Malware analysis OffercastInstaller_AVR_U-0087-01-P_.exe Malicious activity

Add for printing

File name:	OffercastInstaller_AVR_U-0087-01-P_.exe
Full analysis:	https://app.any.run/tasks/ce240d40-8106-488a-97f2-fa234f6c66d0
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Malware Trends Tracker >>>
Analysis date:	August 14, 2024, 21:10:38
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	adware
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	302DD0119A39F3E726721BC6D82E29A4
SHA1:	F42337E70886DB01977319E632FFB4356003050E
SHA256:	64FFAAE707CC563F06F9D43B50D2E6B9603BCAD10B9E22E030DB1743B5304A53
SSDEEP:	24576:eu8qWJEtGWgdbERu+Ta34Y0PxlU78SqIEtNgooj9Yo:eFXfdb0a34Y0PxlUoXIEtNQj9Yo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- ADWARE has been detected (SURICATA)
  - OffercastInstaller_AVR_U-0087-01-P_.exe (PID: 6464)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - OffercastInstaller_AVR_U-0087-01-P_.exe (PID: 6464)
- Reads Internet Explorer settings
  - OffercastInstaller_AVR_U-0087-01-P_.exe (PID: 6464)
- Drops the executable file immediately after the start
  - OffercastInstaller_AVR_U-0087-01-P_.exe (PID: 6464)
- Application launched itself
  - OffercastInstaller_AVR_U-0087-01-P_.exe (PID: 6464)
- Access to an unwanted program domain was detected
  - OffercastInstaller_AVR_U-0087-01-P_.exe (PID: 6464)
INFO
- Process checks Internet Explorer phishing filters
  - OffercastInstaller_AVR_U-0087-01-P_.exe (PID: 6464)
- Checks supported languages
  - OffercastInstaller_AVR_U-0087-01-P_.exe (PID: 6464)
- Checks proxy server information
  - OffercastInstaller_AVR_U-0087-01-P_.exe (PID: 6464)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable MS Visual C++ (generic) (42.2)
.exe	\|	Win64 Executable (generic) (37.3)
.dll	\|	Win32 Dynamic Link Library (generic) (8.8)
.exe	\|	Win32 Executable (generic) (6)
.exe	\|	Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2013:06:11 23:44:05+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	10
CodeSize:	613888
InitializedDataSize:	414208
UninitializedDataSize:	-
EntryPoint:	0x74eb3
OSVersion:	5.1
ImageVersion:	-
SubsystemVersion:	5.1
Subsystem:	Windows GUI
FileVersionNumber:	2.8.1.0
ProductVersionNumber:	2.8.1.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	Ask.com
FileDescription:	Offercast - APN Install Manager
FileVersion:	2.8.1.0
InternalName:	AskInstaller.exe
LegalCopyright:	2010 (c) Ask.com. All rights reserved.
OriginalFileName:	AskInstaller.exe
ProductName:	Offercast - APN Install Manager
ProductVersion:	2.8.1.0

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

138

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

6372

"C:\Users\admin\Desktop\OffercastInstaller_AVR_U-0087-01-P_.exe"

C:\Users\admin\Desktop\OffercastInstaller_AVR_U-0087-01-P_.exe

—

explorer.exe

User:

admin

Company:

Ask.com

Integrity Level:

MEDIUM

Description:

Offercast - APN Install Manager

Exit code:

3221226540

Version:

2.8.1.0

Modules

Images
c:\users\admin\desktop\offercastinstaller_avr_u-0087-01-p_.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

6464

"C:\Users\admin\Desktop\OffercastInstaller_AVR_U-0087-01-P_.exe"

C:\Users\admin\Desktop\OffercastInstaller_AVR_U-0087-01-P_.exe

explorer.exe

User:

admin

Company:

Ask.com

Integrity Level:

HIGH

Description:

Offercast - APN Install Manager

Exit code:

Version:

2.8.1.0

Modules

Images
c:\windows\syswow64\textshaping.dll

6524

"C:\Users\admin\Desktop\OffercastInstaller_AVR_U-0087-01-P_.exe" -se -ppd 6464

C:\Users\admin\Desktop\OffercastInstaller_AVR_U-0087-01-P_.exe

—

OffercastInstaller_AVR_U-0087-01-P_.exe

User:

admin

Company:

Ask.com

Integrity Level:

HIGH

Description:

Offercast - APN Install Manager

Exit code:

50002

Version:

2.8.1.0

Add for printing

Total events

152

Read events

144

Write events

Delete events

Modification events


(PID) Process:	(6464) OffercastInstaller_AVR_U-0087-01-P_.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation:	delete value	Name:	AddToFavoritesInitialSelection
Value:
(PID) Process:	(6464) OffercastInstaller_AVR_U-0087-01-P_.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation:	delete value	Name:	AddToFeedsInitialSelection
Value:
(PID) Process:	(6464) OffercastInstaller_AVR_U-0087-01-P_.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\APN PIP\ipc\AVR
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(6464) OffercastInstaller_AVR_U-0087-01-P_.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\APN PIP\AVR
Operation:	delete value	Name:	Show_UI
Value:
(PID) Process:	(6464) OffercastInstaller_AVR_U-0087-01-P_.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\APN PIP\AVR
Operation:	delete value	Name:	Start_Install
Value:
(PID) Process:	(6464) OffercastInstaller_AVR_U-0087-01-P_.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\APN PIP\AVR
Operation:	delete value	Name:	Cancel_PIP
Value:
(PID) Process:	(6464) OffercastInstaller_AVR_U-0087-01-P_.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\APN PIP\AVR
Operation:	delete value	Name:	Left
Value:
(PID) Process:	(6464) OffercastInstaller_AVR_U-0087-01-P_.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\APN PIP\AVR
Operation:	delete value	Name:	Top
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6464	OffercastInstaller_AVR_U-0087-01-P_.exe	C:\Users\admin\AppData\Local\Temp\apn_pip_local\rules.js		text
		MD5:9ACB27A7C4EC3B69F3B69FD334510177	SHA256:768B45CF3776ABD3BCEE7B09E1204CA7CF1AB66EC939AEEDBB18FD70EA21DFDD
6524	OffercastInstaller_AVR_U-0087-01-P_.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199		der
		MD5:E935BC5762068CAF3E24A2683B1B8A88	SHA256:A8ACCFCFEB51BD73DF23B91F4D89FF1A9EB7438EF5B12E8AFDA1A6FF1769E89D
6464	OffercastInstaller_AVR_U-0087-01-P_.exe	C:\Users\admin\AppData\Local\Temp\apn_pip_local\objectmodel.js		binary
		MD5:452A7BE33226B83F62BB477CFEFB624E	SHA256:AFA1881D3B2B142FA20A47C7BEC3AC0D3D6E2DFC427E335E2911F68C77EA9FC0
6524	OffercastInstaller_AVR_U-0087-01-P_.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\AH8CR9J5\APNAnalytics[1].xml		xml
		MD5:C512EFA072396EAC3B40D89A161B5EDE	SHA256:F471D2A652977C0DE06A3338A712EAAF45E8AADE4B9B0B186DB9C2D6BE0B3BE9
6464	OffercastInstaller_AVR_U-0087-01-P_.exe	C:\Users\admin\AppData\Local\Temp\apn_pip_local\AveryError.png		image
		MD5:D12D18809B8203F7DBAF6ED4A95BA79D	SHA256:510B561ECC6D456C149A77C98B2AFFF99A3BB233DBE96AE619EF337730A482D5
6524	OffercastInstaller_AVR_U-0087-01-P_.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199		binary
		MD5:BD292697782998247EDBF56E8A8A338D	SHA256:F812A80957E3C6D8DFED8C5EDE40490ED48C035A2775AF5250B0609EA8504A72
6464	OffercastInstaller_AVR_U-0087-01-P_.exe	C:\Users\admin\AppData\Local\Temp\apn_pip_local\orchestrator.html		html
		MD5:FDD740A29F5849B4082B4267C045E33E	SHA256:1C784689CBE6F5597D72E6A672FBD5D7D536E288E2B6FC3C0F55D67D2FD86752
6524	OffercastInstaller_AVR_U-0087-01-P_.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77B00ED971BD291B7B661CFFFD764CC2_152EB64A0FCED0F3E916D39AE7961352		der
		MD5:85E7914AB4A28DC829CDABE7FFAD8CB3	SHA256:C70BC337DAF2DCF62DF947F688CF2F141F9C4766D2D7D08AA7F6C65CDF086FBC
6524	OffercastInstaller_AVR_U-0087-01-P_.exe	C:\Users\admin\AppData\Local\Temp\APNAnalytics.xml		xml
		MD5:C512EFA072396EAC3B40D89A161B5EDE	SHA256:F471D2A652977C0DE06A3338A712EAAF45E8AADE4B9B0B186DB9C2D6BE0B3BE9
6524	OffercastInstaller_AVR_U-0087-01-P_.exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		der
		MD5:5C888CC17FA6CAB59F20C3D8C693ECC9	SHA256:633CFD390A6F9A580471FE82EDFF9F6F8DF74854BCE3F35FF1F36423B66393C9

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	2.23.209.26:80	http://ak.pipoffers.apnpartners.com/static/partners/AVR/APNAnalytics.xml	unknown	—	—	whitelisted
—	—	GET	302	34.120.59.42:80	http://pipoffers.apnpartners.com/PIP/Server.jhtml?partner_id=AVR&language=en&version=2.8.1.0&pProductID=U-0087-01-P	unknown	—	—	unknown
—	—	GET	200	142.250.184.195:80	http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D	unknown	—	—	whitelisted
—	—	GET	302	34.117.28.143:80	http://errdocs.zwinky.com/	unknown	—	—	whitelisted
—	—	GET	200	142.250.185.163:80	http://c.pki.goog/r/r1.crl	unknown	—	—	whitelisted
—	—	GET	200	172.217.18.3:80	http://o.pki.goog/s/wr3/5XA/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEQDlcCRtOwkbDBIc2ya2qjBa	unknown	—	—	whitelisted
—	—	POST	400	34.120.59.42:80	http://pipoffers.apnpartners.com/PIP/OfferAccept.jhtml	unknown	—	—	unknown
6464	OffercastInstaller_AVR_U-0087-01-P_.exe	POST	400	34.120.59.42:80	http://pipoffers.apnpartners.com/PIP/OfferAccept.jhtml	unknown	—	—	unknown
6464	OffercastInstaller_AVR_U-0087-01-P_.exe	POST	400	34.120.59.42:80	http://pipoffers.apnpartners.com/PIP/OfferAccept.jhtml	unknown	—	—	unknown
4344	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4088	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
2044	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
—	—	2.23.209.26:80	ak.pipoffers.apnpartners.com	Akamai International B.V.	GB	unknown
—	—	34.120.59.42:80	pipoffers.apnpartners.com	GOOGLE-CLOUD-PLATFORM	US	unknown
—	—	34.117.28.143:80	errdocs.zwinky.com	GOOGLE-CLOUD-PLATFORM	US	unknown
—	—	35.244.244.108:443	www.gamingwonderland.com	GOOGLE	US	unknown
—	—	142.250.184.195:80	ocsp.pki.goog	GOOGLE	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 40.127.240.158 51.124.78.146	whitelisted
google.com	172.217.18.14	whitelisted
pipoffers.apnpartners.com	34.120.59.42	unknown
42.59.120.34.in-addr.arpa	—	unknown
ak.pipoffers.apnpartners.com	2.23.209.26	whitelisted
errdocs.zwinky.com	34.117.28.143	unknown
www.gamingwonderland.com	35.244.244.108	unknown
ocsp.pki.goog	142.250.184.195	whitelisted
c.pki.goog	142.250.185.163	whitelisted
o.pki.goog	172.217.18.3	whitelisted

Threats

Found threats are available for the paid subscriptions

5 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

OffercastInstaller_AVR_U-0087-01-P_.exe

302DD0119A39F3E726721BC6D82E29A4

F42337E70886DB01977319E632FFB4356003050E

64FFAAE707CC563F06F9D43B50D2E6B9603BCAD10B9E22E030DB1743B5304A53

24576:eu8qWJEtGWgdbERu+Ta34Y0PxlU78SqIEtNgooj9Yo:eFXfdb0a34Y0PxlUoXIEtNQj9Yo

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ADWARE has been detected (SURICATA)

SUSPICIOUS

Reads security settings of Internet Explorer

Reads Internet Explorer settings

Drops the executable file immediately after the start

Application launched itself

Access to an unwanted program domain was detected

INFO

Process checks Internet Explorer phishing filters

Checks supported languages

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings