File name: IFSetup.exe

Full analysis: https://app.any.run/tasks/b7b7b80e-2907-4da8-a0cc-a97306f532e5
Verdict: Malicious activity
Analysis date: May 13, 2021, 17:17:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: DBF3C6AEE1B7ACED53C8BC8CB965C0C4
SHA1: 8222556CE4E8265CD14F121384E8DE0CF3B7CB0F
SHA256: 57C79A11C80BA53AB4DD7EF8F4C4EBB257DD19F009145341708E3E1E538781D5
SSDEEP: 98304:KT/CMPmCTbyWdZY2wUE8gRqJYkLLuk5URMm0G:Od9HyWdZ/wN8gR2YS9pG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • ifbuilderenvx86.exe (PID: 1764)
      • Update.exe (PID: 3448)
    • Loads dropped or rewritten executable
      • ifbuilderenvx86.exe (PID: 1764)
  • SUSPICIOUS
    • Creates a directory in Program Files
      • IFSetup.exe (PID: 2580)
    • Drops a file that was compiled in debug mode
      • IFSetup.exe (PID: 2580)
    • Creates a software uninstall entry
      • IFSetup.exe (PID: 2580)
    • Creates files in the program directory
      • IFSetup.exe (PID: 2580)
    • Executable content was dropped or overwritten
      • IFSetup.exe (PID: 2580)
    • Creates files in the user directory
      • IFSetup.exe (PID: 2580)
    • Reads internet explorer settings
      • Update.exe (PID: 3448)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • IFSetup.exe (PID: 2580)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

Comments: Created with InstallForge
CompanyName: solicus
FileVersion: 1.4.2
ProductVersion: 1.4.2
ProductName: InstallForge Setup
InternalName: IFSetup
OriginalFileName: IFSetup.exe
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Unknown (0)
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x1000
UninitializedDataSize: -
InitializedDataSize: 168448
CodeSize: 658432
LinkerVersion: 2.5
PEType: PE32
TimeStamp: 2020:06:17 03:15:22+02:00
MachineType: Intel 386 or later, and compatibles
No data.
Total processes: 45
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 2

Behavior graph

(Rendered graph available in the full report.) IFSetup.exe (PID 2580) drops and starts ifbuilderenvx86.exe (PID 1764), which starts Update.exe (PID 3448); a second IFSetup.exe instance (PID 3596) was observed with no specs.

Process information

PID 1764 | ifbuilderenvx86.exe
  CMD: "C:\Program Files\solicus\InstallForge\bin\ifbuilderenvx86.exe"
  Path: C:\Program Files\solicus\InstallForge\bin\ifbuilderenvx86.exe
  Parent process: IFSetup.exe
  User: admin
  Company: solicus
  Integrity Level: HIGH
  Description: InstallForge
  Exit code: 0
  Version: 1.4.2
  Modules (images):
    c:\program files\solicus\installforge\bin\ifbuilderenvx86.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll

PID 2580 | IFSetup.exe
  CMD: "C:\Users\admin\Desktop\IFSetup.exe"
  Path: C:\Users\admin\Desktop\IFSetup.exe
  Parent process: explorer.exe
  User: admin
  Company: solicus
  Integrity Level: HIGH
  Exit code: 0
  Version: 1.4.2
  Modules (images):
    c:\users\admin\desktop\ifsetup.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll

PID 3448 | Update.exe
  CMD: "..\Update.exe"
  Path: C:\Program Files\solicus\InstallForge\Update.exe
  Parent process: ifbuilderenvx86.exe
  User: admin
  Integrity Level: HIGH
  Exit code: 0
  Modules (images):
    c:\program files\solicus\installforge\update.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
    c:\windows\system32\lpk.dll
    c:\windows\system32\usp10.dll

PID 3596 | IFSetup.exe
  CMD: "C:\Users\admin\Desktop\IFSetup.exe"
  Path: C:\Users\admin\Desktop\IFSetup.exe
  Parent process: explorer.exe
  User: admin
  Company: solicus
  Integrity Level: MEDIUM
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 1.4.2
  Modules (images):
    c:\users\admin\desktop\ifsetup.exe
    c:\systemroot\system32\ntdll.dll

Total events: 369
Read events: 340
Write events: 29
Delete events: 0

Modification events

All entries below are write operations by PID 2580 (IFSetup.exe) on the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallForge.

Name | Value
DisplayIcon | C:\Program Files\solicus\InstallForge\bin\ifbuilderenvx86.exe
UninstallString | C:\Program Files\solicus\InstallForge\Uninstall.exe
InstallDate | 20210513
InstallLocation | C:\Program Files\solicus\InstallForge\
EstimatedSize | 7028
NoModify | 1
NoRepair | 1
DisplayName | InstallForge
DisplayVersion | 1.4.2
HelpLink | https://installforge.net

Executable files: 8
Suspicious files: 2
Text files: 35
Unknown types: 4

Dropped files

All files below were dropped by PID 2580 (IFSetup.exe).

Filename | Type | MD5 | SHA256
C:\Users\admin\AppData\Local\Temp\IF{B1912A43-4DF9-4122-A294-0236B3A0D045}\setupConfiguration.archive | compressed | D0F403C39AF31A0E4C7DC1EFD317E3C6 | 3FADDC24D1A8A3E2118F193C4BF9E188E6FE229CD2258FCB460CA332C4CE1350
C:\Program Files\solicus\InstallForge\bin\ifuninstallx86.exe | executable | - | -
C:\Program Files\solicus\InstallForge\bin\ifsetupx86.exe | executable | - | -
C:\Users\admin\AppData\Local\Temp\IF{B1912A43-4DF9-4122-A294-0236B3A0D045}\setupArchive.archive | compressed | - | -
C:\Program Files\solicus\InstallForge\bin\ifbuilderenvx86.exe | executable | - | -
C:\Users\admin\AppData\Local\Temp\IF{B1912A43-4DF9-4122-A294-0236B3A0D045}\Desktop.dat | text | 34519FE799729D305FA976A4C0052ACB | 0B127A84237632D878B246A1F3E81CCF161CB34481C75514B45CA809B318CBF5
C:\Program Files\solicus\InstallForge\Uninstall.exe | executable | C26206A554C98417B65DA2CAEE82CB4A | D1C9251B57C59EA0469FA0CAD832C5591EAAFFE1A4EC4BF9F1785B3C73E44ECD
C:\Program Files\solicus\InstallForge\bin\rcx86.exe | executable | 24F40DF650B81E249D9095F6207087FE | 1733E4B7E532C99B6A4DDECA1B9FFF7BB1C5FD0BA7DBEB5F3520B6DA03A5284F
C:\Program Files\solicus\InstallForge\icons\ancient.ico | image | FA7D1E5DB7C24DFC7F6121781DBF098A | 36E6455043B57968221BBF5FFD6681CC173F0A531BEF9721337C3A8C1AD70591
C:\Program Files\solicus\InstallForge\bin\vuebuildx86.dll | executable | 932660029900BA24BE4D59FDB4F52FFE | F92DEE3502554599CFBB8E351D2A3CADC2D64AB2B78790ABEB3A083BAA2E022D

HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 1
Threats: 3

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3448 | Update.exe | 5.175.14.17:443 | installforge.net | Host Europe GmbH | DE | suspicious
1764 | ifbuilderenvx86.exe | 5.175.14.17:443 | installforge.net | Host Europe GmbH | DE | suspicious

DNS requests

Domain | IP | Reputation
installforge.net | 5.175.14.17 | suspicious

Threats

PID | Process | Class | Message
1764 | ifbuilderenvx86.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
3448 | Update.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
3448 | Update.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
No debug info