| File name: | wufinstall.exe |
| Full analysis: | https://app.any.run/tasks/bbe1010d-8dbc-4afa-abd2-782ff18f459d |
| Verdict: | Malicious activity |
| Analysis date: | October 26, 2023, 07:16:31 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 10D30C6A1841A640D08A7865BEFCE6B5 |
| SHA1: | 2FF551C029237D71AF3C48697B3B60C23D6183B5 |
| SHA256: | 1EF3074EC5B613CFABDA1D3EB9D85745C5D9086FCF36309111160FFB848A0F4B |
| SSDEEP: | 98304:F+cD4dnlpHc7rd7QVQeimwKuUbYPfXq/LoJUAlfSizTSRUS4ja+UNqPMX/t+M0Dh:2qNiF5BBlte4buRNfpT |
MALICIOUS
Drops the executable file immediately after the start
- wufinstall.exe (PID: 3852)
- wufinstall.exe (PID: 2444)
- wufinstall.tmp (PID: 3196)
Creates a writable file the system directory
- wufinstall.tmp (PID: 3196)
Actions looks like stealing of personal data
- wufinstall.tmp (PID: 3196)
SUSPICIOUS
Reads the Windows owner or organization settings
- wufinstall.tmp (PID: 3196)
Process drops legitimate windows executable
- wufinstall.tmp (PID: 3196)
INFO
Checks supported languages
- wufinstall.exe (PID: 3852)
- wufinstall.tmp (PID: 1864)
- wufinstall.exe (PID: 2444)
- wufinstall.tmp (PID: 3196)
Reads the computer name
- wufinstall.tmp (PID: 1864)
- wufinstall.tmp (PID: 3196)
Create files in a temporary directory
- wufinstall.exe (PID: 3852)
- wufinstall.exe (PID: 2444)
Application was dropped or rewritten from another process
- wufinstall.tmp (PID: 1864)
- wufinstall.tmp (PID: 3196)
Creates files in the program directory
- wufinstall.tmp (PID: 3196)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (67.7) |
|---|---|---|
| .exe | | | Win32 EXE PECompact compressed (generic) (25.6) |
| .exe | | | Win32 Executable (generic) (2.7) |
| .exe | | | Win16/32 Executable Delphi generic (1.2) |
| .exe | | | Generic Win/DOS Executable (1.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2022:04:14 18:10:23+02:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 741888 |
| InitializedDataSize: | 147456 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xb5eec |
| OSVersion: | 6.1 |
| ImageVersion: | 6 |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 15.85.0.0 |
| ProductVersionNumber: | 15.85.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | YL Computing |
| FileDescription: | WinUtilities Free Edition Setup |
| FileVersion: | 15.85 |
| LegalCopyright: | |
| OriginalFileName: | |
| ProductName: | WinUtilities Free Edition |
| ProductVersion: | 15.85 |
Total processes
42
Monitored processes
4
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1864 | "C:\Users\admin\AppData\Local\Temp\is-V7NT2.tmp\wufinstall.tmp" /SL5="$1001CA,7311367,890368,C:\Users\admin\AppData\Local\Temp\wufinstall.exe" | C:\Users\admin\AppData\Local\Temp\is-V7NT2.tmp\wufinstall.tmp | — | wufinstall.exe | |||||||||||
User: admin Company: YL Computing Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 2444 | "C:\Users\admin\AppData\Local\Temp\wufinstall.exe" /SPAWNWND=$110168 /NOTIFYWND=$1001CA | C:\Users\admin\AppData\Local\Temp\wufinstall.exe | wufinstall.tmp | ||||||||||||
