analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

nitro_pro13.exe

Full analysis: https://app.any.run/tasks/281dc34d-3d8b-4f05-bbdd-850db1597eea
Verdict: Malicious activity
Analysis date: November 08, 2019, 14:36:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

207551B3EBED394DA674015D5C6CA7CB

SHA1:

32E823B21DD427F2D4959DFC3812B6AD932A225F

SHA256:

589FA256E266B56909E9190E01F1587C752BCC5E4BF248C68508AE930C203CEB

SSDEEP:

24576:tu/OfDlEUKWflmTP3vrqojIA3/3QQ6H+WtoKidt/2a+a/rXlqTl+SfRk:9fU4UjXIA3/gQTCoK4t/MYjSpk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • nitro_pro13.exe (PID: 2752)

    • Changes the autorun value in the registry

      • nitro_pro13.exe (PID: 3672)

  • SUSPICIOUS

    • Starts itself from another location

      • nitro_pro13.exe (PID: 2468)
      • nitro_pro13.exe (PID: 2752)

    • Executable content was dropped or overwritten

      • nitro_pro13.exe (PID: 2468)
      • nitro_pro13.exe (PID: 2752)
      • nitro_pro13.exe (PID: 3672)

    • Reads Internet Cache Settings

      • nitro_pro13.exe (PID: 2752)

    • Executed as Windows Service

      • vssvc.exe (PID: 1880)

    • Searches for installed software

      • nitro_pro13.exe (PID: 3672)

    • Creates files in the program directory

      • nitro_pro13.exe (PID: 3672)

    • Reads Environment values

      • nitro_pro13.exe (PID: 2752)

    • Creates files in the user directory

      • nitro_pro13.exe (PID: 2752)

    • Creates a software uninstall entry

      • nitro_pro13.exe (PID: 3672)

  • INFO

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 1880)

    • Reads settings of System Certificates

      • nitro_pro13.exe (PID: 2752)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

ProductVersion: 13.2.6.26
ProductName: Nitro Pro
OriginalFileName: nitro_pro13.exe
LegalCopyright: Copyright (c) Nitro. All rights reserved.
InternalName: setup
FileVersion: 13.2.6.26
FileDescription: Nitro Pro
CompanyName: Nitro
CharacterSet: Windows, Latin1
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 13.2.6.26
FileVersionNumber: 13.2.6.26
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x2e2a6
UninitializedDataSize: -
InitializedDataSize: 446464
CodeSize: 301568
LinkerVersion: 14.11
PEType: PE32
TimeStamp: 2017:11:18 23:00:38+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 18-Nov-2017 22:00:38
Detected languages:
  • English - United States
Debug artifacts:
  • C:\agent\_work\8\s\build\ship\x86\burn.pdb
CompanyName: Nitro
FileDescription: Nitro Pro
FileVersion: 13.2.6.26
InternalName: setup
LegalCopyright: Copyright (c) Nitro. All rights reserved.
OriginalFilename: nitro_pro13.exe
ProductName: Nitro Pro
ProductVersion: 13.2.6.26

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000110

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 18-Nov-2017 22:00:38
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_NET_RUN_FROM_SWAP
  • IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00049937
0x00049A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.57001
.rdata
0x0004B000
0x0001ED60
0x0001EE00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.11423
.data
0x0006A000
0x00001730
0x00000A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.15266
.wixburn8
0x0006C000
0x00000038
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0.516682
.rsrc
0x0006D000
0x000496D0
0x00049800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
2.50279
.reloc
0x000B7000
0x00003DFC
0x00003E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.79434

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.30829
1234
Latin 1 / Western European
English - United States
RT_MANIFEST
2
2.61885
9640
Latin 1 / Western European
English - United States
RT_ICON
3
2.85059
4264
Latin 1 / Western European
English - United States
RT_ICON
4
3.10905
2440
Latin 1 / Western European
English - United States
RT_ICON
5
3.49329
1128
Latin 1 / Western European
English - United States
RT_ICON

Imports

ADVAPI32.dll
Cabinet.dll (delay-loaded)
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
RPCRT4.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start nitro_pro13.exe nitro_pro13.exe nitro_pro13.exe vssvc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2468"C:\Users\admin\AppData\Local\Temp\nitro_pro13.exe" C:\Users\admin\AppData\Local\Temp\nitro_pro13.exe
explorer.exe
User:
admin
Company:
Nitro
Integrity Level:
MEDIUM
Description:
Nitro Pro
Version:
13.2.6.26
2752"C:\Users\admin\AppData\Local\Temp\{A3A27C6E-D55D-48A6-A45D-ECD3DB5D9622}\.cr\nitro_pro13.exe" -burn.clean.room="C:\Users\admin\AppData\Local\Temp\nitro_pro13.exe" -burn.filehandle.attached=148 -burn.filehandle.self=156 C:\Users\admin\AppData\Local\Temp\{A3A27C6E-D55D-48A6-A45D-ECD3DB5D9622}\.cr\nitro_pro13.exe
nitro_pro13.exe
User:
admin
Company:
Nitro
Integrity Level:
MEDIUM
Description:
Nitro Pro
Version:
13.2.6.26
3672"C:\Users\admin\AppData\Local\Temp\{4224D00F-07FB-41E5-A968-E0F4032C2B46}\.be\nitro_pro13.exe" -q -burn.elevated BurnPipe.{544A9123-4DF4-4245-9543-1A7FCEC2DF33} {CF7B019C-F7C0-4312-91A6-9F27DA8BB626} 2752C:\Users\admin\AppData\Local\Temp\{4224D00F-07FB-41E5-A968-E0F4032C2B46}\.be\nitro_pro13.exe
nitro_pro13.exe
User:
admin
Company:
Nitro
Integrity Level:
HIGH
Description:
Nitro Pro
Version:
13.2.6.26
1880C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
717
Read events
522
Write events
0
Delete events
0

Modification events

No data
Executable files
11
Suspicious files
2
Text files
43
Unknown types
1

Dropped files

PID
Process
Filename
Type
2468nitro_pro13.exeC:\Users\admin\AppData\Local\Temp\{A3A27C6E-D55D-48A6-A45D-ECD3DB5D9622}\.cr\nitro_pro13.exeexecutable
MD5:207551B3EBED394DA674015D5C6CA7CB
SHA256:589FA256E266B56909E9190E01F1587C752BCC5E4BF248C68508AE930C203CEB
2752nitro_pro13.exeC:\Users\admin\AppData\Local\Temp\{4224D00F-07FB-41E5-A968-E0F4032C2B46}\.ba\PageTransitions.dllexecutable
MD5:0E6BD8E478BF1A073EF4180F119CB406
SHA256:9F49A4ACCD3B8A4C33A358C0D343D69B392CA882D0D63EAD16800FF8801C9C02
2752nitro_pro13.exeC:\Users\admin\AppData\Local\Temp\{4224D00F-07FB-41E5-A968-E0F4032C2B46}\.ba\metrics.dllexecutable
MD5:5B29644206804CD159B0A5A4BC3A84FE
SHA256:4B3B684AA51AB1690EFF2A2CB682AF5F3BDFAAA07C8576EFB5ABCB96800456B8
2752nitro_pro13.exeC:\Users\admin\AppData\Local\Temp\{4224D00F-07FB-41E5-A968-E0F4032C2B46}\.ba\StringResources.es-ES.xamltext
MD5:431ACFBBA56F4880C31F72534E36A83F
SHA256:6F58041ABED6243E7A49EBF92179BB98CEF0AE91E0DA463AD2966D09DC1D89CD
2752nitro_pro13.exeC:\Users\admin\AppData\Local\Temp\{4224D00F-07FB-41E5-A968-E0F4032C2B46}\.ba\GalaSoft.MvvmLight.WPF4.dllexecutable
MD5:1E40431B501D55FE8BA59CABB3CE5C17
SHA256:92EF1BDF8C8140E34E5AE1EB8D9B7AFBA9921E5ADA6317C6CDD0DA2712F7E000
2752nitro_pro13.exeC:\Users\admin\AppData\Local\Temp\{4224D00F-07FB-41E5-A968-E0F4032C2B46}\.ba\NitroBA.dllexecutable
MD5:792943E5C492C701C3E8F270F666A9D6
SHA256:7D41BA483789918168CEBBEA714F84CAE24396A4E2685AF12158167E99725099
2752nitro_pro13.exeC:\Users\admin\AppData\Local\Temp\{4224D00F-07FB-41E5-A968-E0F4032C2B46}\.ba\StringResources.de-DE.xamltext
MD5:FA4511A5B86E4BA8F1776F991BE152EF
SHA256:FAD8A4E495F2E216572B10F0A49173DADE9EE7B809C6B4310ED0C1999FCD688C
2752nitro_pro13.exeC:\Users\admin\AppData\Local\Temp\{4224D00F-07FB-41E5-A968-E0F4032C2B46}\.ba\StringResources.en-US.xamltext
MD5:0B9008FD40AD4CF9C0CE2C9ABB2EA019
SHA256:8109E209CE216BA7BC4849E9BE888080D85F17B92DF5527076816E597B2E16AB
2752nitro_pro13.exeC:\Users\admin\AppData\Local\Temp\{4224D00F-07FB-41E5-A968-E0F4032C2B46}\.ba\StringResources.it-IT.xamltext
MD5:3165E6B9A6FFF2F6707B3830387DAB62
SHA256:885BABC1379D498F00AD132F3301529AFBB09441E168CAF081FC018B78F61FA1
2752nitro_pro13.exeC:\Users\admin\AppData\Local\Temp\{4224D00F-07FB-41E5-A968-E0F4032C2B46}\.ba\StringResources.fr-FR.xamltext
MD5:406D8333066168D1CC801F3CE8BF8BCB
SHA256:AB3A361E974E38A3F0C7FCF6133F8C8748F4264E2F2E9D94DC97D0EE8C75917C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
5
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2752
nitro_pro13.exe
HEAD
200
104.16.194.72:80
http://install.nitropdf.com/professional_132626/en/retail/nitro_pro13_ba_x86.msi
US
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2752
nitro_pro13.exe
216.58.207.36:80
www.google.com
Google Inc.
US
whitelisted
2752
nitro_pro13.exe
104.16.158.102:443
desktop.gonitro.com
Cloudflare Inc
US
shared
2752
nitro_pro13.exe
104.16.194.72:80
install.nitropdf.com
Cloudflare Inc
US
shared
2752
nitro_pro13.exe
104.16.119.102:443
desktop.gonitro.com
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
desktop.gonitro.com
  • 104.16.119.102
  • 104.16.158.102
unknown
dns.msftncsi.com
  • 131.107.255.255
shared
www.google.com
  • 216.58.207.36
whitelisted
install.nitropdf.com
  • 104.16.194.72
  • 104.16.195.72
suspicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
nitro_pro13.exe