| File name: | 1tv.exe |
| Full analysis: | https://app.any.run/tasks/ab6859b4-88f0-4d3f-9ce3-46489406e8c2 |
| Verdict: | Malicious activity |
| Analysis date: | May 15, 2024, 13:21:02 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 22537B9FA99F827C065121D45C19DD20 |
| SHA1: | CDE009ABFB08F56AADB21B0BF52A87DB1D0863DC |
| SHA256: | 6F77293636E77289F03D7CE172299A54AF46B3E671189BF09050E9B4957F509E |
| SSDEEP: | 49152:+7HecD4dnbibBlYq3cXfjsbmLApne0Fop4R2uXB3iyLT/ex4XrL7P42DpJXWZn8B:m+cD4dnZPIkWnXFopLQ3iUrex4vkY7mu |
MALICIOUS
Drops the executable file immediately after the start
- 1tv.exe (PID: 1064)
- 1tv.exe (PID: 3972)
- 1tv.tmp (PID: 112)
- powershell.exe (PID: 728)
Bypass execution policy to execute commands
- powershell.exe (PID: 728)
- powershell.exe (PID: 1792)
Run PowerShell with an invisible window
- powershell.exe (PID: 728)
- powershell.exe (PID: 1792)
Changes powershell execution policy (Bypass)
- cmd.exe (PID: 308)
- cmd.exe (PID: 1944)
SUSPICIOUS
Executable content was dropped or overwritten
- 1tv.exe (PID: 1064)
- 1tv.exe (PID: 3972)
- 1tv.tmp (PID: 112)
- powershell.exe (PID: 728)
Reads the Windows owner or organization settings
- 1tv.tmp (PID: 112)
Starts CMD.EXE for commands execution
- DesktopApp.exe (PID: 1112)
- DesktopApp.exe (PID: 2052)
Writes data into a file (POWERSHELL)
- powershell.exe (PID: 728)
- powershell.exe (PID: 1792)
The process executes Powershell scripts
- cmd.exe (PID: 308)
- cmd.exe (PID: 1944)
Likely accesses (executes) a file from the Public directory
- powershell.exe (PID: 728)
- cmd.exe (PID: 308)
- powershell.exe (PID: 1792)
- cmd.exe (PID: 1944)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 308)
- cmd.exe (PID: 1944)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 728)
- powershell.exe (PID: 1792)
Reads the Internet Settings
- powershell.exe (PID: 728)
- powershell.exe (PID: 1792)
INFO
Create files in a temporary directory
- 1tv.exe (PID: 3972)
- 1tv.exe (PID: 1064)
Checks supported languages
- 1tv.exe (PID: 3972)
- 1tv.tmp (PID: 3988)
- 1tv.exe (PID: 1064)
- 1tv.tmp (PID: 112)
- DesktopApp.exe (PID: 1112)
- DesktopApp.exe (PID: 2052)
Reads the computer name
- 1tv.tmp (PID: 3988)
- 1tv.tmp (PID: 112)
- DesktopApp.exe (PID: 1112)
- DesktopApp.exe (PID: 2052)
Creates files in the program directory
- 1tv.tmp (PID: 112)
Creates a software uninstall entry
- 1tv.tmp (PID: 112)
Gets data length (POWERSHELL)
- powershell.exe (PID: 728)
- powershell.exe (PID: 1792)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 728)
- powershell.exe (PID: 1792)
Manual execution by a user
- DesktopApp.exe (PID: 2052)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (53.5) |
|---|---|---|
| .exe | | | InstallShield setup (21) |
| .exe | | | Win32 EXE PECompact compressed (generic) (20.2) |
| .exe | | | Win32 Executable (generic) (2.1) |
| .exe | | | Win16/32 Executable Delphi generic (1) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:02:15 14:54:16+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 741888 |
| InitializedDataSize: | 89600 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xb5eec |
| OSVersion: | 6.1 |
| ImageVersion: | 6 |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | 1TV Armenia |
| FileDescription: | 1TV Armenia Setup |
| FileVersion: | |
| LegalCopyright: | |
| OriginalFileName: | |
| ProductName: | 1TV Armenia |
| ProductVersion: | 0.1 |
Total processes
50
Monitored processes
10
Malicious processes
4
Suspicious processes
6
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 112 | "C:\Users\admin\AppData\Local\Temp\is-DHMPL.tmp\1tv.tmp" /SL5="$50130,843248,832512,C:\Users\admin\Desktop\1tv.exe" /SPAWNWND=$2013E /NOTIFYWND=$20138 /ALLUSERS | C:\Users\admin\AppData\Local\Temp\is-DHMPL.tmp\1tv.tmp | 1tv.exe | ||||||||||||
User: admin Company: 1TV Armenia Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 308 | "cmd.exe" /c start /min "" powershell -WindowStyle Hidden -ep Bypass -File C:\Users\Public\Downloads\updater.ps1 | C:\Windows\System32\cmd.exe | — | DesktopApp.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 728 | powershell -WindowStyle Hidden -ep Bypass -File C:\Users\Public\Downloads\updater.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 1064 | "C:\Users\admin\Desktop\1tv.exe" /SPAWNWND=$2013E /NOTIFYWND=$20138 /ALLUSERS | C:\Users\admin\Desktop\1tv.exe | 1tv.tmp | ||||||||||||
User: admin Company: 1TV Armenia Integrity Level: HIGH Description: 1TV Armenia Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 1112 | "C:\Program Files\1TV Armenia\DesktopApp.exe" | C:\Program Files\1TV Armenia\DesktopApp.exe | — | 1tv.tmp | |||||||||||
User: admin Integrity Level: MEDIUM Description: DesktopApp Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 1792 | powershell -WindowStyle Hidden -ep Bypass -File C:\Users\Public\Downloads\updater.ps1 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.14409.1005 (rs1_srvoob.161208-1155) Modules
| |||||||||||||||
| 1944 | "cmd.exe" /c start /min "" powershell -WindowStyle Hidden -ep Bypass -File C:\Users\Public\Downloads\updater.ps1 | C:\Windows\System32\cmd.exe | — | DesktopApp.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2052 | "C:\Program Files\1TV Armenia\DesktopApp.exe" | C:\Program Files\1TV Armenia\DesktopApp.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: DesktopApp Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
| 3972 | "C:\Users\admin\Desktop\1tv.exe" | C:\Users\admin\Desktop\1tv.exe | explorer.exe | ||||||||||||
User: admin Company: 1TV Armenia Integrity Level: MEDIUM Description: 1TV Armenia Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 3988 | "C:\Users\admin\AppData\Local\Temp\is-5EM7K.tmp\1tv.tmp" /SL5="$20138,843248,832512,C:\Users\admin\Desktop\1tv.exe" | C:\Users\admin\AppData\Local\Temp\is-5EM7K.tmp\1tv.tmp | — | 1tv.exe | |||||||||||
User: admin Company: 1TV Armenia Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
Total events
9 672
Read events
9 513
Write events
153
Delete events
6
Modification events
| (PID) Process: | (112) 1tv.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Owner |
Value: 700000006AB468C6CAA6DA01 | |||
| (PID) Process: | (112) 1tv.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | SessionHash |
Value: 65546969EF06046B9A6E51563944C0DCA137CBD998B1D7CBA2A073ADED3858CD | |||
| (PID) Process: | (112) 1tv.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (112) 1tv.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFiles0000 |
Value: C:\Program Files\1TV Armenia\DesktopApp.exe | |||
| (PID) Process: | (112) 1tv.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFilesHash |
Value: BD8ED2FF89A8AABBEAD385A5B4F45DB5E18358F926A1D18999AA2956A95AFC4C | |||
| (PID) Process: | (112) 1tv.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{68EC1A0A-2574-42E6-AD9B-4B35249023E3}_is1 |
| Operation: | write | Name: | Inno Setup: Setup Version |
Value: 6.2.2 | |||
| (PID) Process: | (112) 1tv.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{68EC1A0A-2574-42E6-AD9B-4B35249023E3}_is1 |
| Operation: | write | Name: | Inno Setup: App Path |
Value: C:\Program Files\1TV Armenia | |||
| (PID) Process: | (112) 1tv.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{68EC1A0A-2574-42E6-AD9B-4B35249023E3}_is1 |
| Operation: | write | Name: | InstallLocation |
Value: C:\Program Files\1TV Armenia\ | |||
| (PID) Process: | (112) 1tv.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{68EC1A0A-2574-42E6-AD9B-4B35249023E3}_is1 |
| Operation: | write | Name: | Inno Setup: Icon Group |
Value: (Default) | |||
| (PID) Process: | (112) 1tv.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{68EC1A0A-2574-42E6-AD9B-4B35249023E3}_is1 |
| Operation: | write | Name: | Inno Setup: User |
Value: admin | |||
Executable files
5
Suspicious files
12
Text files
1
Unknown types
1
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 112 | 1tv.tmp | C:\Program Files\1TV Armenia\is-6IVPO.tmp | — | |
MD5:— | SHA256:— | |||
| 112 | 1tv.tmp | C:\Program Files\1TV Armenia\DesktopApp.exe | — | |
MD5:— | SHA256:— | |||
| 728 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | — | |
MD5:— | SHA256:— | |||
| 112 | 1tv.tmp | C:\Program Files\1TV Armenia\unins000.dat | dat | |
MD5:5EEF484AFA00A38D389B6147DF2ED6ED | SHA256:67182921CE5877A017398D7637E8238A433600BE70AA90B1B2CF0E37D9228FE3 | |||
| 1064 | 1tv.exe | C:\Users\admin\AppData\Local\Temp\is-DHMPL.tmp\1tv.tmp | executable | |
MD5:9AF23504E36377F03C87C5C0AE66D2FF | SHA256:5E5C7042FCA0D2BB26B5658C24D461A819621D3B2BCCFC5098D4F25CDF78F987 | |||
| 112 | 1tv.tmp | C:\Program Files\1TV Armenia\unins000.exe | executable | |
MD5:1D61E58CF5EEA8901FE438DEB5775D1D | SHA256:F0A6ECE39EA0514E598ADF23A9CCD6BBEC98457A0471A722A3F4BAD70EF1DBC9 | |||
| 112 | 1tv.tmp | C:\Program Files\1TV Armenia\is-3E640.tmp | executable | |
MD5:CB102843884C22B910C6DD65064BF439 | SHA256:6F28BBD26BF2BD5A55589F76E959CF4CF776B905547610E3465B707D5AF952F2 | |||
| 728 | powershell.exe | C:\Users\admin\AppData\Local\Temp\khgixwk5.wkv.ps1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
| 112 | 1tv.tmp | C:\Users\Public\Desktop\1TV Armenia.lnk | lnk | |
MD5:3A9319BA3D141FF88D4F451B9709A9CA | SHA256:88050153AAEDF01A559FB251D67F3E4B7E299F4D22E9D9F27DF8460E7ACE734F | |||
| 728 | powershell.exe | C:\Users\admin\AppData\Local\Temp\l3t5sjpd.kcu.psm1 | binary | |
MD5:C4CA4238A0B923820DCC509A6F75849B | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |