| File name: | 3.0_X-Lite_Win32_1006e_34025 12.exe |
| Full analysis: | https://app.any.run/tasks/a227bf09-3b58-4232-80e6-67142fee315d |
| Verdict: | Malicious activity |
| Analysis date: | May 08, 2024, 06:12:17 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 6A58E670C74172D230613A0489C742FC |
| SHA1: | 59B1F6191A68FED6C3AF4D2DF352EEA2C40D355D |
| SHA256: | 09ECDB655E66D9ACA5F9534576D969670D49AF62F68688E8817E7A7EB6C57843 |
| SSDEEP: | 196608:icaS297x3CE8pXar9zDsWzaHp1AAf7GfX4:icaSWBn8pKr9zzaJ1/DoI |
MALICIOUS
Drops the executable file immediately after the start
- 3.0_X-Lite_Win32_1006e_34025 12.exe (PID: 4092)
- is-333QV.tmp (PID: 1020)
- is-0HBFQ.exe (PID: 1092)
Changes the autorun value in the registry
- is-333QV.tmp (PID: 1020)
SUSPICIOUS
Process drops legitimate windows executable
- is-333QV.tmp (PID: 1020)
Executable content was dropped or overwritten
- 3.0_X-Lite_Win32_1006e_34025 12.exe (PID: 4092)
- is-333QV.tmp (PID: 1020)
- is-0HBFQ.exe (PID: 1092)
Reads the Windows owner or organization settings
- is-333QV.tmp (PID: 1020)
Reads the Internet Settings
- runonce.exe (PID: 1452)
- sipnotify.exe (PID: 1540)
- x-lite.exe (PID: 2164)
The process drops C-runtime libraries
- is-333QV.tmp (PID: 1020)
Searches for installed software
- is-333QV.tmp (PID: 1020)
The process executes via Task Scheduler
- ctfmon.exe (PID: 1616)
- sipnotify.exe (PID: 1540)
Reads Microsoft Outlook installation path
- x-lite.exe (PID: 2164)
Creates/Modifies COM task schedule object
- is-0HBFQ.exe (PID: 1092)
Reads Internet Explorer settings
- x-lite.exe (PID: 2164)
Reads security settings of Internet Explorer
- x-lite.exe (PID: 2164)
Reads the BIOS version
- x-lite.exe (PID: 2164)
INFO
Checks supported languages
- is-333QV.tmp (PID: 1020)
- 3.0_X-Lite_Win32_1006e_34025 12.exe (PID: 4092)
- is-0HBFQ.exe (PID: 1092)
- IMEKLMG.EXE (PID: 2132)
- IMEKLMG.EXE (PID: 2140)
- x-lite.exe (PID: 2164)
- wmpnscfg.exe (PID: 2764)
- wmpnscfg.exe (PID: 2788)
Create files in a temporary directory
- 3.0_X-Lite_Win32_1006e_34025 12.exe (PID: 4092)
- is-333QV.tmp (PID: 1020)
Reads the computer name
- is-333QV.tmp (PID: 1020)
- 3.0_X-Lite_Win32_1006e_34025 12.exe (PID: 4092)
- IMEKLMG.EXE (PID: 2132)
- IMEKLMG.EXE (PID: 2140)
- wmpnscfg.exe (PID: 2764)
- wmpnscfg.exe (PID: 2788)
- x-lite.exe (PID: 2164)
Creates files in the program directory
- is-333QV.tmp (PID: 1020)
Reads the time zone
- runonce.exe (PID: 1452)
Manual execution by a user
- runonce.exe (PID: 1452)
- x-lite.exe (PID: 2164)
- IMEKLMG.EXE (PID: 2132)
- IMEKLMG.EXE (PID: 2140)
- wmpnscfg.exe (PID: 2764)
- wmpnscfg.exe (PID: 2788)
Reads security settings of Internet Explorer
- runonce.exe (PID: 1452)
Creates a software uninstall entry
- is-333QV.tmp (PID: 1020)
Process checks whether UAC notifications are on
- IMEKLMG.EXE (PID: 2132)
- IMEKLMG.EXE (PID: 2140)
Reads CPU info
- x-lite.exe (PID: 2164)
Checks proxy server information
- x-lite.exe (PID: 2164)
Reads the machine GUID from the registry
- x-lite.exe (PID: 2164)
Creates files or folders in the user directory
- x-lite.exe (PID: 2164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable PowerBASIC/Win 9.x (51.2) |
|---|---|---|
| .exe | | | Inno Setup installer (37.9) |
| .exe | | | Win32 Executable Delphi generic (4.9) |
| .dll | | | Win32 Dynamic Link Library (generic) (2.2) |
| .exe | | | Win32 Executable (generic) (1.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 1992:06:19 22:22:17+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 36864 |
| InitializedDataSize: | 16896 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x97f0 |
| OSVersion: | 1 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| Comments: | This installation was built with Inno Setup: http://www.innosetup.com |
| CompanyName: | CounterPath Solutions Inc. |
| FileDescription: | X-Lite Setup |
| FileVersion: | |
| LegalCopyright: | (c) 2006 CounterPath Solutions Inc. All rights reserved. |
Total processes
90
Monitored processes
12
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1020 | "C:\Users\admin\AppData\Local\Temp\is-LOU6J.tmp\is-333QV.tmp" /SL4 $30138 "C:\Users\admin\AppData\Local\Temp\3.0_X-Lite_Win32_1006e_34025 12.exe" 7311221 52224 | C:\Users\admin\AppData\Local\Temp\is-LOU6J.tmp\is-333QV.tmp | 3.0_X-Lite_Win32_1006e_34025 12.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.42.0.0 Modules
| |||||||||||||||
| 1092 | "C:\Windows\is-0HBFQ.exe" /REG | C:\Windows\is-0HBFQ.exe | runonce.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.42.0.0 Modules
| |||||||||||||||
| 1452 | runonce.exe /Explorer | C:\Windows\System32\runonce.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Run Once Wrapper Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1540 | C:\Windows\system32\sipnotify.exe -LogonOrUnlock | C:\Windows\System32\sipnotify.exe | taskeng.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: sipnotify Version: 6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716) Modules
| |||||||||||||||
| 1616 | C:\Windows\System32\ctfmon.exe | C:\Windows\System32\ctfmon.exe | — | taskeng.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CTF Loader Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2132 | "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /JPN /Log | C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office IME 2010 Exit code: 1 Version: 14.0.4734.1000 Modules
| |||||||||||||||
| 2140 | "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /KOR /Log | C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office IME 2010 Exit code: 1 Version: 14.0.4734.1000 Modules
| |||||||||||||||
| 2164 | "C:\Program Files\CounterPath\X-Lite\x-lite.exe" | C:\Program Files\CounterPath\X-Lite\x-lite.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Modules
| |||||||||||||||
| 2764 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2788 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
8 864
Read events
8 764
Write events
89
Delete events
11
Modification events
| (PID) Process: | (1020) is-333QV.tmp | Key: | HKEY_CURRENT_USER\Software\EBInstaller |
| Operation: | write | Name: | InstallerName |
Value: 3.0_X-Lite_Win32_1006e_34025 12.exe | |||
| (PID) Process: | (1020) is-333QV.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs |
| Operation: | write | Name: | C:\Program Files\Common Files\Intel\ataplugin\msvcr71.dll |
Value: 1 | |||
| (PID) Process: | (1020) is-333QV.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs |
| Operation: | write | Name: | C:\Program Files\Common Files\Intel\ataplugin\ATAPlugIn.ax |
Value: 1 | |||
| (PID) Process: | (1020) is-333QV.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs |
| Operation: | write | Name: | C:\Program Files\Common Files\Microsoft Shared\Triedit\dhtmled.ocx |
Value: 1 | |||
| (PID) Process: | (1020) is-333QV.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | eyeBeam SIP Client |
Value: "C:\Program Files\CounterPath\X-Lite\x-lite.exe" | |||
| (PID) Process: | (1020) is-333QV.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.eba |
| Operation: | write | Name: | Content Type |
Value: application/eyebeam | |||
| (PID) Process: | (1020) is-333QV.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/eyebeam |
| Operation: | write | Name: | Extension |
Value: .eba | |||
| (PID) Process: | (1020) is-333QV.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\eyeBeam.args |
| Operation: | write | Name: | EditFlags |
Value: D8070100 | |||
| (PID) Process: | (1020) is-333QV.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\sip |
| Operation: | write | Name: | EditFlags |
Value: 02000000 | |||
| (PID) Process: | (1020) is-333QV.tmp | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Tcpip\Parameters |
| Operation: | write | Name: | DisableUserTOSSetting |
Value: 0 | |||
Executable files
34
Suspicious files
8
Text files
27
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1020 | is-333QV.tmp | C:\Program Files\CounterPath\X-Lite\is-SDSKH.tmp | executable | |
MD5:86F1895AE8C5E8B17D99ECE768A70732 | SHA256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE | |||
| 1020 | is-333QV.tmp | C:\Program Files\CounterPath\X-Lite\msvcr71.dll | executable | |
MD5:86F1895AE8C5E8B17D99ECE768A70732 | SHA256:8094AF5EE310714CAEBCCAEEE7769FFB08048503BA478B879EDFEF5F1A24FEFE | |||
| 1020 | is-333QV.tmp | C:\Users\admin\AppData\Local\Temp\is-J9IE0.tmp\WinCPUID.dll | executable | |
MD5:3353EBF04F3B207E0D2197D201B2E577 | SHA256:4003B27885F145B2BE0E471A75C06EDADADECF8CA0D0911FCD0BFF52526A3CC3 | |||
| 4092 | 3.0_X-Lite_Win32_1006e_34025 12.exe | C:\Users\admin\AppData\Local\Temp\is-LOU6J.tmp\is-333QV.tmp | executable | |
MD5:036EF63E2F9B138A42D6ADB54EC0CD1E | SHA256:71B487F0523F213004766402B22BF86FA0EF9891E940D2A4CB12EBA6627E7CC6 | |||
| 1020 | is-333QV.tmp | C:\Users\admin\AppData\Local\Temp\is-J9IE0.tmp\_isetup\_shfoldr.dll | executable | |
MD5:92DC6EF532FBB4A5C3201469A5B5EB63 | SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 | |||
| 1020 | is-333QV.tmp | C:\Program Files\CounterPath\X-Lite\msvcp71.dll | executable | |
MD5:561FA2ABB31DFA8FAB762145F81667C2 | SHA256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B | |||
| 1020 | is-333QV.tmp | C:\Program Files\CounterPath\X-Lite\is-7FE2J.tmp | executable | |
MD5:BA00755C6793E249F5A278BCC144C2CC | SHA256:C9503A656245A8D463946B47D8709CD2E468E72E54447238D9419179F5A16627 | |||
| 1020 | is-333QV.tmp | C:\Program Files\CounterPath\X-Lite\is-4F6E6.tmp | image | |
MD5:5A77AB01BB917BB0F539B07614A6135F | SHA256:16C1B2FA5AD3D758B51E1757B3AB6A1DD1E79391703010E7793CBC4B8F85E55F | |||
| 1020 | is-333QV.tmp | C:\Program Files\CounterPath\X-Lite\uninstall.ico | image | |
MD5:5A77AB01BB917BB0F539B07614A6135F | SHA256:16C1B2FA5AD3D758B51E1757B3AB6A1DD1E79391703010E7793CBC4B8F85E55F | |||
| 1020 | is-333QV.tmp | C:\Program Files\CounterPath\X-Lite\is-POM47.tmp | executable | |
MD5:6831E53C1F7AAA8F5F0104E0E0CD6A9E | SHA256:A367BE631C73A8516BEB6F01045100B1DD1C033F7AF0D6F94B44A4F95E70AE46 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
8
DNS requests
2
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1540 | sipnotify.exe | HEAD | — | 104.107.20.123:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133596259984210000 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1100 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1540 | sipnotify.exe | 104.107.20.123:80 | query.prod.cms.rt.microsoft.com | AKAMAI-AS | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
query.prod.cms.rt.microsoft.com |
| whitelisted |
xlite.counterpath.com |
| unknown |