File name: rp505enu.exe

Full analysis: https://app.any.run/tasks/b1d3267d-f711-47a1-a024-36534a4394b2
Verdict: Malicious activity
Analysis date: June 05, 2024, 06:48:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
MD5: 2700A631F3B171F58C054A59E4486286
SHA1: 0B08E16C5F47EC08E3A6A56A86132AF40CD9A69B
SHA256: 5DBD36C7D933B4B709319CA6434143612CF03A7D56CAA7DC23EBC6901E8027BD
SSDEEP: 98304:pCois7lzI8IanypO+VWvnYLmfkE2oM33JMs8j7WE4vTr2l3P0p+33zWndLL2b0uy:WamqKenewifDSwBrtccPuu

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been distorted by user actions and is provided as is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • Setup.exe (PID: 1200)
      • _INS5576._MP (PID: 928)
      • rp505enu.exe (PID: 4084)
  • SUSPICIOUS

    • Process drops legitimate windows executable

      • rp505enu.exe (PID: 4084)
      • _INS5576._MP (PID: 928)
    • Executable content was dropped or overwritten

      • Setup.exe (PID: 1200)
      • rp505enu.exe (PID: 4084)
      • _INS5576._MP (PID: 928)
    • Starts application with an unusual extension

      • Setup.exe (PID: 1200)
    • Creates a file in the system drive root

      • _ISDel.exe (PID: 1120)
  • INFO

    • Checks supported languages

      • rp505enu.exe (PID: 4084)
      • Setup.exe (PID: 1200)
      • _INS5576._MP (PID: 928)
      • _ISDel.exe (PID: 1120)
    • Creates files in a temporary directory

      • rp505enu.exe (PID: 4084)
      • Setup.exe (PID: 1200)
      • _INS5576._MP (PID: 928)
    • Reads the computer name

      • Setup.exe (PID: 1200)
      • _INS5576._MP (PID: 928)
      • _ISDel.exe (PID: 1120)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ 4.x (53)
.exe | InstallShield setup (16.9)
.exe | Win32 Executable MS Visual C++ (generic) (12.2)
.exe | Win64 Executable (generic) (10.8)
.dll | Win32 Dynamic Link Library (generic) (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1998:03:26 14:31:20+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 5
CodeSize: 69120
InitializedDataSize: 75776
UninitializedDataSize: -
EntryPoint: 0xc110
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2.1.5.0
ProductVersionNumber: 2.1.5.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: InstallShield Software Corporation
FileDescription: PackageForTheWeb Stub
FileVersion: 2.02.001
InternalName: STUB.EXE
LegalCopyright: Copyright © 1996 InstallShield Software Corporation
OriginalFileName: STUB32.EXE
ProductName: PackageForTheWeb Stub
ProductVersion: 2.02.001
All screenshots are available in the full report
Total processes: 39
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0


Process information

PID | CMD | Path | Parent process

928 | C:\Users\admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP | C:\Users\admin\AppData\Local\Temp\_ISTMP1.DIR\_INS5576._MP | Setup.exe
User: admin
Company: InstallShield Software Corporation
Integrity Level: HIGH
Description: InstallShield Engine
Version: 5, 53, 168, 0
Modules (images):
c:\users\admin\appdata\local\temp\_istmp1.dir\_ins5576._mp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winspool.drv

1120 | C:\Users\admin\AppData\Local\Temp\pft4940~tmp\_ISDEL.EXE | C:\Users\admin\AppData\Local\Temp\pft4940~tmp\_ISDel.exe | Setup.exe
User: admin
Company: InstallShield Software Corporation
Integrity Level: HIGH
Description: 32-bit InstallShield Deleter.
Version: 5, 51, 138, 0
Modules (images):
c:\users\admin\appdata\local\temp\pft4940~tmp\_isdel.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\apphelp.dll

1200 | "C:\Users\admin\AppData\Local\Temp\pft4940~tmp\Setup.exe" /SMS | C:\Users\admin\AppData\Local\Temp\pft4940~tmp\Setup.exe | rp505enu.exe
User: admin
Company: InstallShield Software Corporation
Integrity Level: HIGH
Description: 32-bit Setup Launcher
Version: 5, 52, 164, 0
Modules (images):
c:\users\admin\appdata\local\temp\pft4940~tmp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

3972 | "C:\Users\admin\AppData\Local\Temp\rp505enu.exe" | C:\Users\admin\AppData\Local\Temp\rp505enu.exe | explorer.exe
User: admin
Company: InstallShield Software Corporation
Integrity Level: MEDIUM
Description: PackageForTheWeb Stub
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
Version: 2.02.001
Modules (images):
c:\users\admin\appdata\local\temp\rp505enu.exe
c:\windows\system32\ntdll.dll

4084 | "C:\Users\admin\AppData\Local\Temp\rp505enu.exe" | C:\Users\admin\AppData\Local\Temp\rp505enu.exe | explorer.exe
User: admin
Company: InstallShield Software Corporation
Integrity Level: HIGH
Description: PackageForTheWeb Stub
Version: 2.02.001
Modules (images):
c:\users\admin\appdata\local\temp\rp505enu.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.18837_none_ec86b8d6858ec0bc\comctl32.dll
Total events: 547
Read events: 547
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 47
Suspicious files: 45
Text files: 37
Unknown types: 27

Dropped files

PID | Process | Filename | Type

4084 | rp505enu.exe | C:\Users\admin\AppData\Local\Temp\pft4940~tmp\pftw1.pkg | -
MD5: -
SHA256: -
4084 | rp505enu.exe | C:\Users\admin\AppData\Local\Temp\pft4940~tmp\Abcpy.ini | binary
MD5: 9EC7E0AAC1B0D2068BCCCACC2AC38988
SHA256: A39624BB8B63F2225ECFA69D1A1D812F309091992BD6788CB7EC47C2EC7F5914
4084 | rp505enu.exe | C:\Users\admin\AppData\Local\Temp\pft4940~tmp\data1.hdr | compressed
MD5: 4C72D37DBD7775A314B09FDE75882E41
SHA256: 73A426A571CF376CA4C2F3FBC14D8E6B5E08C06CB5D3F7D92C85946A54BC1180
4084 | rp505enu.exe | C:\Users\admin\AppData\Local\Temp\pft4940~tmp\Reader\AcroRd32.exe | executable
MD5: 358F5F9AAA7B576BB4FE74CE6E61323C
SHA256: B82B4D804AF61EC91A9AA3C10E09D642A98E4D21739C1F8E0674D2FEF5A355E9
4084 | rp505enu.exe | C:\Users\admin\AppData\Local\Temp\pft4940~tmp\Reader\ActiveX\AcroIEHelper.ocx | executable
MD5: 8394ABFC1BE196A62C9F532511936DF7
SHA256: 0D62346FA85DFC3E9FAF91B5DC4BB75E78B9F753C144289D75546473A253BBEF
4084 | rp505enu.exe | C:\Users\admin\AppData\Local\Temp\pft4940~tmp\Reader\AceLite.dll | executable
MD5: E955393B00B23627B891F0999246ED6C
SHA256: 9EDF9D7077C6C8E5CB363A54AB1948E9EB732D7B053455DBCBCA47DF62915CA0
4084 | rp505enu.exe | C:\Users\admin\AppData\Local\Temp\pft4940~tmp\Reader\Agm.dll | executable
MD5: 2C67B8706F1583888B7396AD7BD8C81E
SHA256: E817F7825257DB6FE33CCD5A1795A26893DD892CEE58B9415D4212C896587946
4084 | rp505enu.exe | C:\Users\admin\AppData\Local\Temp\pft4940~tmp\Reader\Browser\nppdf32.dll | executable
MD5: 4687B6F8CF5F62DDCF21916114142FF7
SHA256: BAE68B5DFDE31A5AC46CCAB0B1A4DAB6F9D3096656D9E74CD8B5E391A2683D53
4084 | rp505enu.exe | C:\Users\admin\AppData\Local\Temp\pft4940~tmp\Reader\ActiveX\pdf.ocx | executable
MD5: 1E03BADC86A8E6AF44C47FF6EB0762D4
SHA256: 40B42A6BE4FA5EF82AD5A01400871CC572F6CB8191062FEB13CED1BDAACD4AB0
4084 | rp505enu.exe | C:\Users\admin\AppData\Local\Temp\pft4940~tmp\Help\ENU\Reader.pdf | pdf
MD5: 7C1E26BC1B70F710A87B7CE9F7F19570
SHA256: 5B3297DD6FA74969C28A5D17DEB37D4BA4A90C92FB0853A530F0440D8DB30308
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 3
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | unknown
- | - | 224.0.0.252:5355 | - | - | - | unknown

These are NetBIOS name-service broadcasts (UDP 137/138) and an LLMNR multicast (UDP 5355) attributed to the System process (PID 4), i.e. background Windows name resolution on the sandbox network rather than traffic initiated by the sample.

DNS requests

No data

Threats

No threats detected
No debug info