| File name: | SpywareQuake.exe |
| Full analysis: | https://app.any.run/tasks/a3cb00e3-ed6c-4d3a-b88c-2227419ce32a |
| Verdict: | Malicious activity |
| Analysis date: | February 10, 2024, 17:14:09 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
| MD5: | 7E56EA2BA66F0BA2DB6591C428923872 |
| SHA1: | 70B485DE20CE726B0F407070FFB22C38E5D29627 |
| SHA256: | 568D759BB2AAC5D177941063E14775727DDE17857FF64EB68586831F4B734EA1 |
| SSDEEP: | 49152:NJLz7hYYuHSQS/jElpu/ni1/1ZWNWIfgDqhX4DFauM0A4JV0znwtQ7:NJhYYrHADu/nw1+fdpC840nw67 |
MALICIOUS
Drops the executable file immediately after the start
- SpywareQuake.exe (PID: 3216)
Changes the autorun value in the registry
- SpywareQuake.exe (PID: 3216)
SUSPICIOUS
Reads the BIOS version
- SpywareQuaked.exe (PID: 1876)
- SpywareQuaked.exe (PID: 4008)
Executable content was dropped or overwritten
- SpywareQuake.exe (PID: 3216)
Process drops legitimate windows executable
- SpywareQuake.exe (PID: 3216)
The process drops C-runtime libraries
- SpywareQuake.exe (PID: 3216)
Reads the Internet Settings
- SpywareQuaked.exe (PID: 4008)
Reads security settings of Internet Explorer
- SpywareQuaked.exe (PID: 4008)
Reads settings of System Certificates
- SpywareQuaked.exe (PID: 4008)
Creates a software uninstall entry
- SpywareQuake.exe (PID: 3216)
Starts application from unusual location
- SpywareQuaked.exe (PID: 4008)
INFO
Create files in a temporary directory
- SpywareQuake.exe (PID: 3216)
- SpywareQuaked.exe (PID: 4008)
Creates files in the program directory
- SpywareQuake.exe (PID: 3216)
Reads the computer name
- SpywareQuake.exe (PID: 3216)
- SpywareQuaked.exe (PID: 1876)
- SpywareQuaked.exe (PID: 4008)
Checks supported languages
- SpywareQuake.exe (PID: 3216)
- SpywareQuaked.exe (PID: 1876)
- SpywareQuaked.exe (PID: 4008)
Reads the machine GUID from the registry
- SpywareQuaked.exe (PID: 1876)
- SpywareQuaked.exe (PID: 4008)
Checks proxy server information
- SpywareQuaked.exe (PID: 4008)
Creates files or folders in the user directory
- SpywareQuake.exe (PID: 3216)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | NSIS - Nullsoft Scriptable Install System (94.8) |
|---|---|---|
| .exe | | | Win32 Executable MS Visual C++ (generic) (3.4) |
| .dll | | | Win32 Dynamic Link Library (generic) (0.7) |
| .exe | | | Win32 Executable (generic) (0.5) |
| .exe | | | Generic Win/DOS Executable (0.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2007:01:13 18:26:07+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 23040 |
| InitializedDataSize: | 121856 |
| UninitializedDataSize: | 1024 |
| EntryPoint: | 0x3132 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 2.4.0.0 |
| ProductVersionNumber: | 2.4.0.0 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| Comments: | SpywareQuaked AntiSpyware |
| CompanyName: | SpywareQuaked |
| FileDescription: | SpywareQuaked Install |
| FileVersion: | 2.4.0.0 |
| LegalCopyright: | 2007, All rights reserverd (c) SpywareQuaked. |
| OriginalFileName: | SpywareQuaked.exe |
| ProductName: | SpywareQuaked 2.4 |
Total processes
44
Monitored processes
4
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1876 | "C:\Program Files\SpywareQuaked\SpywareQuaked.exe" /regserver | C:\Program Files\SpywareQuaked\SpywareQuaked.exe | SpywareQuake.exe | ||||||||||||
User: admin Company: SpywareQuake.com Integrity Level: HIGH Description: Anti- spyware and adware Exit code: 0 Version: 2.0.0.0 Modules
| |||||||||||||||
| 3216 | "C:\Users\admin\AppData\Local\Temp\SpywareQuake.exe" | C:\Users\admin\AppData\Local\Temp\SpywareQuake.exe | explorer.exe | ||||||||||||
User: admin Company: SpywareQuaked Integrity Level: HIGH Description: SpywareQuaked Install Exit code: 0 Version: 2.4.0.0 Modules
| |||||||||||||||
| 3672 | "C:\Users\admin\AppData\Local\Temp\SpywareQuake.exe" | C:\Users\admin\AppData\Local\Temp\SpywareQuake.exe | — | explorer.exe | |||||||||||
User: admin Company: SpywareQuaked Integrity Level: MEDIUM Description: SpywareQuaked Install Exit code: 3221226540 Version: 2.4.0.0 Modules
| |||||||||||||||
| 4008 | "C:\Program Files\SpywareQuaked\SpywareQuaked.exe" | C:\Program Files\SpywareQuaked\SpywareQuaked.exe | SpywareQuake.exe | ||||||||||||
User: admin Company: SpywareQuake.com Integrity Level: HIGH Description: Anti- spyware and adware Exit code: 0 Version: 2.0.0.0 Modules
| |||||||||||||||
Total events
8 680
Read events
8 569
Write events
62
Delete events
49
Modification events
| (PID) Process: | (3216) SpywareQuake.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\SpywareQuaked |
| Operation: | write | Name: | refid |
Value: 240 | |||
| (PID) Process: | (1876) SpywareQuaked.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RFC1156Agent\CurrentVersion\Parameters |
| Operation: | write | Name: | TrapPollTimeMilliSecs |
Value: 15000 | |||
| (PID) Process: | (1876) SpywareQuaked.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Licenses |
| Operation: | write | Name: | {K7C0DB872A3F777C0} |
Value: F1E0B442D3231FDE24CFD31DB7ABA71514880D2DD9F0789FE6E132FFFFFFFF82FDBE27C3A30333FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000009FE6E132D3231FDE24CFD31DB7ABA71514880D2DD9F0789FE6E132FFFFFFFF82FDBE27C3A30333FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000009FE6E1320000 | |||
| (PID) Process: | (1876) SpywareQuaked.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48E9638F-E6A2-25BB-6004-732790C793EF} |
| Operation: | delete value | Name: | 0 |
Value: | |||
| (PID) Process: | (1876) SpywareQuaked.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Licenses |
| Operation: | write | Name: | {I7CAB8726BC4A5C74} |
Value: 01000000 | |||
| (PID) Process: | (1876) SpywareQuaked.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Licenses |
| Operation: | write | Name: | {07CAB8726BC4A5C74} |
Value: 563EA80E0BA2A7A641065398E89044A3081B9266BCB601AB99E8099B1FB1523D7EE30B3D94E19C50278AD672A0CEA650B7DD6C6617AC728F901EBA5252056332C7B5327936B9D32D93101FAC7E5D6F8B1F0AEFA31CB7EFF4D52037A8968C572534A695353A0277940C05EC696D55 | |||
| (PID) Process: | (1876) SpywareQuaked.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Licenses |
| Operation: | write | Name: | {I7CAB8726BC4A5C74} |
Value: 02000000 | |||
| (PID) Process: | (1876) SpywareQuaked.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Licenses |
| Operation: | write | Name: | {07CAB8726BC4A5C74} |
Value: 563EA80E0BA2A7A641065398E89044A3081B9266BCB601AB99E8099B1FB1523D7EE30B3D94E19C50278AD672A0CEA650B7DD6C6617AC728F901EBA5252056332C7B5327937B9D32D93101EAC7E5D6F8B1F0AEFA31CB7EFF4D52037A8968C572534A695353A0177940C0574EB9F6E | |||
| (PID) Process: | (1876) SpywareQuaked.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{71FE0640-481B-4609-A13B-02ED7520512A}\TypeLib |
| Operation: | write | Name: | Version |
Value: 1.0 | |||
| (PID) Process: | (1876) SpywareQuaked.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{3DD6957B-BAAF-4A07-8737-3105F4F4083C}\TypeLib |
| Operation: | write | Name: | Version |
Value: 1.0 | |||
Executable files
8
Suspicious files
8
Text files
3
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3216 | SpywareQuake.exe | C:\Users\admin\AppData\Local\Temp\nsnEEB6.tmp\InstallOptions.dll | executable | |
MD5:B3EBE1CB6BDD529302C121DD4E2E0D00 | SHA256:5A1696F9892567B3339FAF2BF4DF5EB1D2D886C49807529028B65F0F493E79B2 | |||
| 3216 | SpywareQuake.exe | C:\Program Files\SpywareQuaked\ref.dat | binary | |
MD5:B6E3E7AFF5AC5CE53D6AAC7AF21ACC0A | SHA256:8AC664FE10CF0F13C6C5F42DBACDFCF50455B4332014E5E3DE860DCE7656900B | |||
| 3216 | SpywareQuake.exe | C:\Users\admin\AppData\Local\Temp\nsnEEB6.tmp\modern-wizard.bmp | image | |
MD5:A798E55047197FE7D3A67C6A5B2719BB | SHA256:AAC849727C2E9B365F2C8EF6D6AEE2120F180874849BACA09019067C40A208C5 | |||
| 3216 | SpywareQuake.exe | C:\Users\admin\AppData\Local\Temp\nsnEEB6.tmp\StartMenu.dll | executable | |
MD5:CB1FC3CD20EAD3E20CBBA5D24BC850AE | SHA256:079C8D22844C2806B2577C093059E1B0404F295F35B26314FAB4EF56DF8572DC | |||
| 3216 | SpywareQuake.exe | C:\Program Files\SpywareQuaked\msvcp71.dll | executable | |
MD5:561FA2ABB31DFA8FAB762145F81667C2 | SHA256:DF96156F6A548FD6FE5672918DE5AE4509D3C810A57BFFD2A91DE45A3ED5B23B | |||
| 3216 | SpywareQuake.exe | C:\Program Files\SpywareQuaked\SpywareQuaked.url | text | |
MD5:26F3D24F81B255DC40987D9994BCD442 | SHA256:88F6558D26CA9CF036229DB718E6C60101577F310416F3276A316FE991ACDD61 | |||
| 3216 | SpywareQuake.exe | C:\Users\Administrator\Desktop\SpywareQuaked.lnk | binary | |
MD5:2BF40E05E92F9F0902F98FD320D502CB | SHA256:E9DAAB4B0B547171746425E75C422C26941064BFF8F43D1E352CDE9840B9B9C6 | |||
| 3216 | SpywareQuake.exe | C:\Program Files\SpywareQuaked\SpywareQuaked.exe | executable | |
MD5:212114126209130D62BFE083B91BB12C | SHA256:038CEDF313F205C50F98232D1918D23F199165B869A2892A5BCF10226CB50479 | |||
| 3216 | SpywareQuake.exe | C:\Program Files\SpywareQuaked\Lang\English.ini | binary | |
MD5:A9EE06B49A3666AA1B017D974FD442C3 | SHA256:5456BD3EE941CD84EC6E0BE1FAFD62F6BDD7DDA0510BF1CE3D925C719452DF53 | |||
| 3216 | SpywareQuake.exe | C:\Program Files\SpywareQuaked\blacklist.txt | text | |
MD5:00372593B3438D9E475AF653E582A4C6 | SHA256:FFDCBAF556098434CA1EDBEC498B0D78AC455AE2E9AB086E17BCD9EA15064B93 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
5
DNS requests
1
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4008 | SpywareQuaked.exe | GET | — | 198.2.199.45:80 | http://updates.spywarequake.com/db/dbver.php | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4008 | SpywareQuaked.exe | 198.2.199.45:80 | updates.spywarequake.com | PEGTECHINC | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
updates.spywarequake.com |
| unknown |
Threats
Process | Message |
|---|---|
SpywareQuaked.exe | %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s |
SpywareQuaked.exe | %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s |
SpywareQuaked.exe | %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s |
SpywareQuaked.exe | %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s |