| File name: | Defender_Update_Setup_778795.exe |
| Full analysis: | https://app.any.run/tasks/1989221e-8803-4cc3-8717-7937ef6159c1 |
| Verdict: | Malicious activity |
| Analysis date: | September 19, 2024, 06:38:19 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | C9BAA2A4A6391E1DA55F0183EA74E7A4 |
| SHA1: | D1515AA4508D7EAF99FF868DABBEE2AA20D9BA5A |
| SHA256: | 3BE2ACB935F988318B4743621A6BEA99D55D51497A0834CEEF484901382916B6 |
| SSDEEP: | 98304:Irq3BdwyWmd5PRvWO3CWW0myRCp/N3APgVOicXJzrYMGfw7vNobXvAX7G9Guuw7p:R/WrjovNC |
MALICIOUS
No malicious indicators.SUSPICIOUS
Executable content was dropped or overwritten
- Defender_Update_Setup_778795.exe (PID: 4492)
- Defender_Update_Setup_778795.exe (PID: 6696)
- Defender_Update_Setup_778795.tmp (PID: 2660)
- Defender_Update_Setup_778795.tmp (PID: 2724)
- Defender_Update_Setup_778795.exe (PID: 1748)
Application launched itself
- chrome.exe (PID: 3936)
- chrome.exe (PID: 4364)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (53.5) |
|---|---|---|
| .exe | | | InstallShield setup (21) |
| .exe | | | Win32 EXE PECompact compressed (generic) (20.2) |
| .exe | | | Win32 Executable (generic) (2.1) |
| .exe | | | Win16/32 Executable Delphi generic (1) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:07:12 07:26:53+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 685056 |
| InitializedDataSize: | 171008 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xa83bc |
| OSVersion: | 6.1 |
| ImageVersion: | - |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | Computer World |
| FileDescription: | Defender Security Update Setup |
| FileVersion: | |
| LegalCopyright: | |
| OriginalFileName: | |
| ProductName: | Defender Security Update |
| ProductVersion: | 1.0.0 |
Total processes
158
Monitored processes
40
Malicious processes
5
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 772 | "C:\WINDOWS\system32\cmd.exe" "C:\WINDOWS\system32\cmd.exe" /S /C ""C:\Users\admin\AppData\Local\Temp\is-V14F9.tmp/vmaware64.exe" --spoofable -d > "C:\Users\admin\AppData\Local\Temp\is-V14F9.tmp\~execwithresult.txt"" | C:\Windows\System32\cmd.exe | — | Defender_Update_Setup_778795.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1236 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1748 | "C:\Users\admin\Desktop\Defender_Update_Setup_778795.exe" /VERYSILENT | C:\Users\admin\Desktop\Defender_Update_Setup_778795.exe | Defender_Update_Setup_778795.tmp | ||||||||||||
User: admin Company: Computer World Integrity Level: HIGH Description: Defender Security Update Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 2008 | "C:\WINDOWS\system32\cmd.exe" "C:\WINDOWS\system32\cmd.exe" /S /C ""C:\Program Files\Google\Chrome\Application/chrome.exe" --pack-extension=C:\Users\admin\AppData\Local\Temp\is-V14F9.tmp\utusra > "C:\Users\admin\AppData\Local\Temp\is-V14F9.tmp\~execwithresult.txt"" | C:\Windows\System32\cmd.exe | — | Defender_Update_Setup_778795.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2040 | "taskkill.exe" /f /im "msedge.exe" | C:\Windows\System32\taskkill.exe | — | Defender_Update_Setup_778795.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2240 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | setacl.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2476 | "C:\WINDOWS\system32\cmd.exe" "C:\WINDOWS\system32\cmd.exe" /S /C ""openssl.exe" rsa -in .