File name: IFSetup.exe

Full analysis: https://app.any.run/tasks/b7b7b80e-2907-4da8-a0cc-a97306f532e5
Verdict: Malicious activity
Analysis date: May 13, 2021, 17:17:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: DBF3C6AEE1B7ACED53C8BC8CB965C0C4
SHA1: 8222556CE4E8265CD14F121384E8DE0CF3B7CB0F
SHA256: 57C79A11C80BA53AB4DD7EF8F4C4EBB257DD19F009145341708E3E1E538781D5
SSDEEP: 98304:KT/CMPmCTbyWdZY2wUE8gRqJYkLLuk5URMm0G:Od9HyWdZ/wN8gR2YS9pG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • ifbuilderenvx86.exe (PID: 1764)
    • Application was dropped or rewritten from another process
      • Update.exe (PID: 3448)
      • ifbuilderenvx86.exe (PID: 1764)
  • SUSPICIOUS
    • Creates a directory in Program Files
      • IFSetup.exe (PID: 2580)
    • Creates files in the user directory
      • IFSetup.exe (PID: 2580)
    • Executable content was dropped or overwritten
      • IFSetup.exe (PID: 2580)
    • Creates files in the program directory
      • IFSetup.exe (PID: 2580)
    • Creates a software uninstall entry
      • IFSetup.exe (PID: 2580)
    • Drops a file that was compiled in debug mode
      • IFSetup.exe (PID: 2580)
    • Reads internet explorer settings
      • Update.exe (PID: 3448)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • IFSetup.exe (PID: 2580)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (41)
.exe | Win64 Executable (generic) (36.3)
.dll | Win32 Dynamic Link Library (generic) (8.6)
.exe | Win32 Executable (generic) (5.9)
.exe | Win16/32 Executable Delphi generic (2.7)

EXIF

EXE

Comments: Created with InstallForge
CompanyName: solicus
FileVersion: 1.4.2
ProductVersion: 1.4.2
ProductName: InstallForge Setup
InternalName: IFSetup
OriginalFileName: IFSetup.exe
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Unknown (0)
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 0.0.0.0
FileVersionNumber: 0.0.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x1000
UninitializedDataSize: -
InitializedDataSize: 168448
CodeSize: 658432
LinkerVersion: 2.5
PEType: PE32
TimeStamp: 2020:06:17 03:15:22+02:00
MachineType: Intel 386 or later, and compatibles
No data.
All screenshots are available in the full report
Total processes: 45
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 2


Process information

PID: 1764
CMD: "C:\Program Files\solicus\InstallForge\bin\ifbuilderenvx86.exe"
Path: C:\Program Files\solicus\InstallForge\bin\ifbuilderenvx86.exe
Parent process: IFSetup.exe
User: admin
Company: solicus
Integrity Level: HIGH
Description: InstallForge
Exit code: 0
Version: 1.4.2
Modules (images):
  c:\program files\solicus\installforge\bin\ifbuilderenvx86.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 2580
CMD: "C:\Users\admin\Desktop\IFSetup.exe"
Path: C:\Users\admin\Desktop\IFSetup.exe
Parent process: explorer.exe
User: admin
Company: solicus
Integrity Level: HIGH
Exit code: 0
Version: 1.4.2
Modules (images):
  c:\users\admin\desktop\ifsetup.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 3448
CMD: "..\Update.exe"
Path: C:\Program Files\solicus\InstallForge\Update.exe
Parent process: ifbuilderenvx86.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Modules (images):
  c:\program files\solicus\installforge\update.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll
  c:\windows\system32\lpk.dll
  c:\windows\system32\usp10.dll

PID: 3596
CMD: "C:\Users\admin\Desktop\IFSetup.exe"
Path: C:\Users\admin\Desktop\IFSetup.exe
Parent process: explorer.exe
User: admin
Company: solicus
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.4.2
Modules (images):
  c:\users\admin\desktop\ifsetup.exe
  c:\systemroot\system32\ntdll.dll
Total events: 369
Read events: 340
Write events: 29
Delete events: 0

Modification events

All entries below were written by (PID 2580) IFSetup.exe under the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallForge (operation: write).

Name: DisplayIcon
Value: C:\Program Files\solicus\InstallForge\bin\ifbuilderenvx86.exe

Name: UninstallString
Value: C:\Program Files\solicus\InstallForge\Uninstall.exe

Name: InstallDate
Value: 20210513

Name: InstallLocation
Value: C:\Program Files\solicus\InstallForge\

Name: EstimatedSize
Value: 7028

Name: NoModify
Value: 1

Name: NoRepair
Value: 1

Name: DisplayName
Value: InstallForge

Name: DisplayVersion
Value: 1.4.2

Name: HelpLink
Value: https://installforge.net
Executable files: 8
Suspicious files: 2
Text files: 35
Unknown types: 4

Dropped files

All files below were dropped by (PID 2580) IFSetup.exe.

Filename: C:\Program Files\solicus\InstallForge\bin\ifsetupx86.exe
Type: executable
MD5:
SHA256:

Filename: C:\Program Files\solicus\InstallForge\bin\ifuninstallx86.exe
Type: executable
MD5:
SHA256:

Filename: C:\Program Files\solicus\InstallForge\bin\ifbuilderenvx86.exe
Type: executable
MD5:
SHA256:

Filename: C:\Users\admin\AppData\Local\Temp\IF{B1912A43-4DF9-4122-A294-0236B3A0D045}\licence.rtf
Type: text
MD5: 23B918723DFBCF6417C73200FA9FADB1
SHA256: 90E896A1F7ADF5ABC05B85A529EC8727F2B2AA3E56C5070BA5579B80BCEFABF0

Filename: C:\Users\admin\AppData\Local\Temp\IF{B1912A43-4DF9-4122-A294-0236B3A0D045}\SC.dat
Type: text
MD5: 5C9A09734D20EEA04A0BF49CB0A95F6B
SHA256: 7B81759D7365233BFDA6B09FA0CAAC054094ADFC8FBDFBCE98E37380010048E1

Filename: C:\Program Files\solicus\InstallForge\bin\rcx86.exe
Type: executable
MD5: 24F40DF650B81E249D9095F6207087FE
SHA256: 1733E4B7E532C99B6A4DDECA1B9FFF7BB1C5FD0BA7DBEB5F3520B6DA03A5284F

Filename: C:\Program Files\solicus\InstallForge\icons\ancient.ico
Type: image
MD5: FA7D1E5DB7C24DFC7F6121781DBF098A
SHA256: 36E6455043B57968221BBF5FFD6681CC173F0A531BEF9721337C3A8C1AD70591

Filename: C:\Program Files\solicus\InstallForge\Uninstall.exe
Type: executable
MD5: C26206A554C98417B65DA2CAEE82CB4A
SHA256: D1C9251B57C59EA0469FA0CAD832C5591EAAFFE1A4EC4BF9F1785B3C73E44ECD

Filename: C:\Program Files\solicus\InstallForge\icons\modern.ico
Type: image
MD5: FA63A0160B9FF05DC70CFBCA82B465B6
SHA256: D3A14188ECCD7761CD20CE86237F481A4BCDDFFCD460871BD7B4504F6162D9DA

Filename: C:\Program Files\solicus\InstallForge\images\Header_2.bmp
Type: image
MD5: D194F28D606F27C8F9AA225122CA2BB8
SHA256: A7E560D419E85DAF80CCE980BAA124EF7C73197D0F51A59A19F1866EE8EDFE8C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 6
DNS requests: 1
Threats: 3

HTTP requests

No HTTP requests

Connections

PID  | Process             | IP               | Domain           | ASN              | CN | Reputation
1764 | ifbuilderenvx86.exe | 5.175.14.17:443  | installforge.net | Host Europe GmbH | DE | suspicious
3448 | Update.exe          | 5.175.14.17:443  | installforge.net | Host Europe GmbH | DE | suspicious

DNS requests

Domain           | IP          | Reputation
installforge.net | 5.175.14.17 | suspicious

Threats

PID  | Process             | Class                   | Message
1764 | ifbuilderenvx86.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
3448 | Update.exe          | Potentially Bad Traffic | ET INFO TLS Handshake Failure
3448 | Update.exe          | Potentially Bad Traffic | ET INFO TLS Handshake Failure
No debug info