File name:	Cold_Turkey_Installer.exe
Full analysis:	https://app.any.run/tasks/e8bd2e8b-467b-4573-ac6a-8001570d6b10
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	August 23, 2024, 13:48:10
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	EAA0F3DDD71DB24C3A64ECF58E40DA52
SHA1:	EACDAE7C9AF8FF3BE6BE93E83A8DBF1A101B823A
SHA256:	23A32B9DB00C74B0440132FD6DFD0A2B5F9F522B13F59B491C4BBF98070CDDF2
SSDEEP:	98304:w+QqZ8fzC1Hab+w3QaAWCHXuHy2TpISRJNbYDw6R7WR3hWzcSKX7/WQ9qLZtlJwq:KTs6zZ2Z

.exe	\|	Inno Setup installer (67.7)
.exe	\|	Win32 EXE PECompact compressed (generic) (25.6)
.exe	\|	Win32 Executable (generic) (2.7)
.exe	\|	Win16/32 Executable Delphi generic (1.2)
.exe	\|	Generic Win/DOS Executable (1.2)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2020:09:13 09:00:51+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType:	PE32
LinkerVersion:	2.25
CodeSize:	741376
InitializedDataSize:	95232
UninitializedDataSize:	-
EntryPoint:	0xb5eec
OSVersion:	6.1
ImageVersion:	6
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
Comments:	This installation was built with Inno Setup.
CompanyName:	Cold Turkey Software, Inc.
FileDescription:	Cold Turkey Blocker Setup
FileVersion:
LegalCopyright:
OriginalFileName:
ProductName:	Cold Turkey Blocker
ProductVersion:	4.5


(PID) Process:	(6888) Cold_Turkey_Installer.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6888) Cold_Turkey_Installer.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6888) Cold_Turkey_Installer.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6888) Cold_Turkey_Installer.tmp	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6888) Cold_Turkey_Installer.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Cold Turkey\Blocker\Settings
Operation:	write	Name:	JustInstalled
Value: true
(PID) Process:	(6888) Cold_Turkey_Installer.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Cold Turkey\Blocker\Settings
Operation:	write	Name:	Restarted
Value: false
(PID) Process:	(6888) Cold_Turkey_Installer.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION
Operation:	write	Name:	Cold Turkey Blocker.exe
Value: 11000
(PID) Process:	(6888) Cold_Turkey_Installer.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING
Operation:	write	Name:	Cold Turkey Blocker.exe
Value: 1
(PID) Process:	(6888) Cold_Turkey_Installer.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1
Operation:	write	Name:	Inno Setup: Setup Version
Value: 6.1.0-beta
(PID) Process:	(6888) Cold_Turkey_Installer.tmp	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1
Operation:	write	Name:	Inno Setup: App Path
Value: C:\Program Files\Cold Turkey

PID	Process	Filename		Type
6888	Cold_Turkey_Installer.tmp	C:\Program Files\Cold Turkey\is-O0HL7.tmp		executable
		MD5:AB5237F34684B22C83CF9860BEE84CCA	SHA256:ABAAD44324E814AB2B36064146CD2E82E9EF2D2492C6F620CB7118D5F9904F40
6772	Cold_Turkey_Installer.exe	C:\Users\admin\AppData\Local\Temp\is-HK3UP.tmp\Cold_Turkey_Installer.tmp		executable
		MD5:03840135BB43E6C3DE3BEE0724C3C187	SHA256:70B5FAC312A869659BD0EF69A7DF1AB46AD7F19F340EB659E57CA71A579DA02A
6888	Cold_Turkey_Installer.tmp	C:\Program Files\Cold Turkey\is-QBQPI.tmp		executable
		MD5:C2E639633D46B0F92518ACD99B2CCA4B	SHA256:5E8FF71AEDF36A995151309A6626FFFADC51194E39EE1B9633810B752E7E59F2
6888	Cold_Turkey_Installer.tmp	C:\Program Files\Cold Turkey\is-50F6N.tmp		executable
		MD5:7A341F52BB71EDDC5B755063C70B33C7	SHA256:98929793F99D72268DC63562EC7A9D3CE8ECACDEAE5D03C0848A8FA88127CE44
6888	Cold_Turkey_Installer.tmp	C:\Program Files\Cold Turkey\is-12V7S.tmp		executable
		MD5:C1C7976BB06BC99331F175C66E2B5EA7	SHA256:97D1B687B92FA518E6F440141286987188EC99904CD11C0E0A207D116CDC1A18
6888	Cold_Turkey_Installer.tmp	C:\Program Files\Cold Turkey\is-KQM9K.tmp		binary
		MD5:9F9FEF0EF707D3B2DCAB79428390B9BE	SHA256:C304EF695BB3A6220ED56E6FD3B0539CED6EE20A90AD9D1237876B46F71D1A16
6888	Cold_Turkey_Installer.tmp	C:\Program Files\Cold Turkey\CTMsgHostEdge.exe		executable
		MD5:C1C7976BB06BC99331F175C66E2B5EA7	SHA256:97D1B687B92FA518E6F440141286987188EC99904CD11C0E0A207D116CDC1A18
6888	Cold_Turkey_Installer.tmp	C:\Program Files\Cold Turkey\CTMsgHostChrome.json		binary
		MD5:9F9FEF0EF707D3B2DCAB79428390B9BE	SHA256:C304EF695BB3A6220ED56E6FD3B0539CED6EE20A90AD9D1237876B46F71D1A16
6888	Cold_Turkey_Installer.tmp	C:\Program Files\Cold Turkey\is-I2K01.tmp		executable
		MD5:EACE7ACBD5A1A3884819FC2BDC0F937E	SHA256:4C6CD4FB3FA9252D578DCF2C10890223714A01793A9F60E1B152F3971D63B939
6888	Cold_Turkey_Installer.tmp	C:\Program Files\Cold Turkey\is-SHF81.tmp		binary
		MD5:06F8A880BDA481AF8FDE7B1E85276085	SHA256:DB65EF15747F119E6645381F3EF1E7F9C2F7F48B227D5B079C5EE10D64DE79C6

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	204	34.117.188.166:443	https://contile.services.mozilla.com/v1/tiles	unknown	—	—	—
—	—	GET	101	34.107.243.93:443	https://push.services.mozilla.com/	unknown	—	—	—
6344	firefox.exe	GET	200	34.107.221.82:80	http://detectportal.firefox.com/canonical.html	unknown	—	—	whitelisted
—	—	GET	401	13.107.6.158:443	https://business.bing.com/api/v1/user/token/microsoftgraph?&clienttype=edge-omnibox	unknown	—	—	—
—	—	GET	200	188.114.96.3:443	https://getcoldturkey.com/version/windows/	unknown	text	3 b	—
—	—	GET	200	188.114.97.3:443	https://getcoldturkey.com/support/extensions/firefox/	unknown	html	29.8 Kb	—
—	—	GET	200	142.250.185.234:443	https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POST&$req=ChUKE25hdmNsaWVudC1hdXRvLWZmb3gaJwgFEAEaGwoNCAUQBhgBIgMwMDEwARD31RUaAhgJ1ShmESICIAIoARonCAEQARobCg0IARAGGAEiAzAwMTABEJz_DRoCGAnWZvpiIgIgAigBGicIAxABGhsKDQgDEAYYASIDMDAxMAEQpPYNGgIYCRiY-6YiAiACKAEaJwgHEAEaGwoNCAcQBhgBIgMwMDEwARDLxQ4aAhgJeFtrxyICIAIoARolCAkQARoZCg0ICRAGGAEiAzAwMTABECMaAhgJi9M7nSICIAIoAQ==	unknown	binary	8.20 Mb	—
—	—	GET	200	34.160.144.191:443	https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-2024-03-20-10-07-03.chain	unknown	text	5.23 Kb	—
—	—	GET	200	34.149.100.209:443	https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/ms-language-packs/records/cfr-v1-en-US	unknown	binary	329 b	—
—	—	GET	200	188.114.96.3:443	https://getcoldturkey.com/support/extensions/edge/	unknown	html	36.3 Kb	—

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	192.168.100.255:138	—	—	—	whitelisted
3308	RUXIMICS.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2096	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2096	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4324	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted

Domain	IP	Reputation
google.com	142.250.184.206	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
getcoldturkey.com	188.114.97.3 188.114.96.3 2a06:98c1:3120::3 2a06:98c1:3121::3	whitelisted
detectportal.firefox.com	34.107.221.82	whitelisted
prod.detectportal.prod.cloudops.mozgcp.net	34.107.221.82 2600:1901:0:38d7::	whitelisted
contile.services.mozilla.com	34.117.188.166	whitelisted
spocs.getpocket.com	34.117.188.166	whitelisted
content-signature-2.cdn.mozilla.net	34.160.144.191	whitelisted
push.services.mozilla.com	34.107.243.93	whitelisted
prod.ads.prod.webservices.mozgcp.net	34.117.188.166	unknown

Process	Message
ServiceHub.Power.exe	Native library pre-loader is trying to load native SQLite library "C:\Program Files\Cold Turkey\x64\SQLite.Interop.dll"...
ServiceHub.Helper.exe	Native library pre-loader is trying to load native SQLite library "C:\Program Files\Cold Turkey\x64\SQLite.Interop.dll"...
Cold Turkey Blocker.exe	Native library pre-loader is trying to load native SQLite library "C:\Program Files\Cold Turkey\x64\SQLite.Interop.dll"...

General Info

Cold_Turkey_Installer.exe

EAA0F3DDD71DB24C3A64ECF58E40DA52

EACDAE7C9AF8FF3BE6BE93E83A8DBF1A101B823A

23A32B9DB00C74B0440132FD6DFD0A2B5F9F522B13F59B491C4BBF98070CDDF2

98304:w+QqZ8fzC1Hab+w3QaAWCHXuHy2TpISRJNbYDw6R7WR3hWzcSKX7/WQ9qLZtlJwq:KTs6zZ2Z

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Actions looks like stealing of personal data

SUSPICIOUS

Drops the executable file immediately after the start

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Reads the date of Windows installation

Uses NETSH.EXE to add a firewall rule or allowed programs

Process drops legitimate windows executable

Changes Internet Explorer settings (feature browser emulation)

Reads the Windows owner or organization settings

Executes as Windows Service

Reads Internet Explorer settings

The process verifies whether the antivirus software is installed

Reads Microsoft Outlook installation path

The process executes via Task Scheduler

INFO

Checks supported languages

Create files in a temporary directory

Reads the computer name

Process checks computer location settings

Creates a software uninstall entry

Creates files in the program directory

Reads the machine GUID from the registry

Checks proxy server information

Reads Environment values

Reads the software policy settings

Disables trace logs

Process checks Internet Explorer phishing filters

Application launched itself

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests