Malware analysis sih.4.8.0.0.exe Malicious activity | ANY.RUN

Add for printing

File name:	sih.4.8.0.0.exe
Full analysis:	https://app.any.run/tasks/94cf8e76-690e-48a3-b0d2-81a6ad1ceea6
Verdict:	Malicious activity
Analysis date:	September 28, 2024, 23:16:00
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	autoit upx
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:	73FE89DB05D1372C3CD32DA1B7771C75
SHA1:	28CD5E604D4D4D40D24904D4E4E6A913A98C8230
SHA256:	4504C66DBFD4117EA1D2DF6E43EFF497330165750C15D6BBDA76640CE32E3A40
SSDEEP:	98304:P5Drp5VkvdRIPDYaDPRy0D6fiG551WXSt5aUFMGocSdstwdeepJqpN2hxE8f7rw4:/A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Drops 7-zip archiver for unpacking
  - sih.4.8.0.0.exe (PID: 1420)
- Executable content was dropped or overwritten
  - sih.4.8.0.0.exe (PID: 1420)
INFO
- Checks supported languages
  - sih.4.8.0.0.exe (PID: 1420)
- Reads mouse settings
  - sih.4.8.0.0.exe (PID: 1420)
- Create files in a temporary directory
  - sih.4.8.0.0.exe (PID: 1420)
- UPX packer has been detected
  - sih.4.8.0.0.exe (PID: 1420)
- Reads the computer name
  - sih.4.8.0.0.exe (PID: 1420)
- The process uses AutoIt
  - sih.4.8.0.0.exe (PID: 1420)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	UPX compressed Win32 Executable (39.3)
.exe	\|	Win32 EXE Yoda's Crypter (38.6)
.dll	\|	Win32 Dynamic Link Library (generic) (9.5)
.exe	\|	Win32 Executable (generic) (6.5)
.exe	\|	Generic Win/DOS Executable (2.9)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:01:17 11:37:16+00:00
ImageFileCharacteristics:	Executable, Large address aware, 32-bit
PEType:	PE32
LinkerVersion:	12
CodeSize:	356352
InitializedDataSize:	1646592
UninitializedDataSize:	2174976
EntryPoint:	0x26a310
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	0.0.0.0
ProductVersionNumber:	0.0.0.0
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (British)
CharacterSet:	Unicode

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

133

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1420

"C:\Users\admin\AppData\Local\Temp\sih.4.8.0.0.exe"

C:\Users\admin\AppData\Local\Temp\sih.4.8.0.0.exe

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Modules

Images
c:\users\admin\appdata\local\temp\sih.4.8.0.0.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

6112

C:\WINDOWS\system32\msiexec.exe /V

C:\Windows\System32\msiexec.exe

—

services.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows® installer

Version:

5.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll

6772

MsiExec.exe /I{C2C59CAB-8766-4ABD-A8EF-1151A36C41E5}

C:\Windows\SysWOW64\msiexec.exe

—

sih.4.8.0.0.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows® installer

Exit code:

Version:

5.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\aclayers.dll

Add for printing

Total events

2 229

Read events

2 209

Write events

Delete events

Modification events


(PID) Process:	(6112) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Owner
Value: E0170000A410077EFC11DB01
(PID) Process:	(6112) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	SessionHash
Value: F0010A6E088FBC7AB7BCDCA9E20D2DF270612463808A048EBCDBC6FEB01BCBC5
(PID) Process:	(6112) msiexec.exe	Key:	HKEY_USERS\S-1-5-21-1693682860-607145093-2874071422-1001\SOFTWARE\Microsoft\RestartManager\Session0000
Operation:	write	Name:	Sequence
Value: 1
(PID) Process:	(6112) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders
Operation:	write	Name:	C:\Config.Msi\
Value:
(PID) Process:	(6112) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:	write	Name:	C:\Config.Msi\400604.rbs
Value: 31134204
(PID) Process:	(6112) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts
Operation:	write	Name:	C:\Config.Msi\400604.rbsLow
Value:
(PID) Process:	(6112) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\BAC95C2C6678DBA48AFE11153AC6145E\InstallProperties
Operation:	write	Name:	DisplayName
Value: Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532
(PID) Process:	(6112) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\BAC95C2C6678DBA48AFE11153AC6145E\Patches
Operation:	delete value	Name:	AllPatches
Value:
(PID) Process:	(6112) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\BAC95C2C6678DBA48AFE11153AC6145E\Patches
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6112) msiexec.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\BAC95C2C6678DBA48AFE11153AC6145E\Patches
Operation:	write	Name:	AllPatches
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1420	sih.4.8.0.0.exe	C:\Users\admin\AppData\Local\Temp\aut664B.tmp		binary
		MD5:67F29D8CFC16F5E334C2A91659E00D3B	SHA256:2A77F53FED2711A34328D103C948B3C337FB2171D896F80AE9B3C6947ECD591F
1420	sih.4.8.0.0.exe	C:\Users\admin\AppData\Local\Temp\peid.exe		executable
		MD5:4B5289D1DBD727C5DD0E247A7D7DB03E	SHA256:E13171D50F45A79BC09B9E4B9FFA38EB02301ACA94A1867A9BF8ACCCC3759030
1420	sih.4.8.0.0.exe	C:\Users\admin\AppData\Local\Temp\7z.dll		executable
		MD5:3804A90729D2E2339C8E1E5899DFC840	SHA256:346523F444763C5DC814FFA1700C9956284138C7064A89C56511963E522045CD
1420	sih.4.8.0.0.exe	C:\Users\admin\AppData\Local\Temp\aut663A.tmp		binary
		MD5:F77C4B20B21657949253FC2C0248DA02	SHA256:229D23A641BCC328E6F65B083F44AAC004D37D08BDC0EE9EC8DEB1A4DCF176BB
1420	sih.4.8.0.0.exe	C:\Users\admin\AppData\Local\Temp\scripts\qt-installer-noninteractive.qs		text
		MD5:A51568D4FCB472E0B4489897E738ED70	SHA256:D409D18825DD3B9D376EB04FB9301A7AE29B3F6FD5056CA76906B6B62C991821
1420	sih.4.8.0.0.exe	C:\Users\admin\AppData\Local\Temp\aut684F.tmp		binary
		MD5:55FA4197047814A4CC157689B609442C	SHA256:E82E417614D98160E9C3D66901F2D2C14C87B516A7BF41172D48F7805B430FC8
1420	sih.4.8.0.0.exe	C:\Users\admin\AppData\Local\Temp\7z.exe		executable
		MD5:096442EE840396E1F33492C3E464169B	SHA256:F968CBFFB91ECD328DC7FEC93ECF1ED821A7CFE26F18C50A6C5DCD0595DEAF83
1420	sih.4.8.0.0.exe	C:\Users\admin\AppData\Local\Temp\aut691C.tmp		binary
		MD5:0C334B880E4250D16F34AF140BDBFDC0	SHA256:FF3A37DA8CD8B662F3818C8B71F0897A54E4D7BDD84350557F3E79C8E7E53675
1420	sih.4.8.0.0.exe	C:\Users\admin\AppData\Local\Temp\scripts\tixati-install.au3		text
		MD5:8B3EE5E2BEFBD1E7E934AA0A189BFFA8	SHA256:7DD582CC999CD71E8686B95A338C991613A9DECB5F8558C80056B54EF4846F36
1420	sih.4.8.0.0.exe	C:\Users\admin\AppData\Local\Temp\scripts\maxthon5-install.au3		text
		MD5:417D8566E9EF1D1360C24BB4F5EED6DF	SHA256:E0FD748557C07A1B9CE434E379EEF2088AA65BF3ABB5D850A3A7EED64A917777

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2120	MoUsoCoreWorker.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1252	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2824	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
1712	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
1712	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
6564	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
—	—	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4324	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1252	svchost.exe	20.190.159.23:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1252	svchost.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
3260	svchost.exe	40.115.3.253:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59	whitelisted
www.microsoft.com	184.30.21.171 95.101.149.131	whitelisted
google.com	142.250.185.78	whitelisted
login.live.com	20.190.159.23 20.190.159.73 20.190.159.2 40.126.31.73 20.190.159.0 20.190.159.71 40.126.31.67 20.190.159.68	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
go.microsoft.com	184.30.17.189	whitelisted
arc.msn.com	20.223.36.55	whitelisted
fd.api.iris.microsoft.com	20.199.58.43	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

sih.4.8.0.0.exe

73FE89DB05D1372C3CD32DA1B7771C75

28CD5E604D4D4D40D24904D4E4E6A913A98C8230

4504C66DBFD4117EA1D2DF6E43EFF497330165750C15D6BBDA76640CE32E3A40

98304:P5Drp5VkvdRIPDYaDPRy0D6fiG551WXSt5aUFMGocSdstwdeepJqpN2hxE8f7rw4:/A

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Drops 7-zip archiver for unpacking

Executable content was dropped or overwritten

INFO

Checks supported languages

Reads mouse settings

Create files in a temporary directory

UPX packer has been detected

Reads the computer name

The process uses AutoIt

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings