File name: Elancia_Hide_Macro_Tool_Install.exe

Full analysis: https://app.any.run/tasks/b31b3c6a-2bd0-41e2-aa31-94beaaf4be9a
Verdict: Malicious activity
Analysis date: December 11, 2024, 23:14:07
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: upx, arch-exec
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: F8E31EFA3903F63E2A1C53A2736F529E
SHA1: 6E9D1C1996C5062FFD143168844A57D414933092
SHA256: 08121FEA32F64A00C8F789EDC01284310AEFFA29A9EA0A940599292E1881A96B
SSDEEP: 98304:9qK6tWkNyECI6oE/TP2WWnF7Uk6v1gqnLC5cT+d9FiecJ+gQ0tg/w7V3VYaBfVLN:0gUK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Process drops legitimate Windows executable
      • IFinst27.exe (PID: 5780)
    • Executable content was dropped or overwritten
      • Elancia_Hide_Macro_Tool_Install.exe (PID: 512)
      • IFinst27.exe (PID: 5780)
    • Starts itself from another location
      • Elancia_Hide_Macro_Tool_Install.exe (PID: 512)
    • Creates a software uninstall entry
      • IFinst27.exe (PID: 5780)
    • Reads Microsoft Outlook installation path
      • FontAdd.exe (PID: 6920)
      • FontAdd.exe (PID: 5032)
      • FontAdd.exe (PID: 4444)
    • Reads security settings of Internet Explorer
      • FontAdd.exe (PID: 6920)
      • FontAdd.exe (PID: 4444)
      • IFinst27.exe (PID: 5780)
      • FontAdd.exe (PID: 5032)
  • INFO
    • Checks supported languages
      • IFinst27.exe (PID: 5780)
      • Elancia_Hide_Macro_Tool_Install.exe (PID: 512)
      • FontAdd.exe (PID: 6920)
      • FontAdd.exe (PID: 4444)
      • FontAdd.exe (PID: 5032)
    • Creates files in the program directory
      • IFinst27.exe (PID: 5780)
    • Creates files in a temporary directory
      • IFinst27.exe (PID: 5780)
    • Reads the computer name
      • IFinst27.exe (PID: 5780)
      • FontAdd.exe (PID: 6920)
      • FontAdd.exe (PID: 4444)
      • FontAdd.exe (PID: 5032)
    • UPX packer has been detected
      • IFinst27.exe (PID: 5780)
    • Creates files or folders in the user directory
      • IFinst27.exe (PID: 5780)
    • The sample is compiled with English language support
      • IFinst27.exe (PID: 5780)
    • Manual execution by a user
      • FontAdd.exe (PID: 4444)
      • FontAdd.exe (PID: 5032)
    • Checks proxy server information
      • FontAdd.exe (PID: 6920)
      • FontAdd.exe (PID: 4444)
      • FontAdd.exe (PID: 5032)
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2000:12:06 19:37:33+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 61440
InitializedDataSize: 4096
UninitializedDataSize: 106496
EntryPoint: 0x29940
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 135
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Graph nodes (from the start node): elancia_hide_macro_tool_install.exe, ifinst27.exe, fontadd.exe (no specs), rundll32.exe (no specs), fontadd.exe (no specs), fontadd.exe (no specs), elancia_hide_macro_tool_install.exe (no specs)

Process information

PID: 512
CMD: "C:\Users\admin\AppData\Local\Temp\Elancia_Hide_Macro_Tool_Install.exe"
Path: C:\Users\admin\AppData\Local\Temp\Elancia_Hide_Macro_Tool_Install.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\elancia_hide_macro_tool_install.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

PID: 1448
CMD: "C:\Users\admin\AppData\Local\Temp\Elancia_Hide_Macro_Tool_Install.exe"
Path: C:\Users\admin\AppData\Local\Temp\Elancia_Hide_Macro_Tool_Install.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Modules (images):
c:\users\admin\appdata\local\temp\elancia_hide_macro_tool_install.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

PID: 4444
CMD: "C:\Program Files (x86)\Elancia Hide Macro Tool\FontAdd.exe"
Path: C:\Program Files (x86)\Elancia Hide Macro Tool\FontAdd.exe
Parent process: explorer.exe
User: admin
Company: 제리클™
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00
Modules (images):
c:\program files (x86)\elancia hide macro tool\fontadd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\program files (x86)\elancia hide macro tool\msvbvm60.dll

PID: 5032
CMD: "C:\Program Files (x86)\Elancia Hide Macro Tool\FontAdd.exe"
Path: C:\Program Files (x86)\Elancia Hide Macro Tool\FontAdd.exe
Parent process: explorer.exe
User: admin
Company: 제리클™
Integrity Level: MEDIUM
Exit code: 0
Version: 1.00
Modules (images):
c:\program files (x86)\elancia hide macro tool\fontadd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\program files (x86)\elancia hide macro tool\msvbvm60.dll
c:\windows\syswow64\user32.dll

PID: 5780
CMD: "C:\WINDOWS\IFinst27.exe" -IC:\Users\admin\AppData\Local\Temp\Elancia_Hide_Macro_Tool_Install.exe
Path: C:\Windows\IFinst27.exe
Parent process: Elancia_Hide_Macro_Tool_Install.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
c:\windows\ifinst27.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 6920
CMD: "C:\Program Files (x86)\Elancia Hide Macro Tool\FontAdd.exe"
Path: C:\Program Files (x86)\Elancia Hide Macro Tool\FontAdd.exe
Parent process: IFinst27.exe
User: admin
Company: 제리클™
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
c:\program files (x86)\elancia hide macro tool\fontadd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\program files (x86)\elancia hide macro tool\msvbvm60.dll

PID: 7056
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
Total events: 2 021
Read events: 2 011
Write events: 3
Delete events: 7

Modification events

(PID) Process: (5780) IFinst27.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: delete value
Name: Elancia Hide Macro Tool
Value: (empty)

(PID) Process: (5780) IFinst27.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Elancia Hide Macro Tool
Operation: write
Name: DisplayName
Value: Elancia Hide Macro Tool Uninstall

(PID) Process: (5780) IFinst27.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Elancia Hide Macro Tool
Operation: write
Name: UninstallString
Value: "C:\WINDOWS\IFinst27.exe" -UC:\Program Files (x86)\Elancia Hide Macro Tool\IFUA5AE.inf

(PID) Process: (6920) FontAdd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation: write
Name: {BD84B380-8CA2-1069-AB1D-08000948F534} {000214E6-0000-0000-C000-000000000046} 0xFFFF
Value: 010000000000000030B49B6F224CDB01

(PID) Process: (6920) FontAdd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation: delete value
Name: AddToFavoritesInitialSelection
Value: (empty)

(PID) Process: (6920) FontAdd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation: delete value
Name: AddToFeedsInitialSelection
Value: (empty)

(PID) Process: (4444) FontAdd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation: delete value
Name: AddToFavoritesInitialSelection
Value: (empty)

(PID) Process: (4444) FontAdd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation: delete value
Name: AddToFeedsInitialSelection
Value: (empty)

(PID) Process: (5032) FontAdd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation: delete value
Name: AddToFavoritesInitialSelection
Value: (empty)

(PID) Process: (5032) FontAdd.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation: delete value
Name: AddToFeedsInitialSelection
Value: (empty)
Executable files: 10
Suspicious files: 7
Text files: 6
Unknown types: 1

Dropped files

PID | Process | Filename | Type

5780 | IFinst27.exe | C:\Program Files (x86)\Elancia Hide Macro Tool\MSVBVM60.DLL | executable
  MD5: F28EB5CBC3CA6D8C787F09F047D1F9C8
  SHA256: 3EF32E0152CC3FA07C417E6AADF9EAD83A17B5FDEE73799044E1BD7564725D6E
512 | Elancia_Hide_Macro_Tool_Install.exe | C:\Windows\IFinst27.exe | executable
  MD5: 9C17BCA3EF837BACDED7E4299508E71D
  SHA256: 2405E5479AEB7D43D1362969B9C439E5931B8F900F9ADFE0FAAA986365415193
5780 | IFinst27.exe | C:\Program Files (x86)\Elancia Hide Macro Tool\HideMacro.zip | compressed
  MD5: AE19B9EBFB4549B793DE647ACD203C86
  SHA256: E87F53AE24D94127188B6E19818E3F785EE8CDCD9EEF16769394D5A7BCC1AF62
5780 | IFinst27.exe | C:\Windows\Fonts\¿£ÅÍ-¼ÖÀÙ9_beta3.5_20051010.ttf | binary
  MD5: C36054449816588A3C4BF246A4CB3469
  SHA256: B6A441B5B359AD9C94CAC049E4BC4F1D42D69A3D16736AE6D3BD150C46B57C0B
5780 | IFinst27.exe | C:\Program Files (x86)\Elancia Hide Macro Tool\Keyinput.skn | text
  MD5: 8C53ACF8DC5BC840E0B25E48C6285410
  SHA256: 4F5A7C83B6925AFA9EDC86DA17E5FDBAFFCF4ED842FB2C8C1888DCC3CA1F3BF1
5780 | IFinst27.exe | C:\Program Files (x86)\Elancia Hide Macro Tool\Main.skn | text
  MD5: E88E45CE8CE9B2D3BFE22E35777075BE
  SHA256: A113BFE07D812460EEB589233811BC079141FF92CA0820F752DC571B5090BC35
5780 | IFinst27.exe | C:\Windows\Fonts\¿£ÅÍ-°¥ÀÙ9_Beta2.1.ttf | binary
  MD5: 25609C804C5FA8765C8FFB836713447F
  SHA256: 5D4805D655ADA74AEAA9B925692FA12C7569995191319C0909E1F1F0551E1A32
5780 | IFinst27.exe | C:\Program Files (x86)\Elancia Hide Macro Tool\Hotkey.skn | text
  MD5: 28B8E1AEF1B47C54E805E0CDEB51FEE6
  SHA256: 7674F1D925FF77A1062042F547CB0728FD62A7451B09C8205AD243D8682BCD16
5780 | IFinst27.exe | C:\Program Files (x86)\Elancia Hide Macro Tool\PICCLP32.OCX | executable
  MD5: 380D13794FF7642B1091BD7F9A05AFD3
  SHA256: A1134BD48B0D243E1F9AD6CCC08F1D56C8793D76F3AE7DD4BF1EB02AF086443C
5780 | IFinst27.exe | C:\Program Files (x86)\Elancia Hide Macro Tool\BHButton.ocx | executable
  MD5: B72BFC05D849357C05176F72EB251E19
  SHA256: C1D83C31FE88B7490B79DF516FCB545A582BAC7B7C335EF460650FA8BAD036B5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 34
DNS requests: 19
Threats: 0

HTTP requests

None of the recorded requests originate from the sample's own processes (PIDs 512, 1448, 4444, 5032, 5780, 6920, 7056); all are Windows background CRL/OCSP fetches. The Type and Size columns were empty for every row.

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
188 | svchost.exe | GET | 200 | 23.53.40.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
188 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.139:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5616 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
6540 | backgroundTaskHost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
5616 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
1176 | svchost.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
5064 | SearchApp.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5064 | SearchApp.exe | 104.126.37.130:443 | www.bing.com | Akamai International B.V. | DE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4712 | MoUsoCoreWorker.exe | 23.53.40.139:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
188 | svchost.exe | 23.53.40.139:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
188 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
188 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5064 | SearchApp.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
www.bing.com | 104.126.37.130, 104.126.37.160, 104.126.37.155, 104.126.37.137, 104.126.37.153, 104.126.37.131, 104.126.37.163, 104.126.37.154, 104.126.37.162 | whitelisted
settings-win.data.microsoft.com | 51.104.136.2, 4.231.128.59 | whitelisted
crl.microsoft.com | 23.53.40.139, 23.53.40.137 | whitelisted
google.com | 142.250.185.110 | whitelisted
www.microsoft.com | 184.30.21.171, 95.101.149.131 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
login.live.com | 20.190.159.71, 40.126.31.73, 20.190.159.68, 20.190.159.0, 20.190.159.4, 40.126.31.67, 40.126.31.71, 40.126.31.69 | whitelisted
go.microsoft.com | 184.28.89.167 | whitelisted
slscr.update.microsoft.com | 52.149.20.212 | whitelisted
fe3cr.delivery.mp.microsoft.com | 20.3.187.198 | whitelisted

Threats

No threats detected
No debug info