| File name: | Setup.exe |
| Full analysis: | https://app.any.run/tasks/e8d6387c-381b-46d3-9151-ce3c58ec9a1a |
| Verdict: | Malicious activity |
| Analysis date: | November 05, 2023, 11:24:03 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 240BDB7AF8CAE7C1129099DB2E72FCA0 |
| SHA1: | FD8A3D2901020CB7552596DC28E4ACD82B4BAAA1 |
| SHA256: | 501CA30174426B8E1ADDD980955C9BA6C4368AB6B4E20B85271AD81390148AFC |
| SSDEEP: | 98304:6TdWSXLMXwMSTeJy4JXN8JNiL8NDklbe+5WPv7wZVqmJwXxtl1B8ZzI0c59RA1r5:bsVx10G29F |
MALICIOUS
Drops the executable file immediately after the start
- Setup.exe (PID: 3480)
- _iu14D2N.tmp (PID: 3660)
- unins000.exe (PID: 3652)
- Setup.tmp (PID: 3500)
SUSPICIOUS
Process drops legitimate windows executable
- Setup.tmp (PID: 3500)
- _iu14D2N.tmp (PID: 3660)
Drops 7-zip archiver for unpacking
- Setup.tmp (PID: 3500)
Reads the Windows owner or organization settings
- _iu14D2N.tmp (PID: 3660)
- Setup.tmp (PID: 3500)
Starts itself from another location
- unins000.exe (PID: 3652)
Starts application with an unusual extension
- unins000.exe (PID: 3652)
INFO
Checks supported languages
- Setup.exe (PID: 3480)
- Setup.tmp (PID: 3500)
- _iu14D2N.tmp (PID: 3660)
- unins000.exe (PID: 3652)
Create files in a temporary directory
- Setup.exe (PID: 3480)
- Setup.tmp (PID: 3500)
- unins000.exe (PID: 3652)
- _iu14D2N.tmp (PID: 3660)
Reads the computer name
- Setup.tmp (PID: 3500)
Reads the machine GUID from the registry
- Setup.tmp (PID: 3500)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (81.5) |
|---|---|---|
| .exe | | | Win32 Executable Delphi generic (10.5) |
| .exe | | | Win32 Executable (generic) (3.3) |
| .exe | | | Win16/32 Executable Delphi generic (1.5) |
| .exe | | | Generic Win/DOS Executable (1.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2012:10:02 07:04:04+02:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 86016 |
| InitializedDataSize: | 116736 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x16478 |
| OSVersion: | 5 |
| ImageVersion: | 6 |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | dixen18 |
| FileDescription: | MSMR-MM Setup |
| FileVersion: | |
| LegalCopyright: | |
| ProductName: | MSMR-MM |
| ProductVersion: |
Total processes
42
Monitored processes
5
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3216 | "C:\Users\admin\AppData\Local\Temp\Setup.exe" | C:\Users\admin\AppData\Local\Temp\Setup.exe | — | explorer.exe | |||||||||||
User: admin Company: dixen18 Integrity Level: MEDIUM Description: MSMR-MM Setup Exit code: 3221226540 Version: Modules
| |||||||||||||||
| 3480 | "C:\Users\admin\AppData\Local\Temp\Setup.exe" | C:\Users\admin\AppData\Local\Temp\Setup.exe | explorer.exe | ||||||||||||
User: admin Company: dixen18 Integrity Level: HIGH Description: MSMR-MM Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 3500 | "C:\Users\admin\AppData\Local\Temp\is-I0V5R.tmp\Setup.tmp" /SL5="$80134,4118480,203776,C:\Users\admin\AppData\Local\Temp\Setup.exe" | C:\Users\admin\AppData\Local\Temp\is-I0V5R.tmp\Setup.tmp | — | Setup.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 3652 | "C:\Games\MSMR-MM\Uninstall\unins000.exe" /Silent | C:\Games\MSMR-MM\Uninstall\unins000.exe | — | Setup.tmp | |||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 3660 | "C:\Users\admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Games\MSMR-MM\Uninstall\unins000.exe" /FIRSTPHASEWND=$50170 /Silent | C:\Users\admin\AppData\Local\Temp\_iu14D2N.tmp | — | unins000.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
Total events
155
Read events
145
Write events
0
Delete events
10
Modification events
| (PID) Process: | (3660) _iu14D2N.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSMR-MM_is1 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3660) _iu14D2N.tmp | Key: | HKEY_CURRENT_USER\Software\Insomniac Games\Marvel's Spider-Man Miles Morales |
| Operation: | delete value | Name: | englishVO |
Value: 0 | |||
| (PID) Process: | (3660) _iu14D2N.tmp | Key: | HKEY_CURRENT_USER\Software\Insomniac Games\Marvel's Spider-Man Miles Morales |
| Operation: | delete value | Name: | TextLanguage |
Value: 14 | |||
| (PID) Process: | (3660) _iu14D2N.tmp | Key: | HKEY_CURRENT_USER\Software\Insomniac Games\Marvel's Spider-Man Miles Morales |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3660) _iu14D2N.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| Operation: | delete value | Name: | C:\Games\MSMR-MM\MilesMorales.exe |
Value: RUNASADMIN | |||
| (PID) Process: | (3660) _iu14D2N.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3500) Setup.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (3500) Setup.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | SessionHash |
Value: 6555869F4BF17984F6C6AC8697EE71770CDE7B5B547E9169264E9E6A875FA64E | |||
| (PID) Process: | (3500) Setup.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | Owner |
Value: AC0D0000B846469ADA0FDA01 | |||
| (PID) Process: | (3500) Setup.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
19
Suspicious files
1
Text files
10
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3500 | Setup.tmp | C:\Users\admin\AppData\Local\Temp\is-HLQMP.tmp\UIcon.ico | image | |
MD5:014ECE6712E7098FC0BC69675FCABE5C | SHA256:46346CC016EDBBFB2F52C3C5EAAF6550BFAAE8263E8F9C959F628569CF692BAA | |||
| 3500 | Setup.tmp | C:\Users\admin\AppData\Local\Temp\is-HLQMP.tmp\_isetup\_shfoldr.dll | executable | |
MD5:92DC6EF532FBB4A5C3201469A5B5EB63 | SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 | |||
| 3500 | Setup.tmp | C:\Users\admin\AppData\Local\Temp\is-HLQMP.tmp\image.bmp | image | |
MD5:BFDEF6D84B98E5773CE1F7358AD11786 | SHA256:B9967BC7ACE2E130DBF05A2A3CF33428583E40DD0DB5954619FD52D141DCBE12 | |||
| 3500 | Setup.tmp | C:\Users\admin\AppData\Local\Temp\is-HLQMP.tmp\ISDone.dll | executable | |
MD5:4FEAFA8B5E8CDB349125C8AF0AC43974 | SHA256:BB8A0245DCC5C10A1C7181BAD509B65959855009A8105863EF14F2BB5B38AC71 | |||
| 3500 | Setup.tmp | C:\Users\admin\AppData\Local\Temp\is-HLQMP.tmp\idp.dll | executable | |
MD5:55C310C0319260D798757557AB3BF636 | SHA256:54E7E0AD32A22B775131A6288F083ED3286A9A436941377FC20F85DD9AD983ED | |||
| 3500 | Setup.tmp | C:\Users\admin\AppData\Local\Temp\is-HLQMP.tmp\WinTB.dll | executable | |
MD5:348F5C9651B979191373EBA950D0EDC3 | SHA256:6922915886745D1B59320DEE9A87311AADD57F924FFB73CAC1D27573E75BCECC | |||
| 3500 | Setup.tmp | C:\Users\admin\AppData\Local\Temp\is-HLQMP.tmp\english.ini | text | |
MD5:B031BEE9106D82782B43BDF5D4AD79B0 | SHA256:E1B6F4DC9BA12E110B33D370E8F06F176228059C42754BE5DA7B92AB939FF38E | |||
| 3500 | Setup.tmp | C:\Users\admin\AppData\Local\Temp\is-HLQMP.tmp\unarc.dll | executable | |
MD5:2CED17F02B24372C166FAAF7DA2DFFB3 | SHA256:89952411324163A635942DB33DD0087508E20D112E1E75403DC1D5E852927DD7 | |||
| 3500 | Setup.tmp | C:\Users\admin\AppData\Local\Temp\is-HLQMP.tmp\facompress.dll | executable | |
MD5:D43845F28651A42BA2105FCFCCA5253F | SHA256:17A9FFDF381F7A9F6CDFC85B157FC6CF80CD4B45ED8AD43EDAC73008923501A0 | |||
| 3500 | Setup.tmp | C:\Users\admin\AppData\Local\Temp\is-HLQMP.tmp\russian.ini | text | |
MD5:C2F6F1038DE8369B2E31067EA4D48536 | SHA256:1CFA41921DCE01991640DB414D4955B1A6DC6D6FA4F4333CA7552E2E8B81391E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |