| Field | Value |
|---|---|
| File name: | AS-300 Setup v1.0.4.exe |
| Full analysis: | https://app.any.run/tasks/d8ee8af2-fdff-4e1f-9700-2ffb2f87ca10 |
| Verdict: | Malicious activity |
| Analysis date: | February 02, 2024, 03:20:32 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 2D90B8CA4CA69E0CFF8BA65E11B000C5 |
| SHA1: | A06FDD95EED5D0BB79812779D49B48F4C27957D1 |
| SHA256: | 427D378CCB67C7AEC0B3690EA6E6373F4B512006E82638BE54A913A403981E42 |
| SSDEEP: | 24576:K6+yYbeuCmVOwMzVysnDHMiTa39CSnmnHnTU8H9J+NnsUPPBJOcCsG54n1m:K6+yYbeuCmVOwMzVysnDHMiTa39CSnmB |
| Extension | Detected type (score) |
|---|---|
| .exe | Win32 Executable MS Visual C++ (generic) (22.1) |
| .exe | Win64 Executable (generic) (19.6) |
| .exe | UPX compressed Win32 Executable (19.2) |
| .exe | Win32 EXE Yoda's Crypter (18.8) |
| .scr | Windows screen saver (9.3) |
| PE field | Value |
|---|---|
| MachineType: | Intel 386 or later, and compatibles |
| TimeStamp: | 2002:11:18 16:53:37+01:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 36864 |
| InitializedDataSize: | 24576 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x49cb |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| PID | CMD | Path | Indicators | Parent process | User | Integrity Level | Exit code | Details |
|---|---|---|---|---|---|---|---|---|
| 1380 | "C:\Users\admin\AppData\Local\Temp\AS-300 Setup v1.0.4.exe" | C:\Users\admin\AppData\Local\Temp\AS-300 Setup v1.0.4.exe | — | explorer.exe | admin | MEDIUM | 3221226540 | |
| 2088 | C:\Users\admin\AppData\Local\Temp\ae30444\setup.exe -d "C:\Users\admin\AppData\Local\Temp" | C:\Users\admin\AppData\Local\Temp\ae30444\setup.exe | | AS-300 Setup v1.0.4.exe | admin | HIGH | 0 | |
| 2628 | "C:\Users\admin\AppData\Local\Temp\AS-300 Setup v1.0.4.exe" | C:\Users\admin\AppData\Local\Temp\AS-300 Setup v1.0.4.exe | | explorer.exe | admin | HIGH | 0 | |
| 2824 | "C:\AS\AS-300 V1.0.4\Program.exe" | C:\AS\AS-300 V1.0.4\Program.exe | — | explorer.exe | admin | MEDIUM | 0 | |
| 3248 | C:\Users\admin\AppData\Local\Temp\ae30444\Regsvr32.exe /s "C:\Windows\system32\Msflxgrd.ocx" | C:\Users\admin\AppData\Local\Temp\ae30444\Regsvr32.exe | — | setup.exe | admin | HIGH | 0 | Company: Microsoft Corporation; Description: Microsoft(C) Register Server; Version: 5.00.1641.1 |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 3248 | Regsvr32.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6262D3A0-531B-11CF-91F6-C2863C385E30} | delete key | (default) | |
| 3248 | Regsvr32.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6319EEA0-531B-11CF-91F6-C2863C385E30} | delete key | (default) | |
| 3248 | Regsvr32.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{275DBBA0-805A-11CF-91F7-C2863C385E30} | delete key | (default) | |
| 3248 | Regsvr32.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\TypeLib | write | Version | 2.0 |
| 3248 | Regsvr32.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib | write | Version | 2.0 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2628 | AS-300 Setup v1.0.4.exe | C:\Users\admin\AppData\Local\Temp\ae30444\setup.exe | executable | 92BF86AEB433F01AE1DEBC4F773A5697 | 82886062F2240FF68A3DBF98596B3213957DD5ABB9FDD5E3DFCCD5B34D75F686 |
| 2628 | AS-300 Setup v1.0.4.exe | C:\Users\admin\AppData\Local\Temp\ae30444\English.dat | text | 11075490B216306D47156DD9C9DB9B52 | 1F8ADA3C4BBD62495B3747BDFFE6F1745F7484CE86045E7227515F27D2253FE4 |
| 2628 | AS-300 Setup v1.0.4.exe | C:\Users\admin\AppData\Local\Temp\ae30444\setup.zip | compressed | 431082AC4E00618DB89663F1EFB20AC1 | A5B4A2B41EFA9D50C9061F7B7931BB70C30655F98A5934E58DA5E6BA046FE3C5 |
| 2628 | AS-300 Setup v1.0.4.exe | C:\Users\admin\AppData\Local\Temp\ae30444\Regsvr32.exe | executable | 7B194F51F6B52233C33A7D0D88A91581 | 7C05339DA12624396D9911263DC7C993FC2E757E130009465A511045BF06D344 |
| 2088 | setup.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AS\AS-300 V1.0.4\Uninstall AS-300.lnk | binary | 7EC3B5F5691165C13D1B550046489505 | 25AF2EB9255EEB81154026CA840FD2C328ED2B4563EF4DC158A5B65A0BE922A7 |
| 2088 | setup.exe | C:\AS\AS-300 V1.0.4\Program.exe | executable | F50676B81176482D74F70C794824084C | F20E9C1671A845D38F123997A3CA98DF559DD57A5589F8496ECBBA6EA3540A7B |
| 2088 | setup.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\AS\AS-300 V1.0.4\AS-300.lnk | binary | 0B25B94D7840EC577792693D323503BB | 1BA752C79C9179FE58FA9F99BF1379A6A2FB6C2643424948DB5A38B04584DBE8 |
| 2088 | setup.exe | C:\Users\admin\Desktop\AS-300.lnk | binary | D49196DCEB8F4413CCBA8440FFFD237F | 145DBAF0BEE3B27E76F17E2D17F85D7E4BB4A6E8EA4F5CFEC34A1BB37F55B284 |
| 2088 | setup.exe | C:\AS\AS-300 V1.0.4\setup.log | text | 05DFB3322C59628245825674062B271E | DB98F893165D75FC3274E0110AAFA28F1AC188FC0E3C2FB312FDB3DB39ECF318 |
| 2088 | setup.exe | C:\Users\Administrator\Desktop\AS-300.lnk | binary | D49196DCEB8F4413CCBA8440FFFD237F | 145DBAF0BEE3B27E76F17E2D17F85D7E4BB4A6E8EA4F5CFEC34A1BB37F55B284 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |