File name: WebCubeAgentSetup_1243.exe

Full analysis: https://app.any.run/tasks/d6135a99-cb4f-4405-afca-31e739778e9e
Verdict: Malicious activity
Analysis date: April 17, 2024, 05:34:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 711DCCA2C12EA94C7FD56C8FCBDE32E2
SHA1: BEBEC1877562165FFC4D9AB132D9F55254E9C6A1
SHA256: 2E0C35872A42B9FBEF5E1218D1852F5FFDA9F2197DAB4C2F2C5BABBB96B395EB
SSDEEP: 98304:bJ0g7IydvFc25K/jFmtZQ0tyv38h3nwyM7dyP9EAXpDUNbp4/m/0J/8SjxJ/N1NP:x4laMgax3liLApE7R

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • WebCubeAgentSetup_1243.exe (PID: 3900)
      • TUCtlMng.exe (PID: 2736)
      • CubeU.exe (PID: 3468)
    • Actions look like stealing of personal data

      • WebCubeInit.exe (PID: 1504)
      • WebCubeInit.exe (PID: 752)
    • Creates a writable file in the system directory

      • TUCtlMng.exe (PID: 2736)
      • CubeU.exe (PID: 3468)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WebCubeAgentSetup_1243.exe (PID: 3900)
      • TUCtlMng.exe (PID: 2736)
      • CubeU.exe (PID: 3468)
    • The process creates files with name similar to system file names

      • TUCtlMng.exe (PID: 2736)
      • WebCubeAgentSetup_1243.exe (PID: 3900)
    • Executes as Windows Service

      • TUCTLSystem.exe (PID: 584)
    • Drops a system driver (possible attempt to evade defenses)

      • WebCubeAgentSetup_1243.exe (PID: 3900)
    • Changes internet zones settings

      • WebCubeAgentSetup_1243.exe (PID: 3900)
    • Creates a software uninstall entry

      • WebCubeAgentSetup_1243.exe (PID: 3900)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • WebCubeAgentSetup_1243.exe (PID: 3900)
    • Adds/modifies Windows certificates

      • CubeU.exe (PID: 3468)
      • importpfx.exe (PID: 2448)
    • Reads security settings of Internet Explorer

      • CubeU.exe (PID: 3468)
  • INFO

    • Checks supported languages

      • WebCubeAgentSetup_1243.exe (PID: 3900)
      • WebCubeInit.exe (PID: 1504)
      • WebCubeInit.exe (PID: 752)
      • TUCTLSystem.exe (PID: 584)
      • CubeU.exe (PID: 3468)
      • TUCtlMng.exe (PID: 2736)
      • importpfx.exe (PID: 2448)
    • Reads the computer name

      • WebCubeAgentSetup_1243.exe (PID: 3900)
      • WebCubeInit.exe (PID: 1504)
      • WebCubeInit.exe (PID: 752)
      • TUCTLSystem.exe (PID: 584)
      • TUCtlMng.exe (PID: 2736)
      • CubeU.exe (PID: 3468)
      • importpfx.exe (PID: 2448)
    • Creates files in the program directory

      • WebCubeAgentSetup_1243.exe (PID: 3900)
      • CubeU.exe (PID: 3468)
      • importpfx.exe (PID: 2448)
    • Creates files in a temporary directory

      • WebCubeAgentSetup_1243.exe (PID: 3900)
    • Reads the machine GUID from the registry

      • importpfx.exe (PID: 2448)
      • CubeU.exe (PID: 3468)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2021:09:25 21:57:46+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 27136
InitializedDataSize: 186880
UninitializedDataSize: 2048
EntryPoint: 0x352d
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.2.4.3
ProductVersionNumber: 1.2.4.3
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Teruten
FileDescription: WebCubeAgent
FileVersion: 1.2.4.3
LegalCopyright: Teruten. All rights reserved.
ProductName: WebCubeAgent
ProductVersion: 1.2.4.3
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 8
Malicious processes: 6
Suspicious processes: 0

Behavior graph

start webcubeagentsetup_1243.exe webcubeinit.exe webcubeinit.exe tuctlmng.exe tuctlsystem.exe no specs cubeu.exe importpfx.exe no specs webcubeagentsetup_1243.exe no specs

Process information

PID: 584
CMD: C:\Windows\system32\TUCTLSystem.exe
Path: C:\Windows\System32\TUCTLSystem.exe
Parent process: services.exe
User: SYSTEM
Company: Teruten.inc
Integrity Level: SYSTEM
Version: 2, 0, 2, 1
Modules (images):
c:\windows\system32\tuctlsystem.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 752
CMD: "C:\Program Files\Teruten\WebCubeAgent\WebCubeInit.exe" /silent
Path: C:\Program Files\Teruten\WebCubeAgent\WebCubeInit.exe
Parent process: WebCubeAgentSetup_1243.exe
User: admin
Integrity Level: HIGH
Description: WebCubeInit
Exit code: 0
Version: 1, 2, 4, 3
Modules (images):
c:\program files\teruten\webcubeagent\webcubeinit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 1504
CMD: "C:\Program Files\Teruten\WebCubeAgent\WebCubeInit.exe"
Path: C:\Program Files\Teruten\WebCubeAgent\WebCubeInit.exe
Parent process: WebCubeAgentSetup_1243.exe
User: admin
Integrity Level: HIGH
Description: WebCubeInit
Exit code: 0
Version: 1, 2, 4, 3
Modules (images):
c:\program files\teruten\webcubeagent\webcubeinit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
PID: 2448
CMD: -f "C:\Program Files\Teruten\WebCubeAgent\localhost.p12" -p teruten123 -t MACHINE -s root
Path: C:\Program Files\Teruten\WebCubeAgent\importpfx.exe
Parent process: CubeU.exe
User: SYSTEM
Integrity Level: SYSTEM
Exit code: 0
Modules (images):
c:\program files\teruten\webcubeagent\importpfx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\ncrypt.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 2736
CMD: "C:\Program Files\Teruten\WebCubeAgent\TUCtlMng.exe"
Path: C:\Program Files\Teruten\WebCubeAgent\TUCtlMng.exe
Parent process: WebCubeAgentSetup_1243.exe
User: admin
Company: Teruten
Integrity Level: HIGH
Exit code: 0
Version: 2, 0, 0, 7
Modules (images):
c:\program files\teruten\webcubeagent\tuctlmng.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 3252
CMD: "C:\Users\admin\Desktop\WebCubeAgentSetup_1243.exe"
Path: C:\Users\admin\Desktop\WebCubeAgentSetup_1243.exe
Parent process: explorer.exe
User: admin
Company: Teruten
Integrity Level: MEDIUM
Description: WebCubeAgent
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 1.2.4.3
Modules (images):
c:\users\admin\desktop\webcubeagentsetup_1243.exe
c:\windows\system32\ntdll.dll
PID: 3468
CMD: "C:\Program Files\Teruten\WebCubeAgent\CubeU.exe"
Path: C:\Program Files\Teruten\WebCubeAgent\CubeU.exe
Parent process: TUCTLSystem.exe
User: SYSTEM
Company: Teruten
Integrity Level: SYSTEM
Description: CubeU
Version: 1, 2, 4, 3
Modules (images):
c:\program files\teruten\webcubeagent\cubeu.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 3900
CMD: "C:\Users\admin\Desktop\WebCubeAgentSetup_1243.exe"
Path: C:\Users\admin\Desktop\WebCubeAgentSetup_1243.exe
Parent process: explorer.exe
User: admin
Company: Teruten
Integrity Level: HIGH
Description: WebCubeAgent
Exit code: 0
Version: 1.2.4.3
Modules (images):
c:\users\admin\desktop\webcubeagentsetup_1243.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
Total events: 5 999
Read events: 5 912
Write events: 72
Delete events: 15

Modification events

PID 3900 (WebCubeAgentSetup_1243.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
Operation: write | Name: DisabledByDefault | Value: 0

PID 3900 (WebCubeAgentSetup_1243.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Operation: write | Name: DisabledByDefault | Value: 0

PID 3900 (WebCubeAgentSetup_1243.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server
Operation: delete value | Name: enabled

PID 3900 (WebCubeAgentSetup_1243.exe)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
Operation: delete value | Name: enabled

PID 3900 (WebCubeAgentSetup_1243.exe)
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WebCube
Operation: write | Name: URL Protocol | Value:

PID 3900 (WebCubeAgentSetup_1243.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\ProtocolExecute\webcube
Operation: write | Name: WarnOnOpen | Value: 0

PID 3900 (WebCubeAgentSetup_1243.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12CE59A2-E083-4621-9157-E2C66B451F09}
Operation: write | Name: AppPath | Value: C:\Program Files\Teruten\WebCubeAgent

PID 3900 (WebCubeAgentSetup_1243.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12CE59A2-E083-4621-9157-E2C66B451F09}
Operation: write | Name: AppName | Value: WebCubeAgent.exe

PID 3900 (WebCubeAgentSetup_1243.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12CE59A2-E083-4621-9157-E2C66B451F09}
Operation: write | Name: Policy | Value: 3

PID 3900 (WebCubeAgentSetup_1243.exe)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{440854A1-B4B1-4F7F-9D55-3276FD03E730}
Operation: write | Name: AppPath | Value: C:\Program Files\Teruten\WebCubeAgent
Executable files: 87
Suspicious files: 4
Text files: 6
Unknown types: 1

Dropped files

PID 3900 (WebCubeAgentSetup_1243.exe) | C:\Users\admin\AppData\Local\Temp\nsvE7AC.tmp\ioSpecial.ini | type: ini
  MD5: E2D5070BC28DB1AC745613689FF86067
  SHA256: D95AED234F932A1C48A2B1B0D98C60CA31F962310C03158E2884AB4DDD3EA1E0
PID 3900 (WebCubeAgentSetup_1243.exe) | C:\Users\admin\AppData\Local\Temp\nsvE7AC.tmp\modern-wizard.bmp | type: image
  MD5: CBE40FD2B1EC96DAEDC65DA172D90022
  SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
PID 1504 (WebCubeInit.exe) | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert_override.txt | type: text
  MD5: 1B0DCAF1C41BADD60871284DD31E443C
  SHA256: 48AF99EB279826A8A5B31FC798C08B8253C0979DF57EE9C4D13C9D6ABA09D2D1
PID 3900 (WebCubeAgentSetup_1243.exe) | C:\Users\admin\AppData\Local\Temp\nsvE7AC.tmp\InstallOptions.dll | type: executable
  MD5: ECE25721125D55AA26CDFE019C871476
  SHA256: C7FEF6457989D97FECC0616A69947927DA9D8C493F7905DC8475C748F044F3CF
PID 3900 (WebCubeAgentSetup_1243.exe) | C:\Program Files\Teruten\WebCubeAgent\CubeManager64.dll | type: executable
  MD5: A05D504DB9700488ED12E345E4FEA1D4
  SHA256: 238B2EE7754748172EB0C67975F5A4F173BA54561C19036C293F1299443C1B7D
PID 1504 (WebCubeInit.exe) | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Local State | type: binary
  MD5: C22CD942E1EB9E6FA0927A914C8BB06B
  SHA256: 4EE1AAA0F998B84192838687D0A4F8D228B14BCDDC292A0C0A5B42FA90513655
PID 3900 (WebCubeAgentSetup_1243.exe) | C:\Program Files\Teruten\WebCubeAgent\CubeU.exe | type: executable
  MD5: 5419C1F393E164CD7EBFDC0B345D58B5
  SHA256: FD6141F654BFCC19B653CCEBCC4A96EB61D9B852BA3857A87414B7216B2AED7D
PID 3900 (WebCubeAgentSetup_1243.exe) | C:\Program Files\Teruten\WebCubeAgent\WebCubeAgent.exe | type: executable
  MD5: A2F9F7E106590D6B7FC6AE5A847F70A2
  SHA256: 76031E583E2EE9FE0C68E88A70E572BC80E67EF9CEFDF015F007D064F9A3D5D3
PID 3900 (WebCubeAgentSetup_1243.exe) | C:\Users\admin\AppData\Local\Temp\nsvE7AC.tmp\LangDLL.dll | type:
  MD5: 68B287F4067BA013E34A1339AFDB1EA8
  SHA256: 18E8B40BA22C7A1687BD16E8D585380BC2773FFF5002D7D67E9485FCC0C51026
PID 3900 (WebCubeAgentSetup_1243.exe) | C:\Program Files\Teruten\WebCubeAgent\WebCubeInit.exe | type: executable
  MD5: EEFC617DB0984412636449EB0F5DBC95
  SHA256: B702EB977196164E8C42C88E6DD9D20C4E86BA9C2FD2C2544748A9B63053B724
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 224.0.0.252:5355 | - | - | - | unknown
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

Domain | IP | Reputation
dns.msftncsi.com | 131.107.255.255 | shared

Threats

No threats detected
No debug info