analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

na.exe

Full analysis: https://app.any.run/tasks/c6b59a5b-2027-40d4-bba9-05b9bd459883
Verdict: Malicious activity
Analysis date: May 15, 2019, 14:16:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

ED74E277414E5E269959089350B40FF9

SHA1:

A720C5DAACF4BA3AFA8B9AFF094DCDC8114DA39B

SHA256:

1D7EB8F243F62E68BF8FBBA4F2DE38FE598DAB72658A350581879EE8C54C97C9

SSDEEP:

98304:5hERX3fXdv071FCgeg0nJpR6CfiSy/jPI82ShalO9BG0nOtMhA+vZf2Vn9p:5hc+fehs/jPI82S0OFnOtV4Zf2Vn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • na.exe (PID: 2592)
    • Application was dropped or rewritten from another process

      • 983b543c20e16c20e864.MSIBCAE.tmp (PID: 3124)
      • desktop_media_service.exe (PID: 2688)
      • watchdog.exe (PID: 2732)
    • Connects to CnC server

      • MsiExec.exe (PID: 3140)
      • desktop_media_service.exe (PID: 2688)
    • Loads the Task Scheduler DLL interface

      • na.exe (PID: 2592)
    • Loads the Task Scheduler COM API

      • MsiExec.exe (PID: 3032)
  • SUSPICIOUS

    • Creates files in the user directory

      • na.exe (PID: 2592)
    • Starts Microsoft Installer

      • na.exe (PID: 2592)
    • Reads Environment values

      • MsiExec.exe (PID: 1288)
      • MsiExec.exe (PID: 3140)
      • MsiExec.exe (PID: 3032)
    • Executable content was dropped or overwritten

      • na.exe (PID: 2592)
      • MSIBCAE.tmp (PID: 2312)
      • msiexec.exe (PID: 1000)
    • Checks for external IP

      • desktop_media_service.exe (PID: 2688)
    • Creates a software uninstall entry

      • desktop_media_service.exe (PID: 2688)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 1088)
  • INFO

    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 1288)
      • MsiExec.exe (PID: 3140)
      • MsiExec.exe (PID: 3032)
    • Application launched itself

      • msiexec.exe (PID: 1000)
      • chrome.exe (PID: 1088)
    • Searches for installed software

      • msiexec.exe (PID: 1000)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2568)
    • Adds / modifies Windows certificates

      • DrvInst.exe (PID: 1580)
    • Changes settings of System certificates

      • DrvInst.exe (PID: 1580)
    • Application was dropped or rewritten from another process

      • MSIBCAE.tmp (PID: 2312)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 1000)
    • Creates a software uninstall entry

      • MsiExec.exe (PID: 3140)
      • msiexec.exe (PID: 1000)
    • Creates files in the program directory

      • msiexec.exe (PID: 1000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (3.6)
.exe | Generic Win/DOS Executable (1.6)
.exe | DOS Executable Generic (1.5)

EXIF

EXE

ProductName: setup
LegalCopyright: Copyright (C)
InternalName: setup_3.6.0
FileVersion: 1
FileDescription: Installer
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Dynamic link library
FileOS: Win32
FileFlags: Debug
FileFlagsMask: 0x003f
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 1.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x121965
UninitializedDataSize: -
InitializedDataSize: 598528
CodeSize: 1505792
LinkerVersion: 14.16
PEType: PE32
TimeStamp: 2019:03:20 20:48:06+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 20-Mar-2019 19:48:06
Detected languages:
  • English - United States
Debug artifacts:
  • C:\JobRelease\win\Release\stubs\x86\ExternalUi.pdb
FileDescription: Installer
FileVersion: 1.0
InternalName: setup_3.6.0
LegalCopyright: Copyright (C)
ProductName: setup

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000118

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 20-Mar-2019 19:48:06
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LARGE_ADDRESS_AWARE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0016F82F
0x0016FA00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.44146
.rdata
0x00171000
0x0005ED8E
0x0005EE00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.5644
.data
0x001D0000
0x00007114
0x00005400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
2.10655
.rsrc
0x001D8000
0x000151C4
0x00015200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.34268
.reloc
0x001EE000
0x00018DC0
0x00018E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.56636

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.18998
1909
Latin 1 / Western European
English - United States
RT_MANIFEST
2
3.1591
9640
Latin 1 / Western European
English - United States
RT_ICON
3
3.46873
4264
Latin 1 / Western European
English - United States
RT_ICON
4
3.54157
2440
Latin 1 / Western European
English - United States
RT_ICON
5
4.01317
1128
Latin 1 / Western European
English - United States
RT_ICON
9
3.37783
1116
Latin 1 / Western European
English - United States
RT_STRING
10
3.35254
1888
Latin 1 / Western European
English - United States
RT_STRING
11
3.31743
760
Latin 1 / Western European
English - United States
RT_STRING
12
3.23118
1432
Latin 1 / Western European
English - United States
RT_STRING
13
3.35766
820
Latin 1 / Western European
English - United States
RT_STRING

Imports

KERNEL32.dll
msi.dll (delay-loaded)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
77
Monitored processes
35
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start drop and start na.exe no specs na.exe msiexec.exe msiexec.exe no specs msiexec.exe no specs vssvc.exe no specs drvinst.exe no specs msiexec.exe msibcae.tmp 983b543c20e16c20e864.msibcae.tmp no specs msiexec.exe no specs HNetCfg.FwPolicy2 no specs desktop_media_service.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs watchdog.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
980"C:\Users\admin\AppData\Local\Temp\na.exe" C:\Users\admin\AppData\Local\Temp\na.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Installer
Exit code:
3221226540
Version:
1.0
2592"C:\Users\admin\AppData\Local\Temp\na.exe" C:\Users\admin\AppData\Local\Temp\na.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
Installer
Exit code:
0
Version:
1.0
1000C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
1288C:\Windows\system32\MsiExec.exe -Embedding 43C449D615FC595E992789540E33AD5E CC:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3936"C:\Windows\system32\msiexec.exe" /i "C:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\2CF5F20\NetworkDesktopMedia.msi" AI_SETUPEXEPATH=C:\Users\admin\AppData\Local\Temp\na.exe SETUPEXEDIR=C:\Users\admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup " C:\Windows\system32\msiexec.exena.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2568C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1580DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000005D4" "000005D0"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3140C:\Windows\system32\MsiExec.exe -Embedding B99231D03CB61753D4A8DCC12944B629C:\Windows\system32\MsiExec.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2312"C:\Windows\Installer\MSIBCAE.tmp" /p="C:\Users\admin\AppData\Local\Temp\na.exe" /p="C:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\2CF5F20\NetworkDesktopMedia.msi" /p="C:\Program Files\Jetmedia\NativeDesktopMediaService" /p="" /p=""C:\Windows\Installer\MSIBCAE.tmp
msiexec.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
3124"C:\Users\admin\AppData\Local\Temp\983b543c20e16c20e864.MSIBCAE.tmp" $MlIRblznbChQCNYZKQjiNSj0_j1LSZr5QxYDtZ9q34QPEnVP3F5udIe8IpzR7dKZME6qzvZZ6cfuBQFizPgDj7yz7WBrAOCnlTUFWt1y_X7z56cK_LYzjktevxujDd7_mGAdMSwgLLhCYgLw5zmZL9KRIyV4_krc6z3lRDjidOJCF7wUQv72etV7A7TUzn9N4IF40ojv0REcRnV4rgIIMhzlxXYJSvjKXA6oEUdgb6411X22NXJYlRj5wZOp7R1i-VgckZ7rx4Q1vWoRhv-9T05H6FFSEuZSRSL0Cxz8161cjb5lTEZovRmJPbCJrgFfIfgPxdF5JvIJGXDJwUVRozZymtm-7D24MIw8jKVKqUSB5D3Ga9Gxzg1BEy6mQ-VvsydeIL1zQbT91iLnR3dKlxVt7pdRovmPRIB6QQzmhhsgyBAfQ_d2UzRZLnznOABsqA57hBNSjc0Sd_EoCX8RmMRa7t6LY7pdN464z6qRjCeYs7nfjILhLBz7tiXJxVweiKVwN4aZBzTfxHkOfeiyUnsdcXTGtzxgTNkw-nBdTCWbU90COP5-7wfYgakCTbFTVOjSsa9uLBQpM6ZEFj4KF7GcH8owNm_nfAAxJndNVYlz3oAZv0wbADMiVGQ5BSrnDsffqC3em60AVQ7aSlnEfFQh_rSjqFk_IuI2n7AeWt88R54KSXHqQL3WFBu6h7dr9RMwo8k0$C:\Users\admin\AppData\Local\Temp\983b543c20e16c20e864.MSIBCAE.tmpTrustedInstaller.exe
User:
SYSTEM
Integrity Level:
SYSTEM
Exit code:
0
Total events
1 552
Read events
1 122
Write events
0
Delete events
0

