| URL: | http://down.easeus.com/product/mobimover_free |
| Full analysis: | https://app.any.run/tasks/e8fa5bd3-87d4-4928-ab88-59492edffa5d |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | January 10, 2019, 14:44:28 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | BF68238AC20220A4BD0B25AC576B8C2A |
| SHA1: | A40EA54AE9B9D757D8CEFA44BB8BC937FF5500BB |
| SHA256: | 1F4E0B4A8419E8429C995A46403B6102EB7B635BDC73CBABF7122E1837AC9788 |
| SSDEEP: | 3:N1KaKXtiXaQGRKIqKTtV:CaklRKIxTtV |
MALICIOUS
Application was dropped or rewritten from another process
- test[1].exe (PID: 3340)
- InstallPreProc.exe (PID: 4000)
- AppStoreProc.exe (PID: 4016)
- downloader.exe (PID: 2856)
- uexperice.exe (PID: 692)
- uexperice.exe (PID: 3328)
- uexperice.exe (PID: 3304)
- uexperice.exe (PID: 3812)
- uexperice.exe (PID: 3760)
- uexperice.exe (PID: 3772)
- FixFFmpeg.exe (PID: 4076)
- FixFFmpeg.exe (PID: 4092)
- FixFFmpeg.exe (PID: 936)
- FixFFmpeg.exe (PID: 1476)
- FixFFmpeg.exe (PID: 2392)
- FixFFmpeg.exe (PID: 1888)
- FixFFmpeg.exe (PID: 1644)
- FixFFmpeg.exe (PID: 2704)
- FixFFmpeg.exe (PID: 3832)
- test[1].exe (PID: 2620)
- EDownloader.exe (PID: 2648)
- EDownloader.exe (PID: 3608)
- FixFFmpeg.exe (PID: 2804)
- MobiMoverUI.exe (PID: 3368)
- AppleMobileDeviceService.exe (PID: 3440)
Downloads executable files from the Internet
- EDownloader.exe (PID: 2648)
- iexplore.exe (PID: 3632)
Loads dropped or rewritten executable
- uexperice.exe (PID: 3304)
- uexperice.exe (PID: 692)
- uexperice.exe (PID: 3812)
- uexperice.exe (PID: 3772)
- AppleMobileDeviceService.exe (PID: 3440)
- uexperice.exe (PID: 3328)
- uexperice.exe (PID: 3760)
- MobiMoverUI.exe (PID: 3368)
SUSPICIOUS
Executable content was dropped or overwritten
- iexplore.exe (PID: 3128)
- iexplore.exe (PID: 3632)
- iexplore.exe (PID: 3016)
- test[1].exe (PID: 3340)
- mover_free_easeus.exe (PID: 3100)
- mover_free_easeus.tmp (PID: 3044)
- MsiExec.exe (PID: 3468)
- msiexec.exe (PID: 2892)
- FixFFmpeg.exe (PID: 936)
- FixFFmpeg.exe (PID: 2392)
- FixFFmpeg.exe (PID: 1476)
- FixFFmpeg.exe (PID: 2704)
- FixFFmpeg.exe (PID: 1888)
Reads the Windows organization settings
- mover_free_easeus.tmp (PID: 3044)
Starts Microsoft Installer
- downloader.exe (PID: 2856)
Creates files in the user directory
- mover_free_easeus.tmp (PID: 3044)
- uexperice.exe (PID: 3304)
- uexperice.exe (PID: 3760)
- MobiMoverUI.exe (PID: 3368)
Creates files in the Windows directory
- msiexec.exe (PID: 2892)
- DrvInst.exe (PID: 2508)
- DrvInst.exe (PID: 3248)
Removes files from Windows directory
- msiexec.exe (PID: 2892)
- DrvInst.exe (PID: 2508)
- DrvInst.exe (PID: 3248)
Creates files in the driver directory
- DrvInst.exe (PID: 2508)
- DrvInst.exe (PID: 3248)
Creates COM task schedule object
- msiexec.exe (PID: 2892)
Starts CMD.EXE for commands execution
- mover_free_easeus.tmp (PID: 3044)
- cmd.exe (PID: 2416)
Application launched itself
- cmd.exe (PID: 2416)
- EDownloader.exe (PID: 2648)
Reads Windows owner or organization settings
- mover_free_easeus.tmp (PID: 3044)
Reads internet explorer settings
- EDownloader.exe (PID: 2648)
Creates files in the program directory
- MobiMoverUI.exe (PID: 3368)
Searches for installed software
- MobiMoverUI.exe (PID: 3368)
INFO
Application launched itself
- iexplore.exe (PID: 2972)
- msiexec.exe (PID: 2892)
Reads Internet Cache Settings
- iexplore.exe (PID: 3632)
- iexplore.exe (PID: 3128)
- iexplore.exe (PID: 3016)
Changes internet zones settings
- iexplore.exe (PID: 3016)
- iexplore.exe (PID: 2972)
Reads internet explorer settings
- iexplore.exe (PID: 3632)
Application was dropped or rewritten from another process
- mover_free_easeus.tmp (PID: 3044)
Loads dropped or rewritten executable
- mover_free_easeus.tmp (PID: 3044)
- msiexec.exe (PID: 2892)
Creates a software uninstall entry
- mover_free_easeus.tmp (PID: 3044)
- msiexec.exe (PID: 2892)
Creates files in the program directory
- mover_free_easeus.tmp (PID: 3044)
- msiexec.exe (PID: 2892)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
92
Monitored processes
42
Malicious processes
11
Suspicious processes
6
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 692 | "C:\Program Files\EaseUS\EaseUS MobiMover\bin\uexperice.exe" -t 4098 1 | C:\Program Files\EaseUS\EaseUS MobiMover\bin\uexperice.exe | — | mover_free_easeus.tmp | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 936 | FixFFmpeg avcodec-57.dll | C:\Program Files\EaseUS\EaseUS MobiMover\bin\FixFFmpeg.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1392 | C:\Windows\system32\MsiExec.exe -Embedding 74D71715A45ECF2442611B456FD0A5B7 M Global\MSI0000 | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1476 | FixFFmpeg avdevice-57.dll | C:\Program Files\EaseUS\EaseUS MobiMover\bin\FixFFmpeg.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1644 | FixFFmpeg swscale-4.dll | C:\Program Files\EaseUS\EaseUS MobiMover\bin\FixFFmpeg.exe | — | cmd.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1888 | FixFFmpeg avformat-57.dll | C:\Program Files\EaseUS\EaseUS MobiMover\bin\FixFFmpeg.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2392 | FixFFmpeg avfilter-6.dll | C:\Program Files\EaseUS\EaseUS MobiMover\bin\FixFFmpeg.exe | cmd.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2416 | "C:\Windows\system32\cmd.exe" /C ""C:\Program Files\EaseUS\EaseUS MobiMover\bin\windows_xp_ffmpeg_fix.cmd"" | C:\Windows\system32\cmd.exe | — | mover_free_easeus.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2508 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{372953f3-de61-2d36-5d19-90740e1b0f58}\usbaapl.inf" "0" "64270aeef" "000004B0" "WinSta0\Default" "000005B4" "208" "C:\Program Files\Common Files\Apple\Mobile Device Support\Drivers" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2620 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\test[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\test[1].exe | — | iexplore.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
Total events
4 435
Read events
1 620
Write events
2 776
Delete events
39
Modification events
| (PID) Process: | (2972) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (2972) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (2972) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (2972) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones |
| Operation: | write | Name: | SecuritySafe |
Value: 1 | |||
| (PID) Process: | (2972) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (2972) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2972) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active |
| Operation: | write | Name: | {444523ED-14E6-11E9-91D7-5254004A04AF} |
Value: 0 | |||
| (PID) Process: | (2972) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Type |
Value: 4 | |||
| (PID) Process: | (2972) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Count |
Value: 3 | |||
| (PID) Process: | (2972) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Time |
Value: E307010004000A000E002C002C000203 | |||
Executable files
303
Suspicious files
78
Text files
2 102
Unknown types
63
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2972 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
| 2972 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
| 2972 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF208577AF040A9E9B.TMP | — | |
MD5:— | SHA256:— | |||
| 3016 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
| 3016 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
| 2972 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF4EC24F9A38AC692A.TMP | — | |
MD5:— | SHA256:— | |||
| 2972 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{444523ED-14E6-11E9-91D7-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
| 3340 | test[1].exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\1free\skin.zip | compressed | |
MD5:— | SHA256:— | |||
| 3016 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\test[1].exe | executable | |
MD5:— | SHA256:— | |||
| 3632 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\mover_free_installer_20190110.100000[1].exe | executable | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
