analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

e6f77ec185046251bb1a3eb9c899f886

Full analysis: https://app.any.run/tasks/8fef6b3d-e6b0-4808-b101-aaa8b04e5eb7
Verdict: Malicious activity
Analysis date: March 14, 2019, 09:21:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

E6F77EC185046251BB1A3EB9C899F886

SHA1:

47570E9479CB50DF3ECC6278C31BDA3B3ED83253

SHA256:

1EF264F85FDBE3D22E3887A5930971F47552973ADB06D787F3ADA97899E3B32E

SSDEEP:

49152:L7AxPHkce3WYILLIb/iCXgjJWI5D8qNKENjuphxXINSICqmHkwvCTv5S7:ynYaGiDjkI54+KBX+SIChkF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • e6f77ec185046251bb1a3eb9c899f886.exe (PID: 2288)
      • DriverFixer.exe (PID: 584)
    • Application was dropped or rewritten from another process

      • DriverFixer.exe (PID: 3168)
      • drfixer_setup.exe (PID: 3636)
      • helper.exe (PID: 2208)
      • DriverFixer.exe (PID: 584)
    • Changes settings of System certificates

      • e6f77ec185046251bb1a3eb9c899f886.exe (PID: 2288)
      • DriverFixer.exe (PID: 3168)
      • DriverFixer.exe (PID: 584)
    • Changes the autorun value in the registry

      • drfixer_setup.exe (PID: 3636)
      • DriverFixer.exe (PID: 584)
      • DriverFixer.exe (PID: 3168)
  • SUSPICIOUS

    • Creates files in the program directory

      • e6f77ec185046251bb1a3eb9c899f886.exe (PID: 2288)
      • drfixer_setup.exe (PID: 3636)
      • DriverFixer.exe (PID: 584)
    • Adds / modifies Windows certificates

      • e6f77ec185046251bb1a3eb9c899f886.exe (PID: 2288)
      • DriverFixer.exe (PID: 584)
    • Executable content was dropped or overwritten

      • e6f77ec185046251bb1a3eb9c899f886.exe (PID: 2288)
      • drfixer_setup.exe (PID: 3636)
      • DrvInst.exe (PID: 2620)
      • DriverFixer.exe (PID: 584)
    • Reads internet explorer settings

      • DriverFixer.exe (PID: 3168)
      • DriverFixer.exe (PID: 584)
    • Creates a software uninstall entry

      • drfixer_setup.exe (PID: 3636)
    • Application launched itself

      • DriverFixer.exe (PID: 3168)
    • Creates files in the user directory

      • DriverFixer.exe (PID: 3168)
      • DriverFixer.exe (PID: 584)
    • Reads Environment values

      • DriverFixer.exe (PID: 3168)
      • DriverFixer.exe (PID: 584)
    • Creates files in the driver directory

      • DrvInst.exe (PID: 2620)
    • Removes files from Windows directory

      • DrvInst.exe (PID: 2620)
    • Uses RUNDLL32.EXE to load library

      • DrvInst.exe (PID: 2620)
    • Creates files in the Windows directory

      • DrvInst.exe (PID: 2620)
  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductName: DriverFixer
LegalCopyright: Copyright (c) 2019 6LOOP LIMITED
FileVersion: 3.0.0.1
FileDescription: DriverFixer
CompanyName: -
CharacterSet: Windows, Latin1
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 3.0.0.1
FileVersionNumber: 3.0.0.1
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x30fb
UninitializedDataSize: 1024
InitializedDataSize: 120320
CodeSize: 23552
LinkerVersion: 6
PEType: PE32
TimeStamp: 2016:04:02 05:20:05+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 02-Apr-2016 03:20:05
Detected languages:
  • English - United States
CompanyName: -
FileDescription: DriverFixer
FileVersion: 3.0.0.1
LegalCopyright: Copyright (c) 2019 6LOOP LIMITED
ProductName: DriverFixer

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000C8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 02-Apr-2016 03:20:05
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00005AEB
0x00005C00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.42231
.rdata
0x00007000
0x00001196
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.20292
.data
0x00009000
0x0001B038
0x00000600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.04751
.ndata
0x00025000
0x0000A000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x0002F000
0x00005A18
0x00005C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.88366

