analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

kis20.0.14.1085abcen_18789.exe

Full analysis: https://app.any.run/tasks/389f9733-fb9f-4e6e-8daf-979a8735cac9
Verdict: Malicious activity
Analysis date: October 13, 2019, 23:54:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

220868EAEB772C3F2AA292BF06523795

SHA1:

261945EB07AD8A41A1BB6DDD5F57702061ED9560

SHA256:

25D7A92BACFB437945A76EBBB162087FCC1AEAAF75F85E3D4881721D1B86619E

SSDEEP:

49152:YgcdSF99HnIW8LMTgVHYqjSsW6yoBwmNcXFGNz4UwSMDv/:+SFHnIf4TOYmSd6r6m+VMz4DSS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • TEST_WPF.EXE (PID: 3784)
      • kis20.0.14.1085abcen_18789.exe (PID: 1404)
      • kis20.0.14.1085abcen_18789.exe (PID: 2720)
    • Application was dropped or rewritten from another process

      • TEST_WPF.EXE (PID: 3784)
  • SUSPICIOUS

    • Reads Internet Cache Settings

      • kis20.0.14.1085abcen_18789.exe (PID: 2720)
      • kis20.0.14.1085abcen_18789.exe (PID: 1404)
    • Executable content was dropped or overwritten

      • kis20.0.14.1085abcen_18789.exe (PID: 2720)
      • kis20.0.14.1085abcen_18789.exe (PID: 1404)
      • msiexec.exe (PID: 3096)
      • MsiExec.exe (PID: 3984)
      • MsiExec.exe (PID: 1776)
    • Application launched itself

      • kis20.0.14.1085abcen_18789.exe (PID: 2720)
    • Creates files in the program directory

      • kis20.0.14.1085abcen_18789.exe (PID: 1404)
    • Creates files in the user directory

      • kis20.0.14.1085abcen_18789.exe (PID: 1404)
    • Creates files in the Windows directory

      • MsiExec.exe (PID: 1776)
    • Creates files in the driver directory

      • MsiExec.exe (PID: 1776)
    • Removes files from Windows directory

      • MsiExec.exe (PID: 1776)
  • INFO

    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 1776)
      • msiexec.exe (PID: 3096)
      • MsiExec.exe (PID: 3984)
    • Reads settings of System Certificates

      • kis20.0.14.1085abcen_18789.exe (PID: 1404)
    • Application launched itself

      • msiexec.exe (PID: 3096)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

OriginalFileName: Setup.exe
InternalName: Setup
ProductVersion: 20.0.14.1085
ProductName: Kaspersky Internet Security
LegalTrademarks: Registered trademarks and service marks are the property of their respective owners
LegalCopyright: © 2019 AO Kaspersky Lab. All Rights Reserved.
FileVersion: 20.0.14.1085
FileDescription: Kaspersky Internet Security [20.0.14.1085.0.2007.0 (a.b.c)]
CompanyName: Kaspersky
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 20.0.14.1085
FileVersionNumber: 20.0.14.1085
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x1f97
UninitializedDataSize: -
InitializedDataSize: 2526720
CodeSize: 194048
LinkerVersion: 14
PEType: PE32
TimeStamp: 2032:09:19 00:20:17+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 18-Sep-2032 22:20:17
Detected languages:
  • English - United States
  • Process Default Language
Debug artifacts:
  • D:\bs\main\21229\Out\Win32\Release\starter.pdb
CompanyName: Kaspersky
FileDescription: Kaspersky Internet Security [20.0.14.1085.0.2007.0 (a.b.c)]
FileVersion: 20.0.14.1085
LegalCopyright: © 2019 AO Kaspersky Lab. All Rights Reserved.
LegalTrademarks: Registered trademarks and service marks are the property of their respective owners
ProductName: Kaspersky Internet Security
ProductVersion: 20.0.14.1085
InternalName: Setup
OriginalFilename: Setup.exe

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 7
Time date stamp: 18-Sep-2032 22:20:17
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0002F42E
0x0002F600
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.67281
.rdata
0x00031000
0x00010E82
0x00011000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.35589
.data
0x00042000
0x00004458
0x00000E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.71909
.gfids
0x00047000
0x00000420
0x00000600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.11013
.tls
0x00048000
0x00000009
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0.0203931
.rsrc
0x00049000
0x00253BB8
0x00253C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.94096
.reloc
0x0029D000
0x00002A60
0x00002C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.52413

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.27937
1606
Latin 1 / Western European
English - United States
RT_MANIFEST
2
3.19556
2216
Latin 1 / Western European
Process Default Language
RT_ICON
3
3.04315
1736
Latin 1 / Western European
Process Default Language
RT_ICON
4
2.40839
1384
Latin 1 / Western European
Process Default Language
RT_ICON
5
3.09332
174
Latin 1 / Western European
Process Default Language
RT_GROUP_ICON
6
3.50356
67624
Latin 1 / Western European
Process Default Language
RT_ICON
7
4.14647
38056
Latin 1 / Western European
Process Default Language
RT_ICON
8
3.77256
16936
Latin 1 / Western European
Process Default Language
RT_ICON
9
3.89914
9640
Latin 1 / Western European
Process Default Language
RT_ICON
10
4.15612
4264
Latin 1 / Western European
Process Default Language
RT_ICON

Imports

KERNEL32.dll
RPCRT4.dll (delay-loaded)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
6
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start kis20.0.14.1085abcen_18789.exe kis20.0.14.1085abcen_18789.exe test_wpf.exe no specs msiexec.exe msiexec.exe msiexec.exe

Process information

PID
CMD
Path
Indicators
Parent process
2720"C:\Users\admin\AppData\Local\Temp\kis20.0.14.1085abcen_18789.exe" C:\Users\admin\AppData\Local\Temp\kis20.0.14.1085abcen_18789.exe
explorer.exe
User:
admin
Company:
Kaspersky
Integrity Level:
MEDIUM
Description:
Kaspersky Internet Security [20.0.14.1085.0.2007.0 (a.b.c)]
Version:
20.0.14.1085
1404"C:\Users\admin\AppData\Local\Temp\kis20.0.14.1085abcen_18789.exe" /-elevated=C:\Users\admin\AppData\Local\Temp\kis20.0.14.1085abcen_18789.exe
kis20.0.14.1085abcen_18789.exe
User:
admin
Company:
Kaspersky
Integrity Level:
HIGH
Description:
Kaspersky Internet Security [20.0.14.1085.0.2007.0 (a.b.c)]
Version:
20.0.14.1085
3784"C:\Users\admin\AppData\Local\Temp\F738FC1B-EE14-11E9-AB41-5254004A04AF\TEST_WPF.EXE" "C:\Users\admin\AppData\Local\Temp\91CF837F41EE9E11BA14254500A440FA\setup.dll"C:\Users\admin\AppData\Local\Temp\F738FC1B-EE14-11E9-AB41-5254004A04AF\TEST_WPF.EXEkis20.0.14.1085abcen_18789.exe
User:
admin
Integrity Level:
HIGH
Description:
test_wpf
Exit code:
0
Version:
1.0.0.0
3096C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3984C:\Windows\system32\MsiExec.exe -Embedding A131B79FBBFC17C48100994D96F142F3C:\Windows\system32\MsiExec.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
1776C:\Windows\system32\MsiExec.exe -Embedding 5E330327E9591857815303A86174C9F8 M Global\MSI0000C:\Windows\system32\MsiExec.exe
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Total events
1 157
Read events
934
Write events
0
Delete events
0

Modification events

No data
Executable files
44
Suspicious files
40
Text files
65
Unknown types
54

Dropped files

PID
Process
Filename
Type
1404kis20.0.14.1085abcen_18789.exeC:\Users\admin\AppData\Local\Temp\kl-setup-2019-10-14-00-55-43_KIS.20.0.14.1085.log
MD5:
SHA256:
1404kis20.0.14.1085abcen_18789.exeC:\ProgramData\Kaspersky Lab Setup Files\KIS20.0.14.1085.0.2007.0\common.z
MD5:
SHA256:
1404kis20.0.14.1085abcen_18789.exeC:\ProgramData\Kaspersky Lab Setup Files\KIS20.0.14.1085.0.2007.0\coreproduct.z
MD5:
SHA256:
1404kis20.0.14.1085abcen_18789.exeC:\ProgramData\Kaspersky Lab Setup Files\KIS20.0.14.1085.0.2007.0\ksn_ep_en.txtgmc
MD5:D372BECD38E3E87D4EB7D80D4E1C93FD
SHA256:D545D1A71A9D8F012CAAE579523F3D457A7CB47CD6754847660D5DD5112402F1
1404kis20.0.14.1085abcen_18789.exeC:\ProgramData\Kaspersky Lab Setup Files\KIS20.0.14.1085.0.2007.0\ksde_eula_gdpr_en.txtgmc
MD5:56CE4408CFC4FB96E1AB004F73D28642
SHA256:A21C247691045717C6D63A508EC2C5DC6BC8F89EC95EBC798DFB87014134950A
1404kis20.0.14.1085abcen_18789.exeC:\ProgramData\Kaspersky Lab Setup Files\KIS20.0.14.1085.0.2007.0\ksde_ksn_ep_en.txtgmc
MD5:E94BD5257A3B9DEC5E7F4A5B640DAD6A
SHA256:3A810C98996F1A274FAE4594957DD19C3B6A4DCFB82640EE27F2E4BF547608B7
1404kis20.0.14.1085abcen_18789.exeC:\ProgramData\Kaspersky Lab Setup Files\KIS20.0.14.1085.0.2007.0\ksde_rdp_en.txtgmc
MD5:680EF15057FCF145E7A201012D85002E
SHA256:50C4D09004F2B3293E1E800A952B0742149DEF31CD83993509D15BDFACA48639
1404kis20.0.14.1085abcen_18789.exeC:\ProgramData\Kaspersky Lab Setup Files\KIS20.0.14.1085.0.2007.0\eula_gdpr_en.txtgmc
MD5:31E0217277C858E6F97DB34AC0303CBA
SHA256:8B34659BED4AED4DE431E4276F81419E714EB2DB180EFE653F0D12234D1D1F80
1404kis20.0.14.1085abcen_18789.exeC:\ProgramData\Kaspersky Lab Setup Files\KIS20.0.14.1085.0.2007.0\ksde_coreproduct.z
MD5:
SHA256:
1404kis20.0.14.1085abcen_18789.exeC:\ProgramData\Kaspersky Lab Setup Files\KIS20.0.14.1085.0.2007.0\ksn_marketing_en.txtgmc
MD5:4E4BF989A561A6BA7477F82E99AA406E
SHA256:E17830ADDC6337B7E40294BC2D42E4A2C5B78EB564372D515B2E1BA03809315A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
9
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1404
kis20.0.14.1085abcen_18789.exe
GET
301
77.74.178.40:80
http://www.kaspersky.com/
RU
html
162 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2720
kis20.0.14.1085abcen_18789.exe
212.73.221.196:443
dm.s.kaspersky-labs.com
Level 3 Communications, Inc.
FR
suspicious
1404
kis20.0.14.1085abcen_18789.exe
130.117.190.203:443
redirect.kaspersky.com
Cogent Communications
suspicious
1404
kis20.0.14.1085abcen_18789.exe
77.74.178.40:80
www.kaspersky.com
Kaspersky Lab AO
RU
suspicious
1404
kis20.0.14.1085abcen_18789.exe
77.74.178.40:443
www.kaspersky.com
Kaspersky Lab AO
RU
suspicious
1404
kis20.0.14.1085abcen_18789.exe
185.85.15.47:443
www.kaspersky.co.uk
Kaspersky Lab AO
RU
suspicious
2720
kis20.0.14.1085abcen_18789.exe
130.117.190.147:443
dm.s.kaspersky-labs.com
Cogent Communications
suspicious
1404
kis20.0.14.1085abcen_18789.exe
212.73.221.196:443
dm.s.kaspersky-labs.com
Level 3 Communications, Inc.
FR
suspicious

DNS requests

Domain
IP
Reputation
dm.s.kaspersky-labs.com
  • 212.73.221.196
  • 130.117.190.147
  • 80.231.123.202
suspicious
dns.msftncsi.com
  • 131.107.255.255
shared
redirect.kaspersky.com
  • 130.117.190.203
suspicious
www.kaspersky.com
  • 77.74.178.40
whitelisted
www.kaspersky.co.uk
  • 185.85.15.47
suspicious

Threats

PID
Process
Class
Message
1404
kis20.0.14.1085abcen_18789.exe
Misc activity
APP [PTsecurity] Kaspersky Downloader
No debug info