File name: ndp48-web.exe
Full analysis: https://app.any.run/tasks/828a92e6-d5b9-42fa-bb8f-9466bd5654fb
Verdict: Malicious activity
Analysis date: April 24, 2024, 16:55:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 34A5C76979563918B953E66E0D39C7EF
SHA1: 4181398AA1FD5190155AC3A388434E5F7EA0B667
SHA256: 0BBA3094588C4BFEC301939985222A20B340BF03431563DEC8B2B4478B06FFFA
SSDEEP: 24576:xGHL3siy910NSmtLvUDSRbm4Jah1rVx8MjoGO8W6cbZtgd6AmpITsz0+lLF7cy:mL3s7K8eTUDBzrVx8MjoGO8W6cbs8NpT
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is; ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • ndp48-web.exe (PID: 1604)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • ndp48-web.exe (PID: 1604)
    • Executable content was dropped or overwritten

      • ndp48-web.exe (PID: 1604)
    • Reads security settings of Internet Explorer

      • Setup.exe (PID: 2880)
    • Checks Windows Trust Settings

      • Setup.exe (PID: 2880)
    • Reads settings of System Certificates

      • Setup.exe (PID: 2880)
    • Reads the Internet Settings

      • Setup.exe (PID: 2880)
  • INFO

    • Checks supported languages

      • ndp48-web.exe (PID: 1604)
      • Setup.exe (PID: 2880)
      • SetupUtility.exe (PID: 3564)
    • Reads the computer name

      • ndp48-web.exe (PID: 1604)
      • Setup.exe (PID: 2880)
      • SetupUtility.exe (PID: 3564)
    • Reads the machine GUID from the registry

      • ndp48-web.exe (PID: 1604)
      • Setup.exe (PID: 2880)
    • Create files in a temporary directory

      • ndp48-web.exe (PID: 1604)
      • Setup.exe (PID: 2880)
    • Reads CPU info

      • Setup.exe (PID: 2880)
    • Reads Environment values

      • Setup.exe (PID: 2880)
    • Creates files or folders in the user directory

      • Setup.exe (PID: 2880)
    • Reads the software policy settings

      • Setup.exe (PID: 2880)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:07:16 21:09:16+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 160256
InitializedDataSize: 29184
UninitializedDataSize: -
EntryPoint: 0x18ee7
OSVersion: 5.1
ImageVersion: 10
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 4.8.4115.0
ProductVersionNumber: 4.8.4115.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: Microsoft .NET Framework 4.8 Setup
FileVersion: 4.8.04115.00
InternalName: NDP48-Web.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: NDP48-Web.exe
ProductName: Microsoft .NET Framework 4.8
ProductVersion: 4.8.04115.00
Total processes: 42
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph

explorer.exe
  ndp48-web.exe (PID 1288, MEDIUM integrity, no indicators; exited with 0xC000042C STATUS_ELEVATION_REQUIRED)
  ndp48-web.exe (PID 1604, HIGH integrity; the elevated instance)
    Setup.exe (PID 2880) /x86 /x64 /web
      SetupUtility.exe (PID 3564) /screboot (no indicators)

Process information

PID 1288
  CMD: "C:\Windows\ndp48-web.exe"
  Path: C:\Windows\ndp48-web.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft .NET Framework 4.8 Setup
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the installer needs administrator rights; the elevated instance is PID 1604 below)
  Version: 4.8.04115.00
  Modules (images):
    c:\windows\ndp48-web.exe
    c:\windows\system32\ntdll.dll

PID 1604
  CMD: "C:\Windows\ndp48-web.exe"
  Path: C:\Windows\ndp48-web.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Microsoft .NET Framework 4.8 Setup
  Version: 4.8.04115.00
  Modules (images):
    c:\windows\ndp48-web.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
    c:\windows\system32\gdi32.dll

PID 2880
  CMD: C:\6be5446ae623ad774d46c4b4\\Setup.exe /x86 /x64 /web
  Path: C:\6be5446ae623ad774d46c4b4\Setup.exe
  Parent process: ndp48-web.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Setup Installer
  Version: 14.8.4110.0 built by: NET48REL1LAST_B
  Modules (images):
    c:\6be5446ae623ad774d46c4b4\setup.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\6be5446ae623ad774d46c4b4\setupengine.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\user32.dll

PID 3564
  CMD: SetupUtility.exe /screboot
  Path: C:\6be5446ae623ad774d46c4b4\SetupUtility.exe
  Parent process: Setup.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Microsoft .NET Framework 4.5 Setup
  Exit code: 0
  Version: 14.8.4110.0 built by: NET48REL1LAST_B
  Modules (images):
    c:\6be5446ae623ad774d46c4b4\setuputility.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
Total events: 5 033
Read events: 5 013
Write events: 17
Delete events: 3

Modification events

(PID 2880) Setup.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
  Operation: write
  Name: LanguageList
  Value: en-US

(PID 2880) Setup.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates
  Operation: delete value
  Name: 9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
  Value: -

(PID 2880) Setup.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
  Operation: write
  Name: Blob
  Value: 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

(PID 2880) Setup.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
  Operation: write
  Name: Blob
  Value: 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

(PID 2880) Setup.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates\9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6
  Operation: write
  Name: Blob
  Value:
  190000000100000010000000BCC80DAA2F98A4692805BFF4CBB372EB0F00000001000000200000009065F32AFC2CFEA7F452D2D6BE94D20C877EFC1C05433D9935696193FDCC05D80300000001000000140000009F6134C5FA75E4FDDE631B232BE961D6D4B97DB61400000001000000140000005D6CA352CEFC713CBBC5E21F663C3639FD19D4D7200000000100000047030000308203433082022BA00302010202147327B7C17D5AE708EF73F1F45A79D78B4E99A29F300D06092A864886F70D01010B05003031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274301E170D3233303932393130353030335A170D3339303530383130353030335A3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C08446967694365727430820122300D06092A864886F70D01010105000382010F003082010A0282010100D91B7A55548F44F3E97C493153B75B055695736B184640D7335A2E6218083B5A1BEE2695209350E57A3EB76FBC604CB3B250DF3D9D0C560D1FBDFE30108D233A3C555100BE1A3F8E543C0B253E06E91B6D5F9CB3A093009BC8B4D3A0EB19DB59E56DA7E3D637847970D6C2AEB4A1FCF3896A7C080FE68759BAA62E6AAA8B7C7CBDA176DDC72F8D259A16D3469E31F19D2959904611D730D7D26FCFED789A0C49698FDFABF3F6727D08C61A073BB11E85C96486D49B0E0D38364C008A5EB964F8813C5DF004F9E76D2F8DB90702D800032674959BF0DF823785419101CEA928A10ACBAE7E48FE19202F3CB7BCF416476D17CB64C5570FCED443BD75D9F2C632FF0203010001A3533051301D0603551D0E041604145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7301F0603551D230418301680145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7300F0603551D130101FF040530030101FF300D06092A864886F70D01010B05000382010100AF2218E4CA18144728FCC76EA14958061522FD4A018BED1A4BFCC5CCE70BC6AE9DF7D3795C9A010D53628E2B6E7C10D6B07E53546235A5EE480E5A434E312154BF1E39AAC27D2C18D4F41CBBECFE4538CEF93EF62C17D187A7F720F4A9478410D09620C9F8B293B5786A5440BC0743B7B7753CF66FBA498B7E083BC267597238DC031B9BB131F997D9B8164AAED0D6E328420E53E1969DA6CD035078179677A7177BB2BF9C87CF592910CD380E8501B92040A39469C782BA383BEAE498C060FCC7C429BC10B7B6B7A0659C9BE03DC13DB46C638CF5E3B22A303726906DC8DD91C64501EBFC282A3A497EC430CACC066EE4BF9C5C8F2F2A05D0C1921A9E3E85E3
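The last registry write is the one in this report worth decoding rather than skimming. Under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates each subkey is named by a certificate's SHA-1 thumbprint, and its Blob value is CryptoAPI's serialized property list: repeated records of uint32 property id, uint32 reserved (always 1), uint32 length, data, where property 0x20 (CERT_CERT_PROP_ID) holds the DER-encoded certificate and 0x03 (CERT_SHA1_HASH_PROP_ID) its thumbprint. The script below is an added example, not part of the ANY.RUN report or of the .NET installer; it relies only on the Python standard library and a minimal DER walker that reads just the X.509 fields an analyst needs (serial, issuer, subject, validity, basicConstraints), so it assumes that record layout and a well-formed certificate. Run against the Blob and subkey name copied from this report, it shows a self-signed CA certificate with subject C=US, ST=Boston, O=DigiCert, serial 7327B7C17D5AE708EF73F1F45A79D78B4E99A29F, valid 2023-09-29 to 2039-05-08, whose thumbprint matches the subkey name. That subject matches no DigiCert public root (those carry O=DigiCert Inc and a CN). Two caveats: the EnterpriseCertificates store is the one crypt32 maintains from inside whichever process opens it, so attribution to Setup.exe identifies the process that performed the write, not where the certificate came from; and the disclaimer at the top of the report applies, since user actions in an interactive session can be the origin. Either way, a self-signed root entering a machine trust store during the run is the artifact to investigate, not the CRL and CTL downloads that follow.

```python
# Added example (not from the ANY.RUN report or the installer): decode the registry Blob that
# Setup.exe wrote under EnterpriseCertificates\Root\Certificates\<thumbprint>. Stdlib only.
import hashlib
import struct

KEY_NAME = "9F6134C5FA75E4FDDE631B232BE961D6D4B97DB6"   # registry subkey name from the report
BLOB_HEX = (   # Blob value from the report, split at property-record and DER field boundaries
    "190000000100000010000000BCC80DAA2F98A4692805BFF4CBB372EB"                    # 0x19 subject-key MD5
    "0F00000001000000200000009065F32AFC2CFEA7F452D2D6BE94D20C877EFC1C05433D9935696193FDCC05D8"  # 0x0F
    "0300000001000000140000009F6134C5FA75E4FDDE631B232BE961D6D4B97DB6"            # 0x03 SHA-1 thumbprint
    "1400000001000000140000005D6CA352CEFC713CBBC5E21F663C3639FD19D4D7"            # 0x14 key identifier
    "200000000100000047030000"                                                    # 0x20 cert, 0x347 bytes
    "308203433082022BA00302010202147327B7C17D5AE708EF73F1F45A79D78B4E99A29F300D06092A864886F70D01010B0500"
    "3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274"
    "301E170D3233303932393130353030335A170D3339303530383130353030335A"
    "3031310B3009060355040613025553310F300D06035504080C06426F73746F6E3111300F060355040A0C084469676943657274"
    "30820122300D06092A864886F70D01010105000382010F003082010A0282010100"
    "D91B7A55548F44F3E97C493153B75B055695736B184640D7335A2E6218083B5A1BEE2695209350E57A3EB76FBC604CB3B250DF3D9D0C560D1FBDFE30108D233A"
    "3C555100BE1A3F8E543C0B253E06E91B6D5F9CB3A093009BC8B4D3A0EB19DB59E56DA7E3D637847970D6C2AEB4A1FCF3896A7C080FE68759BAA62E6AAA8B7C7C"
    "BDA176DDC72F8D259A16D3469E31F19D2959904611D730D7D26FCFED789A0C49698FDFABF3F6727D08C61A073BB11E85C96486D49B0E0D38364C008A5EB964F8"
    "813C5DF004F9E76D2F8DB90702D800032674959BF0DF823785419101CEA928A10ACBAE7E48FE19202F3CB7BCF416476D17CB64C5570FCED443BD75D9F2C632FF"
    "0203010001A3533051301D0603551D0E041604145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7"
    "301F0603551D230418301680145D6CA352CEFC713CBBC5E21F663C3639FD19D4D7300F0603551D130101FF040530030101FF"
    "300D06092A864886F70D01010B05000382010100"
    "AF2218E4CA18144728FCC76EA14958061522FD4A018BED1A4BFCC5CCE70BC6AE9DF7D3795C9A010D53628E2B6E7C10D6B07E53546235A5EE480E5A434E312154"
    "BF1E39AAC27D2C18D4F41CBBECFE4538CEF93EF62C17D187A7F720F4A9478410D09620C9F8B293B5786A5440BC0743B7B7753CF66FBA498B7E083BC267597238"
    "DC031B9BB131F997D9B8164AAED0D6E328420E53E1969DA6CD035078179677A7177BB2BF9C87CF592910CD380E8501B92040A39469C782BA383BEAE498C060FC"
    "C7C429BC10B7B6B7A0659C9BE03DC13DB46C638CF5E3B22A303726906DC8DD91C64501EBFC282A3A497EC430CACC066EE4BF9C5C8F2F2A05D0C1921A9E3E85E3"
)
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x0a": "O"}


def parse_blob(blob: bytes) -> dict:
    """{prop_id: data} from CryptoAPI's serialized property records <u32 id, u32 1, u32 len, data>."""
    props, off = {}, 0
    while off < len(blob):
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1 or off + 12 + length > len(blob):
            raise ValueError(f"malformed property record at offset {off}")
        props[prop_id] = blob[off + 12:off + 12 + length]
        off += 12 + length
    return props


def der_tlv(buf: bytes, off: int = 0):
    """Read one DER TLV at buf[off]; return (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                                   # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length


def render_name(name: bytes) -> str:
    """Render an X.501 Name (SEQUENCE OF SET OF {OID, value}) as C=.., ST=.., O=.."""
    parts, pos = [], 0
    while pos < len(name):
        _, rdn, pos = der_tlv(name, pos)                # SET
        _, atv, _ = der_tlv(rdn)                        # first AttributeTypeAndValue
        _, oid, o = der_tlv(atv)
        _, val, _ = der_tlv(atv, o)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode('latin-1')}")
    return ", ".join(parts)


def cert_summary(der: bytes) -> dict:
    """Serial, issuer, subject, validity and the basicConstraints cA flag of an X.509 DER cert."""
    tbs = der_tlv(der_tlv(der)[1])[1]                   # Certificate -> tbsCertificate
    tag, _, pos = der_tlv(tbs)
    pos = pos if tag == 0xA0 else 0                     # [0] version is optional
    _, serial, pos = der_tlv(tbs, pos)
    _, _, pos = der_tlv(tbs, pos)                       # signature algorithm
    _, issuer, pos = der_tlv(tbs, pos)
    _, validity, pos = der_tlv(tbs, pos)
    _, subject, pos = der_tlv(tbs, pos)
    _, _, pos = der_tlv(tbs, pos)                       # subjectPublicKeyInfo
    _, not_before, v = der_tlv(validity)
    _, not_after, _ = der_tlv(validity, v)
    is_ca = False
    while pos < len(tbs):                               # optional UIDs, then [3] extensions
        tag, val, pos = der_tlv(tbs, pos)
        if tag != 0xA3:
            continue
        exts, epos = der_tlv(val)[1], 0
        while epos < len(exts):
            _, ext, epos = der_tlv(exts, epos)
            _, oid, o = der_tlv(ext)
            if oid != b"\x55\x1d\x13":                  # id-ce-basicConstraints
                continue
            tag, body, o = der_tlv(ext, o)
            if tag == 0x01:                             # critical BOOLEAN precedes the OCTET STRING
                _, body, _ = der_tlv(ext, o)
            is_ca = der_tlv(body)[1][:3] == b"\x01\x01\xff"   # SEQUENCE { cA BOOLEAN TRUE, ... }
    return {"serial": serial.hex().upper(), "issuer": render_name(issuer), "subject": render_name(subject),
            "not_before": not_before.decode(), "not_after": not_after.decode(), "is_ca": is_ca}


def inspect_blob(blob_hex: str, key_name: str) -> dict:
    """Decode the Blob and cross-check it against the registry key name it was written under."""
    props = parse_blob(bytes.fromhex(blob_hex))
    der = props[0x20]                                   # CERT_CERT_PROP_ID: the DER certificate
    thumbprint = hashlib.sha1(der).hexdigest().upper()
    info = cert_summary(der)
    info["thumbprint"] = thumbprint
    info["thumbprint_matches_key"] = thumbprint == key_name.upper()        # subkey name is the SHA-1 thumbprint
    info["stored_sha1_matches"] = props.get(0x03, b"").hex().upper() == thumbprint   # CERT_SHA1_HASH_PROP_ID
    info["key_identifier"] = props.get(0x14, b"").hex().upper()           # CERT_KEY_IDENTIFIER_PROP_ID
    info["self_signed"] = info["issuer"] == info["subject"]
    info["property_ids"] = sorted(props)
    return info


if __name__ == "__main__":
    for k, v in inspect_blob(BLOB_HEX, KEY_NAME).items():
        print(f"{k}: {v}")
```

The same decoder applies to any Blob under the SystemCertificates or EnterpriseCertificates hives (Root, CA, AuthRoot, Disallowed), so it can be pointed at a registry export from a live host to diff the machine trust stores against a known-good baseline; the thumbprint cross-check catches a subkey whose name does not match the certificate it stores.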
Executable files: 29
Suspicious files: 6
Text files: 79
Unknown types: 0

Dropped files

PID | Process | Filename | Type
1604 | ndp48-web.exe | C:\6be5446ae623ad774d46c4b4\Graphics\Rotate7.ico | image
  MD5: B4947D242AB4A902031FCD1FFD3A56CD
  SHA256: 995C9F4EA0D98C0C4E5037EDE43FC44A680D85CB1E37C782ADAB775915E975B8
1604 | ndp48-web.exe | C:\6be5446ae623ad774d46c4b4\Graphics\Rotate5.ico | image
  MD5: 25F0D572761CB610BDAD6DD980C46CC7
  SHA256: CE2AFC0AA52B3D459D6D8D7C551F7B8FBF323E2260326908C37A13F21FEE423E
1604 | ndp48-web.exe | C:\6be5446ae623ad774d46c4b4\Graphics\Rotate6.ico | image
  MD5: 5AC2B8E1A766C204F996D9CE33FB3DB4
  SHA256: EE387D9642DF93E4240361077AF6051C1B7E643C3CF110F43DA42E0EFE29A375
1604 | ndp48-web.exe | C:\6be5446ae623ad774d46c4b4\SplashScreen.bmp | image
  MD5: BC32088BFAA1C76BA4B56639A2DEC592
  SHA256: B05141DBC71669A7872A8E735E5E43A7F9713D4363B7A97543E1E05DCD7470A7
1604 | ndp48-web.exe | C:\6be5446ae623ad774d46c4b4\DisplayIcon.ico | image
  MD5: F9657D290048E169FFABBBB9C7412BE0
  SHA256: B74AD253B9B8F9FCADE725336509143828EE739CC2B24782BE3ECFF26F229160
1604 | ndp48-web.exe | C:\6be5446ae623ad774d46c4b4\header.bmp | image
  MD5: 41C22EFA84CA74F0CE7076EB9A482E38
  SHA256: 255025A0D79EF2DAC04BD610363F966EF58328400BF31E1F8915E676478CD750
1604 | ndp48-web.exe | C:\6be5446ae623ad774d46c4b4\Graphics\Rotate1.ico | image
  MD5: 9B70C7FA81DCA6D3B992037D0C251D92
  SHA256: 18226B9D56D2B1C070A2C606428892773CB00B5B4B95397E79D01DE26685CCD4
1604 | ndp48-web.exe | C:\6be5446ae623ad774d46c4b4\Graphics\Rotate2.ico | image
  MD5: F824905E5501603E6720B784ADD71BDD
  SHA256: D15A6F1EEFEFE4F9CD51B7B22E9C7B07C7ACAD72FD53E5F277E6D4E0976036C3
1604 | ndp48-web.exe | C:\6be5446ae623ad774d46c4b4\Graphics\SysReqNotMet.ico | image
  MD5: ECA24331CE0850D188BD2EB5C22DE684
  SHA256: DEBA0A7A6E2CA99D3380D35AE33F8D266806FDBCBF75FB06B5718BE5873258F6
1604 | ndp48-web.exe | C:\6be5446ae623ad774d46c4b4\Graphics\Setup.ico | image
  MD5: 6125F32AA97772AFDFF2649BD403419B
  SHA256: A0C7B4B17A69775E1D94123DFCEEC824744901D55B463BA9DCA9301088F12EA5
HTTP(S) requests: 6
TCP/UDP connections: 10
DNS requests: 4
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation (cells the page export left empty are omitted from the rows; "-" marks a missing HTTP code)

2880 | Setup.exe | GET | 200 | 23.206.188.208:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | unknown
2880 | Setup.exe | GET | - | 23.206.188.208:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | unknown | unknown
2880 | Setup.exe | GET | 200 | 92.122.89.124:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | unknown | unknown
2880 | Setup.exe | GET | 304 | 2.21.240.210:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?48c184ffb93444c2 | unknown | unknown
2880 | Setup.exe | GET | 200 | 23.206.188.208:80 | http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | unknown | unknown
1080 | svchost.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?663a78a3b1d15987 | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
2880 | Setup.exe | 2.21.240.93:80 | ctldl.windowsupdate.com | Akamai International B.V. | SE | unknown
2880 | Setup.exe | 23.206.188.208:80 | crl.microsoft.com | Akamai International B.V. | US | unknown
2880 | Setup.exe | 92.122.89.124:80 | www.microsoft.com | Akamai International B.V. | NL | unknown
2880 | Setup.exe | 2.21.240.210:80 | ctldl.windowsupdate.com | Akamai International B.V. | SE | unknown
1080 | svchost.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown

DNS requests

Domain
IP
Reputation
ctldl.windowsupdate.com
  • 2.21.240.93
  • 2.21.240.210
  • 2.21.240.153
  • 2.21.240.145
  • 2.21.240.208
  • 23.60.69.16
  • 23.60.69.6
  • 199.232.210.172
  • 199.232.214.172
whitelisted
crl.microsoft.com
  • 23.206.188.208
  • 23.206.188.206
whitelisted
www.microsoft.com
  • 92.122.89.124
whitelisted

Threats

No threats detected
No debug info