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.21417
958
UNKNOWN
English - United States
RT_MANIFEST
2
5.52074
4264
UNKNOWN
English - United States
RT_ICON
3
3.65393
2216
UNKNOWN
English - United States
RT_ICON
4
0
1384
UNKNOWN
English - United States
RT_ICON
5
0
1128
UNKNOWN
English - United States
RT_ICON
6
0
744
UNKNOWN
English - United States
RT_ICON
7
0
296
UNKNOWN
English - United States
RT_ICON
103
2.86993
104
UNKNOWN
English - United States
RT_GROUP_ICON
105
2.69888
548
UNKNOWN
English - United States
RT_DIALOG
106
2.91148
248
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
8
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start e6f77ec185046251bb1a3eb9c899f886.exe no specs e6f77ec185046251bb1a3eb9c899f886.exe drfixer_setup.exe helper.exe no specs driverfixer.exe driverfixer.exe drvinst.exe rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3044"C:\Users\admin\AppData\Local\Temp\e6f77ec185046251bb1a3eb9c899f886.exe" C:\Users\admin\AppData\Local\Temp\e6f77ec185046251bb1a3eb9c899f886.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
DriverFixer
Exit code:
3221226540
Version:
3.0.0.1
2288"C:\Users\admin\AppData\Local\Temp\e6f77ec185046251bb1a3eb9c899f886.exe" C:\Users\admin\AppData\Local\Temp\e6f77ec185046251bb1a3eb9c899f886.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
DriverFixer
Exit code:
0
Version:
3.0.0.1
3636"C:\Program Files\DriverFixer\Setup\drfixer_setup.exe" /SC:\Program Files\DriverFixer\Setup\drfixer_setup.exe
e6f77ec185046251bb1a3eb9c899f886.exe
User:
admin
Company:
6LOOP LIMITED
Integrity Level:
HIGH
Description:
DriverFixer
Exit code:
0
Version:
2.0.0.1
2208"C:\Program Files\DriverFixer\helper.exe" -driverfixer.exeC:\Program Files\DriverFixer\helper.exedrfixer_setup.exe
User:
admin
Company:
6LOOP LIMITED
Integrity Level:
HIGH
Description:
FirePlayer Uninstall Component
Exit code:
0
Version:
1.0.0.1
3168"C:\Program Files\DriverFixer\DriverFixer.exe" C:\Program Files\DriverFixer\DriverFixer.exe
explorer.exe
User:
admin
Company:
6LOOP LIMITED
Integrity Level:
MEDIUM
Description:
DriverFixer
Exit code:
0
Version:
1.0.0.2
584"C:\Program Files\DriverFixer\DriverFixer.exe" /startScanC:\Program Files\DriverFixer\DriverFixer.exe
DriverFixer.exe
User:
admin
Company:
6LOOP LIMITED
Integrity Level:
HIGH
Description:
DriverFixer
Version:
1.0.0.2
2620DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{18694d34-c33d-5211-6e15-51540cc05278}\ich9usb.inf" "0" "6415d1aa7" "00000394" "WinSta0\Default" "000003C8" "208" "c:\users\admin\appdata\local\temp\driverfixer_rzuzzi0i.iad"C:\Windows\system32\DrvInst.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3780rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{6aa93559-c33f-59c6-41fb-b9407c2d912b} Global\{1f7ca9ad-89ad-7e27-b859-19568011e838} C:\Windows\System32\DriverStore\Temp\{5b5fcafc-b6ab-73ec-57ac-0b688d359737}\ich9usb.inf C:\Windows\System32\DriverStore\Temp\{5b5fcafc-b6ab-73ec-57ac-0b688d359737}\ich9usb.catC:\Windows\system32\rundll32.exeDrvInst.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
854
Read events
764
Write events
0
Delete events
0

Modification events

No data
Executable files
15
Suspicious files
118
Text files
14
Unknown types
120

Dropped files

PID
Process
Filename
Type
3636drfixer_setup.exeC:\Users\admin\AppData\Local\Temp\nsp1FEC.tmp\GetVersion.dll
MD5:
SHA256:
2288e6f77ec185046251bb1a3eb9c899f886.exeC:\Users\admin\AppData\Local\Temp\nseECE5.tmp\DriverFixer.tif
MD5:
SHA256:
3636drfixer_setup.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverFixer\DriverFixer.lnklnk
MD5:50CF7473A989474F4CC15BB5B95168C8
SHA256:653F312DD903BF150F2B321D50BD03ED2384897FAB66616E57FBC24A5A35ABFA
3636drfixer_setup.exeC:\Program Files\DriverFixer\DriverFixer.icoimage
MD5:46006CAC69B2AA6C73CD9DA64A12B760
SHA256:C5AD982F816444E5E7042EC1A4BC5E3D7581D1109E408D7BE4449FD76AB58705
3636drfixer_setup.exeC:\Users\Public\Desktop\DriverFixer.lnklnk
MD5:CDFB8AFC142506096D61BD449E8C4FFB
SHA256:B3910A79531EF5048AF1B86004771C383A9BA59BD24CF291C1DD120D59782928
3636drfixer_setup.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\DriverFixer\Uninstall.lnklnk
MD5:7648543ADB6D8A467D68C957CFE4320F
SHA256:AC2B90DBA26CB635FE91727518D75842BFBD36BEA2C47B4AC5CF95A2FD069211
3636drfixer_setup.exeC:\Program Files\DriverFixer\DriverFixer.exeexecutable
MD5:576D7172CAA84ED216E55F7CB35F20C2
SHA256:5A002F92B975F2462EF56C0BBBA7CC7E060856CD87E421687CBA94EAA879180C
3636drfixer_setup.exeC:\Program Files\DriverFixer\uninstall.exeexecutable
MD5:628EE76F5E62656621A1AF9119E9BB79
SHA256:91F7E59911D051638EE0AB33987D7B56FB48C6BA205E369C6342393102D3AA2E
2288e6f77ec185046251bb1a3eb9c899f886.exeC:\Users\admin\AppData\Local\Temp\nseECE5.tmp\TopLogo1.bmpimage
MD5:045438BA6FC9A2FBCF337505C9063AB3
SHA256:778ACE132752F20A15D697ACE5860AE81D54B9684102E1B2368C6BFF7BE49441
3168DriverFixer.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928binary
MD5:821F539206D4146D8C5ED289E5F86789
SHA256:9124B2B0CFDABF013D28FDBCA2C6CED78416822545E7CF831638C5764718CB16
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
7
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
584
DriverFixer.exe
GET
104.17.234.32:80
http://backend.driver-fixer.com/drivers/update.php?devid=pci%5cven_8086%26dev_2934&OS=7&digitOs=32&date=2006-06-21&version=6.1.7601.17514
US
suspicious
584
DriverFixer.exe
GET
172.245.127.13:80
http://172.245.127.13/drivers/data/Drivers/DriversArch/DP_Chipset_13072/Intel/WinAll/INF_9.4.0.1017.zip
US
unknown
3168
DriverFixer.exe
GET
200
104.17.234.32:80
http://backend.driver-fixer.com/version.php
US
text
17 b
suspicious
584
DriverFixer.exe
GET
200
104.17.234.32:80
http://backend.driver-fixer.com/drivers/update.php?devid=pci%5cven_8086%26dev_293a&OS=7&digitOs=32&date=2006-06-21&version=6.1.7601.17514
US
text
339 b
suspicious
584
DriverFixer.exe
GET
200
104.17.234.32:80
http://backend.driver-fixer.com/drivers/update.php?devid=pci%5cven_8086%26dev_2936&OS=7&digitOs=32&date=2006-06-21&version=6.1.7601.17514
US
text
339 b
suspicious
584
DriverFixer.exe
GET
200
104.17.234.32:80
http://backend.driver-fixer.com/drivers/update.php?devid=pci%5cven_8086%26dev_2935&OS=7&digitOs=32&date=2006-06-21&version=6.1.7601.17514
US
text
339 b
suspicious
584
DriverFixer.exe
GET
200
104.17.234.32:80
http://backend.driver-fixer.com/version.php
US
text
17 b
suspicious
584
DriverFixer.exe
GET
200
104.17.234.32:80
http://backend.driver-fixer.com/drivers/update.php?devid=pci%5cven_8086%26dev_7010&OS=7&digitOs=32&date=2006-06-21&version=6.1.7601.17514
US
text
2 b
suspicious
584
DriverFixer.exe
GET
200
104.17.234.32:80
http://backend.driver-fixer.com/drivers/update.php?devid=pci%5cven_8086%26dev_100e&OS=7&digitOs=32&date=2008-05-28&version=8.4.1.1
US
text
2 b
suspicious
584
DriverFixer.exe
GET
200
104.17.234.32:80
http://backend.driver-fixer.com/drivers/update.php?devid=pci%5cven_1af4%26dev_1003%26subsys_00031af4%26rev_00&OS=7&digitOs=32&date=2017-07-19&version=61.74.104.14100
US
text
2 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3168
DriverFixer.exe
104.17.234.32:80
driver-fixer.com
Cloudflare Inc
US
shared
3168
DriverFixer.exe
91.199.212.52:80
crt.comodoca.com
Comodo CA Ltd
GB
suspicious
2288
e6f77ec185046251bb1a3eb9c899f886.exe
104.17.234.32:443
driver-fixer.com
Cloudflare Inc
US
shared
584
DriverFixer.exe
172.245.127.13:80
ColoCrossing
US
unknown
584
DriverFixer.exe
104.17.234.32:80
driver-fixer.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
driver-fixer.com
  • 104.17.234.32
  • 104.17.233.32
suspicious
crt.comodoca.com
  • 91.199.212.52
whitelisted
backend.driver-fixer.com
  • 104.17.234.32
  • 104.17.233.32
suspicious

Threats

PID
Process
Class
Message
2288
e6f77ec185046251bb1a3eb9c899f886.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
584
DriverFixer.exe
Potential Corporate Privacy Violation
ET POLICY Unsupported/Fake FireFox Version 2.
584
DriverFixer.exe
Potential Corporate Privacy Violation
ET POLICY Unsupported/Fake FireFox Version 2.
No debug info