Field | Value |
---|---|
Download | slido_switcher_1_2_2_2125.exe |
Full analysis | https://app.any.run/tasks/323576a0-c209-4644-9d2f-593224c26768 |
Verdict | Malicious activity |
Threats | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date | March 21, 2019, 11:26:31 |
OS | Windows 7 Professional Service Pack 1 (build 7601, 32-bit) |
Tags | |
Indicators | |
MIME | application/x-dosexec |
File info | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5 | 1C569C7E45CC3606612D31C755CE9A64 |
SHA1 | F065A78998AFA363048F5C76711F43150C689542 |
SHA256 | 4ADB250C06E383EC1342C549B423134CA1BEC0A55BA0B8EC77944EFB762E2FB8 |
SSDEEP | 49152:n+5h2OEdrACViPAqmOFojXQO3aWwORWNZ9jBPrzXQMGETon:9nACViPAqmMojAOt |
Extension | Identified as | Match (%) |
---|---|---|
.exe | Win64 Executable (generic) | 76.4 |
.exe | Win32 Executable (generic) | 12.4 |
.exe | Generic Win/DOS Executable | 5.5 |
.exe | DOS Executable Generic | 5.5 |
Version resource / PE summary field | Value |
---|---|
ProductVersion | 1.2.2.2125 |
ProductName | Slido Switcher |
OriginalFileName | slido_switcher_1_2_2_2125.exe |
LegalCopyright | Copyright (C) 2018 sli.do |
InternalName | slido_switcher_1_2_2_2125 |
FileVersion | 1.2.2.2125 |
FileDescription | Slido Switcher Installer |
CompanyName | sli.do |
CharacterSet | Unicode |
LanguageCode | English (U.S.) |
FileSubtype | - |
ObjectFileType | Dynamic link library |
FileOS | Win32 |
FileFlags | Debug |
FileFlagsMask | 0x003f |
ProductVersionNumber | 1.2.2.2125 |
FileVersionNumber | 1.2.2.2125 |
Subsystem | Windows GUI |
SubsystemVersion | 5.1 |
ImageVersion | - |
OSVersion | 5.1 |
EntryPoint | 0x1220a4 |
UninitializedDataSize | - |
InitializedDataSize | 597504 |
CodeSize | 1505280 |
LinkerVersion | 14.15 |
PEType | PE32 |
TimeStamp | 2018:09:11 18:24:57+02:00 |
MachineType | Intel 386 or later, and compatibles |
Static PE field | Value |
---|---|
Architecture | IMAGE_FILE_MACHINE_I386 |
Subsystem | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date | 11-Sep-2018 16:24:57 |
Detected languages | |
Debug artifacts | |
DOS header field | Value |
---|---|
Magic number | MZ |
Bytes on last page of file | 0x0090 |
Pages in file | 0x0003 |
Relocations | 0x0000 |
Size of header (paragraphs) | 0x0004 |
Min extra paragraphs | 0x0000 |
Max extra paragraphs | 0xFFFF |
Initial SS value | 0x0000 |
Initial SP value | 0x00B8 |
Checksum | 0x0000 |
Initial IP value | 0x0000 |
Initial CS value | 0x0000 |
Overlay number | 0x0000 |
OEM identifier | 0x0000 |
OEM information | 0x0000 |
Address of NE header (e_lfanew) | 0x00000120 |
PE file header field | Value |
---|---|
Signature | PE |
Machine | IMAGE_FILE_MACHINE_I386 |
Number of sections | 5 |
Time date stamp | 11-Sep-2018 16:24:57 |
Pointer to Symbol Table | 0x00000000 |
Number of symbols | 0 |
Size of Optional Header | 0x00E0 |
Characteristics | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x0016F74F | 0x0016F800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.44245 |
.rdata | 0x00171000 | 0x0005E526 | 0x0005E600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.56154 |
.data | 0x001D0000 | 0x0000705C | 0x00005400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.07409 |
.rsrc | 0x001D8000 | 0x00015310 | 0x00015400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.35776 |
.reloc | 0x001EE000 | 0x00018F90 | 0x00019000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.57157 |
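The section table is where static triage starts: entropy per section, and whether the entry point lands inside an executable section. In this report the entry point 0x1220a4 sits inside .text (0x1000 to 0x17074F) and .text's entropy of 6.44 is in the usual range for compiled code, so neither check fires. The block below is an added example, not part of the ANY.RUN report and not Slido's code: it parses a PE32 header and section table directly with struct (pefile would normally do this, but a standalone parser runs offline) and applies those two checks to a constructed two-section image built in memory. The 7.0 entropy threshold and the sample image are assumptions made for the example.

```python
import math
import struct

# Section characteristic flags from winnt.h
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for a flat byte distribution."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe32(image: bytes) -> dict:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, off)
        flags = struct.unpack_from("<I", image, off + 36)[0]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": raw_size, "flags": flags,
            "entropy": shannon_entropy(image[raw_ptr:raw_ptr + raw_size]),
        })
    return {"machine": machine, "timestamp": timestamp, "entry_rva": entry_rva, "sections": sections}


def triage(pe: dict, packed_threshold: float = 7.0) -> dict:
    """The two checks made from the section table: where the entry point lands, and
    whether any executable section looks packed or encrypted (entropy >= threshold)."""
    ep = pe["entry_rva"]
    ep_section = None
    for s in pe["sections"]:
        if s["va"] <= ep < s["va"] + max(s["vsize"], s["raw_size"]):
            ep_section = s
    findings = []
    if ep_section is None:
        findings.append("entry point is outside every section")
    elif not ep_section["flags"] & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry point in non-executable section {ep_section['name']}")
    for s in pe["sections"]:
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] >= packed_threshold:
            findings.append(f"executable section {s['name']} has entropy {s['entropy']:.2f} (possibly packed)")
    return {"entry_section": ep_section["name"] if ep_section else None, "findings": findings}


def build_sample_pe() -> bytes:
    """Constructed two-section PE32 image (not the Slido binary): .text holds a flat byte
    pattern so its entropy is exactly 8.0, .data is zero-filled so its entropy is 0.0."""
    text = bytes(range(256)) * 4
    data = b"\0" * 512
    sections = [
        (b".text", 0x1000, text, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
        (b".data", 0x2000, data, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    ]
    e_lfanew, opt_size, file_align = 0x40, 0xE0, 0x200
    headers_len = (e_lfanew + 4 + 20 + opt_size + 40 * len(sections) + file_align - 1) & ~(file_align - 1)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1010)    # AddressOfEntryPoint, inside .text
    headers, body, ptr = b"", b"", headers_len
    for name, va, raw, flags in sections:
        headers += struct.pack("<8sIIIIIIHHI", name, len(raw), va, len(raw), ptr, 0, 0, 0, 0, flags)
        body += raw
        ptr += len(raw)
    return (dos + b"PE\0\0" + coff + bytes(opt) + headers).ljust(headers_len, b"\0") + body


if __name__ == "__main__":
    pe = parse_pe32(build_sample_pe())
    for s in pe["sections"]:
        print(f"{s['name']:<8} va=0x{s['va']:08X} raw=0x{s['raw_size']:08X} entropy={s['entropy']:.5f}")
    print(triage(pe))
```

Pointed at a real file, `parse_pe32(open(path, "rb").read())` gives the same name/VA/size/entropy rows as the table above; the constructed image trips the entropy rule on .text precisely because a flat byte distribution is what compressed or encrypted code looks like, while the report's 6.44 would stay under the threshold.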
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.221 | 1915 | Latin 1 / Western European | English - United States | RT_MANIFEST |
2 | 3.1591 | 9640 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 3.46873 | 4264 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 3.54157 | 2440 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 4.01317 | 1128 | Latin 1 / Western European | English - United States | RT_ICON |
9 | 3.37783 | 1116 | Latin 1 / Western European | English - United States | RT_STRING |
10 | 3.35254 | 1888 | Latin 1 / Western European | English - United States | RT_STRING |
11 | 3.31743 | 760 | Latin 1 / Western European | English - United States | RT_STRING |
12 | 3.23118 | 1432 | Latin 1 / Western European | English - United States | RT_STRING |
13 | 3.35766 | 820 | Latin 1 / Western European | English - United States | RT_STRING |
Imported library | Note |
---|---|
KERNEL32.dll | |
msi.dll | delay-loaded |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
1360 | "C:\Users\admin\AppData\Local\Temp\slido_switcher_1_2_2_2125.exe" | C:\Users\admin\AppData\Local\Temp\slido_switcher_1_2_2_2125.exe | | explorer.exe |
1552 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | | services.exe |
2812 | C:\Windows\system32\MsiExec.exe -Embedding A75422334D243427EF0E4E17475FB2F4 C | C:\Windows\system32\MsiExec.exe | — | msiexec.exe |
3248 | C:\Users\admin\AppData\Local\Temp\slido_switcher_1_2_2_2125.exe /i http://assets.sli.do/download/switcher-win/1_2_2_2125/setup.msi AI_EUIMSI=1 APPDIR="C:\Users\admin\AppData\Local\Slido\Slido Switcher" CLIENTPROCESSID="1360" SECONDSEQUENCE="1" CHAINERUIPROCESSID="1360Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_DETECTED_DOTNET_VERSION="4.6.1" AI_SETUPEXEPATH="C:\Users\admin\AppData\Local\Temp\slido_switcher_1_2_2_2125.exe" SETUPEXEDIR="C:\Users\admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates " AI_SETUPEXEPATH_ORIGINAL="C:\Users\admin\AppData\Local\Temp\slido_switcher_1_2_2_2125.exe" AI_INSTALL="1" TARGETDIR="C:\" | C:\Users\admin\AppData\Local\Temp\slido_switcher_1_2_2_2125.exe | | slido_switcher_1_2_2_2125.exe |
2904 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
292 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000005C0" "000005B4" | C:\Windows\system32\DrvInst.exe | — | svchost.exe |
1564 | C:\Windows\system32\MsiExec.exe -Embedding 0EC1F5DBF576B68624661CA7A5385754 | C:\Windows\system32\MsiExec.exe | — | msiexec.exe |
2284 | cmd /c ""C:\Users\admin\AppData\Local\Temp\EXEE62D.tmp.bat" " | C:\Windows\system32\cmd.exe | — | slido_switcher_1_2_2_2125.exe |
2916 | ATTRIB -r "C:\Users\admin\AppData\Local\Temp\AIED21.tmp" | C:\Windows\system32\attrib.exe | — | cmd.exe |
3044 | ATTRIB -r "C:\Users\admin\AppData\Local\Temp\EXEE62D.tmp.bat" | C:\Windows\system32\attrib.exe | — | cmd.exe |

PID | User | Integrity level | Company | Description | Version | Exit code |
---|---|---|---|---|---|---|
1360 | admin | MEDIUM | sli.do | Slido Switcher Installer | 1.2.2.2125 | 0 |
1552 | SYSTEM | SYSTEM | Microsoft Corporation | Windows® installer | 5.0.7600.16385 (win7_rtm.090713-1255) | |
2812 | admin | MEDIUM | Microsoft Corporation | Windows® installer | 5.0.7600.16385 (win7_rtm.090713-1255) | 0 |
3248 | admin | MEDIUM | sli.do | Slido Switcher Installer | 1.2.2.2125 | 0 |
2904 | SYSTEM | SYSTEM | Microsoft Corporation | Microsoft® Volume Shadow Copy Service | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
292 | SYSTEM | SYSTEM | Microsoft Corporation | Driver Installation Module | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
1564 | admin | MEDIUM | Microsoft Corporation | Windows® installer | 5.0.7600.16385 (win7_rtm.090713-1255) | 0 |
2284 | admin | MEDIUM | Microsoft Corporation | Windows Command Processor | 6.1.7601.17514 (win7sp1_rtm.101119-1850) | 1 |
2916 | admin | MEDIUM | Microsoft Corporation | Attribute Utility | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
3044 | admin | MEDIUM | Microsoft Corporation | Attribute Utility | 6.1.7600.16385 (win7_rtm.090713-1255) | 0 |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
1360 | slido_switcher_1_2_2_2125.exe | C:\Users\admin\AppData\Local\Temp\AIEDFB8.tmp.part | — | — | — |
1360 | slido_switcher_1_2_2_2125.exe | C:\Users\admin\AppData\Local\Temp\MSIE5B5.tmp | — | — | — |
1360 | slido_switcher_1_2_2_2125.exe | C:\Users\admin\AppData\Local\Temp\MSIE604.tmp | — | — | — |
1360 | slido_switcher_1_2_2_2125.exe | C:\Users\admin\AppData\Local\Temp\MSIE634.tmp | — | — | — |
1360 | slido_switcher_1_2_2_2125.exe | C:\Users\admin\AppData\Local\Temp\MSIE6E2.tmp | — | — | — |
1360 | slido_switcher_1_2_2_2125.exe | C:\Users\admin\AppData\Local\Temp\MSIE712.tmp | — | — | — |
3248 | slido_switcher_1_2_2_2125.exe | C:\Users\admin\AppData\Local\Temp\AIED21.tmp.part | — | — | — |
1360 | slido_switcher_1_2_2_2125.exe | C:\Users\admin\AppData\Local\Temp\AIEDFB8.tmp | executable | E7A95BFFA5CE5CB56868160B34FAD66A | B9B820B5529A683CD90DE3D02337D2EC2D1D57147905B043745308F694C1C5C5 |
1360 | slido_switcher_1_2_2_2125.exe | C:\Users\admin\AppData\Local\Temp\AI_EXTUI_BIN_1360\dialog | image | D5702532E7754E1B16EB207641CC01EF | 897EDD31C7083646127D9F6D36D6008CF6D09B057620496FE0C1E588853C6B2D |
1552 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | — | — |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3248 | slido_switcher_1_2_2_2125.exe | GET | 200 | 13.32.223.246:80 | http://assets.sli.do/download/switcher-win/1_2_2_2125/setup.msi | US | executable | 1.14 MB | whitelisted |
1360 | slido_switcher_1_2_2_2125.exe | GET | 200 | 13.32.223.246:80 | http://assets.sli.do/download/switcher-win/1_2_2_2125/setup.msi | US | executable | 1.14 MB | whitelisted |
1552 | msiexec.exe | GET | 200 | 13.32.223.246:80 | http://assets.sli.do/download/switcher-win/1_2_2_2125/setup.msi | US | executable | 1.14 MB | whitelisted |
3304 | Slido Switcher.exe | GET | 200 | 205.185.216.10:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.2 KB | whitelisted |
3304 | Slido Switcher.exe | GET | 200 | 205.185.216.10:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.2 KB | whitelisted |
3304 | Slido Switcher.exe | GET | 200 | 13.32.222.245:80 | http://x.ss2.us/x.cer | US | der | 1.27 KB | whitelisted |
1552 | msiexec.exe | GET | 200 | 13.32.223.246:80 | http://assets.sli.do/download/switcher-win/1_2_2_2125/setup1.cab | US | compressed | 48.6 MB | whitelisted |
3304 | Slido Switcher.exe | GET | 200 | 13.32.222.245:80 | http://x.ss2.us/x.cer | US | der | 1.27 KB | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3304 | Slido Switcher.exe | 205.185.216.10:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
1552 | msiexec.exe | 13.32.223.246:80 | assets.sli.do | Amazon.com, Inc. | US | suspicious |
1360 | slido_switcher_1_2_2_2125.exe | 13.32.223.246:80 | assets.sli.do | Amazon.com, Inc. | US | suspicious |
3304 | Slido Switcher.exe | 52.210.105.234:443 | slidesdrive.sli.do | Amazon.com, Inc. | IE | unknown |
3304 | Slido Switcher.exe | 13.32.223.16:443 | accounts-switcher.sli.do | Amazon.com, Inc. | US | unknown |
3304 | Slido Switcher.exe | 54.217.226.19:20000 | api.logentries.com | Amazon.com, Inc. | IE | unknown |
3304 | Slido Switcher.exe | 13.32.222.245:80 | x.ss2.us | Amazon.com, Inc. | US | whitelisted |
3248 | slido_switcher_1_2_2_2125.exe | 13.32.223.246:80 | assets.sli.do | Amazon.com, Inc. | US | suspicious |
3304 | Slido Switcher.exe | 52.211.165.81:443 | slidesdrive.sli.do | Amazon.com, Inc. | IE | unknown |
3304 | Slido Switcher.exe | 172.217.22.42:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
assets.sli.do | | whitelisted |
api.logentries.com | | unknown |
slidesdrive.sli.do | | unknown |
accounts-switcher.sli.do | | whitelisted |
x.ss2.us | | whitelisted |
www.download.windowsupdate.com | | whitelisted |
www.googletagmanager.com | | whitelisted |
fonts.googleapis.com | | whitelisted |
help.sli.do | | malicious |
www.google.com | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
1552 | msiexec.exe | Potential Corporate Privacy Violation | SUSPICIOUS [PTsecurity] Executable application_x-msi Download |
1552 | msiexec.exe | Misc activity | SUSPICIOUS [PTsecurity] Using msiexec.exe for Downloading non-MSI file |

Both alerts are rated SUSPICIOUS, not malicious, and both fire on the same thing: the Windows Installer service (PID 1552) fetching setup.msi and then setup1.cab from assets.sli.do over plain HTTP. Nothing else in the report is out of the ordinary for an installer. The AI_* properties on the PID 3248 command line and the AIED*.tmp / AI_EXTUI_BIN_* temporary files are Advanced Installer bootstrapper artifacts, the cmd.exe / ATTRIB -r pair on EXEE62D.tmp.bat and AIED21.tmp is a temporary-file clean-up script, and the vssvc.exe / DrvInst.exe activity on a VolumeSnapshot device is consistent with Windows Installer creating a restore point. The reputation columns also disagree with each other (assets.sli.do is whitelisted in the HTTP and DNS tables but suspicious in the connections table, and help.sli.do is marked malicious although no connection to it appears), so they add no evidence on their own. The finding a practitioner should act on is the cleartext download: an MSI and CAB fetched over http:// can be replaced in transit, and the report records no signature information for the installer or for the downloaded package, so verifying the Authenticode signature of setup.msi (or pinning its hash) is the check to add before this installer is trusted on a managed network.
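Both alerts are the network side of one behaviour, Windows Installer fetching a package and its CAB from a URL. The detection logic below is an added example, not part of the report and not ANY.RUN's or PT Security's rule code: it replays the report's own process and HTTP rows (PIDs, paths and URLs copied from the tables above; the record layout and rule names are hypothetical) through three checks: a `/i <URL>` install on any command line, code executing from the user's Temp folder, and msiexec.exe fetching cleartext or non-MSI content. It also joins the URL named on a command line to the process that actually downloaded it, because in this trace the URL is on the bootstrapper's re-launch command line (PID 3248) while the download is made by the msiexec service (PID 1552, whose own command line is just `/V`), so a rule keyed only on msiexec's command line sees nothing.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    pid: int
    image: str           # full path of the executed image
    cmdline: str
    parent_image: str


@dataclass
class HttpEvent:
    pid: int
    image: str           # image name as the sandbox reports it
    url: str


# Hypothetical record layout; the values are copied from the process and HTTP tables
# of this report (the PID 3248 command line is shortened to its first properties).
SAMPLE_PROCS: List[ProcEvent] = [
    ProcEvent(1360, r"C:\Users\admin\AppData\Local\Temp\slido_switcher_1_2_2_2125.exe",
              r'"C:\Users\admin\AppData\Local\Temp\slido_switcher_1_2_2_2125.exe"', "explorer.exe"),
    ProcEvent(1552, r"C:\Windows\system32\msiexec.exe",
              r"C:\Windows\system32\msiexec.exe /V", "services.exe"),
    ProcEvent(3248, r"C:\Users\admin\AppData\Local\Temp\slido_switcher_1_2_2_2125.exe",
              r"C:\Users\admin\AppData\Local\Temp\slido_switcher_1_2_2_2125.exe /i "
              r'http://assets.sli.do/download/switcher-win/1_2_2_2125/setup.msi AI_EUIMSI=1 ACTION="INSTALL"',
              "slido_switcher_1_2_2_2125.exe"),
    ProcEvent(2284, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\admin\AppData\Local\Temp\EXEE62D.tmp.bat" "', "slido_switcher_1_2_2_2125.exe"),
]
SAMPLE_HTTP: List[HttpEvent] = [
    HttpEvent(1552, "msiexec.exe", "http://assets.sli.do/download/switcher-win/1_2_2_2125/setup.msi"),
    HttpEvent(1552, "msiexec.exe", "http://assets.sli.do/download/switcher-win/1_2_2_2125/setup1.cab"),
    HttpEvent(3304, "Slido Switcher.exe", "http://x.ss2.us/x.cer"),
]

USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
REMOTE_MSI = re.compile(r"(?:^|\s)/i\s+(https?://\S+)", re.IGNORECASE)
MSIEXEC = re.compile(r"(?:^|\\)msiexec\.exe$", re.IGNORECASE)

Finding = Tuple[int, str, str]   # (pid, rule name, evidence)


def analyze_processes(events: List[ProcEvent]) -> List[Finding]:
    """Process-creation rules: an MSI install pointed at a URL, and code running out of %TEMP%."""
    findings: List[Finding] = []
    for e in events:
        m = REMOTE_MSI.search(e.cmdline)
        if m:
            findings.append((e.pid, "remote MSI install", m.group(1)))
        if USER_TEMP.search(e.image):
            findings.append((e.pid, "executable run from user temp dir", e.image))
    return findings


def analyze_http(events: List[HttpEvent]) -> List[Finding]:
    """Network rules applied only to msiexec.exe: cleartext fetches, and payloads that are not
    .msi (the second is what the report's 'Downloading non-MSI file' alert keys on)."""
    findings: List[Finding] = []
    for e in events:
        if not MSIEXEC.search(e.image):
            continue
        if e.url.lower().startswith("http://"):
            findings.append((e.pid, "msiexec fetch over cleartext HTTP", e.url))
        if not e.url.lower().split("?", 1)[0].endswith(".msi"):
            findings.append((e.pid, "msiexec downloading non-MSI file", e.url))
    return findings


def correlate_urls(procs: List[ProcEvent], http: List[HttpEvent]) -> List[Tuple[str, int, List[int]]]:
    """Join each URL named after /i on a command line to the PIDs that fetched it over HTTP;
    in this report the namer (3248) and the fetcher (the msiexec service, 1552) differ."""
    named = {}
    for e in procs:
        m = REMOTE_MSI.search(e.cmdline)
        if m:
            named[m.group(1)] = e.pid
    return [(url, pid, [h.pid for h in http if h.url == url]) for url, pid in named.items()]


if __name__ == "__main__":
    for f in analyze_processes(SAMPLE_PROCS) + analyze_http(SAMPLE_HTTP):
        print("PID %-5d %-36s %s" % f)
    for url, namer, fetchers in correlate_urls(SAMPLE_PROCS, SAMPLE_HTTP):
        print(f"{url} named by PID {namer}, fetched by PIDs {fetchers}")
```

On these rows the process rules flag PIDs 1360 and 3248, the network rules flag only PID 1552 (setup1.cab is what trips the non-MSI rule, setup.msi only the cleartext rule), and the correlation maps setup.msi from PID 3248 to its fetch by PID 1552. Neither rule set distinguishes a vendor installer from a loader; that decision still needs the signature or hash check on the downloaded package.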
Process | Message |
---|---|
Slido Switcher.exe | LE: Adding Line: { "Date": "2019-03-21T11:28:34.3928750+00:00", "Machine": "USER-PC", "ProcessId": "3304", "AppVersion": "Win 1.2.2.2125", "Level": "Info", "Class": "Slido_Switcher.App", "Message": "App started. Instance ID: 47c44f08-b7b5-4c49-831c-5acb125936bf" } |
Slido Switcher.exe | Getting "LOGENTRIES_TOKEN" from ServiceRuntime: FAIL. |
Slido Switcher.exe | Getting "LOGENTRIES_TOKEN" from ConfigurationManager: FAIL. |
Slido Switcher.exe | LE: Unable to find Logentries Configuration Setting for LOGENTRIES_TOKEN. |
Slido Switcher.exe | Getting "Logentries.Token" from ServiceRuntime: FAIL. |
Slido Switcher.exe | Getting "Logentries.Token" from ConfigurationManager: PASS. |
Slido Switcher.exe | LE: Found Cloud Configuration settings for Logentries.Token |
Slido Switcher.exe | LE: Starting Logentries asynchronous socket client. |
Slido Switcher.exe | LE: Queueing: { "Date": "2019-03-21T11:28:34.3928750+00:00", "Machine": "USER-PC", "ProcessId": "3304", "AppVersion": "Win 1.2.2.2125", "Level": "Info", "Class": "Slido_Switcher.App", "Message": "App started. Instance ID: 47c44f08-b7b5-4c49-831c-5acb125936bf" } |
Slido Switcher.exe | LE: ReopenConnection |

These lines show how the installed client locates its Logentries ingestion token: the two environment-style lookups (ServiceRuntime, LOGENTRIES_TOKEN) fail, the token is then read from the application's own configuration (ConfigurationManager), and a socket client is opened to api.logentries.com:20000 (see the connections table), carrying the machine name and an instance GUID in the first record. A token shipped inside a client's configuration file is recoverable by anyone who installs the product, so it should be treated as public and scoped to a log set that cannot hold anything sensitive.