-installer-win32bit.exe
  c:\windows\system32\ntdll.dll

PID: 2076
CMD: DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{68bec5aa-81bf-2dce-e830-7b045a632831}\hp_cdc_v1p0.inf" "0" "608210963" "000005C8" "WinSta0\Default" "000005B4" "208" "c:\users\admin\appdata\local\temp\ixp000.tmp"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\windows\system32\drvinst.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\setupapi.dll
  c:\windows\system32\cfgmgr32.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll

PID: 2428
CMD: "C:\Users\admin\AppData\Local\Temp\USB-Console-Installer-Win32bit.EXE"
Path: C:\Users\admin\AppData\Local\Temp\USB-Console-Installer-Win32bit.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Win32 Cabinet Self-Extractor
Exit code: 0
Version: 6.0.6001.18000 (longhorn_rtm.080118-1840)
Modules (images):
  c:\users\admin\appdata\local\temp\usb-console-installer-win32bit.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll

PID: 2524
CMD: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dpinst.exe
Path: C:\Users\admin\AppData\Local\Temp\IXP000.TMP\DPInst.exe
Parent process: USB-Console-Installer-Win32bit.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Driver Package Installer
Exit code: 256
Version: 2.1
Modules (images):
  c:\users\admin\appdata\local\temp\ixp000.tmp\dpinst.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\user32.dll
Total events: 3 048
Read events: 3 023
Write events: 24
Delete events: 1

Modification events

(PID) Process: (2524) DPInst.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2076) drvinst.exe
Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2428) USB-Console-Installer-Win32bit.EXE
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation: delete value
Name: wextract_cleanup0
Value: rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\"
Executable files: 3
Suspicious files: 18
Text files: 3
Unknown types: 1

Dropped files

PID | Process | Filename | Type

2524 | DPInst.exe | C:\Windows\INF\setupapi.dev.log | text
MD5: 92A4B959A0922C614CC3A7D478D69D6F
SHA256: 59339CB585A78C17C7B8B669ECBD70AC563C87B01FC76DEFDFC9AE289608FA32

2076 | drvinst.exe | C:\Windows\System32\DriverStore\Temp\{41099c42-85f2-7a35-12d6-233f8e89e45b}\SET8A81.tmp | cat
MD5: 2516DCCA51C8596B3F2CB39B5E69AB77
SHA256: A4979ADCCD9A57B72CAB6204B88A819F5BE6B8D794943E853C45A320E3148638

2428 | USB-Console-Installer-Win32bit.EXE | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\hpcdc.cat | cat
MD5: 2516DCCA51C8596B3F2CB39B5E69AB77
SHA256: A4979ADCCD9A57B72CAB6204B88A819F5BE6B8D794943E853C45A320E3148638

2076 | drvinst.exe | C:\Windows\System32\DriverStore\Temp\{41099c42-85f2-7a35-12d6-233f8e89e45b}\SET8A92.tmp | binary
MD5: 596207D2261875321ACD7F76583654F1
SHA256: DE707B829E17FB7CC3E26B8FC335407EBC190317E28E0A7F1FB2CACECDFACA48

2428 | USB-Console-Installer-Win32bit.EXE | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\HP_CDC_V1P0.inf | binary
MD5: 596207D2261875321ACD7F76583654F1
SHA256: DE707B829E17FB7CC3E26B8FC335407EBC190317E28E0A7F1FB2CACECDFACA48

2428 | USB-Console-Installer-Win32bit.EXE | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\DPInst.exe | executable
MD5: 591D48093722C976B3A419EA2A294182
SHA256: 803BE465A66F90321825C7893A863330BEEDA9E3FDE5A1E47F24AB234E17B3F6

2524 | DPInst.exe | C:\Users\admin\AppData\Local\Temp\{68bec5aa-81bf-2dce-e830-7b045a632831}\SET89F4.tmp | cat
MD5: 2516DCCA51C8596B3F2CB39B5E69AB77
SHA256: A4979ADCCD9A57B72CAB6204B88A819F5BE6B8D794943E853C45A320E3148638

2524 | DPInst.exe | C:\Users\admin\AppData\Local\Temp\{68bec5aa-81bf-2dce-e830-7b045a632831}\SET8A05.tmp | binary
MD5: 596207D2261875321ACD7F76583654F1
SHA256: DE707B829E17FB7CC3E26B8FC335407EBC190317E28E0A7F1FB2CACECDFACA48

2524 | DPInst.exe | C:\Users\admin\AppData\Local\Temp\{68bec5aa-81bf-2dce-e830-7b045a632831}\hp_cdc_v1p0.inf | binary
MD5: 596207D2261875321ACD7F76583654F1
SHA256: DE707B829E17FB7CC3E26B8FC335407EBC190317E28E0A7F1FB2CACECDFACA48

2076 | drvinst.exe | C:\Windows\System32\DriverStore\infstor.dat | binary
MD5: 026C98C0C819E0A4260F6D7F8A732F5D
SHA256: 80893B9B749025C880816A087742B1C5139D49054295249F5E1552B5FDAB1E22
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted

DNS requests

No data

Threats

No threats detected
No debug info