\utkkrt.pem -pubout -outform DER > "C:\Users\admin\AppData\Local\Temp\is-V14F9.tmp\~execwithresult.txt"" | C:\Windows\System32\cmd.exe | — | Defender_Update_Setup_778795.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2508 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2660 | "C:\Users\admin\AppData\Local\Temp\is-5F9BT.tmp\Defender_Update_Setup_778795.tmp" /SL5="$9023A,3764700,857088,C:\Users\admin\Desktop\Defender_Update_Setup_778795.exe" /VERYSILENT | C:\Users\admin\AppData\Local\Temp\is-5F9BT.tmp\Defender_Update_Setup_778795.tmp | Defender_Update_Setup_778795.exe | ||||||||||||
User: admin Company: Computer World Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 2724 | "C:\Users\admin\AppData\Local\Temp\is-2MQVI.tmp\Defender_Update_Setup_778795.tmp" /SL5="$603B8,3764700,857088,C:\Users\admin\Desktop\Defender_Update_Setup_778795.exe" /SPAWNWND=$303F8 /NOTIFYWND=$8023A | C:\Users\admin\AppData\Local\Temp\is-2MQVI.tmp\Defender_Update_Setup_778795.tmp | Defender_Update_Setup_778795.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
Total events
46 124
Read events
45 782
Write events
306
Delete events
36
Modification events
| (PID) Process: | (5236) svchost.exe | Key: | HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store |
| Operation: | write | Name: | C:\Users\admin\Desktop\Defender_Update_Setup_778795.exe |
Value: 5341435001000000000000000700000028000000C0B8480012A6490001000000000000000000000A0021000050BB64EDDDACD5010000000000000000 | |||
| (PID) Process: | (6784) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\WaaS\WaaSMedic\Configuration |
| Operation: | write | Name: | ETag |
Value: "66A2A386BBA04BD5A6331A0AD7AF8FD8389BA07DAF02CB8E5F846CAC" | |||
| (PID) Process: | (6784) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\WaaS\WaaSMedic\Configuration |
| Operation: | write | Name: | refreshInterval |
Value: 889 | |||
| (PID) Process: | (6784) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\WaaS\WaaSMedic\Configuration |
| Operation: | write | Name: | refreshAfter |
Value: F3927EB5270BDB01 | |||
| (PID) Process: | (6784) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\WaaS\WaaSMedic\Configuration\SERVICEHEALTHPLUGIN |
| Operation: | write | Name: | ORDER |
Value: 1 | |||
| (PID) Process: | (6784) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\WaaS\WaaSMedic\Configuration\SCHEDULEDTASKSPLUGIN |
| Operation: | write | Name: | MAXUPTIMETHRESHOLD |
Value: 20 | |||
| (PID) Process: | (6784) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\WaaS\WaaSMedic\Configuration\SERVICEHEALTHPLUGIN |
| Operation: | write | Name: | MINUPTIMETHRESHOLD |
Value: 0 | |||
| (PID) Process: | (6784) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\WaaS\WaaSMedic\Configuration\SERVICINGCLEANUPPLUGIN |
| Operation: | write | Name: | RUNONMANAGED |
Value: | |||
| (PID) Process: | (6784) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\WaaS\WaaSMedic\Configuration\SCHEDULEDTASKSPLUGIN |
| Operation: | write | Name: | INTERVALINHOURS |
Value: 24 | |||
| (PID) Process: | (6784) svchost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\WaaS\WaaSMedic\Configuration\DISKCLEANUPPLUGIN |
| Operation: | write | Name: | THREADEXECUTIONTIMEOUTINSECONDS |
Value: 7200 | |||
Executable files
18
Suspicious files
31
Text files
25
Unknown types
18
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2660 | Defender_Update_Setup_778795.tmp | C:\Users\admin\AppData\Local\Temp\is-V14F9.tmp\_isetup\_isdecmp.dll | executable | |
MD5:077CB4461A2767383B317EB0C50F5F13 | SHA256:8287D0E287A66EE78537C8D1D98E426562B95C50F569B92CEA9CE36A9FA57E64 | |||
| 2660 | Defender_Update_Setup_778795.tmp | C:\Users\admin\AppData\Local\Temp\is-V14F9.tmp\vmaware64.exe | executable | |
MD5:4ADC348CF014D5C2EACCA085FC6BD8B1 | SHA256:3D3E48E16326F5AB718E63BFF2A4BB109B3C1942147F14E103467E2EC42A1401 | |||
| 6696 | Defender_Update_Setup_778795.exe | C:\Users\admin\AppData\Local\Temp\is-HC2SM.tmp\Defender_Update_Setup_778795.tmp | executable | |
MD5:9CF66B9BA3DAACCB510CE72604DB4203 | SHA256:10FA4F46ACD467FF5ECF3C19ACB0663F275FEC8334259C8236A325C8124EA6AD | |||
| 772 | cmd.exe | C:\Users\admin\AppData\Local\Temp\is-V14F9.tmp\~execwithresult.txt | text | |
MD5:21438EF4B9AD4FC266B6129A2F60DE29 | SHA256:13BF7B3039C63BF5A50491FA3CFD8EB4E699D1BA1436315AEF9CBE5711530354 | |||
| 6608 | RUXIMICS.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.032.etl | etl | |
MD5:079890A8EC8D5CB6523FCEC2209780AA | SHA256:0E12D2D76DD738CE196BED522E35F75E2CC91294F78CDDCBE8CE7787AAA70049 | |||
| 6608 | RUXIMICS.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.026.etl | binary | |
MD5:5EA68411BF8E9EAF4621BAF73F61449E | SHA256:9D4CA5A1D871F819C139A498BB910A63576C2FE6367853544F8D172D8B6EBFF7 | |||
| 1748 | Defender_Update_Setup_778795.exe | C:\Users\admin\AppData\Local\Temp\is-5F9BT.tmp\Defender_Update_Setup_778795.tmp | executable | |
MD5:9CF66B9BA3DAACCB510CE72604DB4203 | SHA256:10FA4F46ACD467FF5ECF3C19ACB0663F275FEC8334259C8236A325C8124EA6AD | |||
| 6608 | RUXIMICS.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.031.etl | etl | |
MD5:2F36C598EBFF5B5CDD898C9691D6BCCB | SHA256:8900C5931ED8E0D1B68082B45CF2F4E8C1025D36825508E0804C916D781B9F50 | |||
| 6608 | RUXIMICS.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.029.etl | etl | |
MD5:44A0E917AD0C126931B1BCD959285A9A | SHA256:DDFBE47E7DFD6D8B7517F2F6FF9808ECF3C0A25F588A9F96D04F4E2B4A578573 | |||
| 6608 | RUXIMICS.exe | C:\ProgramData\PLUG\Logs\RUXIMLog.035.etl | etl | |
MD5:FA358BFEE9B4E1FFB7394D13CBBC4898 | SHA256:6FF97BBF8A56286A4C71623829514CC14B7F8CBBCF09748D939F733968478A22 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
18
DNS requests
6
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6784 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4044 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 104.21.94.105:443 | https://statssrv.com/310ca5d/postback?subid=2ja5e9t1a6oc4&status=sale&sub_id_8=2ja5e9t1a6oc4&sub_id_5=&sub_id_1=10.0.19045.256&sub_id_2=0&sub_id_3=1&sub_id_4=1 | unknown | text | 7 b | — |
— | — | GET | 200 | 104.21.94.105:443 | https://statssrv.com/310ca5d/postback?subid=2ja5e9t1a6oc4&status=lead&sub_id_8=2ja5e9t1a6oc4&sub_id_5=&sub_id_1=10.0.19045.256&sub_id_2=-1&sub_id_3=1&sub_id_4=1 | unknown | text | 7 b | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6784 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
2120 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4044 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6784 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
4044 | RUXIMICS.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
2120 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2660 | Defender_Update_Setup_778795.tmp | 104.21.94.105:443 | statssrv.com | CLOUDFLARENET | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
statssrv.com |
| unknown |