File name: | na.exe |
Full analysis: | https://app.any.run/tasks/c6b59a5b-2027-40d4-bba9-05b9bd459883 |
Verdict: | Malicious activity |
Analysis date: | May 15, 2019, 14:16:51 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | ED74E277414E5E269959089350B40FF9 |
SHA1: | A720C5DAACF4BA3AFA8B9AFF094DCDC8114DA39B |
SHA256: | 1D7EB8F243F62E68BF8FBBA4F2DE38FE598DAB72658A350581879EE8C54C97C9 |
SSDEEP: | 98304:5hERX3fXdv071FCgeg0nJpR6CfiSy/jPI82ShalO9BG0nOtMhA+vZf2Vn9p:5hc+fehs/jPI82S0OFnOtV4Zf2Vn |
.exe | | | Win32 Executable (generic) (3.6) |
---|---|---|
.exe | | | Generic Win/DOS Executable (1.6) |
.exe | | | DOS Executable Generic (1.5) |
ProductName: | setup |
---|---|
LegalCopyright: | Copyright (C) |
InternalName: | setup_3.6.0 |
FileVersion: | 1 |
FileDescription: | Installer |
CharacterSet: | Unicode |
LanguageCode: | English (U.S.) |
FileSubtype: | - |
ObjectFileType: | Dynamic link library |
FileOS: | Win32 |
FileFlags: | Debug |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 0.0.0.0 |
FileVersionNumber: | 1.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 5.1 |
ImageVersion: | - |
OSVersion: | 5.1 |
EntryPoint: | 0x121965 |
UninitializedDataSize: | - |
InitializedDataSize: | 598528 |
CodeSize: | 1505792 |
LinkerVersion: | 14.16 |
PEType: | PE32 |
TimeStamp: | 2019:03:20 20:48:06+01:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 20-Mar-2019 19:48:06 |
Detected languages: |
|
Debug artifacts: |
|
FileDescription: | Installer |
FileVersion: | 1.0 |
InternalName: | setup_3.6.0 |
LegalCopyright: | Copyright (C) |
ProductName: | setup |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0090 |
Pages in file: | 0x0003 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x0000 |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x0000 |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000118 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 5 |
Time date stamp: | 20-Mar-2019 19:48:06 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0016F82F | 0x0016FA00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.44146 |
.rdata | 0x00171000 | 0x0005ED8E | 0x0005EE00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.5644 |
.data | 0x001D0000 | 0x00007114 | 0x00005400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.10655 |
.rsrc | 0x001D8000 | 0x000151C4 | 0x00015200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.34268 |
.reloc | 0x001EE000 | 0x00018DC0 | 0x00018E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.56636 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.18998 | 1909 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 3.1591 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 3.46873 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 3.54157 | 2440 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 4.01317 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
9 | 3.37783 | 1116 | Latin 1 / Western European | English - United States | RT_STRING |
10 | 3.35254 | 1888 | Latin 1 / Western European | English - United States | RT_STRING |
11 | 3.31743 | 760 | Latin 1 / Western European | English - United States | RT_STRING |
12 | 3.23118 | 1432 | Latin 1 / Western European | English - United States | RT_STRING |
13 | 3.35766 | 820 | Latin 1 / Western European | English - United States | RT_STRING |
KERNEL32.dll |
msi.dll (delay-loaded) |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
980 | "C:\Users\admin\AppData\Local\Temp\na.exe" | C:\Users\admin\AppData\Local\Temp\na.exe | — | explorer.exe |
User: admin Integrity Level: MEDIUM Description: Installer Exit code: 3221226540 Version: 1.0 | ||||
2592 | "C:\Users\admin\AppData\Local\Temp\na.exe" | C:\Users\admin\AppData\Local\Temp\na.exe | explorer.exe | |
User: admin Integrity Level: HIGH Description: Installer Exit code: 0 Version: 1.0 | ||||
1000 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
1288 | C:\Windows\system32\MsiExec.exe -Embedding 43C449D615FC595E992789540E33AD5E C | C:\Windows\system32\MsiExec.exe | — | msiexec.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
3936 | "C:\Windows\system32\msiexec.exe" /i "C:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\2CF5F20\NetworkDesktopMedia.msi" AI_SETUPEXEPATH=C:\Users\admin\AppData\Local\Temp\na.exe SETUPEXEDIR=C:\Users\admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup " | C:\Windows\system32\msiexec.exe | — | na.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2568 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1580 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000005D4" "000005D0" | C:\Windows\system32\DrvInst.exe | — | svchost.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3140 | C:\Windows\system32\MsiExec.exe -Embedding B99231D03CB61753D4A8DCC12944B629 | C:\Windows\system32\MsiExec.exe | msiexec.exe | |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
2312 | "C:\Windows\Installer\MSIBCAE.tmp" /p="C:\Users\admin\AppData\Local\Temp\na.exe" /p="C:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\2CF5F20\NetworkDesktopMedia.msi" /p="C:\Program Files\Jetmedia\NativeDesktopMediaService" /p="" /p="" | C:\Windows\Installer\MSIBCAE.tmp | msiexec.exe | |
User: admin Integrity Level: HIGH Exit code: 0 | ||||
3124 | "C:\Users\admin\AppData\Local\Temp\983b543c20e16c20e864.MSIBCAE.tmp" $MlIRblznbChQCNYZKQjiNSj0_j1LSZr5QxYDtZ9q34QPEnVP3F5udIe8IpzR7dKZME6qzvZZ6cfuBQFizPgDj7yz7WBrAOCnlTUFWt1y_X7z56cK_LYzjktevxujDd7_mGAdMSwgLLhCYgLw5zmZL9KRIyV4_krc6z3lRDjidOJCF7wUQv72etV7A7TUzn9N4IF40ojv0REcRnV4rgIIMhzlxXYJSvjKXA6oEUdgb6411X22NXJYlRj5wZOp7R1i-VgckZ7rx4Q1vWoRhv-9T05H6FFSEuZSRSL0Cxz8161cjb5lTEZovRmJPbCJrgFfIfgPxdF5JvIJGXDJwUVRozZymtm-7D24MIw8jKVKqUSB5D3Ga9Gxzg1BEy6mQ-VvsydeIL1zQbT91iLnR3dKlxVt7pdRovmPRIB6QQzmhhsgyBAfQ_d2UzRZLnznOABsqA57hBNSjc0Sd_EoCX8RmMRa7t6LY7pdN464z6qRjCeYs7nfjILhLBz7tiXJxVweiKVwN4aZBzTfxHkOfeiyUnsdcXTGtzxgTNkw-nBdTCWbU90COP5-7wfYgakCTbFTVOjSsa9uLBQpM6ZEFj4KF7GcH8owNm_nfAAxJndNVYlz3oAZv0wbADMiVGQ5BSrnDsffqC3em60AVQ7aSlnEfFQh_rSjqFk_IuI2n7AeWt88R54KSXHqQL3WFBu6h7dr9RMwo8k0$ | C:\Users\admin\AppData\Local\Temp\983b543c20e16c20e864.MSIBCAE.tmp | — | TrustedInstaller.exe |
User: SYSTEM Integrity Level: SYSTEM Exit code: 0 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2592 | na.exe | C:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\2CF5F20\NetworkDesktopMedia.msi | — | |
MD5:— | SHA256:— | |||
1000 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
1580 | DrvInst.exe | C:\Windows\INF\setupapi.ev1 | binary | |
MD5:D6ADE5B9B76B92949B4FEAFF2D9571C1 | SHA256:B4602377EBEADB1906A8BEC2AA531DBF930E07FA2DF861528AECC1A6878F6891 | |||
1000 | msiexec.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{8a687300-95a4-43a3-8172-df1d533883c1}_OnDiskSnapshotProp | binary | |
MD5:851E2B1B144507C59ABC040CD58A0F3A | SHA256:08E529E311EFC8F1F6EE9F9848554A2B75DA428EF958451FF67EB1E66DD5649B | |||
1000 | msiexec.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:851E2B1B144507C59ABC040CD58A0F3A | SHA256:08E529E311EFC8F1F6EE9F9848554A2B75DA428EF958451FF67EB1E66DD5649B | |||
2592 | na.exe | C:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\holder0.aiph | gmc | |
MD5:31A76BD10A9AA71DAAC792AAB9620A32 | SHA256:140F47ECBFA7776027EBEFF81D2DA22BEB3B4E86270249040F2142C3AFBDA0C0 | |||
1580 | DrvInst.exe | C:\Windows\INF\setupapi.ev3 | binary | |
MD5:76DCC60F78B3DFF1AE3627619074F465 | SHA256:18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0 | |||
1580 | DrvInst.exe | C:\Windows\INF\setupapi.dev.log | ini | |
MD5:F5B165204E4D4B38D398670076977881 | SHA256:4FB95096C4077AE6027B83DC8048030AC4D666CBB7EF344896B66DB155A5E034 | |||
2592 | na.exe | C:\Users\admin\AppData\Roaming\Jetmedia\NativeDesktopMediaService 3.6.0\install\decoder.dll | executable | |
MD5:7DBA3F67223E1DB36CCF17C010B5CEA5 | SHA256:32899D4642474607AC17534BD799E3C78182FD975AB6E9F5F0DB77D52ACDC09F | |||
2592 | na.exe | C:\Users\admin\AppData\Local\Temp\MSI80AE.tmp | executable | |
MD5:3DF1A130B263DAF320AABFC98B2F0206 | SHA256:DB8CFAAFF769FA7117372E2C051A4A5E9646A20777C1C04CBF2F9A42E4799490 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3140 | MsiExec.exe | POST | 200 | 104.27.141.75:80 | http://tm1.eventincoandhar.info/ | US | text | 152 b | malicious |
2688 | desktop_media_service.exe | POST | 200 | 199.217.118.146:40000 | http://ylsuest.com:40000/tickets | US | — | — | malicious |
2688 | desktop_media_service.exe | POST | 200 | 104.27.141.75:80 | http://sc1.eventincoandhar.info/ | US | text | 128 b | malicious |
3140 | MsiExec.exe | POST | 200 | 199.217.118.146:40000 | http://ylsuest.com:40000/tickets | US | — | — | malicious |
1088 | chrome.exe | GET | 200 | 74.125.173.233:80 | http://r4---sn-4g5ednz7.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=185.76.9.72&mm=28&mn=sn-4g5ednz7&ms=nvh&mt=1557929912&mv=m&pl=24&shardbypass=yes | US | crx | 842 Kb | whitelisted |
2688 | desktop_media_service.exe | POST | 200 | 104.27.141.75:80 | http://sc1.eventincoandhar.info/ | US | text | 128 b | malicious |
2688 | desktop_media_service.exe | POST | 200 | 104.27.141.75:80 | http://sc1.eventincoandhar.info/ | US | text | 128 b | malicious |
1088 | chrome.exe | GET | 302 | 216.58.205.238:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 502 b | whitelisted |
2688 | desktop_media_service.exe | POST | 200 | 199.217.118.146:40000 | http://ylsuest.com:40000/tickets | US | — | — | malicious |
2688 | desktop_media_service.exe | GET | 200 | 207.38.88.89:80 | http://efiwuniq.com/npcomdata.dat | US | binary | 6.33 Kb | unknown |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2688 | desktop_media_service.exe | 185.194.141.58:80 | ip-api.com | netcup GmbH | DE | unknown |
2688 | desktop_media_service.exe | 207.38.88.89:80 | efiwuniq.com | server4you Inc. | US | unknown |
2688 | desktop_media_service.exe | 93.184.216.34:80 | example.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2688 | desktop_media_service.exe | 8.8.8.8:53 | — | Google Inc. | US | whitelisted |
2688 | desktop_media_service.exe | 199.217.118.146:40000 | ylsuest.com | server4you Inc. | US | malicious |
— | — | 104.27.141.75:80 | tm1.eventincoandhar.info | Cloudflare Inc | US | shared |
3140 | MsiExec.exe | 199.217.118.146:40000 | ylsuest.com | server4you Inc. | US | malicious |
2688 | desktop_media_service.exe | 62.138.0.98:443 | — | Host Europe GmbH | DE | unknown |
3140 | MsiExec.exe | 104.27.141.75:80 | tm1.eventincoandhar.info | Cloudflare Inc | US | shared |
3140 | MsiExec.exe | 104.27.140.75:80 | tm1.eventincoandhar.info | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
tm1.eventincoandhar.info |
| malicious |
ylsuest.com |
| malicious |
ins1.eventincoandhar.info |
| malicious |
ip-api.com |
| shared |
example.com |
| whitelisted |
sc1.eventincoandhar.info |
| malicious |
ss1.eventincoandhar.info |
| malicious |
efiwuniq.com |
| unknown |
nthnuest.com |
| malicious |
krsewiq.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3140 | MsiExec.exe | Misc activity | ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer |
3140 | MsiExec.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Jetmedia.A |
3140 | MsiExec.exe | Misc activity | ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer |
2688 | desktop_media_service.exe | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
2688 | desktop_media_service.exe | Misc activity | ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer |
2688 | desktop_media_service.exe | Misc activity | ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer |
2688 | desktop_media_service.exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/Jetmedia.A |
2688 | desktop_media_service.exe | Misc activity | ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer |
2688 | desktop_media_service.exe | Misc activity | ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer |
2688 | desktop_media_service.exe | Misc activity | ADWARE [PTsecurity] Win32.Risk.Uws.SystemHealer |