| File name: | 2BypassESU-v11.exe |
| Full analysis: | https://app.any.run/tasks/479d938a-de10-4307-8938-abb06ab9a4d9 |
| Verdict: | Malicious activity |
| Analysis date: | April 09, 2021, 03:48:22 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | CA4EC01DED30476F55A85B631D02EC64 |
| SHA1: | AD3E0E83DFF31712D2594184AF65AEA5F8580626 |
| SHA256: | 0C4462E5CED4549A1FB9D57B0EDA0BF5C89B25E8E86B6B014B41503CB75BDB79 |
| SSDEEP: | 24576:O2G/nvxW3WKtoeef8sApAqU9SEfnVO38GySxXqlUU1vu6IFevcSzvcS4ufHvdSHU:ObA3nvHT6qUgEfnVO38GZIUmujF/uL |
MALICIOUS
Loads dropped or rewritten executable
- SearchProtocolHost.exe (PID: 3088)
- Dism.exe (PID: 2556)
- dismhost.exe (PID: 2748)
- TrustedInstaller.exe (PID: 4024)
- TrustedInstaller.exe (PID: 3992)
- Dism.exe (PID: 3576)
- TrustedInstaller.exe (PID: 2500)
- dismhost.exe (PID: 2272)
Starts NET.EXE for service management
- cmd.exe (PID: 3216)
- cmd.exe (PID: 2064)
- cmd.exe (PID: 3792)
- cmd.exe (PID: 1532)
Application was dropped or rewritten from another process
- superUser32.exe (PID: 1452)
- dismhost.exe (PID: 2748)
- superUser32.exe (PID: 888)
- dismhost.exe (PID: 2272)
Runs injected code in another process
- superUser32.exe (PID: 1452)
Application was injected by another process
- cmd.exe (PID: 2064)
Uses NET.EXE to stop Windows Update service
- cmd.exe (PID: 2064)
Drops executable file immediately after starts
- Dism.exe (PID: 2556)
- Dism.exe (PID: 3576)
SUSPICIOUS
Reads internet explorer settings
- 2BypassESU-v11.exe (PID: 1924)
- 2BypassESU-v11.exe (PID: 3280)
Drops a file with too old compile date
- 2BypassESU-v11.exe (PID: 3280)
- 2BypassESU-v11.exe (PID: 1924)
- Dism.exe (PID: 2556)
- Dism.exe (PID: 3576)
Executable content was dropped or overwritten
- 2BypassESU-v11.exe (PID: 1924)
- 2BypassESU-v11.exe (PID: 3280)
- Dism.exe (PID: 2556)
- Dism.exe (PID: 3576)
Uses WHOAMI.EXE to obtaining logged on user information
- cmd.exe (PID: 3216)
- cmd.exe (PID: 2064)
- cmd.exe (PID: 1532)
- cmd.exe (PID: 3792)
Creates files in the Windows directory
- TrustedInstaller.exe (PID: 3992)
- cmd.exe (PID: 2064)
- TrustedInstaller.exe (PID: 4024)
- TrustedInstaller.exe (PID: 2500)
Uses REG.EXE to modify Windows registry
- cmd.exe (PID: 3216)
- cmd.exe (PID: 2064)
- cmd.exe (PID: 3652)
- cmd.exe (PID: 3552)
- cmd.exe (PID: 3792)
- cmd.exe (PID: 1532)
Application launched itself
- cmd.exe (PID: 3216)
- cmd.exe (PID: 2064)
- cmd.exe (PID: 3792)
- cmd.exe (PID: 1532)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 3216)
- TrustedInstaller.exe (PID: 3992)
- cmd.exe (PID: 2064)
- cmd.exe (PID: 3792)
- cmd.exe (PID: 1532)
- TrustedInstaller.exe (PID: 4024)
Starts CHOICE.EXE (used to create a delay)
- cmd.exe (PID: 2064)
- cmd.exe (PID: 1532)
Starts SC.EXE for service management
- cmd.exe (PID: 2064)
- cmd.exe (PID: 1532)
Removes files from Windows directory
- TrustedInstaller.exe (PID: 3992)
- cmd.exe (PID: 1532)
- TrustedInstaller.exe (PID: 4024)
Drops a file that was compiled in debug mode
- Dism.exe (PID: 2556)
- Dism.exe (PID: 3576)
Uses WMIC.EXE to obtain a system information
- cmd.exe (PID: 3516)
INFO
Manual execution by user
- 2BypassESU-v11.exe (PID: 3280)
- cmd.exe (PID: 3216)
- cmd.exe (PID: 3792)
Dropped object may contain Bitcoin addresses
- TrustedInstaller.exe (PID: 3992)
- TrustedInstaller.exe (PID: 4024)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| Subsystem: | Windows GUI |
|---|---|
| SubsystemVersion: | 5.1 |
| ImageVersion: | - |
| OSVersion: | 5.1 |
| EntryPoint: | 0x1ec40 |
| UninitializedDataSize: | - |
| InitializedDataSize: | 252928 |
| CodeSize: | 201216 |
| LinkerVersion: | 14 |
| PEType: | PE32 |
| TimeStamp: | 2020:12:01 19:00:55+01:00 |
| MachineType: | Intel 386 or later, and compatibles |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 01-Dec-2020 18:00:55 |
| Detected languages: |
|
| Debug artifacts: |
|
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x00000118 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 6 |
| Time date stamp: | 01-Dec-2020 18:00:55 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 0x00001000 | 0x000310EA | 0x00031200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.70808 |
.rdata | 0x00033000 | 0x0000A612 | 0x0000A800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.22174 |
.data | 0x0003E000 | 0x00023728 | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.70882 |
.didat | 0x00062000 | 0x00000188 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.29825 |
.rsrc | 0x00063000 | 0x0000E000 | 0x0000D600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.81678 |
.reloc | 0x00071000 | 0x00002268 | 0x00002400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.55486 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 5.25329 | 1875 | Latin 1 / Western European | Chinese - PRC | RT_MANIFEST |
2 | 5.10026 | 2216 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
3 | 5.25868 | 3752 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
4 | 5.02609 | 1128 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
5 | 5.18109 | 4264 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
6 | 5.04307 | 9640 | Latin 1 / Western European | Chinese - PRC | RT_ICON |
7 | 5.24197 | 182 | Latin 1 / Western European | Chinese - PRC | RT_STRING |
8 | 5.27357 | 214 | Latin 1 / Western European | Chinese - PRC | RT_STRING |
9 | 5.21038 | 188 | Latin 1 / Western European | Chinese - PRC | RT_STRING |
10 | 5.11103 | 116 | Latin 1 / Western European | Chinese - PRC | RT_STRING |
Imports
KERNEL32.dll |
USER32.dll (delay-loaded) |
gdiplus.dll |
Total processes
163
Monitored processes
101
Malicious processes
14
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 560 | reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\x86_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_none_b26c9b4c15d241fc" /f /ve /d 6.1 | C:\Windows\System32\reg.exe | cmd.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 600 | net start TrustedInstaller | C:\Windows\System32\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 724 | reg add HKU\.DEFAULT\Console /f /v FontFamily /t REG_DWORD /d 0x36 | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 760 | find /i "STOPPED" | C:\Windows\System32\find.exe | cmd.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Find String (grep) Utility Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 840 | C:\Windows\system32\net1 stop wuauserv /y | C:\Windows\system32\net1.exe | — | net.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Net Command Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 888 | superUser32.exe /c cmd.exe /c ""C:\Users\admin\Desktop\BypassESU-v11\LiveOS-Setup.cmd" -su" | C:\Users\admin\Desktop\BypassESU-v11\bin\superUser32.exe | — | cmd.exe | |||||||||||
User: admin Company: Awoo~ Integrity Level: HIGH Description: Run any process with TrustedInstaller privileges Exit code: 0 Version: 4.0.0.0 Modules
| |||||||||||||||
| 996 | reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Winners\x86_microsoft-windows-s..edsecurityupdatesai_31bf3856ad364e35_none_b26c9b4c15d241fc\6.1" /f /v 6.1.7603.25000 /t REG_BINARY /d 01 | C:\Windows\System32\reg.exe | cmd.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1000 | choice /C 12345679 /N /M "Choose a menu option: " | C:\Windows\System32\choice.exe | cmd.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Offers the user a choice Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1284 | sc query TrustedInstaller | C:\Windows\System32\sc.exe | cmd.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: A tool to aid in developing services for WindowsNT Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1344 | C:\Windows\system32\cmd.exe /c ver | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
81 995
Read events
5 881
Write events
34 935
Delete events
41 179
Modification events
| (PID) Process: | (1924) 2BypassESU-v11.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (1924) 2BypassESU-v11.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (1924) 2BypassESU-v11.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (1924) 2BypassESU-v11.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (1924) 2BypassESU-v11.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (3280) 2BypassESU-v11.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (3280) 2BypassESU-v11.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (3280) 2BypassESU-v11.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (3280) 2BypassESU-v11.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (3280) 2BypassESU-v11.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
Executable files
82
Suspicious files
0
Text files
49
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1924 | 2BypassESU-v11.exe | C:\Users\admin\AppData\Local\Temp\BypassESU-v11\bin\wimfile.cmd | text | |
MD5:— | SHA256:— | |||
| 1924 | 2BypassESU-v11.exe | C:\Users\admin\AppData\Local\Temp\BypassESU-v11\bin\x64\ActionCenter.dll.3.Manifest | xml | |
MD5:— | SHA256:— | |||
| 1924 | 2BypassESU-v11.exe | C:\Users\admin\AppData\Local\Temp\BypassESU-v11\bin\PatchWU.xml | xml | |
MD5:16E8CE4B6D4AAEFA13753F525DD2863A | SHA256:553E025813C1669F342C4DC2E794EFE6D7CB9E0A3FB4368DE5429EF7B7466B8E | |||
| 1924 | 2BypassESU-v11.exe | C:\Users\admin\AppData\Local\Temp\BypassESU-v11\bin\libwim-15.dll | executable | |
MD5:B6772D691F4C5F4773774E56D793EA1E | SHA256:8BFC31DF098EE56629A3F3053A820BC3D9A5E30B2DD44AD2F4BC1E82668A9FCC | |||
| 1924 | 2BypassESU-v11.exe | C:\Users\admin\AppData\Local\Temp\BypassESU-v11\bin\PatchWU.cmd | text | |
MD5:6155EFFE606D30DC25EBD2A56F81D359 | SHA256:6428D82F592FF020CE087107CB7966ECB018DD2B09DB9076645C07101464E1DE | |||
| 1924 | 2BypassESU-v11.exe | C:\Users\admin\AppData\Local\Temp\BypassESU-v11\bin\bbe64.exe | executable | |
MD5:A21987B49C2AFF491E8DBBCBDEE40561 | SHA256:59CF14D560C1A8173F76A19226446A3B61D19ED0A196A194FF71AC6AC14CB2C4 | |||
| 1924 | 2BypassESU-v11.exe | C:\Users\admin\AppData\Local\Temp\BypassESU-v11\bin\PatchWU.txt | text | |
MD5:A0ADC3B30D674E2E966E9B296AE02136 | SHA256:00042135242BF9443A8CD5084DEAF26EC5B0F94BB639CA5FD14C15E138D8F67B | |||
| 1924 | 2BypassESU-v11.exe | C:\Users\admin\AppData\Local\Temp\BypassESU-v11\bin\sle32.dll | executable | |
MD5:6413388CBD5A30FF0D8D7969D32438FA | SHA256:AE33F43CFB7246EDCAD243643B6107133BC607DBDA1D23C3661262C413896288 | |||
| 1924 | 2BypassESU-v11.exe | C:\Users\admin\AppData\Local\Temp\BypassESU-v11\bin\sle64.dll | executable | |
MD5:FCBD64252AD6E3BADFAC715EDA930543 | SHA256:A7B61B447BDC60DC9D962520F380DB87A938B1997AAC73D9F830AE0893E67247 | |||
| 1924 | 2BypassESU-v11.exe | C:\Users\admin\AppData\Local\Temp\BypassESU-v11\bin\superUser64.exe | executable | |
MD5:AEB0CDC3C1C1D3D00AC3377600C6B603 | SHA256:E7272643420F4C9EFB0CAB9C1F56A61709EE56E9A3ED1A6E5EF9A960AE988236 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
9
DNS requests
2
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
— | — | HEAD | 200 | 93.184.221.240:80 | http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?2104090352 | US | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 40.70.224.146:443 | www.update.microsoft.com | Microsoft Corporation | US | malicious |
— | — | 93.184.221.240:80 | download.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
download.windowsupdate.com |
| whitelisted |
www.update.microsoft.com |
| whitelisted |