| File name: | Setup_ePageSafer.exe |
|---|---|
| Full analysis: | https://app.any.run/tasks/1776b374-1e4e-410b-9bd1-49cb80967d24 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | January 30, 2020, 14:14:47 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
| MD5: | C74B08183519E8BAB1B6968FEA1A234B |
| SHA1: | 1C3F72A996FE4C9102119A55C1D1F5AE62644E0F |
| SHA256: | 4B069011A6587C6617897ECCA1C71FC1FCE67C739E6927B0519EF16888AA0FDE |
| SSDEEP: | 98304:Jom1SYwnGgbB7ZTxMztKXIQMsTF+RhPVZBo6+rDbY2XkmKE2DA2bj:um1U5GtKXG+F+R/bo6AkTV |
| Extension | Detected type (%) |
|---|---|
| .exe | Win32 Executable MS Visual C++ (generic) (67.4) |
| .dll | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | Win32 Executable (generic) (9.7) |
| .exe | Generic Win/DOS Executable (4.3) |
| .exe | DOS Executable Generic (4.3) |
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2016:07:25 02:55:54+02:00 |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 24576 |
| InitializedDataSize: | 162816 |
| UninitializedDataSize: | 1024 |
| EntryPoint: | 0x310f |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.5.1.38 |
| ProductVersionNumber: | 2.5.1.38 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Korean |
| CharacterSet: | Windows, Korea (Shift - KSC 5601) |
| CompanyName: | MarkAny Inc. |
| FileVersion: | 2.5.1.38 |
| LegalCopyright: | MarkAny Inc. |
| ProductName: | ePageSafer |
| ProductVersion: | v2.5 |
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 25-Jul-2016 00:55:54 |
| Detected languages: | |
| CompanyName: | MarkAny Inc. |
| FileVersion: | 2.5.1.38 |
| LegalCopyright: | MarkAny Inc. |
| ProductName: | ePageSafer |
| ProductVersion: | v2.5 |
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x000000D8 |
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 5 |
| Time date stamp: | 25-Jul-2016 00:55:54 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: | |
| Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
|---|---|---|---|---|---|
.text | 0x00001000 | 0x00005FDD | 0x00006000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.4997 |
.rdata | 0x00007000 | 0x00001352 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.20754 |
.data | 0x00009000 | 0x000254F8 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.03235 |
.ndata | 0x0002F000 | 0x0000D000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rsrc | 0x0003C000 | 0x00005C90 | 0x00005E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 2.7276 |
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 5.28717 | 1069 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 0 | 3752 | UNKNOWN | English - United States | RT_ICON |
3 | 0 | 2216 | UNKNOWN | English - United States | RT_ICON |
4 | 0 | 1384 | UNKNOWN | English - United States | RT_ICON |
5 | 0 | 1128 | UNKNOWN | English - United States | RT_ICON |
6 | 0 | 744 | UNKNOWN | English - United States | RT_ICON |
7 | 0 | 296 | UNKNOWN | English - United States | RT_ICON |
103 | 3.33655 | 104 | UNKNOWN | English - United States | RT_GROUP_ICON |
105 | 2.67385 | 512 | UNKNOWN | English - United States | RT_DIALOG |
106 | 2.91148 | 248 | UNKNOWN | English - United States | RT_DIALOG |
| Imported DLL |
|---|
| ADVAPI32.dll |
| COMCTL32.dll |
| GDI32.dll |
| KERNEL32.dll |
| SHELL32.dll |
| USER32.dll |
| ole32.dll |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 348 | C:\Windows\system32\MaCBFltInstall.exe -i_v4_minif | C:\Windows\system32\MaCBFltInstall.exe | — | Setup_ePageSafer.exe | User: admin; Integrity Level: HIGH; Description: MaCBFltI Application; Exit code: 0; Version: 1, 0, 0, 1 |
| 372 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Explorer; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 392 | "C:\Windows\system32\IMGSF50Start_x86.exe" | C:\Windows\system32\IMGSF50Start_x86.exe | — | IMGSF50Svc.exe | User: SYSTEM; Company: MarkAny; Integrity Level: SYSTEM; Description: Image SAFER 5.0 Injection Starter for x86; Exit code: 0; Version: 5, 0, 19, 802 |
| 580 | C:\Windows\IMGSF50Svc.exe | C:\Windows\IMGSF50Svc.exe | — | services.exe | User: SYSTEM; Company: MarkAny; Integrity Level: SYSTEM; Description: Image SAFER 5.0 Session Managing Service for x86; Exit code: 0; Version: 5, 0, 19, 802 |
| 1712 | c:\c99eb7313ca67ad22968\.\install.exe /q | c:\c99eb7313ca67ad22968\install.exe | — | vcredist_x86.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: External Installer; Exit code: 0; Version: 9.0.30729.4148 built by: QFE |
| 1832 | "C:\Users\admin\AppData\Local\Temp\Setup_ePageSafer.exe" | C:\Users\admin\AppData\Local\Temp\Setup_ePageSafer.exe | — | explorer.exe | User: admin; Company: MarkAny Inc.; Integrity Level: MEDIUM; Exit code: 3221226540; Version: 2.5.1.38 |
| 2076 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
| 2692 | C:\Windows\IMGSF50Svc.exe -start | C:\Windows\IMGSF50Svc.exe | — | markany_ImageSafer.exe | User: admin; Company: MarkAny; Integrity Level: HIGH; Description: Image SAFER 5.0 Session Managing Service for x86; Exit code: 0; Version: 5, 0, 19, 802 |
| 3068 | C:\Windows\system32\MaRPackCheck.exe | C:\Windows\system32\MaRPackCheck.exe | — | markany_ImageSafer.exe | User: admin; Company: markany; Integrity Level: HIGH; Description: MaRPackCheck; Exit code: 0; Version: 1, 0, 0, 4 |
| 3224 | C:\Windows\IMGSF50Svc.exe -install | C:\Windows\IMGSF50Svc.exe | — | markany_ImageSafer.exe | User: admin; Company: MarkAny; Integrity Level: HIGH; Description: Image SAFER 5.0 Session Managing Service for x86; Exit code: 0; Version: 5, 0, 19, 802 |
| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 3756 | markany_ImageSafer.exe | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg | Msg | write | 본 화면은 보안정책에 의해 보호되었습니다. |
| 3756 | markany_ImageSafer.exe | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg | MsgPosition | write | 1 |
| 3756 | markany_ImageSafer.exe | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg | MsgSize | write | 32 |
| 3756 | markany_ImageSafer.exe | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg | OnFlag | write | 0 |
| 3756 | markany_ImageSafer.exe | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg | Msg_KR | write | 정보 유출 방지를 위해 화면 캡처 기능을 사용할 수 없습니다. |
| 3756 | markany_ImageSafer.exe | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg | Msg_US | write | Screencapture is prohibited to prevent information leak. |
| 3756 | markany_ImageSafer.exe | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg | Msg_GB | write | Screencapture is prohibited to prevent information leaks. |
| 3756 | markany_ImageSafer.exe | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg | Msg_CN | write | 禁止抓屏以防止信息泄露。 |
| 3756 | markany_ImageSafer.exe | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg | Msg_HK | write | 禁止螢幕擷取是為預防資料外洩。 |
| 3756 | markany_ImageSafer.exe | HKEY_CURRENT_USER\Software\MarkAny\ImageSAFERv5\CaptureMsg | Msg_PT | write | A captura de ecra e proibida para evitar fuga de informacao. |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3384 | vcredist_x86.exe | C:\c99eb7313ca67ad22968\vc_red.cab | compressed | F84E6C9EFA97C4DBF8EB9AAD0FC019DE | 66F27DC82A9DCE30E5BD74AEA9CC00D8D25D5F473666715D829162FE527BF1F9 |
| 4084 | Setup_ePageSafer.exe | C:\Users\admin\AppData\Local\Temp\nsu7921.tmp\modern-header.bmp | image | 3EA89CCB97AD9ADEFA56CA94336A3A6D | 5D4664902AD2851D5BDF85AD6040D2083B251B45A15E5BD497EF1AF445678022 |
| 4084 | Setup_ePageSafer.exe | C:\Users\admin\AppData\Local\Temp\nsu7921.tmp\FindProcDLL.dll | executable | 8614C450637267AFACAD1645E23BA24A | 0FA04F06A6DE18D316832086891E9C23AE606D7784D5D5676385839B21CA2758 |
| 3756 | markany_ImageSafer.exe | C:\Users\admin\AppData\Local\Temp\nsa7BFF.tmp\nsProcess.dll | executable | 05450FACE243B3A7472407B999B03A72 | 95FE9D92512FF2318CC2520311EF9145B2CEE01209AB0E1B6E45C7CE1D4D0E89 |
| 4084 | Setup_ePageSafer.exe | C:\Users\admin\AppData\Local\Temp\markany_ImageSafer.exe | executable | 704920EFA72BF8FE743EABC6B217047D | C436E21F9EAB1294B7548C097781700684A2EAA576F318E2F8C1D0215E90C22D |
| 3384 | vcredist_x86.exe | C:\c99eb7313ca67ad22968\vc_red.msi | executable | E493A21C57D160F4FA023C63145FE580 | 2CC196BED01619B5498A974C19CFCBA6A04B7746E84808F06D9E4DE3129AB4DB |
| 3068 | MaRPackCheck.exe | C:\Users\Public\Documents\vcredist_x86.exe | executable | FD30ACC7A696C32F661B33668E73BF7B | 97C260D35BCFE18E046A1C413B9FC5A2754B8F790F7ACE669A3BE2500C0DF229 |
| 3384 | vcredist_x86.exe | C:\c99eb7313ca67ad22968\install.res.1042.dll | executable | 0CF1CE042664ED53231A1ABD3C3ACD4A | D1871469703578F35FB770F295D705ED54E2257AD4DAF8CC319D15D4792F9723 |
| 3384 | vcredist_x86.exe | C:\c99eb7313ca67ad22968\install.exe | executable | 828F082302E94CBFBB1F3F13E491C706 | E63A5274B437B55C65BF1259A25BBF602335F466F5D01E4AD0291BE21E3EDF3C |
| 3384 | vcredist_x86.exe | C:\c99eb7313ca67ad22968\install.res.1049.dll | executable | BB8CC77EED188B459AD376A2FE755ACD | AA4B5C8C52DF5482C9C9C51EA95FD0408DA5856DFA0DA24363C03D07DFAB72EE |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3068 | MaRPackCheck.exe | GET | 200 | 104.101.100.142:80 | http://download.microsoft.com/download/9/7/7/977B481A-7BA6-4E30-AC40-ED51EB2028F2/vcredist_x86.exe | US | executable | 4.28 MB | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3068 | MaRPackCheck.exe | 104.101.100.142:80 | download.microsoft.com | TRUE INTERNET Co.,Ltd. | US | unknown |
| Domain | IP | Reputation |
|---|---|---|
| download.microsoft.com | | whitelisted |
PID | Process | Class | Message |
|---|---|---|---|
3068 | MaRPackCheck.exe | A Network Trojan was detected | ET MALWARE User-Agent (HTTP) |
3068 | MaRPackCheck.exe | Misc activity | ET INFO Packed Executable Download |
3068 | MaRPackCheck.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
| Process | Message |
|---|---|
| Setup_ePageSafer.exe | !bRet5 == [1] |
| Setup_ePageSafer.exe | bRet4 == [0] |
| Setup_ePageSafer.exe | bRet3 == [0] |
| Setup_ePageSafer.exe | bRet2 == [0] |
| Setup_ePageSafer.exe | bRet1 == [0] |
| Setup_ePageSafer.exe | pStr == [] |
| Setup_ePageSafer.exe | pStr == [] |
| Setup_ePageSafer.exe | pStr == [] |