File name: UC232A_Windows_Setup.exe

Full analysis: https://app.any.run/tasks/152221f2-aaf3-49ad-b061-69dfc2ef8526
Verdict: Malicious activity
Analysis date: June 17, 2024, 15:21:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, PECompact2 compressed
MD5: 535F2124CBCE3903082E6A391DE3EF86
SHA1: FB212D2614DE0275FC350B6C8D057525190EA8D8
SHA256: 49280A15191065129E434F96444B29AF83AA54D85FB6912030C62AB7AD2E4440
SSDEEP: 98304:iej5MMjMpeHuhMiIHn+VXOTC5HmcdpkicJypsfLiz5I:D1lCveNH+VXOGAcELypCLb

ANY.RUN is an interactive service that gives the analyst full access to the guest system. The information in this report may therefore have been influenced by user actions and is provided as-is; ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS
    • Drops the executable file immediately after the start
      • UC232A_Windows_Setup.exe (PID: 3984)
      • Win7_x86.exe (PID: 864)
      • DPInst.exe (PID: 1792)
      • drvinst.exe (PID: 1852)
    • Creates a writable file in the system directory
      • drvinst.exe (PID: 1852)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • UC232A_Windows_Setup.exe (PID: 3984)
      • Win7_x86.exe (PID: 864)
      • DPInst.exe (PID: 1792)
      • drvinst.exe (PID: 1852)
    • Reads security settings of Internet Explorer
      • UC232A_Windows_Setup.exe (PID: 3984)
    • Reads the Internet Settings
      • UC232A_Windows_Setup.exe (PID: 3984)
    • Searches for installed software
      • Win7_x86.exe (PID: 864)
    • Process drops legitimate windows executable
      • Win7_x86.exe (PID: 864)
    • Reads the Windows owner or organization settings
      • Win7_x86.exe (PID: 864)
    • Executes as Windows Service
      • VSSVC.exe (PID: 116)
    • Drops a system driver (possible attempt to evade defenses)
      • Win7_x86.exe (PID: 864)
      • DPInst.exe (PID: 1792)
      • drvinst.exe (PID: 1852)
    • Creates a software uninstall entry
      • Win7_x86.exe (PID: 864)
    • Creates files in the driver directory
      • drvinst.exe (PID: 1852)
    • Checks Windows Trust Settings
      • drvinst.exe (PID: 1852)
  • INFO
    • Checks supported languages
      • UC232A_Windows_Setup.exe (PID: 3984)
      • Win7_x86.exe (PID: 864)
      • DPInst.exe (PID: 1792)
      • drvinst.exe (PID: 1852)
    • Reads the computer name
      • UC232A_Windows_Setup.exe (PID: 3984)
      • Win7_x86.exe (PID: 864)
      • drvinst.exe (PID: 1852)
      • DPInst.exe (PID: 1792)
    • Create files in a temporary directory
      • UC232A_Windows_Setup.exe (PID: 3984)
      • Win7_x86.exe (PID: 864)
      • DPInst.exe (PID: 1792)
    • Reads the machine GUID from the registry
      • Win7_x86.exe (PID: 864)
      • DPInst.exe (PID: 1792)
      • drvinst.exe (PID: 1852)
    • Creates files in the program directory
      • Win7_x86.exe (PID: 864)
    • Reads the software policy settings
      • drvinst.exe (PID: 1852)
Signature artifacts and their mapping to the MITRE ATT&CK matrix are in the full report.

Note on the verdict: every MALICIOUS-tier signature above fires on the driver-installation chain itself. The setup stub drops an InstallShield engine (Win7_x86.exe, "Acresso Software Inc." Setup.exe 15.0.498), which unpacks and runs Microsoft's Driver Package Installer (DPInst.exe), which has the Windows Driver Installation Module (drvinst.exe, run as SYSTEM by svchost.exe) stage ser2at.inf into the driver store. That is what a legitimate USB-to-serial driver package does, but it is also a path an attacker can ride, and nothing in this report verifies the Authenticode signature on the sample or on the catalog that covers ser2at.inf. Before taking the Aten version-resource strings at face value, check the sample's signature and compare its SHA256 with the vendor's download, and inspect the signer of the staged package on the host (pnputil -e on Windows 7, pnputil /enum-drivers on newer Windows, or signtool verify /pa on the .cat file). Note also that neither the sample nor its children made any network connection; the three connections listed later are OS background broadcasts from PID 4 and svchost.exe.

Malware configuration: none extracted.

TRiD (file-type identification, match confidence in %)

.exe | Win32 EXE PECompact compressed (v2.x) (54.1%)
.exe | Win32 EXE PECompact compressed (generic) (38.0%)
.exe | Win32 Executable (generic) (4.1%)
.exe | Generic Win/DOS Executable (1.8%)
.exe | DOS Executable Generic (1.8%)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:03:10 06:44:01+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 44544
InitializedDataSize: 67529216
UninitializedDataSize: -
EntryPoint: 0x32dc
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.0.84.1
ProductVersionNumber: 1.0.82.0
FileFlagsMask: 0x0017
FileFlags: (none)
FileOS: Win32
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Aten International Co., Ltd.
FileDescription: UC232A_Windows_Setup
FileVersion: 1,0,084,001
InternalName: Win32
LegalCopyright: Copyright (R) 2010 Aten International Co., Ltd. All rights reserved.
OriginalFileName: UC232A_Windows_Setup
ProductName: UC232A
ProductVersion: 1,0,084,001
All screenshots are available in the full report
Total processes: 41
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process tree, reconstructed from the parent-process column of the table below ("no specs" is the report's tag for a process with no signature hits):

explorer.exe
  └─ UC232A_Windows_Setup.exe (PID 3984, MEDIUM integrity)
       ├─ Win7_x86.exe (PID 4016, MEDIUM, no specs; exits with 0xC000042C STATUS_ELEVATION_REQUIRED)
       └─ Win7_x86.exe (PID 864, HIGH; the relaunch after the UAC prompt)
            └─ DPInst.exe (PID 1792, HIGH)
services.exe
  └─ VSSVC.exe (PID 116, SYSTEM, no specs; started as a service when PID 864 requested a restore point)
svchost.exe
  └─ DrvInst.exe (PID 1852, SYSTEM; driver-store import of ser2at.inf on behalf of DPInst.exe)

Process information

PID 116: C:\Windows\system32\vssvc.exe
  Path: C:\Windows\System32\VSSVC.exe
  Parent: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity level: SYSTEM
  Description: Microsoft® Volume Shadow Copy Service
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Note: started on demand by the Service Control Manager when Win7_x86.exe (PID 864) asked System Restore for a restore point (see the VSS\Diag registry writes below). It is a Windows service, not a file the sample dropped.
  Modules (images):
    c:\windows\system32\vssvc.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll

PID 864: "C:\Users\admin\AppData\Local\Temp\Win7_x86.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Win7_x86.exe
  Parent: UC232A_Windows_Setup.exe
  User: admin
  Company: Acresso Software Inc.
  Integrity level: HIGH
  Description: Setup.exe
  Exit code: 0
  Version: 15.0.498
  Note: the InstallShield setup engine extracted by the outer stub. HIGH integrity under the same user means it was relaunched through a UAC prompt after the first attempt (PID 4016) was refused with STATUS_ELEVATION_REQUIRED.
  Modules (images):
    c:\users\admin\appdata\local\temp\win7_x86.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll

PID 1792: "C:\Program Files\Aten International Co., Ltd\UC232A_Win 7_32bit\DPInst.exe"
  Path: C:\Program Files\Aten International Co., Ltd\UC232A_Win 7_32bit\DPInst.exe
  Parent: Win7_x86.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Driver Package Installer
  Exit code: 256 (0x00000100)
  Version: 2.1
  Note: DPInst encodes its result as bit fields (low byte: packages installed on a present device; next byte: packages copied to the driver store but not bound to a device; bit 30: reboot required; bit 31: failure). 0x100 therefore means one driver package was staged and no matching device was attached to the guest; a live UC232A adapter would have produced 1 instead.
  Modules (images):
    c:\program files\aten international co., ltd\uc232a_win 7_32bit\dpinst.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\user32.dll

PID 1852: DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{6217f797-fac4-1d57-34dd-1062ba31b669}\ser2at.inf" "0" "69341ca17" "0000056C" "WinSta0\Default" "00000590" "208" "c:\program files\aten international co., ltd\uc232a_win 7_32bit"
  Path: C:\Windows\System32\drvinst.exe
  Parent: svchost.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity level: SYSTEM
  Description: Driver Installation Module
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Note: drvinst.exe is the Windows component that verifies and imports a driver package; the Plug and Play service host launches it as SYSTEM for every driver-store import, so the SYSTEM integrity here is not evidence that the sample escalated privileges. The INF being imported is ser2at.inf from DPInst's temporary directory.
  Modules (images):
    c:\windows\system32\drvinst.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\setupapi.dll
    c:\windows\system32\cfgmgr32.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll

PID 3984: "C:\Users\admin\AppData\Local\Temp\UC232A_Windows_Setup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\UC232A_Windows_Setup.exe
  Parent: explorer.exe
  User: admin
  Company: Aten International Co., Ltd.
  Integrity level: MEDIUM
  Description: UC232A_Windows_Setup
  Exit code: 1
  Version: 1,0,084,001
  Modules (images):
    c:\users\admin\appdata\local\temp\uc232a_windows_setup.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\imm32.dll

PID 4016: "C:\Users\admin\AppData\Local\Temp\Win7_x86.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Win7_x86.exe
  Parent: UC232A_Windows_Setup.exe
  User: admin
  Company: Acresso Software Inc.
  Integrity level: MEDIUM
  Description: Setup.exe
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 15.0.498
  Note: only ntdll.dll was ever mapped. The stub created this process from a medium-integrity token, the loader found a manifest that requests elevation and terminated the process before any of its own code ran, and the stub then relaunched it elevated as PID 864.
  Modules (images):
    c:\users\admin\appdata\local\temp\win7_x86.exe
    c:\windows\system32\ntdll.dll
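The two non-zero exit codes in the table above are worth decoding rather than reading as raw integers. The Python below is an example added to this page, not ANY.RUN or Aten code: it names the NTSTATUS behind the 32-bit exit code of PID 4016 and splits a DPInst return code into its bit fields (low byte: packages installed on a present device; second byte: packages copied to the driver store with no device to bind to; bit 30: reboot required; bit 31: failure). The NTSTATUS table is a small hand-picked subset, not a complete list.

```python
"""Decode the exit codes recorded in the process table (added example)."""
from dataclasses import dataclass

# Hand-picked subset of NTSTATUS values that show up as process exit codes
# in sandbox reports. Anything not listed is reported as an unnamed NTSTATUS.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000013A: "STATUS_CONTROL_C_EXIT",
    0xC0000142: "STATUS_DLL_INIT_FAILED",
    0xC000042C: "STATUS_ELEVATION_REQUIRED",
}


def decode_exit_code(code: int) -> str:
    """Render a process exit code.

    Sandboxes print the exit code as an unsigned 32-bit integer, so an
    NTSTATUS error such as 0xC000042C appears as 3221226540. Values with
    the two top bits set (severity = error) are shown in hex and named
    when they are in the table above; everything else stays decimal.
    """
    code &= 0xFFFFFFFF
    if (code & 0xC0000000) == 0xC0000000:
        name = NTSTATUS_NAMES.get(code, "(NTSTATUS not in table)")
        return f"0x{code:08X} {name}"
    return str(code)


@dataclass(frozen=True)
class DpinstResult:
    installed: int          # bits 0-7: packages installed on a present device
    staged: int             # bits 8-15: packages copied to the driver store only
    reboot_required: bool   # bit 30
    failed: bool            # bit 31


def decode_dpinst(code: int) -> DpinstResult:
    """Split a DPInst.exe return code into its bit fields."""
    code &= 0xFFFFFFFF
    return DpinstResult(
        installed=code & 0xFF,
        staged=(code >> 8) & 0xFF,
        reboot_required=bool(code & (1 << 30)),
        failed=bool(code & (1 << 31)),
    )


if __name__ == "__main__":
    # Exit codes copied from the process table above.
    print("Win7_x86.exe PID 4016:", decode_exit_code(3221226540))
    print("UC232A_Windows_Setup.exe PID 3984:", decode_exit_code(1))
    r = decode_dpinst(256)  # DPInst.exe PID 1792
    print(f"DPInst.exe PID 1792: installed={r.installed} staged={r.staged} "
          f"reboot={r.reboot_required} failed={r.failed}")
```

Run it as-is to see the three codes from this report decoded; pass other values to decode_exit_code or decode_dpinst when triaging another run.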
Total events: 8 227
Read events: 8 019
Write events: 202
Delete events: 6

Modification events

PID 3984 UC232A_Windows_Setup.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    write ProxyBypass = 1
    write IntranetName = 1
    write UNCAsIntranet = 1
    write AutoDetect = 0
  These four values are the defaults that urlmon/WinINet write the first time a profile's zone map is initialised; they are what the "Reads security settings of Internet Explorer" signature keys on, and they do not alter the proxy or zone configuration. The process made no network requests.

PID 864 Win7_x86.exe
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
    write SrCreateRp (Enter) = 4000000000000000A4F7EE0DCAC0DA01600300000C040000D5070000000000000000000000000000000000000000000000000000000000000000000000000000
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
    write SppCreate (Enter) = 4000000000000000A4F7EE0DCAC0DA01600300000C040000D0070000000000000000000000000000000000000000000000000000000000000000000000000000
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
    write LastIndex = 75
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
    write SppGatherWriterMetadata (Enter) = 400000000000000010EFA80ECAC0DA01600300000C040000D3070000000000000000000000000000000000000000000000000000000000000000000000000000
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\VssapiPublisher
    write IDENTIFY (Enter) = 400000000000000010EFA80ECAC0DA01600300005C060000E803000001000000000000000000000060D533F1FE067845AABC8B46276E5E2E0000000000000000

PID 116 VSSVC.exe
  Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer
    write IDENTIFY (Enter) = 40000000000000002C3DB70ECAC0DA017400000074010000E8030000010000000100000000000000000000000000000000000000000000000000000000000000

The VSS\Diag values are Volume Shadow Copy diagnostic trace records, not settings. SrCreateRp is the trace point for System Restore's create-restore-point call, so PID 864 (the InstallShield engine) requested a restore point before installing, which is what started VSSVC.exe; the SPP and IDENTIFY records are the shadow-copy provider and writers being enumerated for that snapshot, and SPP\LastIndex was bumped to 75 as it was recorded. Each 64-byte value embeds a FILETIME followed by the writing process's PID and thread ID (0x360 = 864 and 0x74 = 116 are visible in the hex), which is why they are worth keeping as timeline evidence.
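The 64-byte VSS\Diag values above are trace records rather than settings. The Python below is an example added to this page (not ANY.RUN or Microsoft code) that decodes them with a layout inferred from these records themselves: a length dword, a FILETIME at offset 8, the writing process's PID and thread ID at offsets 16 and 20, an unexplained counter at offset 24 and, in IDENTIFY records, a GUID at offset 40. That layout is an assumption checked only against the five values on this page, not a documented structure; PAGE_RECORDS holds those five values verbatim, and the GUID is extracted but not interpreted.

```python
"""Decode the 64-byte VSS Diag trace records written during the run (added example)."""
import struct
import uuid
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME is the count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


@dataclass(frozen=True)
class VssDiagRecord:
    size: int                   # offset 0: record length, 0x40 for every record here
    timestamp: datetime         # offset 8: FILETIME when the trace point was hit
    pid: int                    # offset 16: process that wrote the record
    tid: int                    # offset 20: thread within that process
    counter: int                # offset 24: dword whose meaning is not established here
    guid: Optional[uuid.UUID]   # offset 40: GUID, present only in IDENTIFY records


def parse_vss_diag(hex_value: str) -> VssDiagRecord:
    """Parse one REG_BINARY value from HKLM\\SYSTEM\\...\\services\\VSS\\Diag.

    Layout inferred from the records on this page (the PID fields match the
    writing processes: 0x360 = 864, 0x74 = 116). Only the first 56 bytes
    carry data; the remainder of the 64-byte record is zero padding.
    """
    data = bytes.fromhex(hex_value.strip()[:112])
    if len(data) < 28:
        raise ValueError("VSS diag record shorter than 28 bytes")
    size, _reserved, ft, pid, tid, counter = struct.unpack_from("<IIQIII", data, 0)
    guid = None
    if len(data) >= 56 and any(data[40:56]):
        guid = uuid.UUID(bytes_le=data[40:56])
    return VssDiagRecord(size, filetime_to_datetime(ft), pid, tid, counter, guid)


# The values exactly as listed in the modification-events table above.
PAGE_RECORDS: Dict[str, str] = {
    "SystemRestore\\SrCreateRp (Enter)":
        "4000000000000000A4F7EE0DCAC0DA01600300000C040000D5070000000000000000000000000000000000000000000000000000000000000000000000000000",
    "SPP\\SppCreate (Enter)":
        "4000000000000000A4F7EE0DCAC0DA01600300000C040000D0070000000000000000000000000000000000000000000000000000000000000000000000000000",
    "SPP\\SppGatherWriterMetadata (Enter)":
        "400000000000000010EFA80ECAC0DA01600300000C040000D3070000000000000000000000000000000000000000000000000000000000000000000000000000",
    "VssapiPublisher\\IDENTIFY (Enter)":
        "400000000000000010EFA80ECAC0DA01600300005C060000E803000001000000000000000000000060D533F1FE067845AABC8B46276E5E2E0000000000000000",
    "Shadow Copy Optimization Writer\\IDENTIFY (Enter)":
        "40000000000000002C3DB70ECAC0DA017400000074010000E8030000010000000100000000000000000000000000000000000000000000000000000000000000",
}


def timeline(records: Dict[str, str]) -> List[Tuple[datetime, int, int, str]]:
    """Order the records by embedded timestamp as (time, pid, tid, name) rows."""
    rows = []
    for name, value in records.items():
        rec = parse_vss_diag(value)
        rows.append((rec.timestamp, rec.pid, rec.tid, name))
    return sorted(rows)


if __name__ == "__main__":
    for ts, pid, tid, name in timeline(PAGE_RECORDS):
        print(f"{ts.isoformat(timespec='milliseconds')} pid={pid:<4} tid={tid:<5} {name}")
```

Running it shows the restore-point request from PID 864 at 15:21:41 UTC, about 23 seconds after the analysis start time in the header, and the VSSVC.exe writer record a little over a second later, which ties the service start to the installer rather than to unrelated background activity.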
Executable files: 34
Suspicious files: 35
Text files: 23
Unknown types: 6

Dropped files (first ten of the files counted above; the rest are in the full report)

PID 3984 UC232A_Windows_Setup.exe
  C:\Users\admin\AppData\Local\Temp\Win7_x86.exe (executable)
    MD5: 4C651FBB3D6393E7EB351BC817CDD912
    SHA256: 7505DBDB1EF3515A7FEA4380B66789D38A606EDBE506294906F7E0E57E42FE99
  C:\Users\admin\AppData\Local\Temp\setup.iss.install (text)
    MD5: 16198647C6015D37EA6E393F71027BAD
    SHA256: 77C41E3AB0CD2EADB551D2D467C913E77D431FB80BF938A7474B310B8C224694

PID 864 Win7_x86.exe
  C:\Users\admin\AppData\Local\Temp\{5B9268A2-61CD-4280-94BC-2D50AB4E7ED2}\Disk1\setup.ini (ini)
    MD5: 0435BE75957769DD251A4B471B3546A8
    SHA256: F34D47198FC25AF951F33307367385201706C15D060709B45E789632B7F01C8C
  C:\Users\admin\AppData\Local\Temp\{5B9268A2-61CD-4280-94BC-2D50AB4E7ED2}\Disk1\data1.cab (compressed)
    MD5: 3CD05E4970687F111B054DF8B398F863
    SHA256: 24AF0CFE23930B141821B14C82866C52651404F2652DFB5038E363603149253E
  C:\Users\admin\AppData\Local\Temp\{5B9268A2-61CD-4280-94BC-2D50AB4E7ED2}\Disk1\data1.hdr (compressed)
    MD5: 259251089656D9E95AD016F6C4258F3E
    SHA256: D1FD9A1B93666F883E3B9B99DC635E4B45A2DADA30F1651D6D39312E24526868
  C:\Users\admin\AppData\Local\Temp\{5B9268A2-61CD-4280-94BC-2D50AB4E7ED2}\Disk1\setup.inx (binary)
    MD5: E4A666806086CBA08FCB0DC6C5D9E332
    SHA256: 9C355EAE9D02A3BE3A9C1168A5EC892982FE03531694DE4CE06C45F6C3E2A6EA
  C:\Users\admin\AppData\Local\Temp\{5B9268A2-61CD-4280-94BC-2D50AB4E7ED2}\Disk1\layout.bin (binary)
    MD5: AAA8C5B42385B898BA3B1F4ACED743D4
    SHA256: 5842C1D215B7C29AED427FAC49CDA9D8D55E035CB5EAC622D0023C68A3FDC570
  C:\Users\admin\AppData\Local\Temp\{5B9268A2-61CD-4280-94BC-2D50AB4E7ED2}\Disk1\_Setup.dll (executable)
    MD5: 7DE2D19C870587B8FFC5A446E9B6E29A
    SHA256: 35EEF33D1890A6E34D647F86F24C730B4F741C9D33FCCE01CFB12D2B8E55B5D1
  C:\Users\admin\AppData\Local\Temp\{5B9268A2-61CD-4280-94BC-2D50AB4E7ED2}\_Setup.dll (executable; same file as above, written to a second path)
    MD5: 7DE2D19C870587B8FFC5A446E9B6E29A
    SHA256: 35EEF33D1890A6E34D647F86F24C730B4F741C9D33FCCE01CFB12D2B8E55B5D1
  C:\Users\admin\AppData\Local\Temp\{5B9268A2-61CD-4280-94BC-2D50AB4E7ED2}\Disk1\setup.exe (executable)
    MD5: 8D699C26857440661FAD1AED839FFC79
    SHA256: 350E4CFC8A692FC8382571D64EF00F6F4D4F997B85BB687E67EA222CDB2556AC
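To retro-hunt for this installer on other hosts, the dropped-file hashes above are the artefacts to search for. The Python below is an added example, not part of the ANY.RUN report: it indexes the SHA-256 values listed on this page, keeps the two InstallShield engine files (setup.exe and _Setup.dll) in a separate opt-in bucket because other setup packages built with the same engine version drop identical binaries, and sweeps a directory tree for matches. The bucket split is this editor's judgement; the hashes themselves are copied from the table.

```python
"""Build a hash IOC set from the dropped-files table and sweep a directory (added example)."""
import hashlib
from pathlib import Path
from typing import Dict, Iterator, List, Tuple

# SHA-256 values copied from this report. Two buckets: files that carry this
# installer's own content, and InstallShield engine files that unrelated
# setup packages built with the same engine will also drop.
INSTALLER_SPECIFIC = {
    "UC232A_Windows_Setup.exe": "49280A15191065129E434F96444B29AF83AA54D85FB6912030C62AB7AD2E4440",
    "Win7_x86.exe":             "7505DBDB1EF3515A7FEA4380B66789D38A606EDBE506294906F7E0E57E42FE99",
    "setup.iss.install":        "77C41E3AB0CD2EADB551D2D467C913E77D431FB80BF938A7474B310B8C224694",
    "Disk1\\setup.ini":         "F34D47198FC25AF951F33307367385201706C15D060709B45E789632B7F01C8C",
    "Disk1\\data1.cab":         "24AF0CFE23930B141821B14C82866C52651404F2652DFB5038E363603149253E",
    "Disk1\\data1.hdr":         "D1FD9A1B93666F883E3B9B99DC635E4B45A2DADA30F1651D6D39312E24526868",
    "Disk1\\setup.inx":         "9C355EAE9D02A3BE3A9C1168A5EC892982FE03531694DE4CE06C45F6C3E2A6EA",
    "Disk1\\layout.bin":        "5842C1D215B7C29AED427FAC49CDA9D8D55E035CB5EAC622D0023C68A3FDC570",
}
ENGINE_GENERIC = {
    # _Setup.dll was dropped to two paths with the same hash; one entry suffices.
    "_Setup.dll":               "35EEF33D1890A6E34D647F86F24C730B4F741C9D33FCCE01CFB12D2B8E55B5D1",
    "Disk1\\setup.exe":         "350E4CFC8A692FC8382571D64EF00F6F4D4F997B85BB687E67EA222CDB2556AC",
}


def ioc_index(include_generic: bool = False) -> Dict[str, str]:
    """Map lower-case SHA-256 -> label. Engine hashes are opt-in because a
    match on them only says "some InstallShield package ran here"."""
    index = {h.lower(): f"specific:{name}" for name, h in INSTALLER_SPECIFIC.items()}
    if include_generic:
        index.update({h.lower(): f"generic:{name}" for name, h in ENGINE_GENERIC.items()})
    return index


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large cabinets do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def iter_files(root: Path) -> Iterator[Path]:
    """Walk root, yielding regular files and skipping symlinks and unreadable entries."""
    for p in root.rglob("*"):
        try:
            if p.is_file() and not p.is_symlink():
                yield p
        except OSError:
            continue


def sweep(root: Path, index: Dict[str, str]) -> List[Tuple[Path, str]]:
    """Return (path, label) for every file under root whose SHA-256 is in index."""
    hits: List[Tuple[Path, str]] = []
    for p in iter_files(root):
        try:
            digest = sha256_file(p)
        except OSError:
            continue  # locked or permission-denied files are skipped, not fatal
        label = index.get(digest)
        if label:
            hits.append((p, label))
    return hits


if __name__ == "__main__":
    import sys
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else Path.cwd()
    for path, label in sweep(root, ioc_index(include_generic=True)):
        print(f"{label:40} {path}")
```

Point it at a user's Temp directory or a mounted image; a "generic:" hit alone is weak evidence, a "specific:" hit on Win7_x86.exe or setup.iss.install means this particular package was unpacked there.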
Network (the PCAP and reconstructed streams are available in the full report)

HTTP(S) requests: 0
TCP/UDP connections: 4 (three are itemised below)
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      Remote endpoint        Reputation
4     System       192.168.100.255:138    unknown
4     System       192.168.100.255:137    whitelisted
1088  svchost.exe  224.0.0.252:5355       unknown

All three are local-segment background traffic from Windows itself: NetBIOS datagram (138) and name-service (137) broadcasts from the System process and LLMNR multicast (5355) from svchost.exe. None originates from the six monitored processes, and no remote host is contacted.

DNS requests

No data

Threats

No threats detected
Debug output strings

Process: UC232A_Windows_Setup.exe
  ----- keyreturnvalue : 2 ----
  C:\Users\admin\AppData\Local\Temp\setup.iss.install