analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

na.exe

Full analysis: https://app.any.run/tasks/03630374-5fd6-47ec-8d58-7d745fa3fb4b
Verdict: Malicious activity
Analysis date: May 15, 2019, 14:20:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

ED74E277414E5E269959089350B40FF9

SHA1:

A720C5DAACF4BA3AFA8B9AFF094DCDC8114DA39B

SHA256:

1D7EB8F243F62E68BF8FBBA4F2DE38FE598DAB72658A350581879EE8C54C97C9

SSDEEP:

98304:5hERX3fXdv071FCgeg0nJpR6CfiSy/jPI82ShalO9BG0nOtMhA+vZf2Vn9p:5hc+fehs/jPI82S0OFnOtV4Zf2Vn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • na.exe (PID: 2068)

    • Application was dropped or rewritten from another process

      • aa7b8d2c20e2dc20e54c.MSID67F.tmp (PID: 2836)
      • desktop_media_service.exe (PID: 2132)
      • watchdog.exe (PID: 3632)
      • desktop_media_service.exe (PID: 2380)
      • desktop_media_service.exe (PID: 1704)

    • Loads the Task Scheduler COM API

      • MsiExec.exe (PID: 3544)

    • Connects to CnC server

      • MsiExec.exe (PID: 2168)
      • desktop_media_service.exe (PID: 1704)

    • Loads the Task Scheduler DLL interface

      • na.exe (PID: 2068)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • na.exe (PID: 2068)
      • msiexec.exe (PID: 868)
      • MSID67F.tmp (PID: 1936)

    • Reads Environment values

      • MsiExec.exe (PID: 324)
      • MsiExec.exe (PID: 2168)
      • MsiExec.exe (PID: 3544)

    • Creates files in the user directory

      • na.exe (PID: 2068)

    • Starts Microsoft Installer

      • na.exe (PID: 2068)

    • Creates a software uninstall entry

      • desktop_media_service.exe (PID: 1704)

    • Reads internet explorer settings

      • mmc.exe (PID: 1656)

    • Checks for external IP

      • desktop_media_service.exe (PID: 1704)

    • Low-level read access rights to disk partition

      • msconfig.exe (PID: 3364)

  • INFO

    • Searches for installed software

      • msiexec.exe (PID: 868)

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3352)

    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 324)
      • MsiExec.exe (PID: 2168)
      • MsiExec.exe (PID: 3544)

    • Adds / modifies Windows certificates

      • DrvInst.exe (PID: 3668)

    • Changes settings of System certificates

      • DrvInst.exe (PID: 3668)

    • Application was dropped or rewritten from another process

      • MSID67F.tmp (PID: 1936)

    • Application launched itself

      • msiexec.exe (PID: 868)

    • Creates files in the program directory

      • msiexec.exe (PID: 868)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 868)

    • Creates a software uninstall entry

      • MsiExec.exe (PID: 2168)
      • msiexec.exe (PID: 868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

ProductName: setup
LegalCopyright: Copyright (C)
InternalName: setup_3.6.0
FileVersion: 1
FileDescription: Installer
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Dynamic link library
FileOS: Win32
FileFlags: Debug
FileFlagsMask: 0x003f
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x121965
UninitializedDataSize: -
InitializedDataSize: 598528
CodeSize: 1505792
LinkerVersion: 14.16
PEType: PE32
TimeStamp: 2019:03:20 20:48:06+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 20-Mar-2019 19:48:06
Detected languages:
  • English - United States
Debug artifacts:
  • C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb
FileDescription: Installer
FileVersion: 1.0
InternalName: setup_3.6.0
LegalCopyright: Copyright (C)
ProductName: setup

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000118

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 20-Mar-2019 19:48:06
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0016F82F
0x0016FA00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.44146
.rdata
0x00171000
0x0005ED8E
0x0005EE00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.5644
.data
0x001D0000
0x00007114
0x00005400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.10655
.rsrc
0x001D8000
0x000151C4
0x00015200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.34268
.reloc
0x001EE000
0x00018DC0
0x00018E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.56636

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.18998
1909
Latin 1 / Western European
English - United States
RT_MANIFEST
2
3.1591
9640
Latin 1 / Western European
English - United States
RT_ICON
3
3.46873
4264
Latin 1 / Western European
English - United States
RT_ICON
4
3.54157
2440
Latin 1 / Western European
English - United States
RT_ICON
5
4.01317
1128
Latin 1 / Western European
English - United States
RT_ICON
9
3.37783
1116
Latin 1 / Western European
English - United States
RT_STRING
10
3.35254
1888
Latin 1 / Western European
English - United States
RT_STRING
11
3.31743
760
Latin 1 / Western European
English - United States
RT_STRING
12
3.23118
1432
Latin 1 / Western European
English - United States
RT_STRING
13
3.35766
820
Latin 1 / Western European
English - United States
RT_STRING

Imports

KERNEL32.dll
msi.dll (delay-loaded)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
72
Monitored processes
21
Malicious processes
5
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start na.exe no specs na.exe msiexec.exe msiexec.exe no specs msiexec.exe no specs vssvc.exe no specs drvinst.exe no specs msiexec.exe msid67f.tmp aa7b8d2c20e2dc20e54c.msid67f.tmp no specs msiexec.exe no specs HNetCfg.FwPolicy2 no specs desktop_media_service.exe msconfig.exe no specs msconfig.exe desktop_media_service.exe no specs watchdog.exe no specs desktop_media_service.exe no specs taskmgr.exe no specs mmc.exe no specs mmc.exe

Process information

PID
CMD
Path
Indicators
Parent process
2060"C:\Users\admin\AppData\Local\Temp\na.exe" C:\Users\admin\AppData\Local\Temp\na.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Installer
Exit code:
3221226540
Version:
1.0
2068"C:\Users\admin\AppData\Local\Temp\na.exe" C:\Users\admin\AppData\Local\Temp\na.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Installer
Exit code:
0
Version:
1.0
868C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
324C:\Windows\system32\MsiExec.exe -Embedding 49B2DCA73881A45FB1FCC48934DDD043 CC:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2540"C:\Windows\system32\msiexec.exe" /i "C:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\2CF5F20\NetworkDesktopMedia.msi" AI_SETUPEXEPATH=C:\Users\admin\AppData\Local\Temp\na.exe SETUPEXEDIR=C:\Users\admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup " C:\Windows\system32\msiexec.exena.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3352C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3668DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000005D4" "000005D0"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2168C:\Windows\system32\MsiExec.exe -Embedding 741C57D0CF1B51D76317854E85C1BA03C:\Windows\system32\MsiExec.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
1936"C:\Windows\Installer\MSID67F.tmp" /p="C:\Users\admin\AppData\Local\Temp\na.exe" /p="C:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\2CF5F20\NetworkDesktopMedia.msi" /p="C:\Program Files\Jetmedia\NativeDesktopMediaService" /p="" /p=""C:\Windows\Installer\MSID67F.tmp
msiexec.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
2836"C:\Users\admin\AppData\Local\Temp\aa7b8d2c20e2dc20e54c.MSID67F.tmp" $MlIRblznbChQCNYZKQjiNSj0_j1LSZr5Qf_B3jaq34QPEnVP3F5udIe8IpzR7dKZME6qzvZZ6cfuBQFizPgDj7yz7WBrANWqQ2nFWt1y_X7z56cK_LYzjktevxujDd7_mGAdMSwgLLhCYgLw5zmZL9KRIyV4_krc6z3lRDjidOJCF7wUQv72etV7A7TUzn9N4IF40ojv0REcRnV4rgIIMhzlxXYJSvjKXA6lEUnMb6411X22NXJYlRj5wZOp7R1i-VgckZ7rx4Q1vWoRhv-9T05H6FFSEuZSRSL0Cxz8161cjb5lTEZovRmJPbCJrgFfIfgPxdF5JvIJGXDJwUVRozZymtm-7D24MIw8jKVKqUSB5D3Ga9Gxzg1BEy6mQ-VvsydeIL1zQbT91iLnR3dKlxVt7pdRovmPRIB6QQzqGpLgGKAfQ_d2UzRZLnznOABsqA57hBNSjc0Sd_EoCX8RmMRa7t6LY7pdN464z6qRjCeYs7nfjILhLBz7tiXJxVweiKVwN4aZBzTfxHkOfeiyUnsdcXTGtzxgTNkw-nBdTCWbU90COP5-7wfYgakCTbFTVOjSsa9uLBQpM6ZEFj4KF7GcH8owNm_nfAAxJndNVYlz3oAZv0wbADMiVGQ5BSrnDsffqC3em60AVQ7aSlnEfFQh_rSjqFk_IuI2n7AeWt88R54KSXHqQL3WFBu6h7dr9RMwo8k0$C:\Users\admin\AppData\Local\Temp\aa7b8d2c20e2dc20e54c.MSID67F.tmpTrustedInstaller.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Total events
1 145
Read events
802
Write events
0
Delete events
0

Modification events

No data
Executable files
16
Suspicious files
9
Text files
126
Unknown types
1

Dropped files

PID
Process
Filename
Type
2068na.exeC:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\2CF5F20\NetworkDesktopMedia.msi
MD5:
SHA256:
2068na.exeC:\Users\admin\AppData\Local\Temp\MSI8550.tmp
MD5:
SHA256:
868msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
868msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:35C7E687DC39CD319965DFDF643439B3
SHA256:72EDC3DC4E23F42369D90FFC30343C578FDF090F1909D9E8DFE165CF106C5F0A
3668DrvInst.exeC:\Windows\INF\setupapi.ev3binary
MD5:76DCC60F78B3DFF1AE3627619074F465
SHA256:18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0
868msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{8a687300-95a4-43a3-8172-df1d533883c1}_OnDiskSnapshotPropbinary
MD5:35C7E687DC39CD319965DFDF643439B3
SHA256:72EDC3DC4E23F42369D90FFC30343C578FDF090F1909D9E8DFE165CF106C5F0A
3668DrvInst.exeC:\Windows\INF\setupapi.dev.logini
MD5:B790CD773DD3C810043564709B9FA5B8
SHA256:6C65C4CA2E4EBFE602582178F75F04A1E061639BFE40843568C58A1D13F6F61F
3668DrvInst.exeC:\Windows\INF\setupapi.ev1binary
MD5:C975141FA0F736986110168C337C8926
SHA256:33850CF686D1EA827A94B85FBCC35170A92FBB427DB3F738975C2539D604E716
2068na.exeC:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\holder0.aiphgmc
MD5:31A76BD10A9AA71DAAC792AAB9620A32
SHA256:140F47ECBFA7776027EBEFF81D2DA22BEB3B4E86270249040F2142C3AFBDA0C0
2068na.exeC:\Users\admin\AppData\Local\Temp\MSI861C.tmpexecutable
MD5:3DF1A130B263DAF320AABFC98B2F0206
SHA256:DB8CFAAFF769FA7117372E2C051A4A5E9646A20777C1C04CBF2F9A42E4799490
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
22
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1704
desktop_media_service.exe
POST
200
104.27.140.75:80
http://sc1.eventincoandhar.info/
US
text
128 b
malicious
1704
desktop_media_service.exe
GET
200
207.38.88.89:80
http://efiwuniq.com/npcomdata.dat
US
binary
6.33 Kb
unknown
1704
desktop_media_service.exe
POST
200
104.27.140.75:80
http://sc1.eventincoandhar.info/
US
text
128 b
malicious
1704
desktop_media_service.exe
POST
200
104.27.140.75:80
http://ss1.eventincoandhar.info/
US
text
128 b
malicious
2168
MsiExec.exe
POST
200
199.217.118.146:40000
http://knsemis.com:40000/tickets
US
malicious
1704
desktop_media_service.exe
POST
200
199.217.118.146:40000
http://ylsuest.com:40000/tickets
US
malicious
1704
desktop_media_service.exe
POST
200
104.27.140.75:80
http://sc1.eventincoandhar.info/
US
text
128 b
malicious
1704
desktop_media_service.exe
POST
200
104.27.140.75:80
http://sc1.eventincoandhar.info/
US
text
128 b
malicious
2168
MsiExec.exe
POST
200
104.27.140.75:80
http://tm1.eventincoandhar.info/
US
text
152 b
malicious
2168
MsiExec.exe
POST
200
104.27.140.75:80
http://ins1.eventincoandhar.info/
US
text
128 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1704
desktop_media_service.exe
185.194.141.58:80
ip-api.com
netcup GmbH
DE
unknown
1704
desktop_media_service.exe
104.27.140.75:80
tm1.eventincoandhar.info
Cloudflare Inc
US
shared
2168
MsiExec.exe
104.27.140.75:80
tm1.eventincoandhar.info
Cloudflare Inc
US
shared
1704
desktop_media_service.exe
93.184.216.34:80
example.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1704
desktop_media_service.exe
209.126.117.38:443
server4you Inc.
US
unknown
1704
desktop_media_service.exe
199.217.118.146:40000
knsemis.com
server4you Inc.
US
malicious
1704
desktop_media_service.exe
207.38.88.89:80
efiwuniq.com
server4you Inc.
US
unknown
2168
MsiExec.exe
199.217.118.146:40000
knsemis.com
server4you Inc.
US
malicious
1704
desktop_media_service.exe
8.8.8.8:53
Google Inc.
US
whitelisted
2168
MsiExec.exe
104.27.141.75:80
tm1.eventincoandhar.info
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
tm1.eventincoandhar.info
  • 104.27.140.75
  • 104.27.141.75
malicious
knsemis.com
  • 199.217.118.146
malicious
ins1.eventincoandhar.info
  • 104.27.140.75
  • 104.27.141.75
malicious
ip-api.com
  • 185.194.141.58
shared
example.com
  • 93.184.216.34
whitelisted
sc1.eventincoandhar.info
  • 104.27.140.75
  • 104.27.141.75
malicious
ss1.eventincoandhar.info
  • 104.27.140.75
  • 104.27.141.75
malicious
ylsuest.com
  • 199.217.118.146
malicious
efiwuniq.com
  • 207.38.88.89
unknown
krsewiq.com
  • 199.217.118.146
malicious

Threats

PID
Process
Class
Message
2168
MsiExec.exe
Misc activity
ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer
2168
MsiExec.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Jetmedia.A
2168
MsiExec.exe
Misc activity
ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer
1704
desktop_media_service.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup ip-api.com
1704
desktop_media_service.exe
Misc activity
ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer
1704
desktop_media_service.exe
Misc activity
ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer
1704
desktop_media_service.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Jetmedia.A
1704
desktop_media_service.exe
Misc activity
ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer
1704
desktop_media_service.exe
Misc activity
ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer
1704
desktop_media_service.exe
Misc activity
ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer
10 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
na.exe