analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

vpn-client-2.2.2-release.exe

Full analysis: https://app.any.run/tasks/ea1f61ff-31d3-4947-b549-c5c53fc0c99b
Verdict: Malicious activity
Analysis date: November 16, 2019, 11:09:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

43E3EF7766E4352583129CF0EEC72AB7

SHA1:

182577786892E619A4B85270FA8D915C71E63C4C

SHA256:

573B26315D49AB55E10EC39AA092F43FF0A061F3472AD99D3F5F106DADD18C3D

SSDEEP:

98304:4+5LpcUagH964P5CoiS4Ipk8u2bakpomFBH:4+5tBBH84P8S3ijsa9mf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • vpn-client-2.2.2-release.exe (PID: 1016)
      • ipseca.exe (PID: 1932)
      • drvcfg.exe (PID: 1820)
      • devcfg.exe (PID: 3364)
      • drvcfg.exe (PID: 3096)
      • ipsecd.exe (PID: 2516)
      • dtpd.exe (PID: 320)
      • iked.exe (PID: 1948)
      • ipseca.exe (PID: 3916)
      • ipseca.exe (PID: 2500)
      • activate.exe (PID: 2700)
      • ipseca.exe (PID: 4012)

    • Application was dropped or rewritten from another process

      • ipseca.exe (PID: 1932)
      • drvcfg.exe (PID: 1820)
      • drvcfg.exe (PID: 3096)
      • netcfg.exe (PID: 3392)
      • devcfg.exe (PID: 3364)
      • ipsecd.exe (PID: 2516)
      • iked.exe (PID: 1948)
      • ipseca.exe (PID: 3916)
      • dtpd.exe (PID: 320)
      • ipseca.exe (PID: 2500)
      • ipseca.exe (PID: 4012)
      • activate.exe (PID: 2700)
      • activate.exe (PID: 436)

    • Writes to a start menu file

      • vpn-client-2.2.2-release.exe (PID: 1016)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • vpn-client-2.2.2-release.exe (PID: 1016)
      • netcfg.exe (PID: 3392)
      • drvcfg.exe (PID: 3096)
      • DrvInst.exe (PID: 2696)

    • Creates files in the Windows directory

      • vpn-client-2.2.2-release.exe (PID: 1016)
      • DrvInst.exe (PID: 3316)
      • netcfg.exe (PID: 3392)
      • DrvInst.exe (PID: 1936)
      • DrvInst.exe (PID: 2696)

    • Creates files in the program directory

      • vpn-client-2.2.2-release.exe (PID: 1016)
      • ipseca.exe (PID: 1932)
      • ipsecd.exe (PID: 2516)
      • dtpd.exe (PID: 320)
      • iked.exe (PID: 1948)

    • Creates a software uninstall entry

      • vpn-client-2.2.2-release.exe (PID: 1016)

    • Removes files from Windows directory

      • DrvInst.exe (PID: 3316)
      • netcfg.exe (PID: 3392)
      • DrvInst.exe (PID: 1936)
      • DrvInst.exe (PID: 2696)

    • Executed via COM

      • DrvInst.exe (PID: 3316)
      • DrvInst.exe (PID: 1936)
      • DrvInst.exe (PID: 2696)
      • rundll32.exe (PID: 408)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 1708)

    • Creates files in the driver directory

      • DrvInst.exe (PID: 3316)
      • netcfg.exe (PID: 3392)
      • DrvInst.exe (PID: 1936)
      • DrvInst.exe (PID: 2696)

    • Executed as Windows Service

      • ipsecd.exe (PID: 2516)
      • iked.exe (PID: 1948)
      • dtpd.exe (PID: 320)

    • Creates COM task schedule object

      • vpn-client-2.2.2-release.exe (PID: 1016)

    • Starts Internet Explorer

      • ipseca.exe (PID: 2500)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • vpn-client-2.2.2-release.exe (PID: 1016)

    • Manual execution by user

      • ipseca.exe (PID: 3916)
      • ipseca.exe (PID: 2500)
      • ipseca.exe (PID: 4012)

    • Changes internet zones settings

      • iexplore.exe (PID: 3028)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3340)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3340)

    • Creates files in the user directory

      • iexplore.exe (PID: 3340)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 1708)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (91.9)
.exe | Win32 Executable MS Visual C++ (generic) (3.3)
.exe | Win64 Executable (generic) (3)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2009:12:05 23:53:18+01:00
PEType: PE32
LinkerVersion: 6
CodeSize: 25088
InitializedDataSize: 124928
UninitializedDataSize: 1024
EntryPoint: 0x36a0
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 05-Dec-2009 22:53:18
Detected languages:
  • English - United States

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000C8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 05-Dec-2009 22:53:18
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x000061A4
0x00006200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.44297
.rdata
0x00008000
0x000011E0
0x00001200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.3067
.data
0x0000A000
0x0001C3F8
0x00000C00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.1303
.ndata
0x00027000
0x0000D000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
.rsrc
0x00034000
0x000065E8
0x00006600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.06092

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.10394
533
UNKNOWN
English - United States
RT_MANIFEST
2
4.89539
4264
UNKNOWN
English - United States
RT_ICON
3
5.3403
3752
UNKNOWN
English - United States
RT_ICON
4
5.86327
2216
UNKNOWN
English - United States
RT_ICON
5
4.97538
1128
UNKNOWN
English - United States
RT_ICON
102
2.71813
180
UNKNOWN
English - United States
RT_DIALOG
103
2.63025
76
UNKNOWN
English - United States
RT_GROUP_ICON
104
2.70992
344
UNKNOWN
English - United States
RT_DIALOG
105
2.68372
512
UNKNOWN
English - United States
RT_DIALOG
106
2.91148
248
UNKNOWN
English - United States
RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
VERSION.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
62
Monitored processes
22
Malicious processes
10
Suspicious processes
3

Behavior graph

Click at the process to see the details
drop and start drop and start drop and start drop and start drop and start start vpn-client-2.2.2-release.exe no specs vpn-client-2.2.2-release.exe ipseca.exe no specs drvcfg.exe no specs drvinst.exe no specs netcfg.exe drvcfg.exe drvinst.exe no specs devcfg.exe no specs drvinst.exe ipsecd.exe no specs iked.exe no specs dtpd.exe no specs rundll32.exe no specs ipseca.exe activate.exe no specs activate.exe ipseca.exe ipseca.exe no specs iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2772"C:\Users\admin\AppData\Local\Temp\vpn-client-2.2.2-release.exe" C:\Users\admin\AppData\Local\Temp\vpn-client-2.2.2-release.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
1016"C:\Users\admin\AppData\Local\Temp\vpn-client-2.2.2-release.exe" C:\Users\admin\AppData\Local\Temp\vpn-client-2.2.2-release.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
1932"C:\Program Files\ShrewSoft\VPN Client\ipseca.exe" -import C:\Users\admin\AppData\Local\TempC:\Program Files\ShrewSoft\VPN Client\ipseca.exevpn-client-2.2.2-release.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
1820"C:\Program Files\ShrewSoft\VPN Client\drvcfg.exe" -pre C:\Program Files\ShrewSoft\VPN Client\drivers\vfilter.infC:\Program Files\ShrewSoft\VPN Client\drvcfg.exevpn-client-2.2.2-release.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3221225547
3316DrvInst.exe "4" "20" "C:\Users\admin\AppData\Local\Temp\{4a7918f3-82b6-11bb-5ffa-bf215c703338}\vfilter.inf" "0" "62853ac57" "00000568" "WinSta0\Default" "0000055C" "208" "C:\Program Files\ShrewSoft\VPN Client\drivers"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3392"C:\Program Files\ShrewSoft\VPN Client\netcfg.exe" -add service vflt C:\Program Files\ShrewSoft\VPN Client\drivers\vfilter.infC:\Program Files\ShrewSoft\VPN Client\netcfg.exe
vpn-client-2.2.2-release.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3221225547
3096"C:\Program Files\ShrewSoft\VPN Client\drvcfg.exe" -pre C:\Program Files\ShrewSoft\VPN Client\drivers\virtualnet.infC:\Program Files\ShrewSoft\VPN Client\drvcfg.exe
vpn-client-2.2.2-release.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3221225547
1936DrvInst.exe "4" "20" "C:\Users\admin\AppData\Local\Temp\{2c6545fc-d0dd-4b29-c25e-f206e674221d}\virtualnet.inf" "0" "6df63bb27" "0000055C" "WinSta0\Default" "00000060" "208" "C:\Program Files\ShrewSoft\VPN Client\drivers"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3364"C:\Program Files\ShrewSoft\VPN Client\devcfg.exe" -add net vnet C:\Program Files\ShrewSoft\VPN Client\drivers\virtualnet.infC:\Program Files\ShrewSoft\VPN Client\devcfg.exevpn-client-2.2.2-release.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3221225547
2696DrvInst.exe "2" "211" "ROOT\VNET\0000" "C:\Windows\INF\oem5.inf" "virtualnet.inf:shrewsoft.NTx86:vnet.ndi:2.2.0.3:vnet" "641856f83" "000003C4" "000005D4" "000005D8"C:\Windows\system32\DrvInst.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 618
Read events
1 099
Write events
0
Delete events
0

Modification events

No data
Executable files
33
Suspicious files
24
Text files
169
Unknown types
31

Dropped files

PID
Process
Filename
Type
1016vpn-client-2.2.2-release.exeC:\Program Files\ShrewSoft\VPN Client\readme.txttext
MD5:1A50B68A24F23037D847684034E35CBF
SHA256:FABB2D8E94C8F72A3A0AFA085A075B6B3CBDCF30C982B7EB6960864013A79BF5
1016vpn-client-2.2.2-release.exeC:\Program Files\ShrewSoft\VPN Client\license.txttext
MD5:FAA316092E6B239C2EDC86F25D1B1034
SHA256:F7F42641B524BC55BAC1E3CF33017B7A2AC74DB7696CC9D55D883E7926AF5307
1016vpn-client-2.2.2-release.exeC:\Program Files\ShrewSoft\VPN Client\iked.exeexecutable
MD5:AE2DD98850481C8BE7C8DC46B050B191
SHA256:FB8678FCC94A8C50AC63B2CD5CB074C1F3377DD7A9AD5EBAFF5C55C1F723095E
1016vpn-client-2.2.2-release.exeC:\Users\admin\AppData\Local\Temp\nsbB13B.tmp\ioSpecial.initext
MD5:47D52BEAE7C3BCDA0758EEFA3A23A0E9
SHA256:B167A3DC06F17AAD9D5E7C0039041A27CAF524974DF74B179E15481AADF9F1DC
1016vpn-client-2.2.2-release.exeC:\Program Files\ShrewSoft\VPN Client\libidb.dllexecutable
MD5:BF3C9BC56456BABCAD3DD3FCDD4B819B
SHA256:59942F9B9630136E883140AC1D012704FAEB4E3BF12DB8CFB9B800B5748E0DCA
1016vpn-client-2.2.2-release.exeC:\Users\admin\AppData\Local\Temp\nsbB13B.tmp\InstallOptions.dllexecutable
MD5:0DC0CC7A6D9DB685BF05A7E5F3EA4781
SHA256:8E287326F1CDD5EF2DCD7A72537C68CBE4299CEB1F820707C5820F3AA6D8206C
1016vpn-client-2.2.2-release.exeC:\Program Files\ShrewSoft\VPN Client\libip.dllexecutable
MD5:662B82564CC9B3AB0ED969546083A4D0
SHA256:7BA01C35E0E52714D5D560A53719204D82FE7962F8CEAF7D3A14B1157DA34C93
1016vpn-client-2.2.2-release.exeC:\Program Files\ShrewSoft\VPN Client\ipsecc.exeexecutable
MD5:722AFF05C9A17DF743A6FAF94EFB8758
SHA256:FFF0F31CF6D195D723A2F392E51F526F6F2B942AED83FA30C3EFA625B0F5B965
1016vpn-client-2.2.2-release.exeC:\Program Files\ShrewSoft\VPN Client\Shrew Soft VPN Client Administrators Guide.chmchm
MD5:A89E400F9E90621E5C2D58BDC057EF73
SHA256:423412399CBA32499498251AE1948FFB65F3A6E453F8C74D1506FAED526AAC66
1016vpn-client-2.2.2-release.exeC:\Program Files\ShrewSoft\VPN Client\ipsect.exeexecutable
MD5:EAC4363B32DDBFDA57AC49DF96A88BE6
SHA256:1CC18284472B26EBF6F53D4FFFD9C5B24E332D0F102FEF8D4CF765CF7319566B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
11
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3028
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3340
iexplore.exe
38.97.5.129:443
update.shrew.net
Cogent Communications
US
unknown
2500
ipseca.exe
38.97.5.129:443
update.shrew.net
Cogent Communications
US
unknown
3028
iexplore.exe
38.97.5.129:443
update.shrew.net
Cogent Communications
US
unknown
3028
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3916
ipseca.exe
38.97.5.129:443
update.shrew.net
Cogent Communications
US
unknown
3340
iexplore.exe
172.217.22.72:443
ssl.google-analytics.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
update.shrew.net
  • 38.97.5.129
unknown
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.shrew.net
  • 38.97.5.129
unknown
ssl.google-analytics.com
  • 172.217.22.72
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
vpn-client-2.2.2-release.exe