| File name: | Advanced_IP_Scanner_2.5.4594.1.exe |
| Full analysis: | https://app.any.run/tasks/55c0e826-5aa5-40c1-adbd-43cab7dba23b |
| Verdict: | Malicious activity |
| Analysis date: | August 22, 2024, 09:06:56 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 5537C708EDB9A2C21F88E34E8A0F1744 |
| SHA1: | 86233A285363C2A6863BF642DEAB7E20F062B8EB |
| SHA256: | 26D5748FFE6BD95E3FEE6CE184D388A1A681006DC23A0F08D53C083C593C193B |
| SSDEEP: | 393216:Plu7Txs0NDmNh9D4HaSYz2Kj0Cz1gEVmWdQOjM/y3tFfs5IRRViGmMQZ+Bw5i:A7Th9mT97S7CzNwWCJK05IRTX+Fi |
MALICIOUS
No malicious indicators.SUSPICIOUS
Executable content was dropped or overwritten
- Advanced_IP_Scanner_2.5.4594.1.exe (PID: 6672)
- Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 6172)
Drops the executable file immediately after the start
- Advanced_IP_Scanner_2.5.4594.1.exe (PID: 6672)
- Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 6172)
- msiexec.exe (PID: 6268)
Reads the Windows owner or organization settings
- Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 6172)
- msiexec.exe (PID: 6268)
Process drops legitimate windows executable
- Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 6172)
- msiexec.exe (PID: 6268)
Checks Windows Trust Settings
- msiexec.exe (PID: 6268)
The process drops C-runtime libraries
- msiexec.exe (PID: 6268)
Reads security settings of Internet Explorer
- msiexec.exe (PID: 6268)
Detection of a Network Scan
- advanced_ip_scanner.exe (PID: 6832)
There is functionality for taking screenshot (YARA)
- advanced_ip_scanner.exe (PID: 6832)
INFO
Create files in a temporary directory
- Advanced_IP_Scanner_2.5.4594.1.exe (PID: 6672)
- Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 6172)
Checks supported languages
- Advanced_IP_Scanner_2.5.4594.1.exe (PID: 6672)
- Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 6172)
- msiexec.exe (PID: 6268)
- msiexec.exe (PID: 7056)
- advanced_ip_scanner.exe (PID: 6832)
- msiexec.exe (PID: 6896)
Reads the computer name
- Advanced_IP_Scanner_2.5.4594.1.tmp (PID: 6172)
- msiexec.exe (PID: 6268)
- msiexec.exe (PID: 7056)
- msiexec.exe (PID: 6896)
- advanced_ip_scanner.exe (PID: 6832)
Reads the machine GUID from the registry
- msiexec.exe (PID: 6268)
- advanced_ip_scanner.exe (PID: 6832)
Reads the software policy settings
- msiexec.exe (PID: 6268)
Creates files or folders in the user directory
- msiexec.exe (PID: 6268)
Reads Microsoft Office registry keys
- msiexec.exe (PID: 6268)
Creates a software uninstall entry
- msiexec.exe (PID: 6268)
Reads Environment values
- msiexec.exe (PID: 7056)
Executable content was dropped or overwritten
- msiexec.exe (PID: 6268)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | InstallShield setup (80.2) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (8.4) |
| .exe | | | Win16/32 Executable Delphi generic (3.8) |
| .exe | | | Generic Win/DOS Executable (3.7) |
| .exe | | | DOS Executable Generic (3.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2013:01:30 14:21:56+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 65024 |
| InitializedDataSize: | 73728 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x113bc |
| OSVersion: | 5 |
| ImageVersion: | 6 |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.5.4594.1 |
| ProductVersionNumber: | 2.5.4594.1 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | Famatech Corp. |
| FileDescription: | Advanced IP Scanner Setup |
| FileVersion: | 2.5.4594.1 |
| LegalCopyright: | Copyright © 2002-2022 Famatech Corp. and its licensors. All rights reserved. |
| ProductName: | Advanced IP Scanner |
| ProductVersion: | 2.5.4594.1 |
Total processes
123
Monitored processes
6
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 6172 | "C:\Users\admin\AppData\Local\Temp\is-51KP0.tmp\Advanced_IP_Scanner_2.5.4594.1.tmp" /SL5="$603C8,20439558,139776,C:\Users\admin\Desktop\Advanced_IP_Scanner_2.5.4594.1.exe" | C:\Users\admin\AppData\Local\Temp\is-51KP0.tmp\Advanced_IP_Scanner_2.5.4594.1.tmp | Advanced_IP_Scanner_2.5.4594.1.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 6268 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6672 | "C:\Users\admin\Desktop\Advanced_IP_Scanner_2.5.4594.1.exe" | C:\Users\admin\Desktop\Advanced_IP_Scanner_2.5.4594.1.exe | explorer.exe | ||||||||||||
User: admin Company: Famatech Corp. Integrity Level: MEDIUM Description: Advanced IP Scanner Setup Exit code: 0 Version: 2.5.4594.1 Modules
| |||||||||||||||
| 6832 | "C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe" | C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe | Advanced_IP_Scanner_2.5.4594.1.tmp | ||||||||||||
User: admin Company: Famatech Corp. Integrity Level: MEDIUM Description: Advanced IP Scanner Version: 2.5.4594.1 Modules
| |||||||||||||||
| 6896 | C:\Windows\syswow64\MsiExec.exe -Embedding 3E2FC30F7435F1D8A220DB0CA6803D23 E Global\MSI0000 | C:\Windows\SysWOW64\msiexec.exe | — | msiexec.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7056 | C:\Windows\syswow64\MsiExec.exe -Embedding 1C13CFF1903E64CFE17D7FE98D9A3355 | C:\Windows\SysWOW64\msiexec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
10 403
Read events
10 104
Write events
284
Delete events
15
Modification events
| (PID) Process: | (6172) Advanced_IP_Scanner_2.5.4594.1.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Owner |
Value: 1C180000156AC6AA72F4DA01 | |||
| (PID) Process: | (6172) Advanced_IP_Scanner_2.5.4594.1.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | SessionHash |
Value: 7FCF985C37CC61B93D7D23FA2AE731DB9B768E3A1548C6EBB1AEEF66956FA596 | |||
| (PID) Process: | (6172) Advanced_IP_Scanner_2.5.4594.1.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (6172) Advanced_IP_Scanner_2.5.4594.1.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFiles0000 |
Value: C:\Program Files (x86)\Advanced IP Scanner\advanced_ip_scanner.exe | |||
| (PID) Process: | (6172) Advanced_IP_Scanner_2.5.4594.1.tmp | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFilesHash |
Value: EF17731A505F0408374A0D153197AB13F838ABF6F2CF5A9C1F0F48C5D2C5A489 | |||
| (PID) Process: | (6268) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0001 |
| Operation: | write | Name: | Owner |
Value: 7C180000B9FFE1B072F4DA01 | |||
| (PID) Process: | (6268) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0001 |
| Operation: | write | Name: | SessionHash |
Value: 02DFC2B16E929C01035F83380D94A2E510AA5CC50DB236BC0FC3A33F7AD949E4 | |||
| (PID) Process: | (6268) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0001 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (7056) msiexec.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings |
| Operation: | write | Name: | JITDebug |
Value: 0 | |||
| (PID) Process: | (7056) msiexec.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\msiexec.exe |
| Operation: | write | Name: | JScriptSetScriptStateStarted |
Value: 2B29120000000000 | |||
Executable files
63
Suspicious files
65
Text files
40
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6172 | Advanced_IP_Scanner_2.5.4594.1.tmp | C:\Users\admin\AppData\Local\Temp\is-KR6C1.tmp\is-Q0KBS.tmp | — | |
MD5:— | SHA256:— | |||
| 6172 | Advanced_IP_Scanner_2.5.4594.1.tmp | C:\Users\admin\AppData\Local\Temp\is-KR6C1.tmp\ip_scan_en_us_Release_2.5.4594.1.msi | — | |
MD5:— | SHA256:— | |||
| 6268 | msiexec.exe | C:\Windows\Installer\121eea.msi | — | |
MD5:— | SHA256:— | |||
| 6172 | Advanced_IP_Scanner_2.5.4594.1.tmp | C:\Users\admin\AppData\Local\Temp\is-KR6C1.tmp\_isetup\_setup64.tmp | executable | |
