| File name: | PCA646VC22.exe |
| Full analysis: | https://app.any.run/tasks/51e7ef06-fbab-434e-8071-19a6c92531c3 |
| Verdict: | Malicious activity |
| Analysis date: | December 16, 2023, 21:24:18 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive |
| MD5: | 22293FEB7A70F74D2645E616022FFE81 |
| SHA1: | DB99B2445C65296FDFC6DC6ADD4BCA42CC63CE40 |
| SHA256: | 1B322887D9651FA392F40443218CD2976E420591A8173891A85E336DE016AED8 |
| SSDEEP: | 49152:0CTOx9wl2kRRsa8ga0ppxtHZ/g6G0zFXIFo0e5RbuW57jLcpWH8BAvgUH0hL0Dfq:0CWel2kRhnHtHZGLcb1lSB8PU1kuJvhd |
MALICIOUS
Drops the executable file immediately after the start
- PCA646VC22.exe (PID: 2416)
- Setup.exe (PID: 1380)
- _INS5576._MP (PID: 1040)
- Setup.exe (PID: 2480)
- _INS5576._MP (PID: 2340)
- PCA646VC22.exe (PID: 1544)
Creates a writable file in the system directory
- _INS5576._MP (PID: 2340)
Steals credentials from Web Browsers
- _INS5576._MP (PID: 2340)
Actions looks like stealing of personal data
- _INS5576._MP (PID: 2340)
SUSPICIOUS
Starts application with an unusual extension
- Setup.exe (PID: 1380)
- Setup.exe (PID: 2480)
Process drops legitimate windows executable
- _INS5576._MP (PID: 1040)
- _INS5576._MP (PID: 2340)
Reads the Windows owner or organization settings
- PCA646VC22.exe (PID: 1544)
- Setup.exe (PID: 2480)
- _INS5576._MP (PID: 2340)
- _ISDel.exe (PID: 2448)
Drops a system driver (possible attempt to evade defenses)
- _INS5576._MP (PID: 2340)
INFO
Checks supported languages
- PCA646VC22.exe (PID: 2416)
- Setup.exe (PID: 1380)
- _INS5576._MP (PID: 1040)
- _ISDel.exe (PID: 1504)
- PCA646VC22.exe (PID: 1544)
- Setup.exe (PID: 2480)
- _INS5576._MP (PID: 2340)
- _ISDel.exe (PID: 2448)
Reads the computer name
- Setup.exe (PID: 1380)
- _INS5576._MP (PID: 1040)
- _ISDel.exe (PID: 1504)
- PCA646VC22.exe (PID: 1544)
- Setup.exe (PID: 2480)
- _ISDel.exe (PID: 2448)
- _INS5576._MP (PID: 2340)
Create files in a temporary directory
- Setup.exe (PID: 1380)
- PCA646VC22.exe (PID: 2416)
- _INS5576._MP (PID: 1040)
- PCA646VC22.exe (PID: 1544)
- Setup.exe (PID: 2480)
- _INS5576._MP (PID: 2340)
Manual execution by a user
- PCA646VC22.exe (PID: 1624)
- PCA646VC22.exe (PID: 1544)
Creates files in the program directory
- _INS5576._MP (PID: 2340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Generic Win/DOS Executable (50) |
|---|---|---|
| .exe | | | DOS Executable Generic (49.9) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 1998:03:26 15:31:20+01:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 5 |
| CodeSize: | 69120 |
| InitializedDataSize: | 75776 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xc110 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.1.5.0 |
| ProductVersionNumber: | 2.1.5.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | InstallShield Software Corporation |
| FileDescription: | PackageForTheWeb Stub |
| FileVersion: | 2.02.001 |
| InternalName: | STUB.EXE |
| LegalCopyright: | Copyright © 1996 InstallShield Software Corporation |
| OriginalFileName: | STUB32.EXE |
| ProductName: | PackageForTheWeb Stub |
| ProductVersion: | 2.02.001 |
Total processes
50
Monitored processes
11
Malicious processes
6
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1040 | C:\Users\admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP | C:\Users\admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP | — | Setup.exe | |||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: HIGH Description: InstallShield Engine Exit code: 0 Version: 5, 50, 137, 0 Modules
| |||||||||||||||
| 1380 | "C:\Users\admin\AppData\Local\Temp\pftFBE5~tmp\Setup.exe" /SMS | C:\Users\admin\AppData\Local\Temp\pftFBE5~tmp\Setup.exe | — | PCA646VC22.exe | |||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: HIGH Description: 32-bit Setup Launcher Exit code: 2147311616 Version: 5, 50, 137, 0 Modules
| |||||||||||||||
| 1504 | C:\Users\admin\AppData\Local\Temp\pftFBE5~tmp\_ISDEL.EXE | C:\Users\admin\AppData\Local\Temp\pftFBE5~tmp\_ISDel.exe | — | Setup.exe | |||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: HIGH Description: 32-bit InstallShield Deleter. Exit code: 0 Version: 5, 50, 137, 0 Modules
| |||||||||||||||
| 1544 | "C:\Users\admin\Desktop\PCA646VC22.exe" | C:\Users\admin\Desktop\PCA646VC22.exe | explorer.exe | ||||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: HIGH Description: PackageForTheWeb Stub Exit code: 0 Version: 2.02.001 Modules
| |||||||||||||||
| 1624 | "C:\Users\admin\Desktop\PCA646VC22.exe" | C:\Users\admin\Desktop\PCA646VC22.exe | — | explorer.exe | |||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: MEDIUM Description: PackageForTheWeb Stub Exit code: 3221226540 Version: 2.02.001 Modules
| |||||||||||||||
| 1776 | "C:\Users\admin\Desktop\PCA646VC22.exe" | C:\Users\admin\Desktop\PCA646VC22.exe | — | explorer.exe | |||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: MEDIUM Description: PackageForTheWeb Stub Exit code: 3221226540 Version: 2.02.001 Modules
| |||||||||||||||
| 2340 | C:\Users\admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP | C:\Users\admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP | Setup.exe | ||||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: HIGH Description: InstallShield Engine Exit code: 0 Version: 5, 50, 137, 0 Modules
| |||||||||||||||
| 2416 | "C:\Users\admin\Desktop\PCA646VC22.exe" | C:\Users\admin\Desktop\PCA646VC22.exe | explorer.exe | ||||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: HIGH Description: PackageForTheWeb Stub Exit code: 0 Version: 2.02.001 Modules
| |||||||||||||||
| 2444 | C:\PROGRA~1\PHILIP~1\PlugIn13.exe Now you can Plug in your Philips USB PC Camera... | C:\Program Files\Philips PC Camera\plugin13.exe | — | _INS5576._MP | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 | |||||||||||||||
| 2448 | C:\Users\admin\AppData\Local\Temp\pft82E7~tmp\_ISDEL.EXE | C:\Users\admin\AppData\Local\Temp\pft82E7~tmp\_ISDel.exe | — | Setup.exe | |||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: HIGH Description: 32-bit InstallShield Deleter. Exit code: 0 Version: 5, 50, 137, 0 Modules
| |||||||||||||||
Total events
1 416
Read events
1 416
Write events
0
Delete events
0
Modification events
Executable files
39
Suspicious files
35
Text files
31
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2416 | PCA646VC22.exe | C:\Users\admin\AppData\Local\Temp\pftFBE5~tmp\pftw1.pkg | compressed | |
MD5:80E4E55251C6F9F55D468EA0BEEA19C6 | SHA256:9B4CA442D640FE0B5454B70C4DDF2C89313AFEFB63ABDB76CE0C181C0D301BD4 | |||
| 2416 | PCA646VC22.exe | C:\Users\admin\AppData\Local\Temp\pftFBE5~tmp\layout.bin | binary | |
MD5:073F1438E5E20995724B2A545FE55465 | SHA256:87E50FA2CBF075807FDD7C5E09E6429E7ACFAAF5D5B467B288BDBB7CA5927075 | |||
| 2416 | PCA646VC22.exe | C:\Users\admin\AppData\Local\Temp\pftFBE5~tmp\data1.cab | compressed | |
MD5:53CCA080A36B9D37D36E324B6B956053 | SHA256:EE2374EE26E9F8B157FF11DB59928E2329B0333ED995AAC203DB3ABF13300E5F | |||
| 2416 | PCA646VC22.exe | C:\Users\admin\AppData\Local\Temp\pftFBE5~tmp\_INST32I.EX_ | ??_ | |
MD5:E69E71765D982275679EA0CBA6DD332C | SHA256:808C49409AA93932909B640AE85223E17AD617A57E734FC956C6C5BF79B7890F | |||
| 2416 | PCA646VC22.exe | C:\Users\admin\AppData\Local\Temp\pftFBE5~tmp\Setup.exe | executable | |
MD5:1E013F8D89F59CE39C7FA9BC8BD3A166 | SHA256:A6D2F8B9173FD43F03AABFF0B8CC3FADBD0B15224BCBE5F562A32158A297B502 | |||
| 2416 | PCA646VC22.exe | C:\Users\admin\AppData\Local\Temp\pftFBE5~tmp\_ISDel.exe | executable | |
MD5:17B2090FB102634BD1324342933856D3 | SHA256:6809453E3937309E8AB4D4089DFAF1AE7C7D2EF195DD0B7646303FB6ABEB87DA | |||
| 2416 | PCA646VC22.exe | C:\Users\admin\AppData\Local\Temp\pftFBE5~tmp\lang.dat | text | |
MD5:CCCAAE5C8A23EAE65DF80531A235F6E8 | SHA256:04F46E56C0D16ED246779698631DD28E81EA0A9D30F8BD9025A7B9996A9E562D | |||
| 2416 | PCA646VC22.exe | C:\Users\admin\AppData\Local\Temp\pftFBE5~tmp\os.dat | text | |
MD5:478F65A0B922B6BA0A6CE99E1D15C336 | SHA256:BE2292517342DE82D50CEFBACB185E36558FCDFBF686692E7DF08A80331F9BEE | |||
| 2416 | PCA646VC22.exe | C:\Users\admin\AppData\Local\Temp\pftFBE5~tmp\_Setup.dll | executable | |
MD5:ECACC9AB09D7E8898799FE5C4EBBBDD2 | SHA256:1AD637E80A25F6F885604589056814D16CCAD55699BE14920E2B99F2D74C1019 | |||
| 2416 | PCA646VC22.exe | C:\Users\admin\AppData\Local\Temp\pftFBE5~tmp\_sys1.cab | compressed | |
MD5:058DAA069D70E3246747E43DEA95C1D7 | SHA256:EDF07A5C4B50C4BC94496C55FFC78FD132C2375647B47584BC394047002E3608 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |