| File name: | PSAgentInstaller.exe |
| Full analysis: | https://app.any.run/tasks/ad8cdafc-dd9c-4b7c-8b0d-44c15d25a39a |
| Verdict: | Malicious activity |
| Analysis date: | December 26, 2023, 10:55:59 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | B41C61FE254B1C1CA243E38222C3709F |
| SHA1: | 41AC991AD54C1238593A9202F8293BEC852D3A7B |
| SHA256: | 1009D6DB73A7B2CC1D82B77141EFD17C3A3A590264315EF019B9BCE8946BB57D |
| SSDEEP: | 98304:9u0sG94xlidCBpJLouPuMVR80M1cWYn9g+YJzsskV2WJUDXAQ74W75wy8W7OE7Sk:mT1iu83Q/SUeht2YHgxIaHQ3cmH |
MALICIOUS
Uses Task Scheduler to run other applications
- cmd.exe (PID: 1592)
Create files in the Startup directory
- PSAgentInstaller.tmp (PID: 548)
SUSPICIOUS
Uses TASKKILL.EXE to kill process
- PSAgentInstaller.tmp (PID: 548)
Reads the Windows owner or organization settings
- PSAgentInstaller.tmp (PID: 548)
Reads the Internet Settings
- RemovePrintserver.exe (PID: 1784)
- PSAgentInstaller.tmp (PID: 548)
- SoftovWD.exe (PID: 3328)
- node.exe (PID: 3436)
- sipnotify.exe (PID: 1460)
- SoftovWD.exe (PID: 336)
- node.exe (PID: 2136)
The process deletes folder without confirmation
- RemovePrintserver.exe (PID: 1784)
Starts CMD.EXE for commands execution
- RemovePrintserver.exe (PID: 1784)
- node.exe (PID: 3436)
- PSAgentInstaller.tmp (PID: 548)
- node.exe (PID: 2136)
Reads settings of System Certificates
- sipnotify.exe (PID: 1460)
Adds/modifies Windows certificates
- sipnotify.exe (PID: 1460)
INFO
Drops the executable file immediately after the start
- PSAgentInstaller.exe (PID: 116)
- PSAgentInstaller.exe (PID: 1380)
- PSAgentInstaller.tmp (PID: 548)
Checks supported languages
- PSAgentInstaller.exe (PID: 116)
- PSAgentInstaller.tmp (PID: 548)
- PSAgentInstaller.exe (PID: 1380)
- PSAgentInstaller.tmp (PID: 1072)
- RemovePrintserver.exe (PID: 1784)
- SoftovWD.exe (PID: 3328)
- CertMgr.exe (PID: 3304)
- node.exe (PID: 3436)
- node.exe (PID: 3644)
- IMEKLMG.EXE (PID: 1676)
- IMEKLMG.EXE (PID: 1200)
- SoftovWD.exe (PID: 336)
- node.exe (PID: 2136)
- node.exe (PID: 2348)
- wmpnscfg.exe (PID: 2496)
- SoftovWD.exe (PID: 2656)
- SoftovWD.exe (PID: 2696)
- wmpnscfg.exe (PID: 2536)
- UserInteractive.exe (PID: 2844)
- SoftovWD.exe (PID: 2780)
Reads the computer name
- PSAgentInstaller.tmp (PID: 1072)
- RemovePrintserver.exe (PID: 1784)
- SoftovWD.exe (PID: 3328)
- node.exe (PID: 3436)
- node.exe (PID: 3644)
- IMEKLMG.EXE (PID: 1200)
- IMEKLMG.EXE (PID: 1676)
- PSAgentInstaller.tmp (PID: 548)
- node.exe (PID: 2136)
- SoftovWD.exe (PID: 336)
- node.exe (PID: 2348)
- wmpnscfg.exe (PID: 2496)
- wmpnscfg.exe (PID: 2536)
- UserInteractive.exe (PID: 2844)
- PSAgentInstaller.exe (PID: 116)
Create files in a temporary directory
- PSAgentInstaller.tmp (PID: 548)
- PSAgentInstaller.exe (PID: 116)
- PSAgentInstaller.exe (PID: 1380)
Creates files in the program directory
- PSAgentInstaller.tmp (PID: 548)
- node.exe (PID: 3436)
Manual execution by a user
- chrome.exe (PID: 1560)
- IMEKLMG.EXE (PID: 1676)
- SoftovWD.exe (PID: 336)
- IMEKLMG.EXE (PID: 1200)
- wmpnscfg.exe (PID: 2496)
- wmpnscfg.exe (PID: 2536)
- SoftovWD.exe (PID: 2656)
- SoftovWD.exe (PID: 2780)
- SoftovWD.exe (PID: 2696)
Application launched itself
- chrome.exe (PID: 1560)
- node.exe (PID: 3436)
- node.exe (PID: 2136)
Process drops legitimate windows executable
- PSAgentInstaller.tmp (PID: 548)
Reads the machine GUID from the registry
- CertMgr.exe (PID: 3304)
- node.exe (PID: 3436)
- node.exe (PID: 3644)
- node.exe (PID: 2136)
- node.exe (PID: 2348)
Checks operating system version
- node.exe (PID: 3436)
- node.exe (PID: 2136)
The process executes via Task Scheduler
- ctfmon.exe (PID: 1512)
- sipnotify.exe (PID: 1460)
Process checks are UAC notifies on
- IMEKLMG.EXE (PID: 1200)
- IMEKLMG.EXE (PID: 1676)
Reads security settings of Internet Explorer
- sipnotify.exe (PID: 1460)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (77.7) |
|---|---|---|
| .exe | | | Win32 Executable Delphi generic (10) |
| .dll | | | Win32 Dynamic Link Library (generic) (4.6) |
| .exe | | | Win32 Executable (generic) (3.1) |
| .exe | | | Win16/32 Executable Delphi generic (1.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 1992:06:20 00:22:17+02:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 41984 |
| InitializedDataSize: | 17920 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xaad0 |
| OSVersion: | 1 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 3.4.203.0 |
| ProductVersionNumber: | 3.4.203.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | Softov Medical Systems ltd |
| FileDescription: | PSAgent PSAgent - CRT Setup |
| FileVersion: | 3.4.203 |
| LegalCopyright: | |
| ProductName: | PSAgent PSAgent - CRT |
| ProductVersion: | 3.4.203 |
Total processes
138
Monitored processes
44
Malicious processes
2
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 116 | "C:\Users\admin\AppData\Local\Temp\PSAgentInstaller.exe" | C:\Users\admin\AppData\Local\Temp\PSAgentInstaller.exe | — | explorer.exe | |||||||||||
User: admin Company: Softov Medical Systems ltd Integrity Level: MEDIUM Description: PSAgent PSAgent - CRT Setup Exit code: 0 Version: 3.4.203 Modules
| |||||||||||||||
| 336 | "C:\Program Files\PSAgent\SoftovWD.exe" -v 0 node.exe app.js | C:\Program Files\PSAgent\SoftovWD.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 532 | "taskkill.exe" /f /im SoftovWD.exe | C:\Windows\System32\taskkill.exe | — | PSAgentInstaller.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 548 | "C:\Users\admin\AppData\Local\Temp\is-7E2VB.tmp\PSAgentInstaller.tmp" /SL5="$601B2,10678126,58368,C:\Users\admin\AppData\Local\Temp\PSAgentInstaller.exe" /SPAWNWND=$401AE /NOTIFYWND=$301AA | C:\Users\admin\AppData\Local\Temp\is-7E2VB.tmp\PSAgentInstaller.tmp | PSAgentInstaller.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0 Modules
| |||||||||||||||
| 712 | schtasks /Delete /F /TN printserver | C:\Windows\System32\schtasks.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 884 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=3668 --field-trial-handle=1168,i,934747547500745306,10898255014534000771,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 900 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --mojo-platform-channel-handle=1284 --field-trial-handle=1168,i,934747547500745306,10898255014534000771,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 1072 | "C:\Users\admin\AppData\Local\Temp\is-QD53T.tmp\PSAgentInstaller.tmp" /SL5="$301AA,10678126,58368,C:\Users\admin\AppData\Local\Temp\PSAgentInstaller.exe" | C:\Users\admin\AppData\Local\Temp\is-QD53T.tmp\PSAgentInstaller.tmp | — | PSAgentInstaller.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0 Modules
| |||||||||||||||
| 1200 | "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /KOR /Log | C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office IME 2010 Exit code: 1 Version: 14.0.4734.1000 Modules
| |||||||||||||||
| 1232 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1116 --field-trial-handle=1168,i,934747547500745306,10898255014534000771,131072 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
Total events
8 625
Read events
8 523
Write events
93
Delete events
9
Modification events
| (PID) Process: | (1784) RemovePrintserver.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (1784) RemovePrintserver.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (1784) RemovePrintserver.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (1784) RemovePrintserver.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (1560) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (1560) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (1560) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty |
| Operation: | write | Name: | StatusCodes |
Value: 01000000 | |||
| (PID) Process: | (1560) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (1560) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} |
| Operation: | write | Name: | dr |
Value: 1 | |||
| (PID) Process: | (1560) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\StabilityMetrics |
| Operation: | write | Name: | user_experience_metrics.stability.exited_cleanly |
Value: 1 | |||
Executable files
40
Suspicious files
528
Text files
2 966
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 548 | PSAgentInstaller.tmp | C:\Program Files\PSAgent\keys\SoftovRootCA_Base64.cer | text | |
MD5:B9C189CE3111DB5C53BA47F946032224 | SHA256:87B8C8BDECA63D24463796487F2DCCD1A0A693EB084E779A3D658FB67EDC4F5D | |||
| 548 | PSAgentInstaller.tmp | C:\Program Files\PSAgent\node_modules\.bin\is-RBE0V.tmp | text | |
MD5:8456BFC29F1721F42722AE7C32561DD4 | SHA256:D3345C505CFAA30F5C581416777D3FEA6E2637E50F37F4E0ED7BEE3E3B7ACA57 | |||
| 548 | PSAgentInstaller.tmp | C:\Program Files\PSAgent\node_modules\.bin\is-TK9HE.tmp | text | |
MD5:7A7C84CA6C63B436DB2FFB4AB87BB122 | SHA256:250AE950DD28F91C7A08A9AD7D4919FDD001C0DDB3970D45FF2AE14670B7045C | |||
| 548 | PSAgentInstaller.tmp | C:\Program Files\PSAgent\node_modules\.bin\is-M2PJ6.tmp | text | |
MD5:2C9E6BF63327CD4D5125ED81486B4B6C | SHA256:62F6D23F78750BE2C02554C749B8BC515E1B33FA358619A5DF0D112672D0F9FB | |||
| 548 | PSAgentInstaller.tmp | C:\Program Files\PSAgent\keys\localhost.crt | text | |
MD5:833ED4F31F68649992E61642050D3B16 | SHA256:5D892E735CB1D389D4471BDD4561131D66CFD2BAAD4B12C0AB87F5F4E814B2B8 | |||
| 116 | PSAgentInstaller.exe | C:\Users\admin\AppData\Local\Temp\is-QD53T.tmp\PSAgentInstaller.tmp | executable | |
MD5:1AFBD25DB5C9A90FE05309F7C4FBCF09 | SHA256:3BB0EE5569FE5453C6B3FA25AA517B925D4F8D1F7BA3475E58FA09C46290658C | |||
| 1380 | PSAgentInstaller.exe | C:\Users\admin\AppData\Local\Temp\is-7E2VB.tmp\PSAgentInstaller.tmp | executable | |
MD5:1AFBD25DB5C9A90FE05309F7C4FBCF09 | SHA256:3BB0EE5569FE5453C6B3FA25AA517B925D4F8D1F7BA3475E58FA09C46290658C | |||
| 548 | PSAgentInstaller.tmp | C:\Program Files\PSAgent\node_modules\.bin\rimraf | text | |
MD5:7A7C84CA6C63B436DB2FFB4AB87BB122 | SHA256:250AE950DD28F91C7A08A9AD7D4919FDD001C0DDB3970D45FF2AE14670B7045C | |||
| 548 | PSAgentInstaller.tmp | C:\Program Files\PSAgent\node_modules\.bin\mime.cmd | text | |
MD5:FAE806FC6FF1A1547050FBD746BA2954 | SHA256:C25DA31C50C5005872A75150C0A41194D57E9470E321ADDCD4DCC4D0BB87CEBC | |||
| 548 | PSAgentInstaller.tmp | C:\Program Files\PSAgent\node_modules\.bin\mime | text | |
MD5:8456BFC29F1721F42722AE7C32561DD4 | SHA256:D3345C505CFAA30F5C581416777D3FEA6E2637E50F37F4E0ED7BEE3E3B7ACA57 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
21
DNS requests
15
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1460 | sipnotify.exe | HEAD | 200 | 23.197.138.118:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133480619888750000 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1560 | chrome.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
1384 | chrome.exe | 142.250.184.227:443 | clientservices.googleapis.com | GOOGLE | US | whitelisted |
1384 | chrome.exe | 142.250.185.196:443 | www.google.com | GOOGLE | US | whitelisted |
1384 | chrome.exe | 142.251.5.84:443 | accounts.google.com | GOOGLE | US | unknown |
1384 | chrome.exe | 142.250.185.131:443 | www.gstatic.com | GOOGLE | US | whitelisted |
1384 | chrome.exe | 142.250.185.206:443 | apis.google.com | GOOGLE | US | whitelisted |
1384 | chrome.exe | 142.250.185.227:443 | update.googleapis.com | GOOGLE | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
clientservices.googleapis.com |
| whitelisted |
accounts.google.com |
| shared |
www.google.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
apis.google.com |
| whitelisted |
update.googleapis.com |
| whitelisted |
qa-new.labos.cloud |
| unknown |
query.prod.cms.rt.microsoft.com |
| whitelisted |