User: admin Company: YL Computing Integrity Level: HIGH Description: WinUtilities Free Edition Setup Exit code: 0 Version: 15.85 Modules
| |||||||||||||||
| 3196 | "C:\Users\admin\AppData\Local\Temp\is-UTB6A.tmp\wufinstall.tmp" /SL5="$B01D0,7311367,890368,C:\Users\admin\AppData\Local\Temp\wufinstall.exe" /SPAWNWND=$110168 /NOTIFYWND=$1001CA | C:\Users\admin\AppData\Local\Temp\is-UTB6A.tmp\wufinstall.tmp | wufinstall.exe | ||||||||||||
User: admin Company: YL Computing Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 3852 | "C:\Users\admin\AppData\Local\Temp\wufinstall.exe" | C:\Users\admin\AppData\Local\Temp\wufinstall.exe | — | explorer.exe | |||||||||||
User: admin Company: YL Computing Integrity Level: MEDIUM Description: WinUtilities Free Edition Setup Exit code: 0 Version: 15.85 Modules
| |||||||||||||||
Total events
898
Read events
898
Write events
0
Delete events
0
Modification events
Executable files
694
Suspicious files
4
Text files
422
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3196 | wufinstall.tmp | C:\Windows\System32\W95INF16.DLL | executable | |
MD5:7210D5407A2D2F52E851604666403024 | SHA256:337D2FB5252FC532B7BF67476B5979D158CA2AC589E49C6810E2E1AFEBE296AF | |||
| 2444 | wufinstall.exe | C:\Users\admin\AppData\Local\Temp\is-UTB6A.tmp\wufinstall.tmp | executable | |
MD5:7FE90D143248094DD1C137B54B2FB734 | SHA256:26B8F76D4BA188521B44743121ED1E7B0BBAD950719280B277C2E199C41F67BE | |||
| 3196 | wufinstall.tmp | C:\Windows\system32\is-07183.tmp | executable | |
MD5:7210D5407A2D2F52E851604666403024 | SHA256:337D2FB5252FC532B7BF67476B5979D158CA2AC589E49C6810E2E1AFEBE296AF | |||
| 3196 | wufinstall.tmp | C:\Windows\system32\is-AN3R3.tmp | executable | |
MD5:B9C2EB1291BACAF8D979D7DF06D1E4EE | SHA256:45E7070BB56530AC910160BA703428EB1F1A390C508C04DEB894A5B921D04C62 | |||
| 3196 | wufinstall.tmp | C:\Program Files\WinUtilities\unins000.exe | executable | |
MD5:4AB1418B9F2167A4D29E398E4D9AC26B | SHA256:A3A615216FFC51F400D2C2B23425FEC0858160630566E27E268FAABC55D17438 | |||
| 3196 | wufinstall.tmp | C:\Windows\system32\is-LIR2S.tmp | executable | |
MD5:7D4A0D6C685107AC1B5089806CD4273B | SHA256:6C6FD79C7F2E248BCE830F08937625D4D16466FD7A3E72163F0528D058B31DE5 | |||
| 3196 | wufinstall.tmp | C:\Windows\System32\shfolder.inf | text | |
MD5:CF295F9A323B1EC8B196E598636E78E4 | SHA256:3D2C39C2275A2DCF0200CEE799956C8D3DF2CA9B9C9F2D5CA744143AA58EEED3 | |||
| 3852 | wufinstall.exe | C:\Users\admin\AppData\Local\Temp\is-V7NT2.tmp\wufinstall.tmp | executable | |
MD5:7FE90D143248094DD1C137B54B2FB734 | SHA256:26B8F76D4BA188521B44743121ED1E7B0BBAD950719280B277C2E199C41F67BE | |||
| 3196 | wufinstall.tmp | C:\Windows\system32\is-L8LLC.tmp | text | |
MD5:CF295F9A323B1EC8B196E598636E78E4 | SHA256:3D2C39C2275A2DCF0200CEE799956C8D3DF2CA9B9C9F2D5CA744143AA58EEED3 | |||
| 3196 | wufinstall.tmp | C:\Windows\System32\anim.dll | executable | |
MD5:B9C2EB1291BACAF8D979D7DF06D1E4EE | SHA256:45E7070BB56530AC910160BA703428EB1F1A390C508C04DEB894A5B921D04C62 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
2
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |