| File name: | rufus-3.17.exe |
| Full analysis: | https://app.any.run/tasks/c1d75c12-8259-4ee0-bbf4-99f143d904f2 |
| Verdict: | Malicious activity |
| Analysis date: | November 14, 2023, 17:28:01 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, UPX compressed |
| MD5: | 9AC5F5010CD28ACFD7FB00B4E2FC1310 |
| SHA1: | 4A4501CBD485A1C34E0F667A5767FD2A3554561E |
| SHA256: | 6D362897059DF29D9674112A43E68DBC549BA4C25E7036DD9FAE7C92BFAFDA02 |
| SSDEEP: | 49152:HKcmdm8eU1Oel1yUn8ux4AIj6z9QTiWKIoe02NzKOfiOV3jlU8knMqJHy2qLWE3z:qccm8bl1z8w41ROW/oeBNzK4pzSNy2cR |
MALICIOUS
No malicious indicators.SUSPICIOUS
Executes as Windows Service
- vds.exe (PID: 3608)
Reads the Internet Settings
- rufus-3.17.exe (PID: 2900)
Reads security settings of Internet Explorer
- rufus-3.17.exe (PID: 2900)
Reads settings of System Certificates
- rufus-3.17.exe (PID: 2900)
Checks Windows Trust Settings
- rufus-3.17.exe (PID: 2900)
INFO
Checks supported languages
- rufus-3.17.exe (PID: 2900)
- wmpnscfg.exe (PID: 3732)
Process checks are UAC notifies on
- rufus-3.17.exe (PID: 2900)
Reads the computer name
- rufus-3.17.exe (PID: 2900)
- wmpnscfg.exe (PID: 3732)
Reads the machine GUID from the registry
- rufus-3.17.exe (PID: 2900)
- wmpnscfg.exe (PID: 3732)
Checks proxy server information
- rufus-3.17.exe (PID: 2900)
Manual execution by a user
- wmpnscfg.exe (PID: 3732)
Create files in a temporary directory
- rufus-3.17.exe (PID: 2900)
Creates files or folders in the user directory
- rufus-3.17.exe (PID: 2900)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | UPX compressed Win32 Executable (64.2) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.6) |
| .exe | | | Win32 Executable (generic) (10.6) |
| .exe | | | Generic Win/DOS Executable (4.7) |
| .exe | | | DOS Executable Generic (4.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 0000:00:00 00:00:00 |
| ImageFileCharacteristics: | Executable, No line numbers, No symbols, 32-bit, No debug |
| PEType: | PE32 |
| LinkerVersion: | 2.37 |
| CodeSize: | 1331200 |
| InitializedDataSize: | 45056 |
| UninitializedDataSize: | 2666496 |
| EntryPoint: | 0x3cfe70 |
| OSVersion: | 4 |
| ImageVersion: | 1 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 3.17.1846.0 |
| ProductVersionNumber: | 3.17.1846.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | https://rufus.ie |
| CompanyName: | Akeo Consulting |
| FileDescription: | Rufus |
| FileVersion: | 3.17.1846 |
| InternalName: | Rufus |
| LegalCopyright: | © 2011-2021 Pete Batard (GPL v3) |
| LegalTrademarks: | https://www.gnu.org/licenses/gpl-3.0.html |
| OriginalFileName: | rufus-3.17.exe |
| ProductName: | Rufus |
| ProductVersion: | 3.17.1846 |
Total processes
44
Monitored processes
5
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2900 | "C:\Users\admin\AppData\Local\Temp\rufus-3.17.exe" | C:\Users\admin\AppData\Local\Temp\rufus-3.17.exe | explorer.exe | ||||||||||||
User: admin Company: Akeo Consulting Integrity Level: HIGH Description: Rufus Exit code: 0 Version: 3.17.1846 Modules
| |||||||||||||||
| 3384 | "C:\Users\admin\AppData\Local\Temp\rufus-3.17.exe" | C:\Users\admin\AppData\Local\Temp\rufus-3.17.exe | — | explorer.exe | |||||||||||
User: admin Company: Akeo Consulting Integrity Level: MEDIUM Description: Rufus Exit code: 3221226540 Version: 3.17.1846 Modules
| |||||||||||||||
| 3524 | C:\Windows\System32\vdsldr.exe -Embedding | C:\Windows\System32\vdsldr.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Virtual Disk Service Loader Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3608 | C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Virtual Disk Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3732 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
6 225
Read events
6 158
Write events
36
Delete events
31
Modification events
| (PID) Process: | (2900) rufus-3.17.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2900) rufus-3.17.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DAD5F56A-CABF-4F3D-8E45-3B7BDEF150B7}User |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2900) rufus-3.17.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2900) rufus-3.17.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DAD5F56A-CABF-4F3D-8E45-3B7BDEF150B7}Machine |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2900) rufus-3.17.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DAD5F56A-CABF-4F3D-8E45-3B7BDEF150B7}Machine\Software |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2900) rufus-3.17.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DAD5F56A-CABF-4F3D-8E45-3B7BDEF150B7}Machine\Software\Microsoft |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2900) rufus-3.17.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DAD5F56A-CABF-4F3D-8E45-3B7BDEF150B7}Machine\Software\Microsoft\Windows |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2900) rufus-3.17.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DAD5F56A-CABF-4F3D-8E45-3B7BDEF150B7}Machine\Software\Microsoft\Windows\CurrentVersion |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2900) rufus-3.17.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DAD5F56A-CABF-4F3D-8E45-3B7BDEF150B7}Machine\Software\Microsoft\Windows\CurrentVersion\Policies |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (2900) rufus-3.17.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{DAD5F56A-CABF-4F3D-8E45-3B7BDEF150B7}Machine\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
0
Suspicious files
15
Text files
3
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2900 | rufus-3.17.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed | |
MD5:1BFE591A4FE3D91B03CDF26EAACD8F89 | SHA256:9CF94355051BF0F4A45724CA20D1CC02F76371B963AB7D1E38BD8997737B13D8 | |||
| 2900 | rufus-3.17.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | |
MD5:F3441B8572AAE8801C04F3060B550443 | SHA256:6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF | |||
| 2900 | rufus-3.17.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:2EC79F54F6923AC9BFDF6CB5898E0F95 | SHA256:742E572869390ABE37A537C1866327BF3D00EB277CA8DCFF2E5CFD461B99E4E9 | |||
| 2900 | rufus-3.17.exe | C:\Users\admin\AppData\Local\Temp\CabA2ED.tmp | compressed | |
MD5:F3441B8572AAE8801C04F3060B550443 | SHA256:6720349E7D82EE0A8E73920D3C2B7CB2912D9FCF2EDB6FD98F2F12820158B0BF | |||
| 2900 | rufus-3.17.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | binary | |
MD5:60FE01DF86BE2E5331B0CDBE86165686 | SHA256:C08CCBC876CD5A7CDFA9670F9637DA57F6A1282198A9BC71FC7D7247A6E5B7A8 | |||
| 2900 | rufus-3.17.exe | C:\Users\admin\AppData\Local\Temp\TarA2EE.tmp | binary | |
MD5:9441737383D21192400ECA82FDA910EC | SHA256:BC3A6E84E41FAEB57E7C21AA3B60C2A64777107009727C5B7C0ED8FE658909E5 | |||
| 2900 | rufus-3.17.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary | |
MD5:BBCC0AC60B6DA54A1EEB6585CD043497 | SHA256:C535CE401C1E3FD1410F223F47613BB837A0AA02A7E8AEE61CAF4FA2D2F8264F | |||
| 2900 | rufus-3.17.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\Fido[1].ver | text | |
MD5:6BE5D6E394B7267CC28953EB119E446C | SHA256:7F0DF8811088425117A0490671466482173A44E4139B55D36CEA938E47585569 | |||
| 2900 | rufus-3.17.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary | |
MD5:A9CA3E781CD25420BA21EF1A0959ADD1 | SHA256:F235A3CFFC0FE8551427608799715C6A5524F4F3E500FD4410073B464A2941E2 | |||
| 2900 | rufus-3.17.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565 | binary | |
MD5:8E0BF4250779A2AE597DBBC760A363B4 | SHA256:ACEE9B5D3939A261CBE7470DEE9D97120590F95F8C61E7AC8CC7C2E0B59EF554 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
11
DNS requests
8
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2900 | rufus-3.17.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7f96611aa9b087f3 | unknown | compressed | 61.6 Kb | unknown |
2900 | rufus-3.17.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAfy81yHqHeveu%2FpR5k1Jb0%3D | unknown | binary | 471 b | unknown |
2900 | rufus-3.17.exe | GET | 200 | 23.37.41.57:80 | http://x1.c.lencr.org/ | unknown | binary | 717 b | unknown |
2900 | rufus-3.17.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | unknown | binary | 471 b | unknown |
2900 | rufus-3.17.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrHR6YzPN2BNbByL0VoiTIBBMAOAQUCrwIKReMpTlteg7OM8cus%2B37w3oCEAzQqL7GMs%2FmReygqbCE%2Bxw%3D | unknown | binary | 313 b | unknown |
2900 | rufus-3.17.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?050d188601a18548 | unknown | compressed | 4.66 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
2900 | rufus-3.17.exe | 185.199.108.153:443 | rufus.ie | FASTLY | US | shared |
2900 | rufus-3.17.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted |
2900 | rufus-3.17.exe | 23.37.41.57:80 | x1.c.lencr.org | AKAMAI-AS | DE | unknown |
2900 | rufus-3.17.exe | 140.82.121.4:443 | github.com | GITHUB | US | unknown |
2900 | rufus-3.17.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
2900 | rufus-3.17.exe | 185.199.111.133:443 | objects.githubusercontent.com | FASTLY | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
rufus.ie |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
x1.c.lencr.org |
| whitelisted |
github.com |
| shared |
ocsp.digicert.com |
| whitelisted |
objects.githubusercontent.com |
| shared |
dns.msftncsi.com |
| shared |
Threats
Process | Message |
|---|---|
rufus-3.17.exe | *** Rufus init ***
|
rufus-3.17.exe | Binary executable is signed by 'Akeo Consulting'
|
rufus-3.17.exe | Will use settings from registry
|
rufus-3.17.exe | localization: extracted data to 'C:\Users\admin\AppData\Local\Temp\Ruf7033.tmp'
|
rufus-3.17.exe | loc file not found in current directory - embedded one will be used
|
rufus-3.17.exe | embedded.loc(408): the version of this translation is older than the base one and may result in some messages not being properly translated.
If you are the translator, please update your translation with the changes that intervened between v3.5 and v3.14.
See https://github.com/pbatard/rufus/blob/master/res/loc/ChangeLog.txt
|
rufus-3.17.exe | localization: found locale 'en-US'
|
rufus-3.17.exe | embedded.loc(762): the version of this translation is older than the base one and may result in some messages not being properly translated.
If you are the translator, please update your translation with the changes that intervened between v3.5 and v3.14.
See https://github.com/pbatard/rufus/blob/master/res/loc/ChangeLog.txt
|
rufus-3.17.exe | localization: found locale 'ar-SA'
|
rufus-3.17.exe | localization: found locale 'bg-BG'
|