File name:

USB-Console-Installer-Win32bit.EXE

Full analysis: https://app.any.run/tasks/5063e995-8835-4e7e-bfc1-2498a38d02f9
Verdict: Malicious activity
Analysis date: December 02, 2023, 07:57:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, MS CAB-Installer self-extracting archive
MD5:

0A032B1249DA329DFFE068DFC8E0741E

SHA1:

24DACA42DF31D68C8BE690262F463BA396C00B64

SHA256:

07875F10F81BB2934F84A720ED4E767FDC4C6B242F4D141F809483898A3C219C

SSDEEP:

6144:aBeU00a0a0IJQS4xsyX7wNJ+Q3KG7ggrxH+wCjyWYMTqJmY1cvEJP:ket0bpS4xsyXUNUQ3xnrxHjCjyWYMTk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • USB-Console-Installer-Win32bit.EXE (PID: 2428)
      • DPInst.exe (PID: 2524)

    • Creates a writable file in the system directory

      • drvinst.exe (PID: 2076)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • USB-Console-Installer-Win32bit.EXE (PID: 2428)
      • DPInst.exe (PID: 2524)

    • Creates files in the driver directory

      • drvinst.exe (PID: 2076)

    • Checks Windows Trust Settings

      • drvinst.exe (PID: 2076)

  • INFO

    • Create files in a temporary directory

      • USB-Console-Installer-Win32bit.EXE (PID: 2428)
      • DPInst.exe (PID: 2524)

    • Checks supported languages

      • USB-Console-Installer-Win32bit.EXE (PID: 2428)
      • drvinst.exe (PID: 2076)
      • DPInst.exe (PID: 2524)

    • Reads the computer name

      • DPInst.exe (PID: 2524)
      • drvinst.exe (PID: 2076)

    • Reads the machine GUID from the registry

      • DPInst.exe (PID: 2524)
      • drvinst.exe (PID: 2076)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 MS Cabinet Self-Extractor (WExtract stub) (72.1)
.exe | InstallShield setup (10.2)
.exe | Win32 Executable MS Visual C++ (generic) (7.4)
.exe | Win64 Executable (generic) (6.5)
.dll | Win32 Dynamic Link Library (generic) (1.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2008:01:19 06:47:29+01:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 43520
InitializedDataSize: 271872
UninitializedDataSize: -
EntryPoint: 0x6b20
OSVersion: 6
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
FileVersionNumber: 6.0.6001.18000
ProductVersionNumber: 6.0.6001.18000
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Win32 Cabinet Self-Extractor
FileVersion: 6.0.6001.18000 (longhorn_rtm.080118-1840)
InternalName: Wextract
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: WEXTRACT.EXE
ProductName: Microsoft® Windows® Operating System
ProductVersion: 6.0.6001.18000
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
4
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start usb-console-installer-win32bit.exe dpinst.exe no specs drvinst.exe no specs usb-console-installer-win32bit.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
844"C:\Users\admin\AppData\Local\Temp\USB-Console-Installer-Win32bit.EXE" C:\Users\admin\AppData\Local\Temp\USB-Console-Installer-Win32bit.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Win32 Cabinet Self-Extractor
Exit code:
3221226540
Version:
6.0.6001.18000 (longhorn_rtm.080118-1840)
Modules
Images
c:\users\admin\appdata\local\temp\usb-console-installer-win32bit.exe
c:\windows\system32\ntdll.dll
2076DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{68bec5aa-81bf-2dce-e830-7b045a632831}\hp_cdc_v1p0.inf" "0" "608210963" "000005C8" "WinSta0\Default" "000005B4" "208" "c:\users\admin\appdata\local\temp\ixp000.tmp"C:\Windows\System32\drvinst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
2428"C:\Users\admin\AppData\Local\Temp\USB-Console-Installer-Win32bit.EXE" C:\Users\admin\AppData\Local\Temp\USB-Console-Installer-Win32bit.EXE
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Win32 Cabinet Self-Extractor
Exit code:
0
Version:
6.0.6001.18000 (longhorn_rtm.080118-1840)
Modules
Images
c:\users\admin\appdata\local\temp\usb-console-installer-win32bit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2524C:\Users\admin\AppData\Local\Temp\IXP000.TMP\dpinst.exeC:\Users\admin\AppData\Local\Temp\IXP000.TMP\DPInst.exeUSB-Console-Installer-Win32bit.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Driver Package Installer
Exit code:
256
Version:
2.1
Modules
Images
c:\users\admin\appdata\local\temp\ixp000.tmp\dpinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
3 048
Read events
3 023
Write events
24
Delete events
1

Modification events

(PID) Process:(2524) DPInst.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2076) drvinst.exeKey:HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\17F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2428) USB-Console-Installer-Win32bit.EXEKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Operation:delete valueName:wextract_cleanup0
Value:
rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32 "C:\Users\admin\AppData\Local\Temp\IXP000.TMP\"
Executable files
3
Suspicious files
18
Text files
3
Unknown types
1

Dropped files

PID
Process
Filename
Type
2428USB-Console-Installer-Win32bit.EXEC:\Users\admin\AppData\Local\Temp\IXP000.TMP\DPInst.xmltext
MD5:597DCA05A09F6B08BE4EF3A8E7A14863
SHA256:EE2DB799038A0C1E1B9664BDFB71501DA04FB74F311424D27EA3CF3FABA1EA22
2524DPInst.exeC:\Users\admin\AppData\Local\Temp\{68bec5aa-81bf-2dce-e830-7b045a632831}\SET89F4.tmpcat
MD5:2516DCCA51C8596B3F2CB39B5E69AB77
SHA256:A4979ADCCD9A57B72CAB6204B88A819F5BE6B8D794943E853C45A320E3148638
2076drvinst.exeC:\Windows\System32\DriverStore\FileRepository\hp_cdc_v1p0.inf_x86_neutral_e112c7b802bf000e\hp_cdc_v1p0.PNFbinary
MD5:87A89F59488B4F68D03AB1194AC961E1
SHA256:99A262CD83EE31A313C0A0703EA0449618ACF68665101F8CF2C6AAD76C25C6EB
2076drvinst.exeC:\Windows\System32\DriverStore\Temp\{41099c42-85f2-7a35-12d6-233f8e89e45b}\hp_cdc_v1p0.infbinary
MD5:596207D2261875321ACD7F76583654F1
SHA256:DE707B829E17FB7CC3E26B8FC335407EBC190317E28E0A7F1FB2CACECDFACA48
2076drvinst.exeC:\Windows\System32\DriverStore\INFCACHE.2binary
MD5:ABB638661D737D9457D78D28C4145066
SHA256:7602F549ABBAC7DE5CD8125329869D02A0C82AA8C9AAF78011162175AA319261
2524DPInst.exeC:\Users\admin\AppData\Local\Temp\{68bec5aa-81bf-2dce-e830-7b045a632831}\hpcdc.catcat
MD5:2516DCCA51C8596B3F2CB39B5E69AB77
SHA256:A4979ADCCD9A57B72CAB6204B88A819F5BE6B8D794943E853C45A320E3148638
2076drvinst.exeC:\Windows\System32\DriverStore\infstrng.datbinary
MD5:2A02617A7C23CF8C2B38E0F6C325BBBA
SHA256:4F9BE07789D7FE94A3D81658301539EA2B0D9144D6B060D35B5FE9607A468597
2076drvinst.exeC:\Windows\System32\DriverStore\Temp\{41099c42-85f2-7a35-12d6-233f8e89e45b}\SET8A81.tmpcat
MD5:2516DCCA51C8596B3F2CB39B5E69AB77
SHA256:A4979ADCCD9A57B72CAB6204B88A819F5BE6B8D794943E853C45A320E3148638
2076drvinst.exeC:\Windows\System32\DriverStore\infstor.datbinary
MD5:026C98C0C819E0A4260F6D7F8A732F5D
SHA256:80893B9B749025C880816A087742B1C5139D49054295249F5E1552B5FDAB1E22
2076drvinst.exeC:\Windows\System32\DriverStore\Temp\{41099c42-85f2-7a35-12d6-233f8e89e45b}\SET8A92.tmpbinary
MD5:596207D2261875321ACD7F76583654F1
SHA256:DE707B829E17FB7CC3E26B8FC335407EBC190317E28E0A7F1FB2CACECDFACA48
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1080
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
2588
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
USB-Console-Installer-Win32bit.EXE