Modification events

No data
Executable files
17
Suspicious files
54
Text files
295
Unknown types
5

Dropped files

PID
Process
Filename
Type
2592na.exeC:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\2CF5F20\NetworkDesktopMedia.msi
MD5:
SHA256:
1000msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
1580DrvInst.exeC:\Windows\INF\setupapi.ev1binary
MD5:D6ADE5B9B76B92949B4FEAFF2D9571C1
SHA256:B4602377EBEADB1906A8BEC2AA531DBF930E07FA2DF861528AECC1A6878F6891
1000msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{8a687300-95a4-43a3-8172-df1d533883c1}_OnDiskSnapshotPropbinary
MD5:851E2B1B144507C59ABC040CD58A0F3A
SHA256:08E529E311EFC8F1F6EE9F9848554A2B75DA428EF958451FF67EB1E66DD5649B
1000msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:851E2B1B144507C59ABC040CD58A0F3A
SHA256:08E529E311EFC8F1F6EE9F9848554A2B75DA428EF958451FF67EB1E66DD5649B
2592na.exeC:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\holder0.aiphgmc
MD5:31A76BD10A9AA71DAAC792AAB9620A32
SHA256:140F47ECBFA7776027EBEFF81D2DA22BEB3B4E86270249040F2142C3AFBDA0C0
1580DrvInst.exeC:\Windows\INF\setupapi.ev3binary
MD5:76DCC60F78B3DFF1AE3627619074F465
SHA256:18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0
1580DrvInst.exeC:\Windows\INF\setupapi.dev.logini
MD5:F5B165204E4D4B38D398670076977881
SHA256:4FB95096C4077AE6027B83DC8048030AC4D666CBB7EF344896B66DB155A5E034
2592na.exeC:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\decoder.dllexecutable
MD5:7DBA3F67223E1DB36CCF17C010B5CEA5
SHA256:32899D4642474607AC17534BD799E3C78182FD975AB6E9F5F0DB77D52ACDC09F
2592na.exeC:\Users\admin\AppData\Local\Temp\MSI80AE.tmpexecutable
MD5:3DF1A130B263DAF320AABFC98B2F0206
SHA256:DB8CFAAFF769FA7117372E2C051A4A5E9646A20777C1C04CBF2F9A42E4799490
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
37
DNS requests
29
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3140
MsiExec.exe
POST
200
104.27.141.75:80
http://tm1.eventincoandhar.info/
US
text
152 b
malicious
2688
desktop_media_service.exe
POST
200
199.217.118.146:40000
http://ylsuest.com:40000/tickets
US
malicious
2688
desktop_media_service.exe
POST
200
104.27.141.75:80
http://sc1.eventincoandhar.info/
US
text
128 b
malicious
3140
MsiExec.exe
POST
200
199.217.118.146:40000
http://ylsuest.com:40000/tickets
US
malicious
1088
chrome.exe
GET
200
74.125.173.233:80
http://r4---sn-4g5ednz7.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=185.76.9.72&mm=28&mn=sn-4g5ednz7&ms=nvh&mt=1557929912&mv=m&pl=24&shardbypass=yes
US
crx
842 Kb
whitelisted
2688
desktop_media_service.exe
POST
200
104.27.141.75:80
http://sc1.eventincoandhar.info/
US
text
128 b
malicious
2688
desktop_media_service.exe
POST
200
104.27.141.75:80
http://sc1.eventincoandhar.info/
US
text
128 b
malicious
1088
chrome.exe
GET
302
216.58.205.238:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
502 b
whitelisted
2688
desktop_media_service.exe
POST
200
199.217.118.146:40000
http://ylsuest.com:40000/tickets
US
malicious
2688
desktop_media_service.exe
GET
200
207.38.88.89:80
http://efiwuniq.com/npcomdata.dat
US
binary
6.33 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2688
desktop_media_service.exe
185.194.141.58:80
ip-api.com
netcup GmbH
DE
unknown
2688
desktop_media_service.exe
207.38.88.89:80
efiwuniq.com
server4you Inc.
US
unknown
2688
desktop_media_service.exe
93.184.216.34:80
example.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2688
desktop_media_service.exe
8.8.8.8:53
Google Inc.
US
whitelisted
2688
desktop_media_service.exe
199.217.118.146:40000
ylsuest.com
server4you Inc.
US
malicious
104.27.141.75:80
tm1.eventincoandhar.info
Cloudflare Inc
US
shared
3140
MsiExec.exe
199.217.118.146:40000
ylsuest.com
server4you Inc.
US
malicious
2688
desktop_media_service.exe
62.138.0.98:443
Host Europe GmbH
DE
unknown
3140
MsiExec.exe
104.27.141.75:80
tm1.eventincoandhar.info
Cloudflare Inc
US
shared
3140
MsiExec.exe
104.27.140.75:80
tm1.eventincoandhar.info
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
tm1.eventincoandhar.info
  • 104.27.141.75
  • 104.27.140.75
malicious
ylsuest.com
  • 199.217.118.146
malicious
ins1.eventincoandhar.info
  • 104.27.141.75
  • 104.27.140.75
malicious
ip-api.com
  • 185.194.141.58
shared
example.com
  • 93.184.216.34
whitelisted
sc1.eventincoandhar.info
  • 104.27.141.75
  • 104.27.140.75
malicious
ss1.eventincoandhar.info
  • 104.27.141.75
  • 104.27.140.75
malicious
efiwuniq.com
  • 207.38.88.89
unknown
nthnuest.com
  • 199.217.118.146
malicious
krsewiq.com
  • 199.217.118.146
malicious

Threats

PID
Process
Class
Message
3140
MsiExec.exe
Misc activity
ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer
3140
MsiExec.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Jetmedia.A
3140
MsiExec.exe
Misc activity
ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer
2688
desktop_media_service.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup ip-api.com
2688
desktop_media_service.exe
Misc activity
ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer
2688
desktop_media_service.exe
Misc activity
ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer
2688
desktop_media_service.exe
A Network Trojan was detected
MALWARE [PTsecurity] Win32/Jetmedia.A
2688
desktop_media_service.exe
Misc activity
ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer
2688
desktop_media_service.exe
Misc activity
ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer
2688
desktop_media_service.exe
Misc activity
ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer
10 ETPRO signatures available at the full report
No debug info