| File name: | 5b7b1bd52ebe921664873a676769d6632491b25b17cb806cbafae6e179775ef8.exe |
| Full analysis: | https://app.any.run/tasks/e27f2b63-6845-45ec-a328-f946f0042a93 |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | January 08, 2025, 09:49:41 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | D8F867358748CE105526DE354E6B962B |
| SHA1: | 8EBBC32DD65CDC4AE84BDC90830292E0E279355E |
| SHA256: | 5B7B1BD52EBE921664873A676769D6632491B25B17CB806CBAFAE6E179775EF8 |
| SSDEEP: | 12288:FGa7EArE6zkcck1Zbx1w+vdjzhxpd9Mp7K7oJWZlotd3SRQmD82:F9rCaL++vdjzhxpdCp7K7rlOd3SRQmg2 |
MALICIOUS
Executing a file with an untrusted certificate
- 5b7b1bd52ebe921664873a676769d6632491b25b17cb806cbafae6e179775ef8.exe (PID: 4504)
SOLIMBA has been detected (SURICATA)
- s3342.exe (PID: 4444)
SUSPICIOUS
Reads security settings of Internet Explorer
- 5b7b1bd52ebe921664873a676769d6632491b25b17cb806cbafae6e179775ef8.exe (PID: 2212)
- s3342.exe (PID: 4444)
Executable content was dropped or overwritten
- 5b7b1bd52ebe921664873a676769d6632491b25b17cb806cbafae6e179775ef8.exe (PID: 2212)
Access to an unwanted program domain was detected
- s3342.exe (PID: 4444)
Write to the desktop.ini file (may be used to cloak folders)
- s3342.exe (PID: 4444)
INFO
Reads the computer name
- 5b7b1bd52ebe921664873a676769d6632491b25b17cb806cbafae6e179775ef8.exe (PID: 2212)
- s3342.exe (PID: 4444)
Checks supported languages
- 5b7b1bd52ebe921664873a676769d6632491b25b17cb806cbafae6e179775ef8.exe (PID: 2212)
- s3342.exe (PID: 4444)
Process checks computer location settings
- 5b7b1bd52ebe921664873a676769d6632491b25b17cb806cbafae6e179775ef8.exe (PID: 2212)
Reads the machine GUID from the registry
- s3342.exe (PID: 4444)
Create files in a temporary directory
- 5b7b1bd52ebe921664873a676769d6632491b25b17cb806cbafae6e179775ef8.exe (PID: 2212)
Reads Environment values
- s3342.exe (PID: 4444)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2014:04:22 15:36:09+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 10 |
| CodeSize: | 119808 |
| InitializedDataSize: | 386048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xef74 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 3.1.10.28 |
| ProductVersionNumber: | 3.1.9.0 |
| FileFlagsMask: | 0x0017 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| CompanyName: | appinstaller |
| FileDescription: | appinstaller |
| FileVersion: | 3.1.10.28 |
| InternalName: | appsetup.exe |
| LegalCopyright: | Copyright© 2014 |
| OriginalFileName: | appinstaller.exe |
| ProductVersion: | 3.1.9 |
Total processes
121
Monitored processes
4
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2192 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2212 | "C:\Users\admin\Desktop\5b7b1bd52ebe921664873a676769d6632491b25b17cb806cbafae6e179775ef8.exe" | C:\Users\admin\Desktop\5b7b1bd52ebe921664873a676769d6632491b25b17cb806cbafae6e179775ef8.exe | explorer.exe | ||||||||||||
User: admin Company: appinstaller Integrity Level: HIGH Description: appinstaller Exit code: 0 Version: 3.1.10.28 Modules
| |||||||||||||||
| 4444 | "C:\Users\admin\AppData\Local\Temp\n3342\s3342.exe" ins.exe /e 11827835 /u 4db81fcb-20f4-42d4-8d8b-4c1f5bc06ebe /v "C:\Users\admin\Desktop\5b7b1bd52ebe921664873a676769d6632491b25b17cb806cbafae6e179775ef8.exe" | C:\Users\admin\AppData\Local\Temp\n3342\s3342.exe | 5b7b1bd52ebe921664873a676769d6632491b25b17cb806cbafae6e179775ef8.exe | ||||||||||||
User: admin Company: InstallerApps Integrity Level: HIGH Description: AppsInst Exit code: 23 Version: 3.1.9 Modules
| |||||||||||||||
| 4504 | "C:\Users\admin\Desktop\5b7b1bd52ebe921664873a676769d6632491b25b17cb806cbafae6e179775ef8.exe" | C:\Users\admin\Desktop\5b7b1bd52ebe921664873a676769d6632491b25b17cb806cbafae6e179775ef8.exe | — | explorer.exe | |||||||||||
User: admin Company: appinstaller Integrity Level: MEDIUM Description: appinstaller Exit code: 3221226540 Version: 3.1.10.28 Modules
| |||||||||||||||
Total events
1 259
Read events
1 259
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
1
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4444 | s3342.exe | C:\Windows\assembly\Desktop.ini | binary | |
MD5:F7F759A5CD40BC52172E83486B6DE404 | SHA256:A709C2551B8818D7849D31A65446DC2F8C4CCA2DCBBC5385604286F49CFDAF1C | |||
| 2212 | 5b7b1bd52ebe921664873a676769d6632491b25b17cb806cbafae6e179775ef8.exe | C:\Users\admin\AppData\Local\Temp\n3342\s3342.exe | executable | |
MD5:AB9B11315CCAD68044ED1572B51DBE46 | SHA256:0DDBD1D8DA4F1050A3F8A3FA83427CA4E92C9B1801F72BBC9D93108E9A2D7C21 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
19
DNS requests
7
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.24:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4308 | svchost.exe | GET | 200 | 2.16.164.24:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4444 | s3342.exe | GET | 200 | 13.248.148.254:80 | http://api.socdn.com/installer/4db81fcb-20f4-42d4-8d8b-4c1f5bc06ebe/11827835/config | unknown | — | — | malicious |
4308 | svchost.exe | GET | 200 | 23.209.210.103:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4444 | s3342.exe | POST | 200 | 13.248.148.254:80 | http://api.socdn.com/installer/4db81fcb-20f4-42d4-8d8b-4c1f5bc06ebe/11827835/event | unknown | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4712 | MoUsoCoreWorker.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4308 | svchost.exe | 40.127.240.158:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4308 | svchost.exe | 2.16.164.24:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.16.164.24:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
4308 | svchost.exe | 23.209.210.103:80 | www.microsoft.com | PT. Telekomunikasi Selular | ID | whitelisted |
4308 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4444 | s3342.exe | 13.248.148.254:80 | api.socdn.com | AMAZON-02 | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
api.socdn.com |
| malicious |
self.events.data.microsoft.com |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4444 | s3342.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User-Agent (DownloadMR) |
4444 | s3342.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User-Agent (DownloadMR) |
4444 | s3342.exe | Generic Protocol Command Decode | SURICATA HTTP status 100-Continue already seen |
2 ETPRO signatures available at the full report