| File name: | win-Miru-5.5.6-installer.exe |
| Full analysis: | https://app.any.run/tasks/f2dcf3ff-39bd-4338-b5a8-109d43919084 |
| Verdict: | Malicious activity |
| Analysis date: | October 13, 2024, 22:02:50 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
| MD5: | 9DE769D9D389754FA8A787BA3266437D |
| SHA1: | D77DBB09F9474EB6EE831526237A07A2135981F3 |
| SHA256: | 330471973044D1FF265456FB532DC2C391780848277BA445648EE7E49829B469 |
| SSDEEP: | 1572864:iAOIJq1j8+VL9zA+rmzq7up2E6t/f0oUm:iArJyY8LNyq7tEm/fPB |
MALICIOUS
No malicious indicators.SUSPICIOUS
Malware-specific behavior (creating "System.dll" in Temp)
- win-Miru-5.5.6-installer.exe (PID: 6904)
Drops 7-zip archiver for unpacking
- win-Miru-5.5.6-installer.exe (PID: 6904)
Reads security settings of Internet Explorer
- win-Miru-5.5.6-installer.exe (PID: 6904)
Process drops legitimate windows executable
- win-Miru-5.5.6-installer.exe (PID: 6904)
Executable content was dropped or overwritten
- win-Miru-5.5.6-installer.exe (PID: 6904)
The process creates files with name similar to system file names
- win-Miru-5.5.6-installer.exe (PID: 6904)
Creates a software uninstall entry
- win-Miru-5.5.6-installer.exe (PID: 6904)
Uses WMIC.EXE
- Miru.exe (PID: 5168)
Uses WMIC.EXE to obtain network information
- Miru.exe (PID: 5168)
Potential Corporate Privacy Violation
- Miru.exe (PID: 5168)
Application launched itself
- Miru.exe (PID: 3008)
INFO
Checks supported languages
- win-Miru-5.5.6-installer.exe (PID: 6904)
Reads the computer name
- win-Miru-5.5.6-installer.exe (PID: 6904)
Create files in a temporary directory
- win-Miru-5.5.6-installer.exe (PID: 6904)
Creates files or folders in the user directory
- win-Miru-5.5.6-installer.exe (PID: 6904)
Manual execution by a user
- Miru.exe (PID: 3008)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2018:12:15 22:26:14+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 26624 |
| InitializedDataSize: | 473088 |
| UninitializedDataSize: | 16384 |
| EntryPoint: | 0x338f |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 5.5.6.0 |
| ProductVersionNumber: | 5.5.6.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | ThaUnknown_ |
| FileDescription: | Stream anime torrents, real-time with no waiting for downloads. |
| FileVersion: | 5.5.6 |
| LegalCopyright: | Copyright © 2024 ThaUnknown_ |
| ProductName: | Miru |
| ProductVersion: | 5.5.6 |
Total processes
125
Monitored processes
11
Malicious processes
1
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1160 | wmic path Win32_NetworkAdapter where Index=10 get NetConnectionID,MACAddress /format:table | C:\Windows\System32\wbem\WMIC.exe | — | Miru.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1580 | "C:\Users\admin\AppData\Local\Programs\Miru\Miru.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --disable-gpu-sandbox --no-sandbox --disable-logging --double-buffer-compositing --use-angle=default --force_high_performance_gpu --user-data-dir="C:\Users\admin\AppData\Roaming\Miru" --gpu-preferences=WAAAAAAAAADoAAAcAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --disable-logging --mojo-platform-channel-handle=3184 --field-trial-handle=1932,i,8862815886081472595,16291749116451009508,262144 --enable-features=CanvasOopRasterization,PlatformEncryptedDolbyVision,ThrottleDisplayNoneAndVisibilityHiddenCrossOriginIframes,UseSkiaRenderer,WebAssemblyLazyCompilation,kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,Vulkan,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8 | C:\Users\admin\AppData\Local\Programs\Miru\Miru.exe | — | Miru.exe | |||||||||||
User: admin Company: ThaUnknown_ Integrity Level: MEDIUM Description: Miru Exit code: 0 Version: 5.5.6 Modules
| |||||||||||||||
| 3008 | "C:\Users\admin\AppData\Local\Programs\Miru\Miru.exe" | C:\Users\admin\AppData\Local\Programs\Miru\Miru.exe | — | explorer.exe | |||||||||||
User: admin Company: ThaUnknown_ Integrity Level: MEDIUM Description: Miru Version: 5.5.6 Modules
| |||||||||||||||
| 3128 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | WMIC.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4076 | "C:\Users\admin\AppData\Local\Programs\Miru\Miru.exe" --type=gpu-process --disable-gpu-sandbox --no-sandbox --disable-logging --double-buffer-compositing --use-angle=default --force_high_performance_gpu --user-data-dir="C:\Users\admin\AppData\Roaming\Miru" --gpu-preferences=WAAAAAAAAADgAAAcAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --disable-logging --mojo-platform-channel-handle=1928 --field-trial-handle=1932,i,8862815886081472595,16291749116451009508,262144 --enable-features=CanvasOopRasterization,PlatformEncryptedDolbyVision,ThrottleDisplayNoneAndVisibilityHiddenCrossOriginIframes,UseSkiaRenderer,WebAssemblyLazyCompilation,kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,Vulkan,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2 | C:\Users\admin\AppData\Local\Programs\Miru\Miru.exe | — | Miru.exe | |||||||||||
User: admin Company: ThaUnknown_ Integrity Level: MEDIUM Description: Miru Version: 5.5.6 Modules
| |||||||||||||||
| 5168 | "C:\Users\admin\AppData\Local\Programs\Miru\Miru.exe" --type=renderer --user-data-dir="C:\Users\admin\AppData\Roaming\Miru" --bypasscsp-schemes --app-user-model-id=com.github.thaunknown.miru --app-path="C:\Users\admin\AppData\Local\Programs\Miru\resources\app.asar" --no-sandbox --no-zygote --no-sandbox --autoplay-policy=no-user-gesture-required --disable-logging --disable-notifications --disable-permissions-api --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-zero-copy --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2264 --field-trial-handle=1932,i,8862815886081472595,16291749116451009508,262144 --enable-features=CanvasOopRasterization,PlatformEncryptedDolbyVision,ThrottleDisplayNoneAndVisibilityHiddenCrossOriginIframes,UseSkiaRenderer,WebAssemblyLazyCompilation,kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,Vulkan,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:1 | C:\Users\admin\AppData\Local\Programs\Miru\Miru.exe | Miru.exe | ||||||||||||
User: admin Company: ThaUnknown_ Integrity Level: MEDIUM Description: Miru Version: 5.5.6 Modules
| |||||||||||||||
| 5284 | wmic path Win32_NetworkAdapterConfiguration where IPEnabled=true get DefaultIPGateway,GatewayCostMetric,IPConnectionMetric,Index /format:table | C:\Windows\System32\wbem\WMIC.exe | — | Miru.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6340 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | WMIC.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6564 | "C:\Users\admin\AppData\Local\Programs\Miru\Miru.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --use-angle=default --user-data-dir="C:\Users\admin\AppData\Roaming\Miru" --bypasscsp-schemes --disable-logging --mojo-platform-channel-handle=1936 --field-trial-handle=1932,i,8862815886081472595,16291749116451009508,262144 --enable-features=CanvasOopRasterization,PlatformEncryptedDolbyVision,ThrottleDisplayNoneAndVisibilityHiddenCrossOriginIframes,UseSkiaRenderer,WebAssemblyLazyCompilation,kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,Vulkan,WidgetLayering,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3 | C:\Users\admin\AppData\Local\Programs\Miru\Miru.exe | Miru.exe | ||||||||||||
User: admin Company: ThaUnknown_ Integrity Level: MEDIUM Description: Miru Version: 5.5.6 Modules
| |||||||||||||||
| 6904 | "C:\Users\admin\Desktop\win-Miru-5.5.6-installer.exe" | C:\Users\admin\Desktop\win-Miru-5.5.6-installer.exe | explorer.exe | ||||||||||||
User: admin Company: ThaUnknown_ Integrity Level: MEDIUM Description: Stream anime torrents, real-time with no waiting for downloads. Exit code: 0 Version: 5.5.6 Modules
| |||||||||||||||
Total events
3 266
Read events
3 234
Write events
14
Delete events
18
Modification events
| (PID) Process: | (6904) win-Miru-5.5.6-installer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\dfa2ed72-71bd-56ef-a676-b435325e7bc6 |
| Operation: | write | Name: | InstallLocation |
Value: C:\Users\admin\AppData\Local\Programs\Miru | |||
| (PID) Process: | (6904) win-Miru-5.5.6-installer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\dfa2ed72-71bd-56ef-a676-b435325e7bc6 |
| Operation: | write | Name: | KeepShortcuts |
Value: true | |||
| (PID) Process: | (6904) win-Miru-5.5.6-installer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\dfa2ed72-71bd-56ef-a676-b435325e7bc6 |
| Operation: | write | Name: | ShortcutName |
Value: Miru | |||
| (PID) Process: | (6904) win-Miru-5.5.6-installer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dfa2ed72-71bd-56ef-a676-b435325e7bc6 |
| Operation: | write | Name: | DisplayName |
Value: Miru 5.5.6 | |||
| (PID) Process: | (6904) win-Miru-5.5.6-installer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dfa2ed72-71bd-56ef-a676-b435325e7bc6 |
| Operation: | write | Name: | UninstallString |
Value: "C:\Users\admin\AppData\Local\Programs\Miru\Uninstall Miru.exe" /currentuser | |||
| (PID) Process: | (6904) win-Miru-5.5.6-installer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dfa2ed72-71bd-56ef-a676-b435325e7bc6 |
| Operation: | write | Name: | QuietUninstallString |
Value: "C:\Users\admin\AppData\Local\Programs\Miru\Uninstall Miru.exe" /currentuser /S | |||
| (PID) Process: | (6904) win-Miru-5.5.6-installer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dfa2ed72-71bd-56ef-a676-b435325e7bc6 |
| Operation: | write | Name: | DisplayVersion |
Value: 5.5.6 | |||
| (PID) Process: | (6904) win-Miru-5.5.6-installer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dfa2ed72-71bd-56ef-a676-b435325e7bc6 |
| Operation: | write | Name: | DisplayIcon |
Value: C:\Users\admin\AppData\Local\Programs\Miru\Miru.exe,0 | |||
| (PID) Process: | (6904) win-Miru-5.5.6-installer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dfa2ed72-71bd-56ef-a676-b435325e7bc6 |
| Operation: | write | Name: | Publisher |
Value: ThaUnknown_ | |||
| (PID) Process: | (6904) win-Miru-5.5.6-installer.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\dfa2ed72-71bd-56ef-a676-b435325e7bc6 |
| Operation: | write | Name: | NoModify |
Value: 1 | |||
Executable files
28
Suspicious files
184
Text files
43
Unknown types
4
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6904 | win-Miru-5.5.6-installer.exe | C:\Users\admin\AppData\Local\Temp\nsy27C1.tmp\app-64.7z | — | |
MD5:— | SHA256:— | |||
| 6904 | win-Miru-5.5.6-installer.exe | C:\Users\admin\AppData\Local\Temp\nsy27C1.tmp\7z-out\icudtl.dat | — | |
MD5:— | SHA256:— | |||
| 6904 | win-Miru-5.5.6-installer.exe | C:\Users\admin\AppData\Local\Temp\nsy27C1.tmp\7z-out\LICENSES.chromium.html | — | |
MD5:— | SHA256:— | |||
| 6904 | win-Miru-5.5.6-installer.exe | C:\Users\admin\AppData\Local\Temp\nsy27C1.tmp\System.dll | executable | |
MD5:0D7AD4F45DC6F5AA87F606D0331C6901 | SHA256:3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA | |||
| 6904 | win-Miru-5.5.6-installer.exe | C:\Users\admin\AppData\Local\Temp\nsy27C1.tmp\UAC.dll | executable | |
MD5:ADB29E6B186DAA765DC750128649B63D | SHA256:2F7F8FC05DC4FD0D5CDA501B47E4433357E887BBFED7292C028D99C73B52DC08 | |||
| 6904 | win-Miru-5.5.6-installer.exe | C:\Users\admin\AppData\Local\Temp\nsy27C1.tmp\nsExec.dll | executable | |
MD5:EC0504E6B8A11D5AAD43B296BEEB84B2 | SHA256:5D9CEB1CE5F35AEA5F9E5A0C0EDEEEC04DFEFE0C77890C80C70E98209B58B962 | |||
| 6904 | win-Miru-5.5.6-installer.exe | C:\Users\admin\AppData\Local\Temp\nsy27C1.tmp\modern-wizard.bmp | image | |
MD5:52FF52EEE3B944B862C11C268A02C196 | SHA256:2079F7A3EBA60E0D9EE827A7208AA052A71B384873B641DE5E299AEB8E733109 | |||
| 6904 | win-Miru-5.5.6-installer.exe | C:\Users\admin\AppData\Local\Temp\nsy27C1.tmp\StdUtils.dll | executable | |
MD5:C6A6E03F77C313B267498515488C5740 | SHA256:B72E9013A6204E9F01076DC38DABBF30870D44DFC66962ADBF73619D4331601E | |||
| 6904 | win-Miru-5.5.6-installer.exe | C:\Users\admin\AppData\Local\Temp\nsy27C1.tmp\7z-out\LICENSE.electron.txt | text | |
MD5:F6AC9EE74AEE55E606A9BD6AC7339D0D | SHA256:FD8FBA3293B11D24886743418BFB624DE8C46F81772B60A7E1B08A029E24C5B9 | |||
| 6904 | win-Miru-5.5.6-installer.exe | C:\Users\admin\AppData\Local\Temp\nsy27C1.tmp\nsis7z.dll | executable | |
MD5:80E44CE4895304C6A3A831310FBF8CD0 | SHA256:B393F05E8FF919EF071181050E1873C9A776E1A0AE8329AEFFF7007D0CADF592 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
46
TCP/UDP connections
63
DNS requests
31
Threats
7
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6944 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 302 | 172.67.203.138:443 | https://esm.sh/anisearch | unknown | — | — | — |
— | — | GET | 302 | 140.82.121.4:443 | https://github.com/ThaUnknown/miru/releases/latest | unknown | — | — | — |
— | — | POST | 204 | 2.16.110.123:443 | https://www.bing.com/threshold/xls.aspx | unknown | — | — | whitelisted |
— | — | GET | 200 | 104.17.6.3:443 | https://s4.anilist.co/file/anilistcdn/media/anime/cover/large/bx170942-B77wUSM1jQTu.jpg | unknown | image | 116 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 2.16.110.123:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
— | — | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6944 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
— | — | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5488 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6944 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
— | — | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5488 | MoUsoCoreWorker.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
— | — | 239.255.255.250:1900 | — | — | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
github.com |
| shared |
raw.githubusercontent.com |
| shared |
api.github.com |
| whitelisted |
feed.animetosho.org |
| whitelisted |
graphql.anilist.co |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
6564 | Miru.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |
6564 | Miru.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |
5168 | Miru.exe | Potential Corporate Privacy Violation | ET P2P BitTorrent DHT ping request |
6564 | Miru.exe | Misc activity | ET INFO Observed DNS Query to .zip TLD |
6564 | Miru.exe | Misc activity | ET INFO Observed DNS Query to .zip TLD |
2 ETPRO signatures available at the full report