File name: setup.exe

Full analysis: https://app.any.run/tasks/aa1f00bb-7f99-463e-a794-de2b713c57f0
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on the family, their capabilities range from full remote control of the victim's machine to stealing data and files and dropping other malware, so the core functionality of a given trojan depends heavily on which family it belongs to. The most common trojan infection chain starts with a phishing email.

Analysis date: February 11, 2019, 07:07:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: 4859D36F77E8F96315CB39EA8DB9C1C5
SHA1: 0B49F5D07466C0EAC01183F4CDB75356ADB3628C
SHA256: 62AD23CC12659476EE5DFA3D529E783D9914FAC8755720E536A01A466CC3F259
SSDEEP: 6144:A9ZLImmuU2s8KoGgvhLLanqcU3qcDS5JfvEm2dZRUbXiva1KB4oLti:A9ZcmtW8KohLLO8qwS5UNUbXiv0c

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been influenced by the analyst's actions during the session and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • flash_update.exe (PID: 3264)
    • Loads dropped or rewritten executable
      • flash_update.exe (PID: 3264)
      • explorer.exe (PID: 2308)
    • Loads the Task Scheduler COM API
      • explorer.exe (PID: 2308)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • setup.exe (PID: 908)
      • flash_update.exe (PID: 3264)
    • Creates files in the program directory
      • setup.exe (PID: 908)
      • explorer.exe (PID: 2308)
    • Starts CMD.EXE for commands execution
      • setup.exe (PID: 908)
    • Creates files in the Windows directory
      • flash_update.exe (PID: 3264)
    • Searches for installed software
      • explorer.exe (PID: 2308)
    • Reads Internet Cache Settings
      • explorer.exe (PID: 2308)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (39.3)
.exe | Win32 EXE Yoda's Crypter (38.6)
.dll | Win32 Dynamic Link Library (generic) (9.5)
.exe | Win32 Executable (generic) (6.5)
.exe | Generic Win/DOS Executable (2.9)

EXIF

EXE

SpecialBuild: -
ProductVersion: 3, 1, 3, 0
ProductName: Microsoft Windows Operating System
PrivateBuild: -
OriginalFileName: -
LegalTrademarks: -
LegalCopyright: Copyright (C) Microsoft Corp. 1981-2009
InternalName: -
FileVersion: 3, 1, 3, 0
FileDescription: Mircosoft Application Program
CompanyName: -
Comments: -
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 3.1.3.0
FileVersionNumber: 3.1.3.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0xbb7c0
UninitializedDataSize: 442368
InitializedDataSize: 4096
CodeSize: 323584
LinkerVersion: 6
PEType: PE32
TimeStamp: 2018:11:10 07:05:19+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 10-Nov-2018 06:05:19
Detected languages:
  • Chinese - PRC
  • English - United States
Comments: -
CompanyName: -
FileDescription: Mircosoft Application Program
FileVersion: 3, 1, 3, 0
InternalName: -
LegalCopyright: Copyright (C) Microsoft Corp. 1981-2009
LegalTrademarks: -
OriginalFilename: -
PrivateBuild: -
ProductName: Microsoft Windows Operating System
ProductVersion: 3, 1, 3, 0
SpecialBuild: -

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000E8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 10-Nov-2018 06:05:19
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name   Virtual Address  Virtual Size  Raw Size    Characteristics                                                                                   Entropy
UPX0   0x00001000       0x0006C000    0x00000000  IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE  0
UPX1   0x0006D000       0x0004F000    0x0004EA00  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE    7.95578
.rsrc  0x000BC000       0x00001000    0x00000A00  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE                           3.76713
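The section table above is the textbook UPX layout: UPX0 claims 0x6C000 bytes of address space but zero bytes on disk and is mapped read/write/execute (the unpacking destination), UPX1 holds the compressed payload at entropy 7.96, and the entry point (0xbb7c0) sits near the end of UPX1, where the UPX stub lives. The following Python script is an added example, not ANY.RUN's code: it parses the DOS header, COFF header and section table by hand with struct, computes per-section Shannon entropy, and applies exactly those three heuristics. build_sample() constructs a synthetic PE32 image in memory with the report's three-section layout; its bytes are generated here, not taken from the sample, and the entropy threshold is this script's assumption.

```python
"""Parse a PE section table and apply packer heuristics (UPX layout, entropy).

Added example, not ANY.RUN code. build_sample() constructs a synthetic PE image
in memory that mirrors the report's section layout (UPX0 / UPX1 / .rsrc); the
section contents are generated here, not taken from the sample.
"""
import math
import random
import struct

# IMAGE_SCN_* section flags from winnt.h
SCN_CNT_INITIALIZED_DATA = 0x00000040
SCN_CNT_UNINITIALIZED_DATA = 0x00000080
SCN_MEM_EXECUTE = 0x20000000
SCN_MEM_READ = 0x40000000
SCN_MEM_WRITE = 0x80000000

COFF_HEADER = struct.Struct("<HHIIIHH")      # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty input."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(image: bytes) -> list:
    """DOS header -> e_lfanew -> PE signature -> COFF header -> section headers."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = COFF_HEADER.unpack_from(image, coff_off)
    table = coff_off + COFF_HEADER.size + opt_size  # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, chars = SECTION_HDR.unpack_from(image, table + i * SECTION_HDR.size)
        raw = image[rawptr:rawptr + rawsize] if rawsize else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize,
            "chars": chars, "entropy": round(entropy(raw), 3),
        })
    return sections


def packer_indicators(sections: list, high_entropy: float = 7.0) -> list:
    """Heuristics that together point at a runtime packer (threshold is an assumption)."""
    hits = []
    for s in sections:
        rwx = s["chars"] & SCN_MEM_EXECUTE and s["chars"] & SCN_MEM_WRITE
        if s["name"].upper().startswith("UPX"):
            hits.append(f"{s['name']}: UPX section name")
        if s["rawsize"] == 0 and s["vsize"] > 0 and rwx:
            # Nothing on disk, but a large RWX region in memory: the unpack destination.
            hits.append(f"{s['name']}: zero raw size but {s['vsize']:#x} bytes RWX in memory")
        if s["entropy"] > high_entropy and s["chars"] & SCN_MEM_EXECUTE:
            # Executable section full of near-random bytes: compressed or encrypted code.
            hits.append(f"{s['name']}: executable section entropy {s['entropy']} > {high_entropy}")
    return hits


def build_sample(seed: int = 1) -> bytes:
    """Synthetic PE32 with the report's three-section UPX layout (constructed data)."""
    rng = random.Random(seed)
    upx1 = bytes(rng.getrandbits(8) for _ in range(0x2000))                     # compressed-looking payload
    rsrc = (b"V\0S\0_\0V\0E\0R\0S\0I\0O\0N\0_\0I\0N\0F\0O\0" * 20)[:0x200]     # low-entropy resource data
    hdr_len = (0x40 + 4 + COFF_HEADER.size + 0xE0 + 3 * SECTION_HDR.size + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                                      # e_lfanew
    coff = COFF_HEADER.pack(0x14C, 3, 0, 0, 0, 0xE0, 0x0102)                     # I386, 3 sections, EXECUTABLE|32BIT
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                        # PE32 magic
    rwx = SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    secs = [
        (b"UPX0", 0x6C000, 0x1000, 0, 0, SCN_CNT_UNINITIALIZED_DATA | rwx),
        (b"UPX1", len(upx1), 0x6D000, len(upx1), hdr_len, SCN_CNT_INITIALIZED_DATA | rwx),
        (b".rsrc", 0x1000, 0x6F000, len(rsrc), hdr_len + len(upx1), SCN_CNT_INITIALIZED_DATA | SCN_MEM_READ | SCN_MEM_WRITE),
    ]
    table = b"".join(SECTION_HDR.pack(n, vs, va, rs, rp, 0, 0, 0, 0, ch) for n, vs, va, rs, rp, ch in secs)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(hdr_len, b"\0") + upx1 + rsrc


if __name__ == "__main__":
    secs = parse_sections(build_sample())
    for s in secs:
        print(f"{s['name']:<6} va={s['vaddr']:#010x} vsize={s['vsize']:#010x} raw={s['rawsize']:#010x} entropy={s['entropy']}")
    for hit in packer_indicators(secs):
        print("packer indicator:", hit)
```

Point parse_sections() at the bytes of a real file instead of build_sample() to get the same table as above; the heuristics deliberately do not depend on the section name alone, since repacked or renamed UPX stubs keep the zero-raw-size RWX section and the high-entropy code section even when the UPX0/UPX1 labels are gone.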

Resources

Title  Entropy  Size    Codepage  Language       Type
1      3.38757  888     UNKNOWN   Chinese - PRC  RT_VERSION
50     2.16096  20      UNKNOWN   Chinese - PRC  RT_GROUP_ICON
136    4.90306  40      UNKNOWN   Chinese - PRC  RT_DIALOG
153    7.94787  80760   UNKNOWN   Chinese - PRC  BIN
154    7.94073  28672   UNKNOWN   Chinese - PRC  BIN
155    0        626688  UNKNOWN   Chinese - PRC  BIN

Imports

KERNEL32.DLL
MSVCRT.dll
USER32.dll
VERSION.dll
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

start -> setup.exe (PID 2972, no specs)
start -> setup.exe (PID 908) -> cmd.exe (PID 2608, no specs) -> flash_update.exe (PID 3264) -> explorer.exe (PID 2308)
("no specs" is the report's label for a process with no indicators of its own; parent processes are listed in the process information below)

Process information

PID 2972   "C:\Users\admin\AppData\Local\Temp\setup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\setup.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Description: Mircosoft Application Program
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)
  Version: 3, 1, 3, 0

PID 908    "C:\Users\admin\AppData\Local\Temp\setup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\setup.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: HIGH
  Description: Mircosoft Application Program
  Exit code: 0
  Version: 3, 1, 3, 0

PID 2608   cmd.exe /C "C:\Users\admin\AppData\Local\.\Adobe\.\flash_update.exe"
  Path: C:\Windows\system32\cmd.exe
  Parent process: setup.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 3264   C:\Users\admin\AppData\Local\.\Adobe\.\flash_update.exe
  Path: C:\Users\admin\AppData\Local\Adobe\flash_update.exe
  Parent process: cmd.exe
  User: admin
  Company: Wandoujia Inc.
  Integrity Level: HIGH
  Description: Wandoujia Update (豌豆荚更新)
  Exit code: 0
  Version: 1.1.0.3

PID 2308   C:\Windows\explorer.exe
  Path: C:\Windows\explorer.exe
  Parent process: flash_update.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Windows Explorer
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
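The process table carries four detection opportunities that a generic "malicious process" verdict hides: the first setup.exe run at MEDIUM integrity exits with 0xC000042C and the same image immediately reappears at HIGH (a UAC elevation); setup.exe uses cmd.exe /C purely as a launcher; the launched path is written with \.\ segments so that a string match on the normalized path C:\Users\admin\AppData\Local\Adobe\flash_update.exe would miss it; and a second explorer.exe is started by flash_update.exe rather than by the logon chain. The Python below is an added example, not ANY.RUN's code: EVENTS is constructed from the five processes above (the field names are this script's own, not a Sysmon or EDR schema), and analyze() emits one alert per condition.

```python
"""Detections over process-creation events shaped like the report's process table.

Added example, not ANY.RUN code. EVENTS is constructed from the five processes in
this report (PIDs, images, command lines, parents, integrity levels, exit codes);
the field names are this script's own, not any EDR or Sysmon schema.
"""
import ntpath
import re

STATUS_ELEVATION_REQUIRED = 0xC000042C   # NTSTATUS from ntstatus.h (== 3221226540)

EVENTS = [
    {"pid": 2972, "image": r"C:\Users\admin\AppData\Local\Temp\setup.exe",
     "cmdline": r'"C:\Users\admin\AppData\Local\Temp\setup.exe"',
     "parent": "explorer.exe", "integrity": "MEDIUM", "exit_code": 3221226540},
    {"pid": 908, "image": r"C:\Users\admin\AppData\Local\Temp\setup.exe",
     "cmdline": r'"C:\Users\admin\AppData\Local\Temp\setup.exe"',
     "parent": "explorer.exe", "integrity": "HIGH", "exit_code": 0},
    {"pid": 2608, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd.exe /C "C:\Users\admin\AppData\Local\.\Adobe\.\flash_update.exe"',
     "parent": "setup.exe", "integrity": "HIGH", "exit_code": 0},
    {"pid": 3264, "image": r"C:\Users\admin\AppData\Local\Adobe\flash_update.exe",
     "cmdline": r"C:\Users\admin\AppData\Local\.\Adobe\.\flash_update.exe",
     "parent": "cmd.exe", "integrity": "HIGH", "exit_code": 0},
    {"pid": 2308, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe",
     "parent": "flash_update.exe", "integrity": "HIGH", "exit_code": None},
]

PATH_RE = re.compile(r'[A-Za-z]:\\[^"\s]+?\.exe', re.IGNORECASE)        # drive-letter paths to .exe in a command line
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
SHELL_PARENTS = {"explorer.exe", "userinit.exe", "winlogon.exe"}          # legitimate launchers of the desktop shell


def normalize(path: str) -> str:
    """Collapse '.' and '..' segments so the path compares like the file it names."""
    return ntpath.normpath(path)


def analyze(events: list) -> list:
    """Return (pid, message) alerts for the chain seen in the report."""
    alerts = []
    runs_by_image = {}
    for ev in events:
        base = ntpath.basename(ev["image"]).lower()
        paths = PATH_RE.findall(ev["cmdline"])
        # 1. Dot segments in a command-line path: same file, different string, defeats naive matching.
        for p in paths:
            if normalize(p).lower() != p.lower():
                alerts.append((ev["pid"], f"dot-segment path in command line: {p} -> {normalize(p)}"))
        # 2. cmd.exe /C used only to launch a binary from a user-writable directory.
        if base == "cmd.exe" and re.search(r"\s/c\s", ev["cmdline"], re.IGNORECASE):
            for p in paths:
                if USER_WRITABLE.match(normalize(p)):
                    alerts.append((ev["pid"], f"cmd.exe /C launching user-writable binary {normalize(p)}"))
        # 3. A second explorer.exe started by something other than the logon chain.
        if base == "explorer.exe" and ev["parent"].lower() not in SHELL_PARENTS:
            alerts.append((ev["pid"], f"explorer.exe spawned by non-shell parent {ev['parent']}"))
        runs_by_image.setdefault(ev["image"].lower(), []).append(ev)
    # 4. Same image run at MEDIUM, exiting STATUS_ELEVATION_REQUIRED, then again at HIGH: a UAC elevation.
    for image, runs in runs_by_image.items():
        for first, second in zip(runs, runs[1:]):
            if (first["exit_code"] == STATUS_ELEVATION_REQUIRED and first["integrity"] == "MEDIUM"
                    and second["integrity"] == "HIGH"):
                alerts.append((second["pid"], f"elevated re-launch of {image} after pid {first['pid']} exited STATUS_ELEVATION_REQUIRED"))
    return alerts


if __name__ == "__main__":
    for pid, msg in analyze(EVENTS):
        print(f"[{pid}] {msg}")
```

Rule 4 is the one most often missing from out-of-the-box content: on its own, an exit code of 0xC000042C is noise, but paired with an immediate high-integrity run of the same image from the same parent it records the moment the user clicked through the UAC prompt, which is where the rest of this chain became possible.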
Total events: 1 598
Read events: 1 452
Write events: 144
Delete events: 2

Modification events

PID   Process       Operation  Key
                               Name = Value
2308  explorer.exe  write      HKEY_CLASSES_ROOT\Local Settings\MuiCache\60\52C64B7E
                               LanguageList = en-US
2308  explorer.exe  write      HKEY_CLASSES_ROOT\Local Settings\MuiCache\60\52C64B7E
                               @C:\Windows\system32\wmploc.dll,-128 = Microsoft Windows Media Player
2308  explorer.exe  write      HKEY_CLASSES_ROOT\Local Settings\MuiCache\60\52C64B7E
                               @C:\Windows\System32\ie4uinit.exe,-21 = Internet Explorer
2308  explorer.exe  write      HKEY_CLASSES_ROOT\Local Settings\MuiCache\60\52C64B7E
                               @C:\Windows\system32\themeui.dll,-2682 = Themes Setup
2308  explorer.exe  write      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
                               CleanShutdown = 0
2308  explorer.exe  write      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1a82db3-a9f0-11e7-b142-806e6f6e6963}
                               Data = (value not available)
2308  explorer.exe  write      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1a82db3-a9f0-11e7-b142-806e6f6e6963}
                               Generation = 2
2308  explorer.exe  write      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1a82db4-a9f0-11e7-b142-806e6f6e6963}
                               Data = (value not available)
2308  explorer.exe  write      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{e1a82db4-a9f0-11e7-b142-806e6f6e6963}
                               Generation = 2
2308  explorer.exe  write      HKEY_CLASSES_ROOT\Local Settings\MuiCache\60\52C64B7E
                               @"%windir%\System32\ie4uinit.exe",-732 = Finds and displays information and Web sites on the Internet.
Executable files: 3
Suspicious files: 4
Text files: 8
Unknown types: 0

Dropped files

PID   Process           Filename                                                                       Type
2308  explorer.exe      C:\ProgramData\Adobe\{A7A30C3D-1856-401f-B8EB-352147B70224}\1549868869        -
      (no hashes reported)
2308  explorer.exe      C:\Users\admin\AppData\Local\Temp\27D085.tmp                                   -
      (no hashes reported)
2308  explorer.exe      C:\Users\admin\AppData\Local\Temp\tempv.zip                                    -
      (no hashes reported)
2308  explorer.exe      C:\ProgramData\Application Data\Adobe\{A7A30C3D-1856-401f-B8EB-352147B70224}\1549868869   -
      (no hashes reported)
2308  explorer.exe      C:\ProgramData\Adobe\{A7A30C3D-1856-401f-B8EB-352147B70224}\1549868tmp        -
      (no hashes reported)
908   setup.exe         C:\Users\admin\AppData\Local\Adobe\goopdate.dll                                executable
      MD5: E1954216BD925AD6276AF44E4B6E8D2F
      SHA256: 176C05767A11B0FEA2F1AB021963A04D989431F218B9594E55A088D8D50C531E
2308  explorer.exe      C:\ProgramData\Adobe\WinAdv.bak                                                text
      MD5: BCEDAE299AD30F1D93E352648411F96C
      SHA256: E5283C762AB70FBA9C9F43529A9DFA024C2CAEAC8231271CC46F868508CBA713
2308  explorer.exe      C:\ProgramData\Adobe\update.lst                                                binary
      MD5: 74308EBA602AE7F905CF31C662A41E0E
      SHA256: D2BC4BA4926BC1FB852043EA836641CCD8621C03F6E252C06E327503FB331E0E
3264  flash_update.exe  C:\Windows\fxsst.dll                                                           executable
      MD5: AEE02DD0AFE39D3E3F93307F31DF0E64
      SHA256: F0620D0A4B2DB184D64F54708318F3E97BBCE57C67D029BC8FF6550D7C9E296E
908   setup.exe         C:\Users\admin\AppData\Local\Adobe\update.ini                                  text
      MD5: 1B8656818CDA5A5FFB55AEC12B7976FD
      SHA256: 95E94015E4DE78CF0E33BE1D13474B30310F55BCA1AB7C33A531F074D97FE380
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process       IP                 Domain  ASN                             CN  Reputation
2308  explorer.exe  164.219.89.91:53   -       -                               US  suspicious
2308  explorer.exe  124.88.86.238:53   -       CHINA UNICOM China169 Backbone  CN  suspicious

DNS requests

Domain             IP  Reputation
windowsupdate.com  -   unknown

Threats

PID   Process       Class                    Message                                             Count
2308  explorer.exe  Potentially Bad Traffic  ET TROJAN Large DNS Query possible covert channel   10
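The network picture is explorer.exe (PID 2308, the instance spawned by flash_update.exe) opening its own port-53 connections to two resolvers it was never configured with, one in the US and one on China Unicom, while the only resolvable name in the capture is windowsupdate.com and Suricata fires the large-DNS-query rule ten times. Three properties make this detectable without the rule: the process building DNS packets itself, the destination resolver, and the shape of the query name. The Python below is an added example, not ANY.RUN's or Emerging Threats' code: LOG is a constructed log in this script's own format that mirrors the connection list above (the long query names are made up under the reserved .invalid TLD, the timestamps and the trusted resolver 10.0.0.1 are invented), and every threshold is this script's assumption, not the ET rule's.

```python
"""Flag DNS traffic with covert-channel traits, in the spirit of the ET alert above.

Added example, not ANY.RUN or Emerging Threats code. LOG is constructed to mirror
the report's connection list (explorer.exe talking to two resolvers on port 53,
one query for windowsupdate.com); the long query names are made up under the
reserved .invalid TLD, and every threshold here is this script's assumption,
not the ET rule's.
"""
import re
from collections import Counter

TRUSTED_RESOLVERS = {"10.0.0.1"}       # constructed: the DNS server the guest is configured to use
DNS_CLIENT_PROCS = {"svchost.exe"}     # the Windows DNS Client service runs inside svchost.exe

HEX = "0123456789abcdef" * 4
LONG_QNAME = f"{HEX[:56]}.{HEX[:40]}.c2-tunnel.invalid"   # 115 chars, constructed
LOG = f"""\
2019-02-11T07:07:21Z pid=2308 proc=explorer.exe dst=164.219.89.91:53 type=A qname=windowsupdate.com
2019-02-11T07:07:22Z pid=2308 proc=explorer.exe dst=164.219.89.91:53 type=TXT qname={LONG_QNAME}
2019-02-11T07:07:22Z pid=2308 proc=explorer.exe dst=124.88.86.238:53 type=TXT qname={LONG_QNAME}
2019-02-11T07:07:30Z pid=1012 proc=svchost.exe dst=10.0.0.1:53 type=A qname=www.example.com
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) dst=(?P<ip>[\d.]+):(?P<port>\d+) "
    r"type=(?P<qtype>\S+) qname=(?P<qname>\S+)"
)


def qname_reasons(qname: str, max_qname: int = 100, max_label: int = 40, digit_ratio: float = 0.3) -> list:
    """Size and encoding checks on the query name itself."""
    reasons = []
    if len(qname) > max_qname:
        reasons.append(f"qname length {len(qname)} > {max_qname}")
    for label in qname.split("."):
        if len(label) > max_label:
            reasons.append(f"label length {len(label)} > {max_label}")
        # Hex/base32-style chunks carry many digits; real hostnames rarely do at this length.
        if len(label) > 20 and sum(c.isdigit() for c in label) / len(label) >= digit_ratio:
            reasons.append(f"encoded-looking label {label[:12]}...")
    return reasons


def inspect(rec: dict, trusted: set = TRUSTED_RESOLVERS) -> list:
    """Combine the name checks with who is asking and whom they ask."""
    reasons = qname_reasons(rec["qname"])
    if rec["ip"] not in trusted:
        reasons.append(f"resolver {rec['ip']} is not a configured resolver")
    if rec["proc"].lower() not in DNS_CLIENT_PROCS:
        # Ordinary applications resolve via the DNS Client service; a process building
        # its own port-53 packets controls every byte of the query.
        reasons.append(f"{rec['proc']} sends DNS directly instead of via the DNS Client service")
    return reasons


def analyze_log(text: str, trusted: set = TRUSTED_RESOLVERS) -> list:
    """Parse each log line and attach the list of reasons it was flagged (empty = clean)."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            results.append({**rec, "reasons": inspect(rec, trusted)})
    return results


def score(results: list) -> Counter:
    """Number of flagged queries per process, to rank what to look at first."""
    return Counter(r["proc"] for r in results if r["reasons"])


if __name__ == "__main__":
    res = analyze_log(LOG)
    for r in res:
        print(r["pid"], r["proc"], r["qname"][:40], "->", "; ".join(r["reasons"]) or "clean")
    print(score(res))
```

The windowsupdate.com query is flagged too, on the resolver and process checks alone: a benign-looking name sent by the wrong process to the wrong server is still the sample's traffic, and in a tunnel the connectivity probe usually precedes the encoded payload.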
No debug info