URL: http://www.drivereasy.com/DriverEasy_Setup.exe

Full analysis: https://app.any.run/tasks/eb503ecb-2a6b-4b32-ad25-6165c21f4dad
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 02, 2019, 17:35:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader

Indicators:
MD5: A68B8C218FC7A9C837A3FA148AD9AED9
SHA1: 7934E3731533D5D898B555ED1685C4D0CF7556FA
SHA256: 4FA0E89D0EEE0468A3DD0C69D6F8196E43BAF7CF616FE3B3B3CA1C05F594115D
SSDEEP: 3:N1KJS4aW5yTJWkA:Cc4mTUkA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • DriverEasy_Setup.exe (PID: 3792)
      • DriverEasy_Setup.exe (PID: 564)
      • Easeware.CheckScheduledScan.exe (PID: 1948)
      • Easeware.ConfigLanguageFromSetup.exe (PID: 3368)
      • DriverEasy.exe (PID: 3748)
    • Downloads executable files from the Internet

      • chrome.exe (PID: 3016)
    • Loads dropped or rewritten executable

      • Easeware.ConfigLanguageFromSetup.exe (PID: 3368)
      • DriverEasy.exe (PID: 3748)
    • Loads the Task Scheduler DLL interface

      • Easeware.CheckScheduledScan.exe (PID: 1948)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 3016)
      • chrome.exe (PID: 2840)
      • DriverEasy_Setup.exe (PID: 3792)
      • DriverEasy_Setup.exe (PID: 564)
      • DriverEasy_Setup.tmp (PID: 1096)
      • DriverEasy.exe (PID: 3748)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2840)
    • Reads the Windows organization settings

      • DriverEasy_Setup.tmp (PID: 1096)
    • Reads Windows owner or organization settings

      • DriverEasy_Setup.tmp (PID: 1096)
    • Creates files in the user directory

      • Easeware.ConfigLanguageFromSetup.exe (PID: 3368)
      • DriverEasy.exe (PID: 3748)
    • Creates files in the Windows directory

      • Easeware.CheckScheduledScan.exe (PID: 1948)
    • Reads Environment values

      • DriverEasy.exe (PID: 3748)
    • Reads the machine GUID from the registry

      • DriverEasy.exe (PID: 3748)
    • Uses NETSH.EXE for network configuration

      • DriverEasy_Setup.tmp (PID: 1096)
    • Starts Internet Explorer

      • DriverEasy_Setup.tmp (PID: 1096)
    • Creates files in the program directory

      • iexplore.exe (PID: 3396)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3228)
      • chrome.exe (PID: 2840)
      • iexplore.exe (PID: 3396)
    • Changes internet zones settings

      • iexplore.exe (PID: 2428)
      • iexplore.exe (PID: 3984)
    • Manual execution by user

      • chrome.exe (PID: 2840)
    • Application launched itself

      • chrome.exe (PID: 2840)
      • iexplore.exe (PID: 2428)
      • iexplore.exe (PID: 3984)
    • Reads the hosts file

      • chrome.exe (PID: 3016)
      • chrome.exe (PID: 2840)
    • Reads settings of System Certificates

      • chrome.exe (PID: 3016)
      • DriverEasy.exe (PID: 3748)
    • Application was dropped or rewritten from another process

      • DriverEasy_Setup.tmp (PID: 2740)
      • DriverEasy_Setup.tmp (PID: 1096)
    • Loads dropped or rewritten executable

      • DriverEasy_Setup.tmp (PID: 1096)
    • Creates files in the program directory

      • DriverEasy_Setup.tmp (PID: 1096)
    • Creates a software uninstall entry

      • DriverEasy_Setup.tmp (PID: 1096)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3396)
    • Creates files in the user directory

      • iexplore.exe (PID: 3396)
No Malware configuration.
No data.
Total processes: 87
Monitored processes: 43
Malicious processes: 6
Suspicious processes: 2

Behavior graph

(Interactive process graph, available in the full report. Processes shown: iexplore.exe, chrome.exe, drivereasy_setup.exe, drivereasy_setup.tmp, easeware.checkscheduledscan.exe, easeware.configlanguagefromsetup.exe, drivereasy.exe, netsh.exe; edges are labelled "start" and "drop and start".)

Process information

PID: 2428
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3228
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2428 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2840
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 2852
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6d67a9d0,0x6d67a9e0,0x6d67a9ec
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 3316
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3000 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 1316
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1008,17990065031117311064,16560272885804295315,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=7707886560640681071 --mojo-platform-channel-handle=1004 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Version: 75.0.3770.100

PID: 3016
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1008,17990065031117311064,16560272885804295315,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=8156584730923234830 --mojo-platform-channel-handle=1612 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 3904
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1008,17990065031117311064,16560272885804295315,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1817418874217151392 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2232 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Version: 75.0.3770.100

PID: 328
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1008,17990065031117311064,16560272885804295315,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3395721919285386124 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2460 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100

PID: 2532
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1008,17990065031117311064,16560272885804295315,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8690007084628743965 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2452 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100
Total events: 6 716
Read events: 6 357
Write events: 347
Delete events: 12

Modification events

(2428) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  Operation: write; Name: CompatibilityFlags; Value: 0

(2428) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write; Name: UNCAsIntranet; Value: 0

(2428) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write; Name: AutoDetect; Value: 1

(2428) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
  Operation: write; Name: SecuritySafe; Value: 1

(2428) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Operation: write; Name: ProxyEnable; Value: 0

(2428) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Operation: write; Name: SavedLegacySettings
  Value:
4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000

(2428) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
  Operation: write; Name: {27381801-152A-11EA-AB41-5254004A04AF}; Value: 0

(2428) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
  Operation: write; Name: Type; Value: 4

(2428) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
  Operation: write; Name: Count; Value: 2

(2428) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
  Operation: write; Name: Time; Value: E3070C0001000200110023002700B101
Executable files: 25
Suspicious files: 34
Text files: 295
Unknown types: 26

Dropped files

PID 2428, iexplore.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
  Type: (not recorded); MD5: (not recorded); SHA256: (not recorded)

PID 2428, iexplore.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Type: (not recorded); MD5: (not recorded); SHA256: (not recorded)

PID 2840, chrome.exe
  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF3a06fb.TMP
  Type: text; MD5: C4D6CBB269C626168A5D6D0D8CCE6C30; SHA256: B62CDBB758278A0C2E50593357390119441D8DE09428EB29027F3DFD1332E348

PID 2840, chrome.exe
  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old
  Type: text; MD5: C4D6CBB269C626168A5D6D0D8CCE6C30; SHA256: B62CDBB758278A0C2E50593357390119441D8DE09428EB29027F3DFD1332E348

PID 2840, chrome.exe
  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF3a06fb.TMP
  Type: text; MD5: DC32343F45B01764B6267AD36548102A; SHA256: A250F5AD57D4BD58AAE92810D50278E3BE2DBF869F126A3A3519691BCDFC2075

PID 2840, chrome.exe
  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old
  Type: text; MD5: DC32343F45B01764B6267AD36548102A; SHA256: A250F5AD57D4BD58AAE92810D50278E3BE2DBF869F126A3A3519691BCDFC2075

PID 2840, chrome.exe
  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old
  Type: text; MD5: 213AE3DA120D7862D60B5763B6C9D466; SHA256: 5736534D6EE654C1BF1A8E79E73330AF58F622E8657285330D2C7189A55604F4

PID 2840, chrome.exe
  C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF3a06fb.TMP
  Type: text; MD5: 213AE3DA120D7862D60B5763B6C9D466; SHA256: 5736534D6EE654C1BF1A8E79E73330AF58F622E8657285330D2C7189A55604F4

PID 3228, iexplore.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
  Type: dat; MD5: 359E47B427F9CF632D432F6F624B1CBB; SHA256: 98CC470A68F03480B3EAF796737A41F5C5B9720A8C43F0796D80E9BDD90BA1E2

PID 3228, iexplore.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\HO8NFPOC\desktop.ini
  Type: ini; MD5: 4A3DEB274BB5F0212C2419D3D8D08612; SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
HTTP(S) requests: 18
TCP/UDP connections: 101
DNS requests: 39
Threats: 0

