File name:	MediaCreationTool_22H2.exe
Full analysis:	https://app.any.run/tasks/d7aa52c2-04fe-40aa-a346-f716599cb184
Verdict:	Malicious activity
Analysis date:	July 07, 2024, 10:39:48
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	AA2AD37BB74C05A49417E3D2F1BD89CE
SHA1:	1BF5F814FFE801B4E6F118E829C0D2821D78A60A
SHA256:	690C8A63769D444FAD47B7DDECEE7F24C9333AA735D0BD46587D0DF5CF15CDE5
SSDEEP:	196608:MmtHa+5hH1km/Sf7byFXKEBmih9S5rQ5FNFl001p4Ki:Y+5RB/SDbyFBH9eQD/l00/4

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1974:05:29 19:08:33+00:00
ImageFileCharacteristics:	Executable, 32-bit, Removable run from swap, Net run from swap
PEType:	PE32
LinkerVersion:	14.2
CodeSize:	490496
InitializedDataSize:	11057152
UninitializedDataSize:	-
EntryPoint:	0x729b0
OSVersion:	10
ImageVersion:	10
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	10.0.19041.572
ProductVersionNumber:	10.0.19041.572
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Arabic
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	‎‎إعداد Windows 10
FileVersion:	10.0.19041.572 (vb_release_svc_prod1.201007-1724)
InternalName:	SetupPrep.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	SetupPrep.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.19041.572


(PID) Process:	(1824) MediaCreationTool_22H2.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(1824) MediaCreationTool_22H2.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup
Operation:	delete value	Name:	CorrelationVector
Value: IYXEGxww/0WC95lB.37
(PID) Process:	(5132) SetupHost.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup
Operation:	write	Name:	CorrelationVector
Value: qhonrU0V6E2CxVSX.0
(PID) Process:	(652) MediaCreationTool_22H2.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation:	write	Name:	BoxResult
Value:
(PID) Process:	(5132) SetupHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OneSettings\WSD\Setup360
Operation:	write	Name:	ETag
Value: 2123:66A2A386
(PID) Process:	(5132) SetupHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OneSettings\WSD\Setup360
Operation:	write	Name:	RefreshInterval
Value: 2123
(PID) Process:	(5132) SetupHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OneSettings\WSD\Setup360\QueryParameters
Operation:	write	Name:	os
Value: windows
(PID) Process:	(5132) SetupHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OneSettings\WSD\Setup360\QueryParameters
Operation:	write	Name:	osver
Value: 10.0.19041.4046.amd64fre.vb_release.191206-1406
(PID) Process:	(5132) SetupHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OneSettings\WSD\Setup360\QueryParameters
Operation:	write	Name:	scenarioId
Value: 7
(PID) Process:	(5132) SetupHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OneSettings\WSD\Setup360\QueryParameters
Operation:	write	Name:	platformEdition
Value: Professional

PID	Process	Filename		Type
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\Diager.dll		executable
		MD5:4396BDD1707419909F04A92184AD1317	SHA256:AE0F8123D3EF8801961211D7D71780BEE76C418EBC8C6893B385D5FABA6BB68F
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\DiagTrackRunner.exe		executable
		MD5:76F30A1E149792D2542A253B920CBEF6	SHA256:488CBC8330952DD13B797BB40E4E30610ED03483C25919C39555F7B334A3C159
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\setupplatform.cfg		text
		MD5:033E7ADC314C248CC29A9F14906C21E5	SHA256:C40FDDBB16853406D12D30E01E170DE8474728BB8EC24794DB721DE0A7F67927
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\wdsclientapi.dll		executable
		MD5:C8622591EA490127898FF612C4D0FCE8	SHA256:00436605B013E26F39B3FF6AAB1E5577FE6E4950C4C803D534D0BBD912B3F7E0
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\setupplatform.dll		executable
		MD5:0DB2EB7B159D7289DFBDF3CA29D44704	SHA256:CBEEC25C578F4E8EAE81BB8829C3B7BC81648DA6F63EEB4A606B9A66660D6D91
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\wpx.dll		executable
		MD5:15E92D3769E6EEFA80DAAC3085741BF6	SHA256:08C8A6B2F76F9D9152E01FF3118990FDCDBB0D2E8C57DBFE43568367493187D4
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\wdscsl.dll		executable
		MD5:0B778AD42D5E17CE89936F6D4C42957D	SHA256:D5BCFDAB29EA1DEEA22679A4A4473A9CC84871A5D707C006EB99FACB4AF9081B
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\wdsimage.dll		executable
		MD5:B5D99819CB865C4DA4EBE8880F5ADA7E	SHA256:4ED57014301E91B0504E0C2A62F4EE969CCF4C179DE9788D1307DBC71186D543
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll		executable
		MD5:BDBD14F60FC78EDCA16A022C9801CF70	SHA256:A2679D717DB07F43D81F895E508520E01CD0262F1BE5870333D12CE71FE02DB4
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\wdstptc.dll		executable
		MD5:7A020A931614E1A7CA1DB482D1C00EDE	SHA256:48EE94546C9345FBE5AD1A51F4826B131DA554A8E4395E5D22E4CDE09B3816D5

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4780	MoUsoCoreWorker.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	—
3396	svchost.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	—
4780	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	—
3516	RUXIMICS.exe	GET	—	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	—
—	—	HEAD	302	null:443	https://go.microsoft.com/fwlink/?LinkId=841361	unknown	—	—	—
—	—	GET	302	null:443	https://go.microsoft.com/fwlink/?LinkId=841361	unknown	—	—	—
—	—	HEAD	200	null:443	https://download.microsoft.com/download/7/9/c/79cbc22a-0eea-4a0d-89c0-054a1b3aa8e0/products.cab	unknown	—	—	—
—	—	HEAD	200	null:443	https://download.microsoft.com/download/C/0/3/C036B882-9F99-4BC9-A4B5-69370C4E17E9/EULA_MCTool_EN-US_6.27.16.rtf	unknown	—	—	—
—	—	GET	206	23.52.120.96:443	https://download.microsoft.com/download/C/0/3/C036B882-9F99-4BC9-A4B5-69370C4E17E9/EULA_MCTool_EN-US_6.27.16.rtf	unknown	—	—	—
780	svchost.exe	HEAD	200	146.75.122.172:80	http://dl.delivery.mp.microsoft.com/filestreamingservice/files/f7d48c2e-eb2c-4f13-97e1-45a08c90bcfe/19045.3803.231204-0204.22h2_release_svc_refresh_CLIENTCONSUMER_RET_x64FRE_en-us.esd	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4032	svchost.exe	239.255.255.250:1900	—	—	—	unknown
3396	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	unknown
3516	RUXIMICS.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4780	MoUsoCoreWorker.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4780	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
4780	MoUsoCoreWorker.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	unknown
3396	svchost.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	unknown
3516	RUXIMICS.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	unknown
5132	SetupHost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown

Domain	IP	Reputation
crl.microsoft.com	23.48.23.143 23.48.23.156	unknown
www.microsoft.com	23.52.120.96	unknown
go.microsoft.com	23.35.238.131	unknown
download.microsoft.com	23.32.101.194	unknown
self.events.data.microsoft.com	13.89.179.11	unknown
dl.delivery.mp.microsoft.com	146.75.122.172	unknown

General Info

MediaCreationTool_22H2.exe

AA2AD37BB74C05A49417E3D2F1BD89CE

1BF5F814FFE801B4E6F118E829C0D2821D78A60A

690C8A63769D444FAD47B7DDECEE7F24C9333AA735D0BD46587D0DF5CF15CDE5

196608:MmtHa+5hH1km/Sf7byFXKEBmih9S5rQ5FNFl001p4Ki:Y+5RB/SDbyFBH9eQD/l00/4

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

The DLL Hijacking

SUSPICIOUS

Starts a Microsoft application from unusual location

Process drops legitimate windows executable

The process creates files with name similar to system file names

Executable content was dropped or overwritten

INFO

Checks supported languages

Reads the computer name

Reads Environment values

Checks proxy server information

Reads the software policy settings

Reads the machine GUID from the registry

Manual execution by a user

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings