File name: IFSetup.exe

Full analysis: https://app.any.run/tasks/b7b7b80e-2907-4da8-a0cc-a97306f532e5
Verdict: Malicious activity
Analysis date: May 13, 2021, 17:17:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: DBF3C6AEE1B7ACED53C8BC8CB965C0C4
SHA1: 8222556CE4E8265CD14F121384E8DE0CF3B7CB0F
SHA256: 57C79A11C80BA53AB4DD7EF8F4C4EBB257DD19F009145341708E3E1E538781D5
SSDEEP: 98304:KT/CMPmCTbyWdZY2wUE8gRqJYkLLuk5URMm0G:Od9HyWdZ/wN8gR2YS9pG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • ifbuilderenvx86.exe (PID: 1764)
      • Update.exe (PID: 3448)
    • Loads dropped or rewritten executable
      • ifbuilderenvx86.exe (PID: 1764)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • IFSetup.exe (PID: 2580)
    • Creates files in the program directory
      • IFSetup.exe (PID: 2580)
    • Drops a file that was compiled in debug mode
      • IFSetup.exe (PID: 2580)
    • Creates a directory in Program Files
      • IFSetup.exe (PID: 2580)
    • Reads internet explorer settings
      • Update.exe (PID: 3448)
    • Creates a software uninstall entry
      • IFSetup.exe (PID: 2580)
    • Creates files in the user directory
      • IFSetup.exe (PID: 2580)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • IFSetup.exe (PID: 2580)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ MATRIX in the full report.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

Comments: Created with InstallForge
CompanyName: solicus
FileVersion: 1.4.2
ProductVersion: 1.4.2
ProductName: InstallForge Setup
InternalName: IFSetup
OriginalFileName: IFSetup.exe
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Unknown (0)
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x1000
UninitializedDataSize: -
InitializedDataSize: 168448
CodeSize: 658432
LinkerVersion: 2.5
PEType: PE32
TimeStamp: 2020:06:17 03:15:22+02:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 2


Process information

PID: 1764
CMD: "C:\Program Files\solicus\InstallForge\bin\ifbuilderenvx86.exe"
Path: C:\Program Files\solicus\InstallForge\bin\ifbuilderenvx86.exe
Parent process: IFSetup.exe
User: admin
Company: solicus
Integrity Level: HIGH
Description: InstallForge
Exit code: 0
Version: 1.4.2
Modules (images):
  c:\program files\solicus\installforge\bin\ifbuilderenvx86.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 2580
CMD: "C:\Users\admin\Desktop\IFSetup.exe"
Path: C:\Users\admin\Desktop\IFSetup.exe
Parent process: explorer.exe
User: admin
Company: solicus
Integrity Level: HIGH
Exit code: 0
Version: 1.4.2
Modules (images):
  c:\users\admin\desktop\ifsetup.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 3448
CMD: "..\Update.exe"
Path: C:\Program Files\solicus\InstallForge\Update.exe
Parent process: ifbuilderenvx86.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\program files\solicus\installforge\update.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 3596
CMD: "C:\Users\admin\Desktop\IFSetup.exe"
Path: C:\Users\admin\Desktop\IFSetup.exe
Parent process: explorer.exe
User: admin
Company: solicus
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.4.2
Modules (images):
  c:\users\admin\desktop\ifsetup.exe
  c:\systemroot\system32\ntdll.dll
Total events: 369
Read events: 340
Write events: 29
Delete events: 0

Modification events

All events below were written by (PID 2580) IFSetup.exe under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallForge (operation: write):

  DisplayIcon     = C:\Program Files\solicus\InstallForge\bin\ifbuilderenvx86.exe
  UninstallString = C:\Program Files\solicus\InstallForge\Uninstall.exe
  InstallDate     = 20210513
  InstallLocation = C:\Program Files\solicus\InstallForge\
  EstimatedSize   = 7028
  NoModify        = 1
  NoRepair        = 1
  DisplayName     = InstallForge
  DisplayVersion  = 1.4.2
  HelpLink        = https://installforge.net
Executable files: 8
Suspicious files: 2
Text files: 35
Unknown types: 4

Dropped files

All files below were dropped by (PID 2580) IFSetup.exe.

File: C:\Users\admin\AppData\Local\Temp\IF{B1912A43-4DF9-4122-A294-0236B3A0D045}\licence.rtf
Type: text
MD5: 23B918723DFBCF6417C73200FA9FADB1
SHA256: 90E896A1F7ADF5ABC05B85A529EC8727F2B2AA3E56C5070BA5579B80BCEFABF0

File: C:\Users\admin\AppData\Local\Temp\IF{B1912A43-4DF9-4122-A294-0236B3A0D045}\Desktop.dat
Type: text
MD5: 34519FE799729D305FA976A4C0052ACB
SHA256: 0B127A84237632D878B246A1F3E81CCF161CB34481C75514B45CA809B318CBF5

File: C:\Users\admin\AppData\Local\Temp\IF{B1912A43-4DF9-4122-A294-0236B3A0D045}\Startmenu.dat
Type: text
MD5: E0BDF877B4CD4789B4051024BB3F12E4
SHA256: 57A3834A5FE31A2B4C39AD1166E3E656964B36A7FCE5E5B43417D134EB058824

File: C:\Users\admin\AppData\Local\Temp\IF{B1912A43-4DF9-4122-A294-0236B3A0D045}\SC.dat
Type: text
MD5: 5C9A09734D20EEA04A0BF49CB0A95F6B
SHA256: 7B81759D7365233BFDA6B09FA0CAAC054094ADFC8FBDFBCE98E37380010048E1

File: C:\Program Files\solicus\InstallForge\bin\ifuninstallx86.exe
Type: executable
MD5: -
SHA256: -

File: C:\Users\admin\AppData\Local\Temp\IF{B1912A43-4DF9-4122-A294-0236B3A0D045}\setupArchive.archive
Type: compressed
MD5: -
SHA256: -

File: C:\Users\admin\AppData\Local\Temp\IF{B1912A43-4DF9-4122-A294-0236B3A0D045}\setupConfiguration.archive
Type: compressed
MD5: D0F403C39AF31A0E4C7DC1EFD317E3C6
SHA256: 3FADDC24D1A8A3E2118F193C4BF9E188E6FE229CD2258FCB460CA332C4CE1350

File: C:\Program Files\solicus\InstallForge\bin\ifsetupx86.exe
Type: executable
MD5: -
SHA256: -

File: C:\Program Files\solicus\InstallForge\bin\ifbuilderenvx86.exe
Type: executable
MD5: -
SHA256: -

File: C:\Program Files\solicus\InstallForge\bin\rcx86.exe
Type: executable
MD5: 24F40DF650B81E249D9095F6207087FE
SHA256: 1733E4B7E532C99B6A4DDECA1B9FFF7BB1C5FD0BA7DBEB5F3520B6DA03A5284F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 1
Threats: 3

HTTP requests

No HTTP requests

Connections

PID   Process              IP               Domain            ASN               CN  Reputation
1764  ifbuilderenvx86.exe  5.175.14.17:443  installforge.net  Host Europe GmbH  DE  suspicious
3448  Update.exe           5.175.14.17:443  installforge.net  Host Europe GmbH  DE  suspicious

DNS requests

Domain            IP           Reputation
installforge.net  5.175.14.17  suspicious

Threats

PID   Process              Class                    Message
1764  ifbuilderenvx86.exe  Potentially Bad Traffic  ET INFO TLS Handshake Failure
3448  Update.exe           Potentially Bad Traffic  ET INFO TLS Handshake Failure
3448  Update.exe           Potentially Bad Traffic  ET INFO TLS Handshake Failure
No debug info