File name:

VSCodeUserSetup-x64-1.91.0.exe

Full analysis: https://app.any.run/tasks/9ea9d4ef-251d-45cc-89e7-c30c2ec89bca
Verdict: Malicious activity
Analysis date: July 06, 2024, 20:10:25
OS: Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

66DAEC4AE27A6B36636307CD2F150BC9

SHA1:

6A2E1A22A4D44EF5AEE036B070AFEF1BF57B00AD

SHA256:

2766CF5487E3CD2F103F6EED4BD8B859EFA6820FC8769D263E0473D49F464CCF

SSDEEP:

786432:ECkJN1yOaw0y5i0/uVfMHFRwr/ChsFqt54K+:ECgaw0ci0k86jZw4K+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • VSCodeUserSetup-x64-1.91.0.exe (PID: 3724)
      • VSCodeUserSetup-x64-1.91.0.tmp (PID: 3776)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • VSCodeUserSetup-x64-1.91.0.exe (PID: 3724)
      • VSCodeUserSetup-x64-1.91.0.tmp (PID: 3776)
    • Reads the Windows owner or organization settings

      • VSCodeUserSetup-x64-1.91.0.tmp (PID: 3776)
    • Reads security settings of Internet Explorer

      • VSCodeUserSetup-x64-1.91.0.tmp (PID: 3776)
    • Reads the date of Windows installation

      • VSCodeUserSetup-x64-1.91.0.tmp (PID: 3776)
    • Get information on the list of running processes

      • VSCodeUserSetup-x64-1.91.0.tmp (PID: 3776)
    • Starts POWERSHELL.EXE for commands execution

      • VSCodeUserSetup-x64-1.91.0.tmp (PID: 3776)
    • Uses ICACLS.EXE to modify access control lists

      • VSCodeUserSetup-x64-1.91.0.tmp (PID: 3776)
    • Kill processes via PowerShell

      • powershell.exe (PID: 3108)
    • Process drops legitimate windows executable

      • VSCodeUserSetup-x64-1.91.0.tmp (PID: 3776)
  • INFO

    • Checks supported languages

      • VSCodeUserSetup-x64-1.91.0.exe (PID: 3724)
      • VSCodeUserSetup-x64-1.91.0.tmp (PID: 3776)
    • Reads the computer name

      • VSCodeUserSetup-x64-1.91.0.tmp (PID: 3776)
    • Create files in a temporary directory

      • VSCodeUserSetup-x64-1.91.0.exe (PID: 3724)
      • VSCodeUserSetup-x64-1.91.0.tmp (PID: 3776)
    • Process checks computer location settings

      • VSCodeUserSetup-x64-1.91.0.tmp (PID: 3776)
    • Creates files or folders in the user directory

      • VSCodeUserSetup-x64-1.91.0.tmp (PID: 3776)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (67.7)
.exe | Win32 EXE PECompact compressed (generic) (25.6)
.exe | Win32 Executable (generic) (2.7)
.exe | Win16/32 Executable Delphi generic (1.2)
.exe | Generic Win/DOS Executable (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:05:21 05:56:23+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741376
InitializedDataSize: 86016
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6
ImageVersion: 6
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.91.0.0
ProductVersionNumber: 1.91.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Microsoft Corporation
FileDescription: Visual Studio Code Setup
FileVersion: 1.91.0
LegalCopyright:
OriginalFileName:
ProductName: Visual Studio Code
ProductVersion: 1.91.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
114
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start vscodeusersetup-x64-1.91.0.exe vscodeusersetup-x64-1.91.0.tmp powershell.exe no specs conhost.exe no specs icacls.exe no specs conhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2260\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
3108"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "Get-WmiObject Win32_Process | Where-Object { $_.ExecutablePath -eq 'C:\Users\admin\AppData\Local\Programs\Microsoft VS Code\bin\code-tunnel.exe' } | Select @{Name='Id'; Expression={$_.ProcessId}} | Stop-Process -Force"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeVSCodeUserSetup-x64-1.91.0.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3724"C:\Users\admin\Desktop\VSCodeUserSetup-x64-1.91.0.exe" C:\Users\admin\Desktop\VSCodeUserSetup-x64-1.91.0.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Visual Studio Code Setup
Version:
1.91.0
Modules
Images
c:\users\admin\desktop\vscodeusersetup-x64-1.91.0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
3776"C:\Users\admin\AppData\Local\Temp\is-VKN6K.tmp\VSCodeUserSetup-x64-1.91.0.tmp" /SL5="$701E0,98483558,828416,C:\Users\admin\Desktop\VSCodeUserSetup-x64-1.91.0.exe" C:\Users\admin\AppData\Local\Temp\is-VKN6K.tmp\VSCodeUserSetup-x64-1.91.0.tmp
VSCodeUserSetup-x64-1.91.0.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-vkn6k.tmp\vscodeusersetup-x64-1.91.0.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
5052"C:\WINDOWS\system32\icacls.exe" "C:\Users\admin\AppData\Local\Programs\Microsoft VS Code" /inheritancelevel:r /grant:r "*S-1-5-18:(OI)(CI)F" /grant:r "*S-1-5-32-544:(OI)(CI)F" /grant:r "*S-1-5-11:(OI)(CI)RX" /grant:r "*S-1-5-32-545:(OI)(CI)RX" /grant:r "*S-1-3-0:(OI)(CI)F" /grant:r "admin:(OI)(CI)F"C:\Windows\System32\icacls.exeVSCodeUserSetup-x64-1.91.0.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
5932\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeicacls.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
6 692
Read events
6 679
Write events
13
Delete events
0

Modification events

(PID) Process:(3776) VSCodeUserSetup-x64-1.91.0.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:Owner
Value:
C00E000042339CA5E0CFDA01
(PID) Process:(3776) VSCodeUserSetup-x64-1.91.0.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:SessionHash
Value:
447DA67216DF7102BD41FE96CC802B0E59D277E8F990D888851DEDEB795A2E16
(PID) Process:(3776) VSCodeUserSetup-x64-1.91.0.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:Sequence
Value:
1
(PID) Process:(3776) VSCodeUserSetup-x64-1.91.0.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3776) VSCodeUserSetup-x64-1.91.0.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3776) VSCodeUserSetup-x64-1.91.0.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3776) VSCodeUserSetup-x64-1.91.0.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3776) VSCodeUserSetup-x64-1.91.0.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:RegFiles0000
Value:
C:\Users\admin\AppData\Local\Programs\Microsoft VS Code\Code.exe
(PID) Process:(3776) VSCodeUserSetup-x64-1.91.0.tmpKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:writeName:RegFilesHash
Value:
41A5E002DE4ABF652FFA3ACE9368C97EDDC06E4D8BE05A174F6DA3DFEA9524A7
Executable files
64
Suspicious files
946
Text files
842
Unknown types
33

Dropped files

PID
Process
Filename
Type
3776VSCodeUserSetup-x64-1.91.0.tmpC:\Users\admin\AppData\Local\Programs\Microsoft VS Code\is-FBNG1.tmp
MD5:
SHA256:
3776VSCodeUserSetup-x64-1.91.0.tmpC:\Users\admin\AppData\Local\Programs\Microsoft VS Code\Code.exe
MD5:
SHA256:
3776VSCodeUserSetup-x64-1.91.0.tmpC:\Users\admin\AppData\Local\Programs\Microsoft VS Code\is-HO8OQ.tmp
MD5:
SHA256:
3776VSCodeUserSetup-x64-1.91.0.tmpC:\Users\admin\AppData\Local\Programs\Microsoft VS Code\icudtl.dat
MD5:
SHA256:
3776VSCodeUserSetup-x64-1.91.0.tmpC:\Users\admin\AppData\Local\Programs\Microsoft VS Code\is-ACOKF.tmpbinary
MD5:E02160C24B8077B36FF06DC05A9DF057
SHA256:4D5B51F720F7D3146E131C54A6F75E4E826C61B2FF15C8955F6D6DD15BEDF106
3776VSCodeUserSetup-x64-1.91.0.tmpC:\Users\admin\AppData\Local\Programs\Microsoft VS Code\is-ONV94.tmptext
MD5:B6D19543586A80A26E488B2F4D6E4441
SHA256:F70BE988B1C8C40F3C8A7D8C8964FB5FB44FE9C5A2527AA5C980F8C8EFF6C9B6
3776VSCodeUserSetup-x64-1.91.0.tmpC:\Users\admin\AppData\Local\Programs\Microsoft VS Code\is-O086C.tmp
MD5:
SHA256:
3776VSCodeUserSetup-x64-1.91.0.tmpC:\Users\admin\AppData\Local\Programs\Microsoft VS Code\LICENSES.chromium.html
MD5:
SHA256:
3776VSCodeUserSetup-x64-1.91.0.tmpC:\Users\admin\AppData\Local\Programs\Microsoft VS Code\is-BF8FJ.tmp
MD5:
SHA256:
3776VSCodeUserSetup-x64-1.91.0.tmpC:\Users\admin\AppData\Local\Programs\Microsoft VS Code\resources.pak
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
20
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1776
svchost.exe
GET
200
23.48.23.194:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
444
MoUsoCoreWorker.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
444
MoUsoCoreWorker.exe
GET
200
23.48.23.194:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
GET
200
23.48.23.194:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
POST
200
20.189.173.24:443
https://self.events.data.microsoft.com/OneCollector/1.0/
unknown
binary
9 b
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
unknown
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
239.255.255.250:1900
unknown
444
MoUsoCoreWorker.exe
23.48.23.194:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1776
svchost.exe
23.48.23.194:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
23.48.23.194:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
unknown
444
MoUsoCoreWorker.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
unknown
192.168.100.255:137
unknown
3040
OfficeClickToRun.exe
20.189.173.27:443
self.events.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
crl.microsoft.com
  • 23.48.23.194
  • 23.48.23.177
  • 23.48.23.164
  • 23.48.23.141
  • 23.48.23.143
unknown
www.microsoft.com
  • 23.35.229.160
unknown
settings-win.data.microsoft.com
  • 4.231.128.59
unknown
self.events.data.microsoft.com
  • 20.189.173.27
unknown

Threats

No threats detected
No debug info