| URL: | https://download.garmin.com/omt/express/GarminExpress.exe |
| Full analysis: | https://app.any.run/tasks/2e2902a1-f1e4-4f5a-a88e-12ea66e1f9f1 |
| Verdict: | Malicious activity |
| Analysis date: | October 09, 2019, 18:20:58 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MD5: | 2CE9AB9DC5C16C771BB97EB61E0FA9B2 |
| SHA1: | 76CE9673349A969A147A1000D1824094930546CA |
| SHA256: | 32D1D9BDC0215AF4F0708B3BB0E7FA6625A4D76BCC24E82705B659FF5EF9D4EC |
| SSDEEP: | 3:N8SEl3IMl6IfYD6L4A:2SKBl68YrA |
MALICIOUS
Application was dropped or rewritten from another process
- GarminExpress.exe (PID: 2508)
- GarminExpress.exe (PID: 1996)
- GarminExpressInstaller.exe (PID: 3028)
- LegacyApplicationsUninstaller.exe (PID: 1460)
- express.exe (PID: 2872)
Loads dropped or rewritten executable
- GarminExpress.exe (PID: 1996)
- rundll32.exe (PID: 2176)
- rundll32.exe (PID: 3892)
- rundll32.exe (PID: 3040)
- rundll32.exe (PID: 1172)
- rundll32.exe (PID: 2692)
- express.exe (PID: 2872)
Changes the autorun value in the registry
- GarminExpressInstaller.exe (PID: 3028)
Loads the Task Scheduler COM API
- rundll32.exe (PID: 2176)
Changes settings of System certificates
- express.exe (PID: 2872)
SUSPICIOUS
Executable content was dropped or overwritten
- GarminExpress.exe (PID: 1996)
- chrome.exe (PID: 732)
- GarminExpress.exe (PID: 2508)
- chrome.exe (PID: 1228)
- GarminExpressInstaller.exe (PID: 3028)
- rundll32.exe (PID: 3040)
- rundll32.exe (PID: 2176)
- msiexec.exe (PID: 1912)
- DrvInst.exe (PID: 3400)
- MsiExec.exe (PID: 2752)
Starts itself from another location
- GarminExpress.exe (PID: 1996)
Executed as Windows Service
- vssvc.exe (PID: 2320)
Searches for installed software
- GarminExpressInstaller.exe (PID: 3028)
Executed via COM
- DrvInst.exe (PID: 4028)
- DrvInst.exe (PID: 2296)
- DrvInst.exe (PID: 3400)
Creates files in the program directory
- GarminExpressInstaller.exe (PID: 3028)
- express.exe (PID: 2872)
Uses RUNDLL32.EXE to load library
- MsiExec.exe (PID: 3720)
Creates a software uninstall entry
- GarminExpressInstaller.exe (PID: 3028)
Uses TASKKILL.EXE to kill process
- MsiExec.exe (PID: 3720)
Creates files in the driver directory
- DrvInst.exe (PID: 3400)
- DrvInst.exe (PID: 2296)
Creates files in the Windows directory
- DrvInst.exe (PID: 3400)
- DrvInst.exe (PID: 2296)
Removes files from Windows directory
- DrvInst.exe (PID: 3400)
- DrvInst.exe (PID: 2296)
Modifies the open verb of a shell class
- msiexec.exe (PID: 1912)
Changes the autorun value in the registry
- msiexec.exe (PID: 1912)
Adds / modifies Windows certificates
- express.exe (PID: 2872)
INFO
Reads the hosts file
- chrome.exe (PID: 1228)
- chrome.exe (PID: 732)
- express.exe (PID: 2872)
Application launched itself
- chrome.exe (PID: 732)
- msiexec.exe (PID: 1912)
Dropped object may contain Bitcoin addresses
- GarminExpress.exe (PID: 1996)
- msiexec.exe (PID: 1912)
Reads Internet Cache Settings
- chrome.exe (PID: 732)
Low-level read access rights to disk partition
- vssvc.exe (PID: 2320)
Loads dropped or rewritten executable
- MsiExec.exe (PID: 3720)
Creates files in the program directory
- MsiExec.exe (PID: 2752)
- msiexec.exe (PID: 1912)
Creates a software uninstall entry
- MsiExec.exe (PID: 2752)
- msiexec.exe (PID: 1912)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
77
Monitored processes
33
Malicious processes
13
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 184 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1060,8475717110484979740,526156141443692777,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=2725320405656820203 --mojo-platform-channel-handle=1048 --ignored=" --type=renderer " /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 Modules
| |||||||||||||||
| 732 | "C:\Program Files\Google\Chrome\Application\chrome.exe" "https://download.garmin.com/omt/express/GarminExpress.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | ||||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 3221225547 Version: 75.0.3770.100 Modules
| |||||||||||||||
| 864 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3084 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 Modules
| |||||||||||||||
| 1172 | rundll32.exe "C:\Windows\Installer\MSIAC89.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1223828 28 ExpressInstallerCustomActions!Garmin.Omt.Service.InstallerCustomActions.CustomActions.DeleteOldFilesAction | C:\Windows\system32\rundll32.exe | — | MsiExec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1228 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1060,8475717110484979740,526156141443692777,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=5681374841160907610 --mojo-platform-channel-handle=1604 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | chrome.exe | ||||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 Modules
| |||||||||||||||
| 1460 | "C:\ProgramData\Package Cache\B1C9339395DA9B716602B1D9B7B455838DD0D934\LegacyApplicationsUninstaller.exe" /q | C:\ProgramData\Package Cache\B1C9339395DA9B716602B1D9B7B455838DD0D934\LegacyApplicationsUninstaller.exe | — | GarminExpressInstaller.exe | |||||||||||
User: admin Company: Garmin Ltd. or its subsidiaries Integrity Level: HIGH Description: Lifetime Uninstaller Exit code: 0 Version: 6.18.0.0 Modules
| |||||||||||||||
| 1588 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1060,8475717110484979740,526156141443692777,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9959677997708964459 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=936 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 Modules
| |||||||||||||||
| 1912 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1996 | "C:\Users\admin\AppData\Local\Temp\{3D99BB26-DCBB-46C6-A37A-8038FF101F8C}\.cr\GarminExpress.exe" -burn.clean.room="C:\Users\admin\Downloads\GarminExpress.exe" -burn.filehandle.attached=148 -burn.filehandle.self=156 | C:\Users\admin\AppData\Local\Temp\{3D99BB26-DCBB-46C6-A37A-8038FF101F8C}\.cr\GarminExpress.exe | GarminExpress.exe | ||||||||||||
User: admin Company: Garmin Ltd or its subsidiaries Integrity Level: MEDIUM Description: Garmin Express Exit code: 0 Version: 6.18.0.0 Modules
| |||||||||||||||
| 2176 | rundll32.exe "C:\Windows\Installer\MSIAD55.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_1224046 35 ExpressInstallerCustomActions!Garmin.Omt.Express.InstallerCustomActions.ScheduledTaskCustomActions.SetupScheduleUpdateCheckAction | C:\Windows\system32\rundll32.exe | MsiExec.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
2 889
Read events
1 930
Write events
910
Delete events
49
Modification events
| (PID) Process: | (732) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (732) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (732) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty |
| Operation: | write | Name: | StatusCodes |
Value: | |||
| (PID) Process: | (732) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty |
| Operation: | write | Name: | StatusCodes |
Value: 01000000 | |||
| (PID) Process: | (732) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (864) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes |
| Operation: | write | Name: | 732-13215118872907500 |
Value: 259 | |||
| (PID) Process: | (732) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} |
| Operation: | write | Name: | dr |
Value: 1 | |||
| (PID) Process: | (732) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome |
| Operation: | write | Name: | UsageStatsInSample |
Value: 0 | |||
| (PID) Process: | (732) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes |
| Operation: | delete value | Name: | 1512-13197841398593750 |
Value: 0 | |||
| (PID) Process: | (732) chrome.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96} |
| Operation: | write | Name: | usagestats |
Value: 0 | |||
Executable files
208
Suspicious files
105
Text files
206
Unknown types
21
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 732 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old | — | |
MD5:— | SHA256:— | |||
| 732 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old | — | |
MD5:— | SHA256:— | |||
| 732 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\912fd922-2205-443a-ba22-3705adc83aa3.tmp | — | |
MD5:— | SHA256:— | |||
| 732 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp | — | |
MD5:— | SHA256:— | |||
| 732 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 732 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RF10102e.TMP | text | |
MD5:— | SHA256:— | |||
| 732 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF100fe0.TMP | text | |
MD5:— | SHA256:— | |||
| 732 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1 | — | |
MD5:— | SHA256:— | |||
| 732 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old | text | |
MD5:— | SHA256:— | |||
| 732 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\MANIFEST-000001 | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
21
DNS requests
12
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2872 | express.exe | GET | 403 | 104.18.217.73:80 | http://download.garmin.com/garmindlm/temp.tmp | US | html | 1.45 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1228 | chrome.exe | 172.217.22.3:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
1228 | chrome.exe | 104.18.218.73:443 | download.garmin.com | Cloudflare Inc | US | shared |
1228 | chrome.exe | 172.217.22.13:443 | accounts.google.com | Google Inc. | US | whitelisted |
1228 | chrome.exe | 172.217.16.132:443 | www.google.com | Google Inc. | US | whitelisted |
1228 | chrome.exe | 172.217.18.99:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
1228 | chrome.exe | 104.18.217.73:443 | download.garmin.com | Cloudflare Inc | US | shared |
1228 | chrome.exe | 172.217.18.10:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
1228 | chrome.exe | 172.217.22.110:443 | clients1.google.com | Google Inc. | US | whitelisted |
2872 | express.exe | 104.19.213.29:443 | serviceregistry.garmin.com | Cloudflare Inc | US | unknown |
2872 | express.exe | 104.18.77.231:443 | — | Cloudflare Inc | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
clientservices.googleapis.com |
| whitelisted |
download.garmin.com |
| whitelisted |
accounts.google.com |
| shared |
www.google.com |
| malicious |
ssl.gstatic.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
safebrowsing.googleapis.com |
| whitelisted |
clients1.google.com |
| whitelisted |
serviceregistry.garmin.com |
| unknown |
omt.garmin.com |
| unknown |