File name: DashlaneInst.exe

Full analysis: https://app.any.run/tasks/e06b3deb-8b4b-44e3-83c3-0655ff6bff69
Verdict: Malicious activity
Analysis date: December 06, 2022, 06:18:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 3BE372C290A12BD343C25E94ABDC89AC
SHA1: E8840F3703DA7E737BC15C950ED768F2B1BD50E1
SHA256: 4F71407A42B514140D5FCE3F122C428484ADCD20CF1A45A8C8D28380C5120426
SSDEEP: 12288:STwwc/MsA2k+l3BNYXwDN9ytoXY6vCCzCE2UPDGiA6brQxzM/PFP79BeI0:aw/MB+3YXuidACyCKDGEozM/PFz9wI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • DashlaneInst.exe (PID: 856)
      • DashlaneInst.exe (PID: 3348)
      • DashlaneInst.exe (PID: 1836)
      • DashlaneInst.exe (PID: 1604)
    • Loads dropped or rewritten executable

      • DashlaneInst.exe (PID: 856)
      • DashlaneInst.exe (PID: 3348)
      • DashlaneInst.exe (PID: 1836)
      • DashlaneInst.exe (PID: 1604)
  • SUSPICIOUS

    • Application launched itself

      • DashlaneInst.exe (PID: 856)
      • DashlaneInst.exe (PID: 1836)
    • Executable content was dropped or overwritten

      • DashlaneInst.exe (PID: 856)
      • DashlaneInst.exe (PID: 3348)
      • DashlaneInst.exe (PID: 1836)
      • DashlaneInst.exe (PID: 1604)
    • Reads the Internet Settings

      • DashlaneInst.exe (PID: 3348)
      • DashlaneInst.exe (PID: 1604)
    • Drops a file with too old compile date

      • DashlaneInst.exe (PID: 3348)
      • DashlaneInst.exe (PID: 1836)
    • Checks Windows Trust Settings

      • DashlaneInst.exe (PID: 3348)
      • DashlaneInst.exe (PID: 1604)
    • Reads settings of System Certificates

      • DashlaneInst.exe (PID: 3348)
      • DashlaneInst.exe (PID: 1604)
    • Reads security settings of Internet Explorer

      • DashlaneInst.exe (PID: 3348)
      • DashlaneInst.exe (PID: 1604)
  • INFO

    • Reads the computer name

      • DashlaneInst.exe (PID: 856)
      • DashlaneInst.exe (PID: 3348)
      • DashlaneInst.exe (PID: 1604)
      • DashlaneInst.exe (PID: 1836)
    • Checks supported languages

      • DashlaneInst.exe (PID: 856)
      • DashlaneInst.exe (PID: 3348)
      • DashlaneInst.exe (PID: 1836)
      • DashlaneInst.exe (PID: 1604)
    • Checks proxy server information

      • DashlaneInst.exe (PID: 3348)
      • DashlaneInst.exe (PID: 1604)
    • Manual execution by a user

      • WINWORD.EXE (PID: 3024)
      • WINWORD.EXE (PID: 3852)
      • DashlaneInst.exe (PID: 1836)
    • Drops a file that was compiled in debug mode

      • DashlaneInst.exe (PID: 1604)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2019-Jan-24 14:28:37
Detected languages:
  • English - United States
Comments :
CompanyName: Dashlane Inc.
FileDescription: Dashlane
FileVersion: 6.2105.0.43225
LegalCopyright: Copyright 2009-2021 Dashlane Inc.
LegalTradmarks: Dashlane is a tradmark of Dashlane Inc.
ProductName: Dashlane

DOS Header

e_magic: MZ
e_cblp: 144
e_cp: 3
e_crlc: 0
e_cparhdr: 4
e_minalloc: 0
e_maxalloc: 65535
e_ss: 0
e_sp: 184
e_csum: 0
e_ip: 0
e_cs: 0
e_ovno: 0
e_oemid: 0
e_oeminfo: 0
e_lfanew: 224

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 5
TimeDateStamp: 2019-Jan-24 14:28:37
PointerToSymbolTable: 0
NumberOfSymbols: 0
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 4096 | 26288 | 26624 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.35989
.rdata | 32768 | 5544 | 5632 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.34624
.data | 40960 | 107736 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 1.61575
.ndata | 151552 | 786432 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 937984 | 126088 | 126464 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.24235

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 2.60233 | 67624 | UNKNOWN | English - United States | RT_ICON
2 | 3.09318 | 16936 | UNKNOWN | English - United States | RT_ICON
3 | 7.61812 | 13137 | UNKNOWN | English - United States | RT_ICON
4 | 3.21852 | 9640 | UNKNOWN | English - United States | RT_ICON
5 | 7.86823 | 6375 | UNKNOWN | English - United States | RT_ICON
6 | 3.26551 | 4264 | UNKNOWN | English - United States | RT_ICON
7 | 4.44343 | 1128 | UNKNOWN | English - United States | RT_ICON
103 | 2.79933 | 104 | UNKNOWN | English - United States | RT_GROUP_ICON
105 | 2.73893 | 514 | UNKNOWN | English - United States | RT_DIALOG
106 | 2.91148 | 248 | UNKNOWN | English - United States | RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
Total processes: 48
Monitored processes: 6
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Process graph nodes: start, dashlaneinst.exe, dashlaneinst.exe, winword.exe (no specs), winword.exe (no specs), dashlaneinst.exe, dashlaneinst.exe

Process information

PID: 856
CMD: "C:\Users\admin\Desktop\DashlaneInst.exe"
Path: C:\Users\admin\Desktop\DashlaneInst.exe
Parent process: Explorer.EXE
User: admin
Company: Dashlane Inc.
Integrity Level: MEDIUM
Description: Dashlane
Version: 6.2105.0.43225
Modules
Images
c:\users\admin\desktop\dashlaneinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\user32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\advapi32.dll

PID: 3348
CMD: "C:\Users\admin\Desktop\DashlaneInst.exe" /UAC:50150 /NCRC
Path: C:\Users\admin\Desktop\DashlaneInst.exe
Parent process: DashlaneInst.exe
User: admin
Company: Dashlane Inc.
Integrity Level: HIGH
Description: Dashlane
Version: 6.2105.0.43225
Modules
Images
c:\users\admin\desktop\dashlaneinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

PID: 3024
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\optioncourt.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\system32\user32.dll

PID: 3852
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\optioncourt.rtf"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Exit code: 0
Version: 14.0.6024.1000
Modules
Images
c:\program files\microsoft office\office14\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_50934f2ebcb7eb57\msvcr90.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll

PID: 1836
CMD: "C:\Users\admin\Desktop\DashlaneInst.exe"
Path: C:\Users\admin\Desktop\DashlaneInst.exe
Parent process: Explorer.EXE
User: admin
Company: Dashlane Inc.
Integrity Level: MEDIUM
Description: Dashlane
Version: 6.2105.0.43225
Modules
Images
c:\users\admin\desktop\dashlaneinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shell32.dll

PID: 1604
CMD: "C:\Users\admin\Desktop\DashlaneInst.exe" /UAC:3012C /NCRC
Path: C:\Users\admin\Desktop\DashlaneInst.exe
Parent process: DashlaneInst.exe
User: admin
Company: Dashlane Inc.
Integrity Level: HIGH
Description: Dashlane
Version: 6.2105.0.43225
Modules
Images
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\dashlaneinst.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

Total events: 13 880
Read events: 13 060
Write events: 669
Delete events: 151

Modification events

Process: DashlaneInst.exe (PID: 856)
Key: HKEY_CURRENT_USER\Software\Dashlane\InstallInformation
Operation: write
Name: partnerid
Value:

Process: DashlaneInst.exe (PID: 856)
Key: HKEY_CURRENT_USER\Software\Dashlane\InstallInformation
Operation: write
Name: campaignid
Value: NO_CAMPAIGN

Process: DashlaneInst.exe (PID: 856)
Key: HKEY_CURRENT_USER\Software\Dashlane\InstallInformation
Operation: write
Name: createDesktopShortcut
Value: true

Process: DashlaneInst.exe (PID: 3348)
Key: HKEY_CURRENT_USER\Software\Dashlane\InstallInformation
Operation: write
Name: partnerid
Value:

Process: DashlaneInst.exe (PID: 3348)
Key: HKEY_CURRENT_USER\Software\Dashlane\InstallInformation
Operation: write
Name: AnonymousInstallerId2
Value: 707405901511138591921169605

Process: DashlaneInst.exe (PID: 3348)
Key: HKEY_CURRENT_USER\Software\Dashlane\InstallInformation
Operation: write
Name: partnername
Value: NO_TYPE

Process: DashlaneInst.exe (PID: 3348)
Key: HKEY_CURRENT_USER\Software\Dashlane\InstallInformation
Operation: write
Name: InstallerPath
Value: C:\Users\admin\Desktop\DashlaneInst.exe

Process: DashlaneInst.exe (PID: 3348)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

Process: DashlaneInst.exe (PID: 3348)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: DashlaneInst.exe (PID: 3348)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Executable files: 30
Suspicious files: 9
Text files: 7
Unknown types: 12

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
856 | DashlaneInst.exe | C:\Users\admin\AppData\Local\Temp\dashlaneInstallLog.txt | text | AA25D7EFA3A53E5108080C1744CD8901 | 12AF91DFFB2E1240FF6E454E33663D772D43EB82294F1878ACC2A51747F413D3
856 | DashlaneInst.exe | C:\Users\admin\AppData\Local\Temp\nsa8DC.tmp\System.dll | executable | 5BC871689EAB0C9726D71DD0E5921D9B | 0BCCF2D9FCAE0F2746E52DB6D3DA99C1AB21CBE81FD8D115157D31AFABA4601E
856 | DashlaneInst.exe | C:\Users\admin\AppData\Local\Temp\nsa8DC.tmp\nsRandom_1.dll | executable | AB467B8DFAA660A0F0E5B26E28AF5735 | DB267D9920395B4BADC48DE04DF99DFD21D579480D103CAE0F48E6578197FF73
856 | DashlaneInst.exe | C:\Users\admin\AppData\Local\Temp\nsa8DC.tmp\UserInfo_1.dll | executable | D1E37112390E6BCCA8362788D61BECF5 | 77B40D42606D48F817B901F1E5ABEA114B4288B344B8C193BF3E3C52E469A926
856 | DashlaneInst.exe | C:\Users\admin\AppData\Local\Temp\nsa8DC.tmp\System_2.dll | executable | 2AE993A2FFEC0C137EB51C8832691BCB | 681382F3134DE5C6272A49DD13651C8C201B89C247B471191496E7335702FA59
3348 | DashlaneInst.exe | C:\Users\admin\AppData\Local\Temp\nslB3D.tmp\System.dll | executable | 5BC871689EAB0C9726D71DD0E5921D9B | 0BCCF2D9FCAE0F2746E52DB6D3DA99C1AB21CBE81FD8D115157D31AFABA4601E
3348 | DashlaneInst.exe | C:\Users\admin\AppData\Local\Temp\nslB3D.tmp\nsRandom_1.dll | executable | AB467B8DFAA660A0F0E5B26E28AF5735 | DB267D9920395B4BADC48DE04DF99DFD21D579480D103CAE0F48E6578197FF73
3348 | DashlaneInst.exe | C:\Users\admin\AppData\Local\Temp\dashlaneInstallLog.txt | text | AA25D7EFA3A53E5108080C1744CD8901 | 12AF91DFFB2E1240FF6E454E33663D772D43EB82294F1878ACC2A51747F413D3
3348 | DashlaneInst.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed | F7DCB24540769805E5BB30D193944DCE | 6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
3348 | DashlaneInst.exe | C:\Users\admin\AppData\Local\Temp\nslB3D.tmp\UserInfo_1.dll | executable | D1E37112390E6BCCA8362788D61BECF5 | 77B40D42606D48F817B901F1E5ABEA114B4288B344B8C193BF3E3C52E469A926

HTTP(S) requests: 7
TCP/UDP connections: 26
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3348 | DashlaneInst.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?00adbaf6499136e0 | US | compressed | 4.70 Kb | whitelisted
3348 | DashlaneInst.exe | GET | 200 | 108.156.61.136:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted
3348 | DashlaneInst.exe | GET | 200 | 108.156.61.163:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted
3348 | DashlaneInst.exe | GET | 200 | 108.156.61.214:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared
3348 | DashlaneInst.exe | GET | 200 | 18.65.40.40:80 | http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAy9%2FFzEdU4NywCMlt3jyQ0%3D | US | der | 471 b | whitelisted
3348 | DashlaneInst.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted
3348 | DashlaneInst.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEApan6vViUvL1DgpMaS4zxI%3D | US | der | 278 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3348 | DashlaneInst.exe | 34.255.201.174:443 | logs.dashlane.com | AMAZON-02 | IE | unknown
3348 | DashlaneInst.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
3348 | DashlaneInst.exe | 108.156.61.214:80 | ocsp.rootca1.amazontrust.com | AMAZON-02 | US | unknown
3348 | DashlaneInst.exe | 108.156.61.163:80 | ocsp.rootg2.amazontrust.com | AMAZON-02 | US | unknown
3348 | DashlaneInst.exe | 108.156.61.136:80 | o.ss2.us | AMAZON-02 | US | unknown
3348 | DashlaneInst.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
3348 | DashlaneInst.exe | 18.65.40.40:80 | ocsp.sca1b.amazontrust.com | AMAZON-02 | US | whitelisted
 |  | 104.18.27.218:443 | ws1.dashlane.com | CLOUDFLARENET |  | shared
3348 | DashlaneInst.exe | 104.18.27.218:443 | ws1.dashlane.com | CLOUDFLARENET |  | shared
1604 | DashlaneInst.exe | 34.255.201.174:443 | logs.dashlane.com | AMAZON-02 | IE | unknown

DNS requests

Domain | IP | Reputation
logs.dashlane.com | 34.255.201.174 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
o.ss2.us | 108.156.61.136 | whitelisted
ocsp.rootg2.amazontrust.com | 108.156.61.163 | whitelisted
ocsp.rootca1.amazontrust.com | 108.156.61.214 | shared
ocsp.sca1b.amazontrust.com | 18.65.40.40 | whitelisted
ws1.dashlane.com | 104.18.27.218 | unknown
ocsp.digicert.com | 93.184.220.29 | whitelisted

Threats

No threats detected
No debug info