HTTP requests

3228 iexplore.exe: GET http://cdn.drivereasy.com/DriverEasy_Setup.exe
  HTTP code: (none); IP: 2.16.106.201:80; CN: unknown; Type: (none); Size: (none); Reputation: suspicious

3748 DriverEasy.exe: GET http://dow1.drivereasy.com/down19/ftpii1oy.lrq/PROWin7_32.zip
  HTTP code: (none); IP: 149.202.92.120:80; CN: FR; Type: (none); Size: (none); Reputation: unknown

3748 DriverEasy.exe: GET http://dow1.drivereasy.com/infstructure/2000/2go2wdsp.zpt/ich9usb.infstru
  HTTP code: 200; IP: 149.202.92.120:80; CN: FR; Type: xml; Size: 726 b; Reputation: unknown

3748 DriverEasy.exe: GET http://dow1.drivereasy.com/down19/ftpii1oy.lrq/PROWin7_32.zip
  HTTP code: 206; IP: 149.202.92.120:80; CN: FR; Type: binary; Size: 72.8 Kb; Reputation: unknown

3016 chrome.exe: GET http://www.drivereasy.com/DriverEasy_Setup.exe
  HTTP code: 301; IP: 167.114.130.158:80; CN: CA; Type: html; Size: 162 b; Reputation: malicious

3016 chrome.exe: GET http://r5---sn-hpa7zned.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=185.128.27.151&mm=28&mn=sn-hpa7zned&ms=nvh&mt=1575308060&mv=m&mvi=4&pl=24&shardbypass=yes
  HTTP code: 200; IP: 74.125.153.27:80; CN: US; Type: crx; Size: 293 Kb; Reputation: whitelisted

3016 chrome.exe: GET http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
  HTTP code: 302; IP: 172.217.18.110:80; CN: US; Type: html; Size: 515 b; Reputation: whitelisted

3748 DriverEasy.exe: GET http://cdn.drivereasy.com/version.html
  HTTP code: 200; IP: 2.16.106.187:80; CN: unknown; Type: text; Size: 415 b; Reputation: suspicious

3748 DriverEasy.exe: GET http://dow1.drivereasy.com/drivercomponents/8000/0pbdg5k4.snw/ich9usb.inf
  HTTP code: 200; IP: 149.202.92.120:80; CN: FR; Type: txt; Size: 12.3 Kb; Reputation: unknown

3748 DriverEasy.exe: GET http://dow1.drivereasy.com/drivercomponents/8000/5itr55wc.t1t/ich9usb.cat
  HTTP code: 200; IP: 149.202.92.120:80; CN: FR; Type: cat; Size: 144 Kb; Reputation: unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2428 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3016 | chrome.exe | 172.217.22.99:443 | www.google.com.ua | Google Inc. | US | whitelisted
3016 | chrome.exe | 172.217.22.109:443 | accounts.google.com | Google Inc. | US | whitelisted
3016 | chrome.exe | 172.217.18.100:443 | www.google.com | Google Inc. | US | whitelisted
3016 | chrome.exe | 216.58.207.67:443 | www.gstatic.com | Google Inc. | US | whitelisted
3228 | iexplore.exe | 167.114.130.158:443 | www.drivereasy.com | OVH SAS | CA | malicious
3228 | iexplore.exe | 2.16.106.201:80 | cdn.drivereasy.com | Akamai International B.V. | (not recorded) | whitelisted
3016 | chrome.exe | 172.217.16.170:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
3228 | iexplore.exe | 167.114.130.158:80 | www.drivereasy.com | OVH SAS | CA | malicious
3016 | chrome.exe | 216.58.207.35:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
www.drivereasy.com | 167.114.130.158 | unknown
clientservices.googleapis.com | 216.58.207.35 | whitelisted
accounts.google.com | 172.217.22.109 | shared
cdn.drivereasy.com | 2.16.106.201, 2.16.106.187 | suspicious
www.google.com.ua | 172.217.22.99 | whitelisted
www.google.com | 172.217.18.100 | whitelisted
fonts.googleapis.com | 172.217.16.170 | whitelisted
www.gstatic.com | 216.58.207.67 | whitelisted
apis.google.com | 172.217.18.110 | whitelisted

Threats

PID | Process | Class | Message
3228 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3016 | chrome.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
No debug info