MD5:C8871EFD8AF2CF4D9D42D1FF8FADBF89 | SHA256:E4FC574A01B272C2D0AED0EC813F6D75212E2A15A5F5C417129DD65D69768F40 | |||
| 6172 | Advanced_IP_Scanner_2.5.4594.1.tmp | C:\Users\admin\AppData\Local\Temp\is-KR6C1.tmp\_isetup\_shfoldr.dll | executable | |
MD5:92DC6EF532FBB4A5C3201469A5B5EB63 | SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 | |||
| 6268 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F | binary | |
MD5:5BFA51F3A417B98E7443ECA90FC94703 | SHA256:BEBE2853A3485D1C2E5C5BE4249183E0DDAFF9F87DE71652371700A89D937128 | |||
| 6268 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8828F39C7C0CE9A14B25C7EB321181BA_3DF94EB797096674F7793A562A778C5F | binary | |
MD5:16D52D06E8DF230E75D41D25BB9F7B8D | SHA256:D3EE2AA9A01031F4B4D2A520D74BDCE158516F0C293890FC57270AC2D920E0F7 | |||
| 6268 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A3D5BF1283C2E63D8C8A8C72F0051F5A | der | |
MD5:A0AF4D81B2B19A99A3D01BE89D5F99D9 | SHA256:DE9F05CEB1610CF9964F0DEF09D525005569602993C82A647743F192E9414D4A | |||
| 6268 | msiexec.exe | C:\Windows\Installer\MSI2C59.tmp | binary | |
MD5:5B8E7F1B0F33483B3622382DAD467E94 | SHA256:5AF7D3FCF55AD1F3D56877E2AAB27BC59F00D3C9D8B5ED8AF3AF9B951E350C30 | |||
| 6268 | msiexec.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A3D5BF1283C2E63D8C8A8C72F0051F5A | binary | |
MD5:09556FC887BEF063398BDA23F7950B7A | SHA256:2E68CB0E5BBA0526B8E0A0F690F019D6E7E48A9342EDEFB0B3AE0C2EAB39672C | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
17
DNS requests
10
Threats
2
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6268 | msiexec.exe | GET | 200 | 152.199.19.74:80 | http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D | unknown | — | — | whitelisted |
6268 | msiexec.exe | GET | 200 | 152.199.19.74:80 | http://s.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD%2BOyl%2B0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEBkaMst1nJe4z6wRjdUSf0k%3D | unknown | — | — | whitelisted |
6268 | msiexec.exe | GET | 200 | 152.199.19.74:80 | http://sw.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSbgiNwvmjR4M%2B9oE39sZR%2FxyzMPwQUFmbeSjTjUKcRhgOxbKnGrM1ZbpsCEGiQCmGXQyqAc98MLL9U12U%3D | unknown | — | — | whitelisted |
6268 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://s.symcb.com/pca3-g5.crl | unknown | — | — | whitelisted |
6268 | msiexec.exe | GET | 200 | 152.199.19.74:80 | http://sw.symcd.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSbgiNwvmjR4M%2B9oE39sZR%2FxyzMPwQUFmbeSjTjUKcRhgOxbKnGrM1ZbpsCEGiQCmGXQyqAc98MLL9U12U%3D | unknown | — | — | whitelisted |
6268 | msiexec.exe | GET | 200 | 192.229.221.95:80 | http://sw.symcb.com/sw.crl | unknown | — | — | whitelisted |
6832 | advanced_ip_scanner.exe | GET | 200 | 188.40.30.100:80 | http://www.advanced-ip-scanner.com/checkupdate.php?lng=en&ver=2-5-4594-1&beta=n&type=upd&rmode=i&product=aips | unknown | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 192.168.100.255:138 | — | — | — | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3412 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
6268 | msiexec.exe | 152.199.19.74:80 | s.symcd.com | EDGECAST | US | unknown |
6268 | msiexec.exe | 192.229.221.95:80 | s.symcb.com | EDGECAST | US | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6832 | advanced_ip_scanner.exe | 188.40.30.100:80 | www.advanced-ip-scanner.com | Hetzner Online GmbH | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
s.symcd.com |
| shared |
s.symcb.com |
| whitelisted |
sw.symcd.com |
| whitelisted |
sw.symcb.com |
| whitelisted |
www.advanced-ip-scanner.com |
| shared |
Threats
PID | Process | Class | Message |
|---|---|---|---|
6832 | advanced_ip_scanner.exe | Detection of a Network Scan | ET ADWARE_PUP IP Scanner Tool Update Request (GET) |
1 ETPRO signatures available at the full report