File name: 15 Second ADB Installer v1.5.6.exe

Full analysis: https://app.any.run/tasks/452f4ddb-2f43-44e5-8c13-6ec2ff995f3a
Verdict: Malicious activity
Analysis date: March 06, 2024, 15:41:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5: A4705082D17A2081A47F47A3D28711C7
SHA1: 037A52083E8634748224D224E6B068970EC7B6A4
SHA256: 6AEDB17D951F24FA20496EC01639AD54AA9B82968102CF5EBF2DB1426500A2E4
SSDEEP: 196608:GOQ7CgNq3j1nlwp8J3BoYzFeGjF/nwqLLkzJ1S1nRp+9H51j3qZLqNjHNpVAZCRm:cCc0j3KsFB5wqUzOf8ZNqxSJAZW2LcU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • 15 Second ADB Installer v1.5.6.exe (PID: 3672)
      • 15 Second ADB Installer v1.5.6.exe (PID: 2852)
      • drvinst.exe (PID: 3180)
      • DPInst_x86.exe (PID: 2908)
    • Creates a writable file in the system directory

      • drvinst.exe (PID: 3180)
  • SUSPICIOUS

    • Reads the Internet Settings

      • 15 Second ADB Installer v1.5.6.exe (PID: 3672)
      • 15 Second ADB Installer v1.5.6.exe (PID: 2840)
    • Application launched itself

      • 15 Second ADB Installer v1.5.6.exe (PID: 3672)
      • 15 Second ADB Installer v1.5.6.exe (PID: 2852)
      • cmd.exe (PID: 3948)
    • Process drops legitimate windows executable

      • 15 Second ADB Installer v1.5.6.exe (PID: 2852)
      • DPInst_x86.exe (PID: 2908)
      • drvinst.exe (PID: 3180)
    • Reads security settings of Internet Explorer

      • 15 Second ADB Installer v1.5.6.exe (PID: 3672)
      • 15 Second ADB Installer v1.5.6.exe (PID: 2840)
    • Executing commands from a ".bat" file

      • 15 Second ADB Installer v1.5.6.exe (PID: 2840)
    • Starts CMD.EXE for commands execution

      • 15 Second ADB Installer v1.5.6.exe (PID: 2840)
      • cmd.exe (PID: 3948)
    • Executable content was dropped or overwritten

      • 15 Second ADB Installer v1.5.6.exe (PID: 2852)
      • xcopy.exe (PID: 2624)
      • xcopy.exe (PID: 3428)
      • xcopy.exe (PID: 2340)
      • xcopy.exe (PID: 3500)
      • DPInst_x86.exe (PID: 2908)
      • drvinst.exe (PID: 3180)
    • Runs PING.EXE to delay simulation

      • cmd.exe (PID: 3948)
    • Starts a Microsoft application from unusual location

      • DPInst_x86.exe (PID: 2908)
    • The executable file from the user directory is run by the CMD process

      • DPInst_x86.exe (PID: 2908)
    • Creates files in the driver directory

      • drvinst.exe (PID: 3180)
    • Reads settings of System Certificates

      • rundll32.exe (PID: 2256)
    • Executes as Windows Service

      • VSSVC.exe (PID: 1656)
    • Creates a software uninstall entry

      • DPInst_x86.exe (PID: 2908)
    • Checks Windows Trust Settings

      • drvinst.exe (PID: 3180)
  • INFO

    • Checks supported languages

      • 15 Second ADB Installer v1.5.6.exe (PID: 3672)
      • 15 Second ADB Installer v1.5.6.exe (PID: 2852)
      • 15 Second ADB Installer v1.5.6.exe (PID: 2840)
      • DPInst_x86.exe (PID: 2908)
      • wmpnscfg.exe (PID: 1236)
      • drvinst.exe (PID: 3180)
    • Reads the computer name

      • 15 Second ADB Installer v1.5.6.exe (PID: 3672)
      • 15 Second ADB Installer v1.5.6.exe (PID: 2840)
      • DPInst_x86.exe (PID: 2908)
      • wmpnscfg.exe (PID: 1236)
      • drvinst.exe (PID: 3180)
    • Create files in a temporary directory

      • 15 Second ADB Installer v1.5.6.exe (PID: 2852)
      • DPInst_x86.exe (PID: 2908)
    • Drops the executable file immediately after the start

      • xcopy.exe (PID: 2624)
      • xcopy.exe (PID: 3428)
      • xcopy.exe (PID: 3500)
      • xcopy.exe (PID: 2340)
    • Checks operating system version

      • cmd.exe (PID: 3948)
    • Reads the machine GUID from the registry

      • DPInst_x86.exe (PID: 2908)
      • drvinst.exe (PID: 3180)
    • Reads the software policy settings

      • drvinst.exe (PID: 3180)
      • rundll32.exe (PID: 2256)
    • Reads security settings of Internet Explorer

      • rundll32.exe (PID: 2256)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1236)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2012:12:31 00:38:38+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 57344
InitializedDataSize: 307200
UninitializedDataSize: 389120
EntryPoint: 0x6cad0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.4.3.0
ProductVersionNumber: 1.4.3.0
FileFlagsMask: 0x003f
FileFlags: Private build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Snoop05
FileDescription: 15 seconds ADB Installer
FileVersion: 1.4.3
InternalName: adb-installer
LegalCopyright: -
OriginalFileName: adb-installer-1.4.3.exe
PrivateBuild: December 30, 2012
ProductName: 15 seconds ADB Installer
ProductVersion: 1.4.3
No data.
All screenshots are available in the full report
Total processes: 58
Monitored processes: 19
Malicious processes: 7
Suspicious processes: 0

Behavior graph

Process nodes in the graph (the "no specs" label is the report's own marker for a node with no indicators listed):

  • start
  • 15 second adb installer v1.5.6.exe (no specs)
  • 15 second adb installer v1.5.6.exe
  • 15 second adb installer v1.5.6.exe (no specs)
  • cmd.exe (no specs)
  • xcopy.exe
  • xcopy.exe
  • xcopy.exe
  • xcopy.exe
  • find.exe (no specs)
  • cmd.exe (no specs)
  • find.exe (no specs)
  • setx.exe (no specs)
  • ping.exe (no specs)
  • dpinst_x86.exe
  • drvinst.exe
  • rundll32.exe (no specs)
  • vssvc.exe (no specs)
  • wmpnscfg.exe (no specs)
  • ping.exe (no specs)

Process information

Columns: PID | CMD | Path | Indicators | Parent process
PID: 1236 | CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe" | Path: C:\Program Files\Windows Media Player\wmpnscfg.exe | Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1656 | CMD: C:\Windows\system32\vssvc.exe | Path: C:\Windows\System32\VSSVC.exe | Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1692 | CMD: FIND "5.1" | Path: C:\Windows\System32\find.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Find String (grep) Utility
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\find.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1836 | CMD: C:\Windows\system32\cmd.exe /S /D /c" VER " | Path: C:\Windows\System32\cmd.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2096 | CMD: PING localhost -n 2 | Path: C:\Windows\System32\PING.EXE | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
TCP/IP Ping Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ping.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
PID: 2232 | CMD: SETX PATH "C:\Program Files\Common Files\Oracle\Java\javapath;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\PowerShell\7\;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\adb" /m | Path: C:\Windows\System32\setx.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Setx - Sets environment variables
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\setx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2256 | CMD: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{0d0d5c13-a51b-4d68-8c23-4361c60c5d13} Global\{7e477283-24e1-27a6-57d2-b413d5197523} C:\Windows\System32\DriverStore\Temp\{1c245d6c-7925-063a-a30f-6a2f4376cb57}\android_winusb.inf C:\Windows\System32\DriverStore\Temp\{1c245d6c-7925-063a-a30f-6a2f4376cb57}\androidwinusb86.cat | Path: C:\Windows\System32\rundll32.exe | Parent process: drvinst.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
PID: 2340 | CMD: XCOPY adb\AdbWinUsbApi.dll C:\adb\ /y /q | Path: C:\Windows\System32\xcopy.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
PID: 2624 | CMD: XCOPY adb\adb.exe C:\adb\ /y /q | Path: C:\Windows\System32\xcopy.exe | Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Extended Copy Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\xcopy.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ulib.dll
c:\windows\system32\user32.dll
PID: 2840 | CMD: "C:\Users\admin\AppData\Local\Temp\15 Second ADB Installer v1.5.6.exe" -sfxwaitall:0 "install.bat" | Path: C:\Users\admin\AppData\Local\Temp\15 Second ADB Installer v1.5.6.exe | Parent process: 15 Second ADB Installer v1.5.6.exe
User:
admin
Company:
Snoop05
Integrity Level:
HIGH
Description:
15 seconds ADB Installer
Exit code:
0
Version:
1.4.3
Modules
Images
c:\users\admin\appdata\local\temp\15 second adb installer v1.5.6.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\gdi32.dll
Total events: 15 858
Read events: 15 643
Write events: 212
Delete events: 3

Modification events

Process: 15 Second ADB Installer v1.5.6.exe (PID 3672)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass | Value: 1

Process: 15 Second ADB Installer v1.5.6.exe (PID 3672)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: IntranetName | Value: 1

Process: 15 Second ADB Installer v1.5.6.exe (PID 3672)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 1

Process: 15 Second ADB Installer v1.5.6.exe (PID 3672)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 0

Process: 15 Second ADB Installer v1.5.6.exe (PID 2840)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: ProxyBypass | Value: 1

Process: 15 Second ADB Installer v1.5.6.exe (PID 2840)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: IntranetName | Value: 1

Process: 15 Second ADB Installer v1.5.6.exe (PID 2840)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: UNCAsIntranet | Value: 1

Process: 15 Second ADB Installer v1.5.6.exe (PID 2840)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write | Name: AutoDetect | Value: 0

Process: setx.exe (PID 2232)
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager\Environment
Operation: write | Name: PATH
Value: C:\Program Files\Common Files\Oracle\Java\javapath;C:\ProgramData\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\PowerShell\7\;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\adb

Process: DPInst_x86.exe (PID 2908)
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write | Name: LanguageList | Value: en-US
Executable files: 35
Suspicious files: 13
Text files: 9
Unknown types: 9

Dropped files

Columns: PID | Process | Filename | Type
2852 | 15 Second ADB Installer v1.5.6.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\driver\i386\NOTICE.txt | text
MD5: EA7F2158B930BAF2C0FE799566489716
SHA256: A19B767B9DDDA7306C78232E4A223D0BA966471B74DCE3C0C995307CAB5BF7B7

2852 | 15 Second ADB Installer v1.5.6.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\driver\androidwinusb86.cat | cat
MD5: 76CFE751E17119F352C29F9FCE83D24F
SHA256: 15A39B14E5FA4EC4BBE16632DBB19C7E0159649702BF98F9F77B2ABD7EBCC4DE

2852 | 15 Second ADB Installer v1.5.6.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\adb\mke2fs.conf | text
MD5: 699098CA95F87BA48BB94A3E848549B3
SHA256: AD58A58DCDD24D85055814CA9CAC67DB89D4E67C434E96774BDCE0D0A007D067

2852 | 15 Second ADB Installer v1.5.6.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\driver\i386\winusbcoinstaller2.dll | executable
MD5: 8E7B9F81E8823FEE2D82F7DE3A44300B
SHA256: EBE3B7708DD974EE87EFED3113028D266AF87CA8DBAE77C47C6F7612824D3D6C

2852 | 15 Second ADB Installer v1.5.6.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\adb\NOTICE.txt | text
MD5: 44968B93DCB7403A731E89ED14CAA252
SHA256: 9652A7629CC5115B890759F7AA15A614F39CE7B4B76A5A299768351F2CBD0998

2852 | 15 Second ADB Installer v1.5.6.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\driver\amd64\NOTICE.txt | text
MD5: EA7F2158B930BAF2C0FE799566489716
SHA256: A19B767B9DDDA7306C78232E4A223D0BA966471B74DCE3C0C995307CAB5BF7B7

2852 | 15 Second ADB Installer v1.5.6.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\driver\amd64\WUDFUpdate_01009.dll | executable
MD5: EBF9EE8A7671F3B260ED9B08FCEE0CC5
SHA256: 015F26BBCD619A0B67B5EAA985B69582BAC27D5CBCA99CE747A76532FCDE4AFF

2852 | 15 Second ADB Installer v1.5.6.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\driver\i386\WUDFUpdate_01009.dll | executable
MD5: E1BBE9E3568CF54598E9A8D23697B67E
SHA256: A902BB3BFF785FAAEB6432BE76F798627A80B2CC45441E16440E46E6D7340F2C

2852 | 15 Second ADB Installer v1.5.6.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\driver\DPInst_x64.exe | executable
MD5: 4192A5B905374E423EC1E545599AA86E
SHA256: 567F40A09F1D9E72396296AD194FA7CF48B72361D6E259D6B99DA774C2CD8981

2852 | 15 Second ADB Installer v1.5.6.exe | C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\driver\android_winusb.inf | binary
MD5: BEA78A10D31B64E81D007B4CE0ECD0EE
SHA256: 7984D14AF8EBCE8255448AA728A5436916FCCB36D1814516301F04A7DEA2A666
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | unknown
- | - | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info