| Field | Value |
|---|---|
| File name | 33594725.zip |
| Full analysis | https://app.any.run/tasks/aa065eca-7dd6-4253-990a-4a4f3e39f6e7 |
| Verdict | Malicious activity |
| Analysis date | November 08, 2023, 09:35:11 |
| OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators | |
| MIME | application/zip |
| File info | Zip archive data, at least v2.0 to extract |
| MD5 | 79D92DBCF30737B39F784C62E6023F6F |
| SHA1 | B0D87484F6121A8E00A68A5DCAF00614F1B83E94 |
| SHA256 | 39CD6E9EF0E67FCB7A7F7BD3C7C629743C2D375621056B0DFD84C82EACB1EB38 |
| SSDEEP | 98304:DNoG+Zu1fzi2qGWcnbbqD7Hm734vpb5kjhnli41WBQAd77OZ/TDRPynEldy5htXf:VeJCxYIx8ft8VMget0yPWyJznV |
| Extension | Type |
|---|---|
| .zip | ZIP compressed archive (100) |

| Field | Value |
|---|---|
| ZipRequiredVersion | 20 |
| ZipBitFlag | - |
| ZipCompression | Deflated |
| ZipModifyDate | 2022:08:23 16:32:28 |
| ZipCRC | 0xe7cb243c |
| ZipCompressedSize | 3242346 |
| ZipUncompressedSize | 3271168 |
| ZipFileName | DefenderMouser/Defender GameCenter Software Manual ENG.docx |
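The ZIP fields listed above are read from the archive's central directory. The following Python is added here as an example and is not part of the ANY.RUN report: it reads those same fields directly with `struct`, verifies each entry's CRC against the payload behind its local file header, and flags entry names that would escape the extraction directory. It parses a constructed in-memory archive, not 33594725.zip; only the first entry's name and modify date are borrowed from the sample so the output lines up with the table.

```python
"""Read the per-entry fields a sandbox reports for a ZIP straight from the
central directory, verify each entry's CRC, and flag unsafe names.

Added example, not ANY.RUN code. The archive parsed here is constructed in
memory; its first entry only borrows the sample's file name and modify date."""
import io
import struct
import zipfile
import zlib
from datetime import datetime

EOCD_SIG = b"PK\x05\x06"
CDH_SIG = 0x02014B50
LFH_FMT = "<IHHHHHIIIHH"          # local file header, 30 bytes
CDH_FMT = "<IHHHHHHIIIHHHHHII"    # central directory header, 46 bytes
COMPRESSION = {0: "Stored", 8: "Deflated", 12: "BZIP2", 14: "LZMA", 99: "AES"}


def dos_datetime(dosdate: int, dostime: int) -> datetime:
    """DOS date/time as stored in ZIP headers (2-second resolution)."""
    return datetime((dosdate >> 9) + 1980, (dosdate >> 5) & 0xF, dosdate & 0x1F,
                    dostime >> 11, (dostime >> 5) & 0x3F, (dostime & 0x1F) * 2)


def unsafe_name(name: str) -> bool:
    """Entry names that escape the extraction directory ("zip slip")."""
    parts = name.replace("\\", "/").split("/")
    return name.startswith("/") or ".." in parts or (len(name) > 1 and name[1] == ":")


def parse_entries(data: bytes) -> list[dict]:
    """Walk the central directory; one dict per entry with the sandbox's
    fields plus a CRC check of the actual compressed payload."""
    eocd = data.rfind(EOCD_SIG)      # EOCD is last; tolerate a trailing comment
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _sig, _disk, _cd_disk, _n_disk, n_entries, _cd_size, cd_off, _clen = \
        struct.unpack_from("<IHHHHIIH", data, eocd)
    entries, off = [], cd_off
    for _ in range(n_entries):
        (sig, _made, needed, flags, method, mtime, mdate, crc, csize, usize,
         nlen, xlen, clen, _d, _ia, _ea, lfh_off) = struct.unpack_from(CDH_FMT, data, off)
        if sig != CDH_SIG:
            raise ValueError(f"bad central directory header at {off:#x}")
        name = data[off + 46: off + 46 + nlen].decode("utf-8" if flags & 0x800 else "cp437")
        # The payload follows the *local* header, whose name/extra lengths may
        # differ from the central copy, so read them from there.
        (_ls, _lv, _lf, _lm, _lt, _ld, _lcrc, _lcs, _lus, lnlen, lxlen) = \
            struct.unpack_from(LFH_FMT, data, lfh_off)
        start = lfh_off + 30 + lnlen + lxlen
        raw = data[start:start + csize]
        plain = zlib.decompress(raw, -15) if method == 8 else raw if method == 0 else None
        entries.append({
            "name": name,
            "version_needed": needed,
            "bit_flag": flags,
            "compression": COMPRESSION.get(method, f"method {method}"),
            "modify_date": dos_datetime(mdate, mtime).strftime("%Y:%m:%d %H:%M:%S"),
            "crc": crc,
            "compressed_size": csize,
            "uncompressed_size": usize,
            "crc_ok": plain is not None and zlib.crc32(plain) == crc and len(plain) == usize,
            "unsafe_name": unsafe_name(name),
        })
        off += 46 + nlen + xlen + clen
    return entries


def build_sample_archive() -> bytes:
    """Constructed two-entry archive: a deflated 'manual' and a zip-slip name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        doc = zipfile.ZipInfo("DefenderMouser/Defender GameCenter Software Manual ENG.docx",
                              date_time=(2022, 8, 23, 16, 32, 28))
        doc.compress_type = zipfile.ZIP_DEFLATED
        zf.writestr(doc, b"placeholder docx bytes " * 256)
        zf.writestr(zipfile.ZipInfo("../evil.txt", date_time=(2022, 8, 23, 16, 32, 28)), b"zip slip")
    return buf.getvalue()


if __name__ == "__main__":
    for e in parse_entries(build_sample_archive()):
        mark = " UNSAFE-NAME" if e["unsafe_name"] else ""
        print(f'{e["name"]}: {e["compression"]}, v{e["version_needed"]}, '
              f'{e["compressed_size"]}/{e["uncompressed_size"]} bytes, '
              f'{e["modify_date"]}, crc {"ok" if e["crc_ok"] else "BAD"}{mark}')
```

Two points the table alone does not show: `crc_ok` compares the CRC against the decompressed payload rather than trusting the header, and the name check is run before any extraction, which is where a hostile archive does its damage. Real samples also carry zip64 records and data descriptors, which this reader does not handle.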
| PID | Command line | Path | Parent | User | Integrity | Company | Description | Version | Exit code |
|---|---|---|---|---|---|---|---|---|---|
| 292 | `DrvInst.exe "1" "200" "VINPUT\MOUSE\1&79f5d87&0" "" "" "652d2674f" "00000000" "000005DC" "000005F0"` | C:\Windows\System32\drvinst.exe | svchost.exe | SYSTEM | SYSTEM | Microsoft Corporation | Driver Installation Module | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 824 | `"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIa3460.24179\Defender GameCenter Software Manual RUS-1.doc"` | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WinRAR.exe | admin | MEDIUM | Microsoft Corporation | Microsoft Word | 14.0.6024.1000 | 0 |
| 860 | `DrvInst.exe "1" "200" "VINPUT\KEYBOARD\1&79f5d87&0" "" "" "67758afa3" "00000000" "0000062C" "00000628"` | C:\Windows\System32\drvinst.exe | svchost.exe | SYSTEM | SYSTEM | Microsoft Corporation | Driver Installation Module | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 916 | `"C:\Program Files\Defender\DefenderMouser\DefenderGameCenter.exe" GameMouseOnly` | C:\Program Files\Defender\DefenderMouser\DefenderGameCenter.exe | explorer.exe | admin | MEDIUM | Defender | — | 0.0.3.144 | 0 |
| 1088 | `DrvInst.exe "2" "201" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem2.inf" "vinputbus.inf:Standard.NTx86:VInputBus_Device:6.1.7600.16385:root\vinputbus" "6ca16dc37" "0000054C" "000005DC" "000005E0"` | C:\Windows\System32\drvinst.exe | svchost.exe | SYSTEM | SYSTEM | Microsoft Corporation | Driver Installation Module | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 1248 | `"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIa3460.25959\Defender GameCenter Software Manual ENG.docx"` | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WinRAR.exe | admin | MEDIUM | Microsoft Corporation | Microsoft Word | 14.0.6024.1000 | 0 |
| 1376 | `"C:\Program Files\Defender\DefenderMouser\DefenderGameCenter.exe" OfficeMouseOnly` | C:\Program Files\Defender\DefenderMouser\DefenderGameCenter.exe | explorer.exe | admin | MEDIUM | Defender | — | 0.0.3.144 | 0 |
| 1496 | `"C:\Program Files\Defender\DefenderMouser\DefenderGameCenter.exe" GameMouseOnly` | C:\Program Files\Defender\DefenderMouser\DefenderGameCenter.exe | explorer.exe | admin | MEDIUM | Defender | — | 0.0.3.144 | 0 |
| 1508 | `rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{4db60523-a818-6cc0-3ff3-1d74aa07f06f} Global\{5a742e04-a125-53bf-b03e-a9404f0bd16b} C:\Windows\System32\DriverStore\Temp\{6e04f06b-a4df-255a-e8cf-f2696b33af35}\VInputMouse.inf C:\Windows\System32\DriverStore\Temp\{6e04f06b-a4df-255a-e8cf-f2696b33af35}\VInput.cat` | C:\Windows\System32\rundll32.exe | drvinst.exe | admin | HIGH | Microsoft Corporation | Windows host process (Rundll32) | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
| 1608 | `DrvInst.exe "4" "20" "C:\Users\admin\AppData\Local\Temp\{3eb03a91-ad61-37b2-42c0-1f24d34fa850}\VInputMouse.inf" "0" "6c7418f7b" "00000388" "WinSta0\Default" "0000054C" "208" "C:\Program Files\Defender\DefenderMouser\Vinput\WinXP\x86chk\VInput"` | C:\Windows\System32\drvinst.exe | svchost.exe | SYSTEM | SYSTEM | Microsoft Corporation | Driver Installation Module | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
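Triage rules over the process list above, as an added example (this is not ANY.RUN's detection logic). The `PROCESSES` rows are transcribed from the table; the rule names are this example's own. It flags Word opening a document straight from WinRAR's `Rar$` temporary directory, DrvInst installing a third-party INF (an `oemN.inf`, the name Windows gives a third-party INF copied into the driver store, or an INF supplied from outside `C:\Windows`), the `pnpui.dll,InstallSecurityPromptRunDllW` dialog Windows raises before installing a driver package whose publisher is not already trusted, and any interactive-user process running at HIGH integrity. None of these is malicious on its own; they are the points to examine when deciding whether a driver-installing setup package is what it claims to be.

```python
"""Triage rules over a sandbox process list.

Added example, not ANY.RUN code. PROCESSES is transcribed from the process
table on this page; the rules and their labels are this example's own."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    cmd: str
    parent: str
    user: str
    integrity: str


PROCESSES = [
    Proc(292, r'DrvInst.exe "1" "200" "VINPUT\MOUSE\1&79f5d87&0" "" "" "652d2674f" "00000000" "000005DC" "000005F0"',
         "svchost.exe", "SYSTEM", "SYSTEM"),
    Proc(824, r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
              r'"C:\Users\admin\AppData\Local\Temp\Rar$DIa3460.24179\Defender GameCenter Software Manual RUS-1.doc"',
         "WinRAR.exe", "admin", "MEDIUM"),
    Proc(860, r'DrvInst.exe "1" "200" "VINPUT\KEYBOARD\1&79f5d87&0" "" "" "67758afa3" "00000000" "0000062C" "00000628"',
         "svchost.exe", "SYSTEM", "SYSTEM"),
    Proc(916, r'"C:\Program Files\Defender\DefenderMouser\DefenderGameCenter.exe" GameMouseOnly',
         "explorer.exe", "admin", "MEDIUM"),
    Proc(1088, r'DrvInst.exe "2" "201" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem2.inf" '
               r'"vinputbus.inf:Standard.NTx86:VInputBus_Device:6.1.7600.16385:root\vinputbus" '
               r'"6ca16dc37" "0000054C" "000005DC" "000005E0"',
         "svchost.exe", "SYSTEM", "SYSTEM"),
    Proc(1248, r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n '
               r'"C:\Users\admin\AppData\Local\Temp\Rar$DIa3460.25959\Defender GameCenter Software Manual ENG.docx"',
         "WinRAR.exe", "admin", "MEDIUM"),
    Proc(1376, r'"C:\Program Files\Defender\DefenderMouser\DefenderGameCenter.exe" OfficeMouseOnly',
         "explorer.exe", "admin", "MEDIUM"),
    Proc(1496, r'"C:\Program Files\Defender\DefenderMouser\DefenderGameCenter.exe" GameMouseOnly',
         "explorer.exe", "admin", "MEDIUM"),
    Proc(1508, r'rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 '
               r'Global\{4db60523-a818-6cc0-3ff3-1d74aa07f06f} Global\{5a742e04-a125-53bf-b03e-a9404f0bd16b} '
               r'C:\Windows\System32\DriverStore\Temp\{6e04f06b-a4df-255a-e8cf-f2696b33af35}\VInputMouse.inf '
               r'C:\Windows\System32\DriverStore\Temp\{6e04f06b-a4df-255a-e8cf-f2696b33af35}\VInput.cat',
         "drvinst.exe", "admin", "HIGH"),
    Proc(1608, r'DrvInst.exe "4" "20" "C:\Users\admin\AppData\Local\Temp\{3eb03a91-ad61-37b2-42c0-1f24d34fa850}\VInputMouse.inf" '
               r'"0" "6c7418f7b" "00000388" "WinSta0\Default" "0000054C" "208" '
               r'"C:\Program Files\Defender\DefenderMouser\Vinput\WinXP\x86chk\VInput"',
         "svchost.exe", "SYSTEM", "SYSTEM"),
]


def argv(cmd: str) -> list[str]:
    """Split a Windows command line into tokens, keeping quoted paths whole."""
    return [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def image_name(token: str) -> str:
    """Base name of the executable token, lower-cased, for either slash style."""
    return token.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage(procs) -> list[tuple[int, str, str]]:
    """Return (pid, rule, detail) for every rule that fires."""
    findings = []
    for p in procs:
        args = argv(p.cmd)
        exe = image_name(args[0])
        if exe == "winword.exe" and p.parent.lower() == "winrar.exe":
            for a in args[1:]:
                if re.search(r"\\Temp\\Rar\$", a):       # opened from WinRAR's temp dir
                    findings.append((p.pid, "doc-from-archive", a))
        if exe == "drvinst.exe":
            for a in args[1:]:
                if a.lower().endswith(".inf") and (
                    re.search(r"\\oem\d+\.inf$", a, re.I)        # third-party INF in the store
                    or not a.lower().startswith("c:\\windows\\")  # INF supplied from elsewhere
                ):
                    findings.append((p.pid, "third-party-inf", a))
        if exe == "rundll32.exe" and "pnpui.dll,installsecuritypromptrundllw" in p.cmd.lower():
            findings.append((p.pid, "driver-trust-prompt", args[1]))
        if p.user.upper() != "SYSTEM" and p.integrity.upper() == "HIGH":
            findings.append((p.pid, "elevated", f"{p.user} at {p.integrity}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in triage(PROCESSES):
        print(f"{pid:>5}  {rule:<20} {detail}")
```

Run against the rows above it reports the two Word instances, both DrvInst INF installs, and the trust prompt (which also trips the elevation rule, since it runs as admin at HIGH integrity); the three DefenderGameCenter.exe launches and the two VINPUT device-node installs produce nothing.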
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 3460 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E | LanguageList | en-US |
| 3460 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 2 | C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip |
| 3460 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 1 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip |
| 3460 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\Desktop\phacker.zip |
| 3460 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120 |
| 3460 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80 |
| 3460 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120 |
| 3460 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100 |
| 3460 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1 |
| 3460 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3276 | DefenderMouserSetup.tmp | C:\Program Files\Defender\DefenderMouser\DefenderGameCenter.exe | executable | AFA2CBC7C54E8A2777CC778A2C83EE19 | 9FE0348A6B14E12E5BAE080ECD2531B07E181F549012CD998EC8FAE2C529DC1F |
| 3276 | DefenderMouserSetup.tmp | C:\ProgramData\Defender\DefenderMouser\Profiles\is-P87QH.tmp | text | F723EBA5A6EA2DECF1398CF4907EE333 | 07FCB34399C5A80447E034A1E4EA23A882D763F4BB35D5DE9E5B7CE204E6AC35 |
| 3540 | DefenderMouserSetup.exe | C:\Users\admin\AppData\Local\Temp\is-TVAHR.tmp\DefenderMouserSetup.tmp | executable | 60F296313E15B4DE307FE024786825BA | 618C1EAF3867BBDC7673AA4C8C88DDBE73B73CA38ECD3DEB0F975E5C4F6AC63C |
| 3460 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa3460.13889\DefenderMouser\Defender GameCenter Software Manual ENG.docx | document | 84E64275F2E50DBB91C9175F76DA6707 | CF88EF7EBEDFA9F9A0CF0545D413B287C5456F90A58AD0F49875D99D140B37F5 |
| 3276 | DefenderMouserSetup.tmp | C:\Program Files\Defender\DefenderMouser\unins000.exe | executable | 0FAF24DD324B470C2D3E9DF55BD78EE3 | 6E0AD3613C1771F39C7CCCC908A7BF08210EFF361070049F7E1AD2EE6E201753 |
| 3400 | DefenderMouserSetup.exe | C:\Users\admin\AppData\Local\Temp\is-3FS73.tmp\DefenderMouserSetup.tmp | executable | 60F296313E15B4DE307FE024786825BA | 618C1EAF3867BBDC7673AA4C8C88DDBE73B73CA38ECD3DEB0F975E5C4F6AC63C |
| 3276 | DefenderMouserSetup.tmp | C:\Program Files\Defender\DefenderMouser\Images\GamingMouse.ini | text | 36C709C611C83A1390762EC21A83AE9C | 5A68C75780B600D0363FA08B80092AE59EFE9EF5A9517A330AD033048DD8CDAB |
| 3276 | DefenderMouserSetup.tmp | C:\Users\admin\AppData\Local\Temp\is-E1KK3.tmp\license-ru.rtf | text | 6F724138F5CE4D32E2326456F8D559A4 | 3A10F12C4A9EC6A13145BD73A74B374DF47AC3B151AE08470D667A26F6865DF1 |
| 3276 | DefenderMouserSetup.tmp | C:\ProgramData\Defender\DefenderMouser\Macros\is-7BMEN.tmp | text | 1E4554AE174B0DF215F2A49895962E38 | 31BF5644F9B28CE0007FC7D9AB5CA812E7725745EC32F011DC57A0C67820A957 |
| 3276 | DefenderMouserSetup.tmp | C:\Program Files\Defender\DefenderMouser\is-O3JEC.tmp | executable | 0FAF24DD324B470C2D3E9DF55BD78EE3 | 6E0AD3613C1771F39C7CCCC908A7BF08210EFF361070049F7E1AD2EE6E201753 |
| PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3008 | downloader.exe | GET | 302 | 5.45.205.245:80 | http://downloader.yandex.net/yandex-pack/downloader/info.rss | unknown | — | — | unknown |
| 3008 | downloader.exe | GET | 302 | 5.45.205.245:80 | http://downloader.yandex.net/yandex-pack/8971/YandexPackSetup.exe | unknown | — | — | unknown |
| 3008 | downloader.exe | GET | — | 149.5.241.43:80 | http://ext-cachev2-cogent03.cdn.yandex.net/downloader.yandex.net/yandex-pack/8971/YandexPackSetup.exe?lid=1503 | unknown | — | — | unknown |
| 3008 | downloader.exe | GET | 200 | 185.70.202.14:80 | http://ext-cachev2-itt02.cdn.yandex.net/downloader.yandex.net/yandex-pack/downloader/info.rss?lid=1529 | unknown | xml | 267 b | unknown |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 3008 | downloader.exe | 5.45.205.245:80 | downloader.yandex.net | YANDEX LLC | RU | unknown |
| 3008 | downloader.exe | 185.70.202.14:80 | ext-cachev2-itt02.cdn.yandex.net | TELECOM ITALIA SPARKLE S.p.A. | IT | unknown |
| 3008 | downloader.exe | 149.5.241.43:80 | ext-cachev2-cogent03.cdn.yandex.net | COGENT-174 | FR | unknown |
| Domain | IP | Reputation |
|---|---|---|
| downloader.yandex.net | | whitelisted |
| ext-cachev2-itt02.cdn.yandex.net | | whitelisted |
| ext-cachev2-cogent03.cdn.yandex.net | | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
| 3008 | downloader.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
| Process | Message |
|---|---|
| drvinst.exe | WdfCoInstaller: [11/08/2023 09:37.00.311] DIF_INSTALLDEVICE: Pre-Processing |
| drvinst.exe | WdfCoInstaller: [11/08/2023 09:37.00.327] ReadComponents: WdfSection for Driver Service VInputBus using KMDF lib version Major 0x1, minor 0x9 |
| drvinst.exe | WdfCoInstaller: [11/08/2023 09:37.04.092] DIF_INSTALLDEVICE: Post-Processing |
| drvinst.exe | WdfCoInstaller: [11/08/2023 09:37.05.432] DIF_INSTALLDEVICE: Pre-Processing |
| drvinst.exe | WdfCoInstaller: [11/08/2023 09:37.05.479] ReadComponents: WdfSection for Driver Service VInputFunc using KMDF lib version Major 0x1, minor 0x9 |
| drvinst.exe | WdfCoInstaller: [11/08/2023 09:37.05.620] DIF_INSTALLDEVICE: Post-Processing |
| drvinst.exe | WdfCoInstaller: [11/08/2023 09:37.06.010] DIF_INSTALLDEVICE: Pre-Processing |
| drvinst.exe | WdfCoInstaller: [11/08/2023 09:37.06.015] ReadComponents: WdfSection for Driver Service VInputFunc using KMDF lib version Major 0x1, minor 0x9 |
| drvinst.exe | WdfCoInstaller: [11/08/2023 09:37.06.114] DIF_INSTALLDEVICE: Post-Processing |