File name: 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0

Full analysis: https://app.any.run/tasks/f641fcbb-b53e-4abe-9e55-ac472aae252a
Verdict: Malicious activity
Analysis date: December 06, 2022, 03:09:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 519BE4854BF61C1199C50974B74FF3F5
SHA1: 7AE6AB717D2E44FB02F493FBD2ED1DE9FC5D7050
SHA256: 1C749421CFF2C00B4D18E08EEACFB970A3D2FE4636B324BEC711A172C0A487B0
SSDEEP: 12288:pljDkWrnvA1/hEcya1p07k2GNehSQ2okRDVbaehj/CD:pVDjrvwlyaBJsYxouDcehrCD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID: 3204)
    • Changes the autorun value in the registry

      • MonitorFPKPVer.exe (PID: 3200)
    • Application was dropped or rewritten from another process

      • MonitorFPKPVer.exe (PID: 3200)
  • SUSPICIOUS

    • Drops a file with too old compile date

      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID: 3204)
    • Executable content was dropped or overwritten

      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID: 3204)
    • Reads the Windows owner or organization settings

      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID: 3204)
    • Reads the Internet Settings

      • MonitorFPKPVer.exe (PID: 3200)
  • INFO

    • Checks supported languages

      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID: 3204)
      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe (PID: 2988)
      • MonitorFPKPVer.exe (PID: 3200)
    • Reads the computer name

      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID: 3204)
      • MonitorFPKPVer.exe (PID: 3200)
    • Drops a file that was compiled in debug mode

      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID: 3204)
    • Loads dropped or rewritten executable

      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID: 3204)
    • Application was dropped or rewritten from another process

      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID: 3204)
    • Reads Environment values

      • MonitorFPKPVer.exe (PID: 3200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (71.1)
.exe | Win32 Executable Delphi generic (9.1)
.scr | Windows screen saver (8.4)
.dll | Win32 Dynamic Link Library (generic) (4.2)
.exe | Win32 Executable (generic) (2.9)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 1992-Jun-19 22:22:17
Detected languages:
  • Chinese - PRC
  • Dutch - Netherlands
  • English - United States
Comments: 此安装程序由 Inno Setup 构建。 (This installer was built by Inno Setup.)
CompanyName: 深圳航天信息有限公司
FileDescription: MonitorFPKPVer.exe
FileVersion: 1.0.21.1230
LegalCopyright: 2018 深圳航信
ProductName: MonitorFPKPVer
ProductVersion: 1.0.21.1230

DOS Header

e_magic: MZ
e_cblp: 80
e_cp: 2
e_crlc: 0
e_cparhdr: 4
e_minalloc: 15
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 26
e_oemid: 0
e_oeminfo: 0
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 8
TimeDateStamp: 1992-Jun-19 22:22:17
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name   | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
CODE   | 4096  | 41828 | 41984 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.70808
DATA   | 49152 | 592   | 1024  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.75232
BSS    | 53248 | 3720  | 0     | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.idata | 57344 | 2380  | 2560  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.42897
.tls   | 61440 | 8     | 0     | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rdata | 65536 | 24    | 512   | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 0.190489
.reloc | 69632 | 2244  | 0     | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED |
.rsrc  | 73728 | 9555  | 9728  | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_SHARED | 4.99151

Resources

Title | Entropy | Size | Codepage | Language | Type
1     | 3.25755 | 296  | UNKNOWN  | Dutch - Netherlands | RT_ICON
2     | 3.47151 | 1384 | UNKNOWN  | Dutch - Netherlands | RT_ICON
3     | 3.91708 | 744  | UNKNOWN  | Dutch - Netherlands | RT_ICON
4     | 3.91366 | 2216 | UNKNOWN  | Dutch - Netherlands | RT_ICON
4089  | 5.50613 | 322  | UNKNOWN  | UNKNOWN | RT_STRING
4090  | 5.62693 | 278  | UNKNOWN  | UNKNOWN | RT_STRING
4091  | 5.87174 | 254  | UNKNOWN  | UNKNOWN | RT_STRING
4093  | 2.86149 | 104  | UNKNOWN  | UNKNOWN | RT_STRING
4094  | 3.20731 | 180  | UNKNOWN  | UNKNOWN | RT_STRING
4095  | 3.04592 | 174  | UNKNOWN  | UNKNOWN | RT_STRING

Imports

advapi32.dll
advapi32.dll (#2)
comctl32.dll
kernel32.dll
kernel32.dll (#2)
oleaut32.dll
user32.dll
user32.dll (#2)
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process tree (parent/child relations as recorded in the process information below):
  • Explorer.EXE
    • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe (PID 1580, no specs)
    • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe (PID 2988)
      • 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp (PID 3204, drop and start)
        • monitorfpkpver.exe (PID 3200, drop and start)

Process information

PID: 1580
CMD: "C:\Users\admin\AppData\Local\Temp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe"
Path: C:\Users\admin\AppData\Local\Temp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe
Parent process: Explorer.EXE
User: admin
Company: 深圳航天信息有限公司
Integrity Level: MEDIUM
Description: MonitorFPKPVer.exe
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.0.21.1230
Modules (images):
  • c:\users\admin\appdata\local\temp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe
  • c:\windows\system32\ntdll.dll

PID: 2988
CMD: "C:\Users\admin\AppData\Local\Temp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe"
Path: C:\Users\admin\AppData\Local\Temp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe
Parent process: Explorer.EXE
User: admin
Company: 深圳航天信息有限公司
Integrity Level: HIGH
Description: MonitorFPKPVer.exe
Exit code: 0
Version: 1.0.21.1230
Modules (images):
  • c:\users\admin\appdata\local\temp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll

PID: 3204
CMD: "C:\Users\admin\AppData\Local\Temp\is-676AO.tmp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp" /SL5="$60198,258993,56832,C:\Users\admin\AppData\Local\Temp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-676AO.tmp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp
Parent process: 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe
User: admin
Integrity Level: HIGH
Description: 安装/卸载 (Install/Uninstall)
Exit code: 0
Version: 51.52.0.0
Modules (images):
  • c:\users\admin\appdata\local\temp\is-676ao.tmp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\ole32.dll

PID: 3200
CMD: "C:\MonitorFPKPVer\Run\MonitorFPKPVer.exe" Wait
Path: C:\MonitorFPKPVer\Run\MonitorFPKPVer.exe
Parent process: 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp
User: admin
Integrity Level: HIGH
Description: MonitorFPKPVer
Version: 1.0.21.1230
Modules (images):
  • c:\monitorfpkpver\run\monitorfpkpver.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 524
Read events: 500
Write events: 18
Delete events: 6

Modification events

All events below were performed by (PID 3204) 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp on the key HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000.

Operation    | Name         | Value
write        | Owner        | 840C000012C1C2382009D901
write        | SessionHash  | FBC4213FBA97769CD959B08D92CCA80DE0E462E39F40736F28FB3CC14E094716
write        | Sequence     | 1
write        | RegFiles0000 | C:\MonitorFPKPVer\Run\MonitorFPKPVer.exe
write        | RegFilesHash | 30D7D57A3ABBC5CED12BC4C93415754910E30AF648A74D11635A48855799C0B5
delete value | RegFilesHash | 30D7D57A3ABBC5CED12BC4C93415754910E30AF648A74D11635A48855799C0B5
delete value | RegFiles0000 | C:\MonitorFPKPVer\Run\MonitorFPKPVer.exe
delete value | Sequence     | 1
delete value | SessionHash  | FBC4213FBA97769CD959B08D92CCA80DE0E462E39F40736F28FB3CC14E094716
delete value | Owner        | 840C000012C1C2382009D901
Executable files: 11
Suspicious files: 0
Text files: 3
Unknown types: 0

Dropped files

PID: 3204 | Process: 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-2RUHU.tmp\IsTaskEx.dll
Type: executable
MD5: C42DC406FE541F9801F1F27ECB9864A8
SHA256: 5A7ECE17CA1F0AB3266F5CE01EDAA76A093744C7F507DEDFB8AA6AC1F714FDDA

PID: 3204 | Process: 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp
Filename: C:\Users\admin\AppData\Local\Temp\is-2RUHU.tmp\_isetup\_shfoldr.dll
Type: executable
MD5: 92DC6EF532FBB4A5C3201469A5B5EB63
SHA256: 9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87

PID: 3204 | Process: 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp
Filename: C:\MonitorFPKPVer\Run\is-TUMNB.tmp
Type: executable
MD5: 70ECB43C490ED5B16DAFAFF662BF7653
SHA256: B4CBA17E1123333356BF7E80A20E3ADFFD8EC335C14DA1A249D1B10F3D7CFD0B

PID: 3204 | Process: 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp
Filename: C:\MonitorFPKPVer\Run\is-3JVR4.tmp
Type: executable
MD5: DD0CCA1A7B55EC57A999F51845064941
SHA256: 3D3574E5190D9C2ECCFB8258D0478936D4F4B1ABEF48D2D787C90EFAFAC82F48

PID: 3204 | Process: 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp
Filename: C:\MonitorFPKPVer\Run\MonitorFPKPVer.exe
Type: executable
MD5: DD0CCA1A7B55EC57A999F51845064941
SHA256: 3D3574E5190D9C2ECCFB8258D0478936D4F4B1ABEF48D2D787C90EFAFAC82F48

PID: 3204 | Process: 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp
Filename: C:\MonitorFPKPVer\Run\ICSharpCode.SharpZipLib.dll
Type: executable
MD5: 70ECB43C490ED5B16DAFAFF662BF7653
SHA256: B4CBA17E1123333356BF7E80A20E3ADFFD8EC335C14DA1A249D1B10F3D7CFD0B

PID: 2988 | Process: 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.exe
Filename: C:\Users\admin\AppData\Local\Temp\is-676AO.tmp\1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp
Type: executable
MD5: E470DC0989B8713EA215450228E0C714
SHA256: 838CB7D51005265C61F14D9F22281903A8BD8B0BAC134B9EE0CB42DCBE7D0635

PID: 3204 | Process: 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp
Filename: C:\MonitorFPKPVer\Run\is-L73BM.tmp
Type: executable
MD5: 7E1B749EB09C62748DF22EB61756EF7D
SHA256: 767F30AC2372F1C350307BE7D4900CA3A85EAD4065B9A68234045C9BAF775D89

PID: 3204 | Process: 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp
Filename: C:\MonitorFPKPVer\Run\is-0UDLL.tmp
Type: executable
MD5: 22D17D02CA0C5BD9ECA14C2F9B216C47
SHA256: 2ABD39E50FE45774F9CA687006A0BE6C7C5FA66E04E5E41B561869A002C2C0D1

PID: 3204 | Process: 1c749421cff2c00b4d18e08eeacfb970a3d2fe4636b324bec711a172c0a487b0.tmp
Filename: C:\MonitorFPKPVer\Run\MonitorFPKPVer.exe.config
Type: xml
MD5: FEB8A12F54CDBCA11133449147E40B28
SHA256: B115CF3BC35C222B952386A332BB3B827C6DCB48FA0A12BB3A8AC4E9B334C5F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID  | Process            | Method | HTTP Code | IP               | URL | CN | Type | Size | Reputation
3200 | MonitorFPKPVer.exe | GET    |           | 119.147.23.75:80 | http://update.szhtxx.com.cn/Upgrade/UpgradeApp/MonitorFPKP/updateVerEx.ini | CN |  |  | unknown

Connections

PID  | Process            | IP               | Domain               | ASN      | CN | Reputation
3200 | MonitorFPKPVer.exe | 119.147.23.75:80 | update.szhtxx.com.cn | Chinanet | CN | unknown

DNS requests

Domain               | IP            | Reputation
update.szhtxx.com.cn | 119.147.23.75 | unknown

Threats

No threats detected
No debug info