File name:	MediaCreationTool_22H2.exe
Full analysis:	https://app.any.run/tasks/d7aa52c2-04fe-40aa-a346-f716599cb184
Verdict:	Malicious activity
Analysis date:	July 07, 2024, 10:39:48
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	AA2AD37BB74C05A49417E3D2F1BD89CE
SHA1:	1BF5F814FFE801B4E6F118E829C0D2821D78A60A
SHA256:	690C8A63769D444FAD47B7DDECEE7F24C9333AA735D0BD46587D0DF5CF15CDE5
SSDEEP:	196608:MmtHa+5hH1km/Sf7byFXKEBmih9S5rQ5FNFl001p4Ki:Y+5RB/SDbyFBH9eQD/l00/4

.exe	\|	Win32 Executable MS Visual C++ (generic) (67.4)
.dll	\|	Win32 Dynamic Link Library (generic) (14.2)
.exe	\|	Win32 Executable (generic) (9.7)
.exe	\|	Generic Win/DOS Executable (4.3)
.exe	\|	DOS Executable Generic (4.3)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	1974:05:29 19:08:33+00:00
ImageFileCharacteristics:	Executable, 32-bit, Removable run from swap, Net run from swap
PEType:	PE32
LinkerVersion:	14.2
CodeSize:	490496
InitializedDataSize:	11057152
UninitializedDataSize:	-
EntryPoint:	0x729b0
OSVersion:	10
ImageVersion:	10
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	10.0.19041.572
ProductVersionNumber:	10.0.19041.572
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Arabic
CharacterSet:	Unicode
CompanyName:	Microsoft Corporation
FileDescription:	‎‎إعداد Windows 10
FileVersion:	10.0.19041.572 (vb_release_svc_prod1.201007-1724)
InternalName:	SetupPrep.exe
LegalCopyright:	© Microsoft Corporation. All rights reserved.
OriginalFileName:	SetupPrep.exe
ProductName:	Microsoft® Windows® Operating System
ProductVersion:	10.0.19041.572


(PID) Process:	(1824) MediaCreationTool_22H2.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(1824) MediaCreationTool_22H2.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup
Operation:	delete value	Name:	CorrelationVector
Value: IYXEGxww/0WC95lB.37
(PID) Process:	(5132) SetupHost.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup
Operation:	write	Name:	CorrelationVector
Value: qhonrU0V6E2CxVSX.0
(PID) Process:	(652) MediaCreationTool_22H2.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation:	write	Name:	BoxResult
Value:
(PID) Process:	(5132) SetupHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OneSettings\WSD\Setup360
Operation:	write	Name:	ETag
Value: 2123:66A2A386
(PID) Process:	(5132) SetupHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OneSettings\WSD\Setup360
Operation:	write	Name:	RefreshInterval
Value: 2123
(PID) Process:	(5132) SetupHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OneSettings\WSD\Setup360\QueryParameters
Operation:	write	Name:	os
Value: windows
(PID) Process:	(5132) SetupHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OneSettings\WSD\Setup360\QueryParameters
Operation:	write	Name:	osver
Value: 10.0.19041.4046.amd64fre.vb_release.191206-1406
(PID) Process:	(5132) SetupHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OneSettings\WSD\Setup360\QueryParameters
Operation:	write	Name:	scenarioId
Value: 7
(PID) Process:	(5132) SetupHost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\OneSettings\WSD\Setup360\QueryParameters
Operation:	write	Name:	platformEdition
Value: Professional

PID	Process	Filename		Type
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\DU.dll		executable
		MD5:7727A405C9878C2FE052922C1F965384	SHA256:4912ABC0A250DFAF63A48E4165E94AB701505F14BCC7A1464D5588FA2D434564
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\wdsclientapi.dll		executable
		MD5:C8622591EA490127898FF612C4D0FCE8	SHA256:00436605B013E26F39B3FF6AAB1E5577FE6E4950C4C803D534D0BBD912B3F7E0
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\setupplatform.dll		executable
		MD5:0DB2EB7B159D7289DFBDF3CA29D44704	SHA256:CBEEC25C578F4E8EAE81BB8829C3B7BC81648DA6F63EEB4A606B9A66660D6D91
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\DiagTrackRunner.exe		executable
		MD5:76F30A1E149792D2542A253B920CBEF6	SHA256:488CBC8330952DD13B797BB40E4E30610ED03483C25919C39555F7B334A3C159
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\WinDlp.dll		executable
		MD5:6F12BA2D5CB564F73D9813D105E5C1FE	SHA256:26B66B81267DFDA7A78890F20A4ED0D104DB1CD350D2D9F649FDB496B6C11333
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\DiagTrack.dll		executable
		MD5:6C3F6A6BC5EDE978E9DFE1ACCE386339	SHA256:B55D66F2943F1C63EA9B39DAE88AA2A4F91775CEFFFEFD263BD302866A7BD91C
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\MediaSetupUIMgr.dll		executable
		MD5:BDBD14F60FC78EDCA16A022C9801CF70	SHA256:A2679D717DB07F43D81F895E508520E01CD0262F1BE5870333D12CE71FE02DB4
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\pidgenx.dll		executable
		MD5:A54F45A9013251F0DDD91C6B3AB18449	SHA256:40A97484CE8E06658EA02AF3E3B0077C47BA8D71C2D991EB69B94F221C78478F
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\wpx.dll		executable
		MD5:15E92D3769E6EEFA80DAAC3085741BF6	SHA256:08C8A6B2F76F9D9152E01FF3118990FDCDBB0D2E8C57DBFE43568367493187D4
1824	MediaCreationTool_22H2.exe	C:\$Windows.~WS\Sources\wdsimage.dll		executable
		MD5:B5D99819CB865C4DA4EBE8880F5ADA7E	SHA256:4ED57014301E91B0504E0C2A62F4EE969CCF4C179DE9788D1307DBC71186D543

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4780	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	—
4780	MoUsoCoreWorker.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	—
3516	RUXIMICS.exe	GET	—	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	—
3396	svchost.exe	GET	200	23.52.120.96:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	—
—	—	HEAD	302	null:443	https://go.microsoft.com/fwlink/?LinkId=841361	unknown	—	—	—
—	—	GET	302	null:443	https://go.microsoft.com/fwlink/?LinkId=841361	unknown	—	—	—
—	—	HEAD	200	null:443	https://download.microsoft.com/download/C/0/3/C036B882-9F99-4BC9-A4B5-69370C4E17E9/EULA_MCTool_EN-US_6.27.16.rtf	unknown	—	—	—
—	—	GET	206	23.52.120.96:443	https://download.microsoft.com/download/C/0/3/C036B882-9F99-4BC9-A4B5-69370C4E17E9/EULA_MCTool_EN-US_6.27.16.rtf	unknown	—	—	—
—	—	HEAD	200	null:443	https://download.microsoft.com/download/7/9/c/79cbc22a-0eea-4a0d-89c0-054a1b3aa8e0/products.cab	unknown	—	—	—
780	svchost.exe	HEAD	200	146.75.122.172:80	http://dl.delivery.mp.microsoft.com/filestreamingservice/files/f7d48c2e-eb2c-4f13-97e1-45a08c90bcfe/19045.3803.231204-0204.22h2_release_svc_refresh_CLIENTCONSUMER_RET_x64FRE_en-us.esd	unknown	—	—	—

PID	Process	IP	Domain	ASN	CN	Reputation
4032	svchost.exe	239.255.255.250:1900	—	—	—	unknown
3396	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4	System	192.168.100.255:138	—	—	—	unknown
3516	RUXIMICS.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4780	MoUsoCoreWorker.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown
4780	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	unknown
4780	MoUsoCoreWorker.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	unknown
3396	svchost.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	unknown
3516	RUXIMICS.exe	23.52.120.96:80	www.microsoft.com	AKAMAI-AS	DE	unknown
5132	SetupHost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	unknown

Domain	IP	Reputation
crl.microsoft.com	23.48.23.143 23.48.23.156	unknown
www.microsoft.com	23.52.120.96	unknown
go.microsoft.com	23.35.238.131	unknown
download.microsoft.com	23.32.101.194	unknown
self.events.data.microsoft.com	13.89.179.11	unknown
dl.delivery.mp.microsoft.com	146.75.122.172	unknown

General Info

MediaCreationTool_22H2.exe

AA2AD37BB74C05A49417E3D2F1BD89CE

1BF5F814FFE801B4E6F118E829C0D2821D78A60A

690C8A63769D444FAD47B7DDECEE7F24C9333AA735D0BD46587D0DF5CF15CDE5

196608:MmtHa+5hH1km/Sf7byFXKEBmih9S5rQ5FNFl001p4Ki:Y+5RB/SDbyFBH9eQD/l00/4

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

The DLL Hijacking

Drops the executable file immediately after the start

SUSPICIOUS

Process drops legitimate windows executable

Starts a Microsoft application from unusual location

Executable content was dropped or overwritten

The process creates files with name similar to system file names

INFO

Reads the machine GUID from the registry

Reads the computer name

Checks supported languages

Checks proxy server information

Process checks computer location settings

Reads the software policy settings

Manual execution by a user

Reads Environment values

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings