| File name: | SetupRw.exe |
| Full analysis: | https://app.any.run/tasks/30ffa082-53e2-4885-8dfe-d69900f35dad |
| Verdict: | Malicious activity |
| Analysis date: | October 05, 2023, 06:46:58 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 280E48B2E813E98E87510C7AA6ECFD1A |
| SHA1: | 8785407204EB19FE73D9A1FD23C4EC50F3ECDB31 |
| SHA256: | 70422F692546467050A22530E527EFCC98B6CDD8B0A60A2BE2C594F5A7F6AADF |
| SSDEEP: | 49152:krmvgkXXkU53VcngiN76dwFZeRHEYJKGcwS/Qcdh077QQlioO:6Ckao762FQR5KGmXdh07UFB |
MALICIOUS
Drops the executable file immediately after the start
- SetupRw.exe (PID: 1924)
- SetupRw.exe (PID: 1648)
- SetupRw.tmp (PID: 3288)
- Rw.exe (PID: 3824)
Application was dropped or rewritten from another process
- Rw.exe (PID: 3824)
Creates a writable file the system directory
- Rw.exe (PID: 3824)
SUSPICIOUS
Reads the Windows owner or organization settings
- SetupRw.tmp (PID: 3288)
Creates files in the driver directory
- Rw.exe (PID: 3824)
Drops a system driver (possible attempt to evade defenses)
- Rw.exe (PID: 3824)
INFO
Create files in a temporary directory
- SetupRw.exe (PID: 1648)
- SetupRw.exe (PID: 1924)
Checks supported languages
- SetupRw.exe (PID: 1648)
- SetupRw.tmp (PID: 1768)
- SetupRw.exe (PID: 1924)
- SetupRw.tmp (PID: 3288)
- Rw.exe (PID: 3824)
- wmpnscfg.exe (PID: 1692)
Reads the computer name
- SetupRw.tmp (PID: 1768)
- SetupRw.tmp (PID: 3288)
- Rw.exe (PID: 3824)
- wmpnscfg.exe (PID: 1692)
Application was dropped or rewritten from another process
- SetupRw.tmp (PID: 1768)
- SetupRw.tmp (PID: 3288)
Creates files in the program directory
- SetupRw.tmp (PID: 3288)
Reads the machine GUID from the registry
- wmpnscfg.exe (PID: 1692)
Manual execution by a user
- wmpnscfg.exe (PID: 1692)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable Delphi generic (45.2) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (20.9) |
| .exe | | | Win32 Executable (generic) (14.3) |
| .exe | | | Win16/32 Executable Delphi generic (6.6) |
| .exe | | | Generic Win/DOS Executable (6.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2016:04:06 16:39:04+02:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 66560 |
| InitializedDataSize: | 52224 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x117dc |
| OSVersion: | 5 |
| ImageVersion: | 6 |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | |
| FileDescription: | RW-Everything Setup |
| FileVersion: | |
| LegalCopyright: | |
| ProductName: | RW-Everything |
| ProductVersion: |
Total processes
43
Monitored processes
6
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1648 | "C:\Users\admin\AppData\Local\Temp\SetupRw.exe" | C:\Users\admin\AppData\Local\Temp\SetupRw.exe | — | explorer.exe | |||||||||||
User: admin Company: Integrity Level: MEDIUM Description: RW-Everything Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 1692 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1768 | "C:\Users\admin\AppData\Local\Temp\is-OG96P.tmp\SetupRw.tmp" /SL5="$F00FA,1928587,119808,C:\Users\admin\AppData\Local\Temp\SetupRw.exe" | C:\Users\admin\AppData\Local\Temp\is-OG96P.tmp\SetupRw.tmp | — | SetupRw.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 1924 | "C:\Users\admin\AppData\Local\Temp\SetupRw.exe" /SPAWNWND=$90216 /NOTIFYWND=$F00FA | C:\Users\admin\AppData\Local\Temp\SetupRw.exe | SetupRw.tmp | ||||||||||||
User: admin Company: Integrity Level: HIGH Description: RW-Everything Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 3288 | "C:\Users\admin\AppData\Local\Temp\is-R11RN.tmp\SetupRw.tmp" /SL5="$90194,1928587,119808,C:\Users\admin\AppData\Local\Temp\SetupRw.exe" /SPAWNWND=$90216 /NOTIFYWND=$F00FA | C:\Users\admin\AppData\Local\Temp\is-R11RN.tmp\SetupRw.tmp | — | SetupRw.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 3824 | "C:\Program Files\RW-Everything\Rw.exe" | C:\Program Files\RW-Everything\Rw.exe | — | SetupRw.tmp | |||||||||||
User: admin Integrity Level: HIGH Description: RW - Read & Write Exit code: 0 Version: 1.7.0.0 Modules
| |||||||||||||||
Total events
1 133
Read events
1 122
Write events
0
Delete events
11
Modification events
| (PID) Process: | (3288) SetupRw.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | RegFilesHash |
Value: 113394A88E8E84ACFA22A574C449F04FF78877451864767601DB86C15CC0E43D | |||
| (PID) Process: | (3288) SetupRw.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | RegFiles0000 |
Value: C:\Program Files\RW-Everything\Rw.exe | |||
| (PID) Process: | (3288) SetupRw.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (3288) SetupRw.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | SessionHash |
Value: B03A7C8DCB4C53EB54F55EB010D16D521F74677C08778508078705E9EA81B26C | |||
| (PID) Process: | (3288) SetupRw.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | Owner |
Value: D80C000086752BC257F7D901 | |||
| (PID) Process: | (3288) SetupRw.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1692) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{97B07676-E431-4E50-9033-F625FDF994E5}\{F49BD7E5-51B0-4B4D-898D-3D77E58FC4FD} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1692) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{EB696381-214E-4528-9BF9-802266217465}\{F49BD7E5-51B0-4B4D-898D-3D77E58FC4FD} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1692) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{EB696381-214E-4528-9BF9-802266217465} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1692) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{97B07676-E431-4E50-9033-F625FDF994E5} |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
11
Suspicious files
11
Text files
16
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3288 | SetupRw.tmp | C:\Program Files\RW-Everything\is-36E4S.tmp | executable | |
MD5:3A165498ED2BC12F86EB064AB3204AC3 | SHA256:D630E60C655600B1BCB9B5D8979DF699AE6B4909F628AFB7229F6B466C78E5C2 | |||
| 3288 | SetupRw.tmp | C:\Program Files\RW-Everything\is-LNGTT.tmp | binary | |
MD5:5AEF9916B2550066FF7260206D0C0443 | SHA256:192D6E119C68FB57FD64FE784D53351DA4EA1FB5DF787CC4D3D23748F2DCB65E | |||
| 1648 | SetupRw.exe | C:\Users\admin\AppData\Local\Temp\is-OG96P.tmp\SetupRw.tmp | executable | |
MD5:74713FC3E9983C6E148C083599177E66 | SHA256:6E8A32BAFB0B2099074FD092CC6B326BD4EE4C0DFDE10BDFFFD5CD84FC687497 | |||
| 3288 | SetupRw.tmp | C:\Program Files\RW-Everything\RwWeb.url | binary | |
MD5:9B058DEDC568BB200A6575AE3C37EA06 | SHA256:742B170B125576BA684C63780F09BE48F9DDAFC049E528392D8E0DD124407F5A | |||
| 3288 | SetupRw.tmp | C:\Program Files\RW-Everything\is-TSLHG.tmp | text | |
MD5:25C88D23BECF0F969AC589F6E2D3CE83 | SHA256:6D959FBE7E2CCAC42C1A009DA4A765C1BCE16C2D10C19F781DF8F03B6A350475 | |||
| 3288 | SetupRw.tmp | C:\Program Files\RW-Everything\ATAPI.IRW | text | |
MD5:429103370648C9AEF84E43E11FADE466 | SHA256:09A41416CA90BD244B439B7370183AB4602DE7F3DC7B0988C344FA8630ECB4AF | |||
| 3288 | SetupRw.tmp | C:\Program Files\RW-Everything\is-C3RAL.tmp | binary | |
MD5:9B058DEDC568BB200A6575AE3C37EA06 | SHA256:742B170B125576BA684C63780F09BE48F9DDAFC049E528392D8E0DD124407F5A | |||
| 3288 | SetupRw.tmp | C:\Program Files\RW-Everything\ATA.IRW | text | |
MD5:37890378927552FADDF560A8F9F55B3B | SHA256:51B3A89C458E6061FE331C7BE59C3EEC3A1A25A899390B4B88A2A5132C4E7C71 | |||
| 3288 | SetupRw.tmp | C:\Program Files\RW-Everything\is-MJ2FH.tmp | text | |
MD5:8F386AFE7679DB40DC20169D5C25E61F | SHA256:0814C9E571FBBD6CD8457670A05F42AF802FFECDBA88DFAF3D6CAA984C50F0CB | |||
| 3288 | SetupRw.tmp | C:\Program Files\RW-Everything\DDR2SPD.IRW | text | |
MD5:8F386AFE7679DB40DC20169D5C25E61F | SHA256:0814C9E571FBBD6CD8457670A05F42AF802FFECDBA88DFAF3D6CAA984C50F0CB | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2656 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |