| File name: | treyner-dlya-revival-ipGqYfZv2evW.exe |
| Full analysis: | https://app.any.run/tasks/a2b27e3c-0bd8-41c7-8ee9-f4f7efd20e8f |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | December 02, 2023, 07:59:00 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 0506FC4A6BE0582218901B0CA7E9CCB6 |
| SHA1: | 90FFBE58D4CCCE1490736B36D4D94260740CC8BC |
| SHA256: | 2092596EE23C8F9B42369130C846C52B15748F9449E0FA727D9E15CDF9E38516 |
| SSDEEP: | 98304:mWtd6LKvqT/8WahImM+dcIfTYD5Wi+rQTusqbdvKZb3YLJ0qMfixm1dfYCVbIVd8:0mDUS7duMxVkNg8 |
MALICIOUS
Drops the executable file immediately after the start
- treyner-dlya-revival-ipGqYfZv2evW.exe (PID: 3048)
- treyner-dlya-revival-ipGqYfZv2evW.exe (PID: 2644)
- treyner-dlya-revival-ipGqYfZv2evW.tmp (PID: 1864)
Uses Task Scheduler to run other applications
- treyner-dlya-revival-ipGqYfZv2evW.tmp (PID: 1864)
DOWNLOADASSISTANT has been detected (SURICATA)
- STRLibCRT.exe (PID: 2600)
SUSPICIOUS
Process drops legitimate windows executable
- treyner-dlya-revival-ipGqYfZv2evW.tmp (PID: 1864)
Reads the Windows owner or organization settings
- treyner-dlya-revival-ipGqYfZv2evW.tmp (PID: 1864)
The process drops C-runtime libraries
- treyner-dlya-revival-ipGqYfZv2evW.tmp (PID: 1864)
Reads the Internet Settings
- STRLibCRT.exe (PID: 2920)
INFO
Create files in a temporary directory
- treyner-dlya-revival-ipGqYfZv2evW.exe (PID: 2644)
- treyner-dlya-revival-ipGqYfZv2evW.exe (PID: 3048)
- treyner-dlya-revival-ipGqYfZv2evW.tmp (PID: 1864)
- STRLibCRT.exe (PID: 2920)
Checks supported languages
- treyner-dlya-revival-ipGqYfZv2evW.exe (PID: 2644)
- treyner-dlya-revival-ipGqYfZv2evW.exe (PID: 3048)
- treyner-dlya-revival-ipGqYfZv2evW.tmp (PID: 2412)
- treyner-dlya-revival-ipGqYfZv2evW.tmp (PID: 1864)
- STRLibCRT.exe (PID: 2920)
- STRLibCRT.exe (PID: 2600)
- wmpnscfg.exe (PID: 3940)
Reads the computer name
- treyner-dlya-revival-ipGqYfZv2evW.tmp (PID: 2412)
- treyner-dlya-revival-ipGqYfZv2evW.tmp (PID: 1864)
- STRLibCRT.exe (PID: 2920)
- STRLibCRT.exe (PID: 2600)
- wmpnscfg.exe (PID: 3940)
Creates files in the program directory
- treyner-dlya-revival-ipGqYfZv2evW.tmp (PID: 1864)
Manual execution by a user
- wmpnscfg.exe (PID: 3940)
Reads the machine GUID from the registry
- STRLibCRT.exe (PID: 2600)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:12:02 11:41:02+01:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 37888 |
| InitializedDataSize: | 17920 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x9c40 |
| OSVersion: | 1 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | |
| FileDescription: | STRLibCRT Setup |
| FileVersion: | |
| LegalCopyright: | |
| ProductName: | STRLibCRT |
| ProductVersion: |
Total processes
50
Monitored processes
9
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1344 | "C:\Windows\system32\schtasks.exe" /Query | C:\Windows\System32\schtasks.exe | — | treyner-dlya-revival-ipGqYfZv2evW.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1556 | "C:\Windows\system32\schtasks.exe" /Delete /F /TN "STRCRT1221" | C:\Windows\System32\schtasks.exe | — | treyner-dlya-revival-ipGqYfZv2evW.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1864 | "C:\Users\admin\AppData\Local\Temp\is-TMGP3.tmp\treyner-dlya-revival-ipGqYfZv2evW.tmp" /SL5="$1C0158,6722564,54272,C:\Users\admin\AppData\Local\Temp\treyner-dlya-revival-ipGqYfZv2evW.exe" /SPAWNWND=$10015A /NOTIFYWND=$25013A | C:\Users\admin\AppData\Local\Temp\is-TMGP3.tmp\treyner-dlya-revival-ipGqYfZv2evW.tmp | — | treyner-dlya-revival-ipGqYfZv2evW.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0 Modules
| |||||||||||||||
| 2412 | "C:\Users\admin\AppData\Local\Temp\is-NM3VG.tmp\treyner-dlya-revival-ipGqYfZv2evW.tmp" /SL5="$25013A,6722564,54272,C:\Users\admin\AppData\Local\Temp\treyner-dlya-revival-ipGqYfZv2evW.exe" | C:\Users\admin\AppData\Local\Temp\is-NM3VG.tmp\treyner-dlya-revival-ipGqYfZv2evW.tmp | — | treyner-dlya-revival-ipGqYfZv2evW.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.52.0.0 Modules
| |||||||||||||||
| 2600 | "C:\Program Files\STRLibCRT\STRLibCRT.exe" 420423b5ba9ed3abae000b31809f7d14 | C:\Program Files\STRLibCRT\STRLibCRT.exe | treyner-dlya-revival-ipGqYfZv2evW.tmp | ||||||||||||
User: admin Company: DataNumen, Inc. Integrity Level: HIGH Exit code: 0 Version: 1.2.0.1 Modules
| |||||||||||||||
| 2644 | "C:\Users\admin\AppData\Local\Temp\treyner-dlya-revival-ipGqYfZv2evW.exe" | C:\Users\admin\AppData\Local\Temp\treyner-dlya-revival-ipGqYfZv2evW.exe | — | explorer.exe | |||||||||||
User: admin Company: Integrity Level: MEDIUM Description: STRLibCRT Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 2920 | "C:\Program Files\STRLibCRT\STRLibCRT.exe" | C:\Program Files\STRLibCRT\STRLibCRT.exe | treyner-dlya-revival-ipGqYfZv2evW.tmp | ||||||||||||
User: admin Company: DataNumen, Inc. Integrity Level: HIGH Exit code: 0 Version: 1.2.0.1 Modules
| |||||||||||||||
| 3048 | "C:\Users\admin\AppData\Local\Temp\treyner-dlya-revival-ipGqYfZv2evW.exe" /SPAWNWND=$10015A /NOTIFYWND=$25013A | C:\Users\admin\AppData\Local\Temp\treyner-dlya-revival-ipGqYfZv2evW.exe | treyner-dlya-revival-ipGqYfZv2evW.tmp | ||||||||||||
User: admin Company: Integrity Level: HIGH Description: STRLibCRT Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 3940 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
1 272
Read events
1 272
Write events
0
Delete events
0
Modification events
Executable files
155
Suspicious files
2
Text files
24
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1864 | treyner-dlya-revival-ipGqYfZv2evW.tmp | C:\Users\admin\AppData\Local\Temp\is-PFD02.tmp\_isetup\_iscrypt.dll | executable | |
MD5:A69559718AB506675E907FE49DEB71E9 | SHA256:2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC | |||
| 3048 | treyner-dlya-revival-ipGqYfZv2evW.exe | C:\Users\admin\AppData\Local\Temp\is-TMGP3.tmp\treyner-dlya-revival-ipGqYfZv2evW.tmp | executable | |
MD5:F448D7F4B76E5C9C3A4EAFF16A8B9B73 | SHA256:7233B85EB0F8B3AA5CAE3811D727AA8742FEC4D1091C120A0FE15006F424CC49 | |||
| 1864 | treyner-dlya-revival-ipGqYfZv2evW.tmp | C:\Program Files\STRLibCRT\is-S4A3V.tmp | executable | |
MD5:22F9162E6F2F3CF2E03A99BAB3FCABEF | SHA256:800F0681284E887E127BC5AF32F09A4960DDF2F959D5CB85F7C1195FD79D75FE | |||
| 1864 | treyner-dlya-revival-ipGqYfZv2evW.tmp | C:\Program Files\STRLibCRT\is-65SER.tmp | executable | |
MD5:FF8026DAB5D3DABCA8F72B6FA7D258FA | SHA256:535E9D20F00A2F1A62F843A4A26CFB763138D5DFE358B0126D33996FBA9CA4D1 | |||
| 1864 | treyner-dlya-revival-ipGqYfZv2evW.tmp | C:\Users\admin\AppData\Local\Temp\is-PFD02.tmp\_isetup\_shfoldr.dll | executable | |
MD5:92DC6EF532FBB4A5C3201469A5B5EB63 | SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 | |||
| 1864 | treyner-dlya-revival-ipGqYfZv2evW.tmp | C:\Program Files\STRLibCRT\unins000.exe | executable | |
MD5:22F9162E6F2F3CF2E03A99BAB3FCABEF | SHA256:800F0681284E887E127BC5AF32F09A4960DDF2F959D5CB85F7C1195FD79D75FE | |||
| 1864 | treyner-dlya-revival-ipGqYfZv2evW.tmp | C:\Program Files\STRLibCRT\is-KA3PC.tmp | executable | |
MD5:CFE87D58F973DAEDA4EE7D2CF4AE521D | SHA256:4997FDA5D0E90B8A0AB7DA314CB56F25D1450B366701C45C294D8DD3254DE483 | |||
| 1864 | treyner-dlya-revival-ipGqYfZv2evW.tmp | C:\Program Files\STRLibCRT\api-ms-win-core-heap-l1-1-0.dll | executable | |
MD5:FF8026DAB5D3DABCA8F72B6FA7D258FA | SHA256:535E9D20F00A2F1A62F843A4A26CFB763138D5DFE358B0126D33996FBA9CA4D1 | |||
| 1864 | treyner-dlya-revival-ipGqYfZv2evW.tmp | C:\Program Files\STRLibCRT\api-ms-win-core-localization-l1-2-0.dll | executable | |
MD5:23BD405A6CFD1E38C74C5150EEC28D0A | SHA256:A7FA48DE6C06666B80184AFEE7E544C258E0FB11399AB3FE47D4E74667779F41 | |||
| 1864 | treyner-dlya-revival-ipGqYfZv2evW.tmp | C:\Program Files\STRLibCRT\is-A9AJ8.tmp | executable | |
MD5:0C48220A4485F36FEED84EF5DD0A5E9C | SHA256:2DD4EBAA12CBBA142B5D61A0EBF84A14D0D1BB8826BA42B63E303FE6721408DF | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
7
DNS requests
3
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2920 | STRLibCRT.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?43534543 | unknown | compressed | 65.2 Kb | unknown |
2600 | STRLibCRT.exe | POST | — | 104.21.51.211:80 | http://millionjobs.works/new/net_api | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
868 | svchost.exe | 23.35.228.137:80 | — | AKAMAI-AS | DE | unknown |
2920 | STRLibCRT.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted |
2600 | STRLibCRT.exe | 104.21.51.211:80 | millionjobs.works | CLOUDFLARENET | — | unknown |
868 | svchost.exe | 184.30.20.134:80 | armmf.adobe.com | AKAMAI-AS | DE | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
ctldl.windowsupdate.com |
| whitelisted |
millionjobs.works |
| unknown |
armmf.adobe.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2600 | STRLibCRT.exe | Misc activity | ADWARE [ANY.RUN] DownloadAssistant |