190
TCP/UDP connections
27
DNS requests
13
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3128 | iexplore.exe | GET | — | 163.171.128.147:80 | http://download3.easeus.com/free/mobimover4.5_free_package.exe | US | — | — | suspicious |
2648 | EDownloader.exe | GET | — | 163.171.128.147:80 | http://download3.easeus.com/free/mobimover4.5_free_installer.exe | US | — | — | suspicious |
2856 | downloader.exe | GET | — | 205.185.216.42:80 | http://download.easeus.com/download/itunes32setup.zip | US | — | — | malicious |
3128 | iexplore.exe | GET | 302 | 163.171.139.149:80 | http://down.easeus.com/product/mobimover_free | US | text | 88 b | malicious |
2648 | EDownloader.exe | POST | 200 | 216.92.47.198:80 | http://track.easeus.com/product/index.php/?a=statistics&p_type=m_mobimover_user_action_table | US | — | — | suspicious |
3632 | iexplore.exe | GET | 302 | 163.171.139.149:80 | http://down.easeus.com/product/mobimover_free | US | text | 88 b | malicious |
2648 | EDownloader.exe | POST | 200 | 216.92.47.198:80 | http://track.easeus.com/product/index.php/?a=statistics&p_type=m_mobimover_user_action_table | US | — | — | suspicious |
3632 | iexplore.exe | GET | 200 | 163.171.128.147:80 | http://download2.easeus.com/test.php | US | executable | 946 Kb | suspicious |
2648 | EDownloader.exe | GET | 206 | 163.171.128.147:80 | http://download3.easeus.com/free/mobimover4.5_free_installer.exe | US | binary | 16.8 Mb | suspicious |
2648 | EDownloader.exe | POST | 200 | 216.92.245.230:80 | http://yiwo.easeus.com/api/index.php/Home/index/productInstall | US | text | 297 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2972 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3128 | iexplore.exe | 163.171.139.149:80 | down.easeus.com | — | US | unknown |
3128 | iexplore.exe | 163.171.128.147:80 | download3.easeus.com | — | US | malicious |
3016 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3632 | iexplore.exe | 163.171.128.147:80 | download3.easeus.com | — | US | malicious |
3632 | iexplore.exe | 163.171.139.149:80 | down.easeus.com | — | US | unknown |
2648 | EDownloader.exe | 216.92.47.198:80 | track.easeus.com | pair Networks | US | suspicious |
2648 | EDownloader.exe | 216.92.245.230:80 | yiwo.easeus.com | pair Networks | US | unknown |
2648 | EDownloader.exe | 163.171.128.147:80 | download3.easeus.com | — | US | malicious |
2856 | downloader.exe | 205.185.216.42:80 | download.easeus.com | Highwinds Network Group, Inc. | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.bing.com |
| whitelisted |
down.easeus.com |
| malicious |
download3.easeus.com |
| suspicious |
download2.easeus.com |
| suspicious |
track.easeus.com |
| suspicious |
yiwo.easeus.com |
| unknown |
download.easeus.com |
| malicious |
update.easeus.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3128 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3632 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3632 | iexplore.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
2648 | EDownloader.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2648 | EDownloader.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
Process | Message |
|---|---|
AppleMobileDeviceService.exe | ASL checking for logging parameters in environment variable "AppleMobileDeviceService.exe.log"
|
AppleMobileDeviceService.exe | ASL checking for logging parameters in environment variable "asl.log"
|
uexperice.exe | 2019-01-10 14:47:00:164[UE] --Info. log level=3
|
uexperice.exe | 2019-01-10 14:47:00:164[UE] --Info. join=0
|
uexperice.exe | 2019-01-10 14:47:00:179[UE] --Info. top num =3
|
uexperice.exe | 2019-01-10 14:47:00:179[UE] --Info. try send=1
|
uexperice.exe | 2019-01-10 14:47:00:179[UE] --Info. InstallSpy. inst=6B432158
|
uexperice.exe | 2019-01-10 14:47:00:179[UE] --Info. SetText. id=0x3 (3), text=1, inst=6B432158
|
uexperice.exe | 2019-01-10 14:47:00:195[UE] --Info. SetValue. id=0x2 (2), val=0, inst=6B432158
|
uexperice.exe | 2019-01-10 14:47:00:195[UE] --Info. SetText. id=0x1001 (4097), text=4.5, inst=6B432158
|