| download: | /autoit3/files/archive/autoit/autoit-v3.3.8.1-setup.exe |
| Full analysis: | https://app.any.run/tasks/5ae21e55-792c-45ad-a4f4-a67aa91aa04c |
| Verdict: | Malicious activity |
| Analysis date: | November 14, 2023, 06:05:29 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
| MD5: | 1E996BE9F8D39C37C1BA2BB54C30976F |
| SHA1: | 16ACFF6ABD348E87111CD64674F06F13C8165291 |
| SHA256: | 75C6A9843181FB4AF33612E98AC214F5E61F3FD4B77FB611908A1DCD19027E16 |
| SSDEEP: | 98304:ybes/M6GaHLdbgt8LjdIh9/jPOf71GTnEXedkGDdy6/sC+hxqSa8DRSYiyQ2TvE3:5q3njXt17sYywDx4jXn |
MALICIOUS
Drops the executable file immediately after the start
- autoit-v3.3.8.1-setup.exe (PID: 3408)
SUSPICIOUS
Malware-specific behavior (creating "System.dll" in Temp)
- autoit-v3.3.8.1-setup.exe (PID: 3408)
The process creates files with name similar to system file names
- autoit-v3.3.8.1-setup.exe (PID: 3408)
Drops the AutoIt3 executable file
- autoit-v3.3.8.1-setup.exe (PID: 3408)
Reads the Internet Settings
- AutoIt3.exe (PID: 1644)
INFO
Checks supported languages
- wmpnscfg.exe (PID: 3436)
- autoit-v3.3.8.1-setup.exe (PID: 3408)
- wmpnscfg.exe (PID: 1880)
- AutoIt3.exe (PID: 1644)
Manual execution by a user
- AutoIt3.exe (PID: 1644)
- wmpnscfg.exe (PID: 1880)
- chrome.exe (PID: 3644)
- explorer.exe (PID: 2176)
Reads the computer name
- autoit-v3.3.8.1-setup.exe (PID: 3408)
- wmpnscfg.exe (PID: 3436)
- wmpnscfg.exe (PID: 1880)
- AutoIt3.exe (PID: 1644)
Create files in a temporary directory
- autoit-v3.3.8.1-setup.exe (PID: 3408)
Creates files in the program directory
- autoit-v3.3.8.1-setup.exe (PID: 3408)
Reads the machine GUID from the registry
- wmpnscfg.exe (PID: 3436)
- wmpnscfg.exe (PID: 1880)
- AutoIt3.exe (PID: 1644)
Application launched itself
- chrome.exe (PID: 3644)
The process uses the downloaded file
- chrome.exe (PID: 2332)
- chrome.exe (PID: 2740)
Reads mouse settings
- AutoIt3.exe (PID: 1644)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | NSIS - Nullsoft Scriptable Install System (94.8) |
|---|---|---|
| .exe | | | Win32 Executable MS Visual C++ (generic) (3.4) |
| .dll | | | Win32 Dynamic Link Library (generic) (0.7) |
| .exe | | | Win32 Executable (generic) (0.5) |
| .exe | | | Generic Win/DOS Executable (0.2) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2009:12:05 23:50:46+01:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 23552 |
| InitializedDataSize: | 119808 |
| UninitializedDataSize: | 1024 |
| EntryPoint: | 0x323c |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 3.3.8.1 |
| ProductVersionNumber: | 3.3.8.1 |
| FileFlagsMask: | 0x0000 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | AutoIt Team |
| FileDescription: | AutoIt v3 Setup |
| FileVersion: | 3.3.8.1 |
| LegalCopyright: | (c)1999-2011 Jonathan Bennett & AutoIt Team |
Total processes
71
Monitored processes
21
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 284 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3620 --field-trial-handle=1132,i,3274891045038888066,12706454668733843490,131072 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 1592 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3724 --field-trial-handle=1132,i,3274891045038888066,12706454668733843490,131072 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 1644 | "C:\Program Files\AutoIt3\AutoIt3.exe" | C:\Program Files\AutoIt3\AutoIt3.exe | — | explorer.exe | |||||||||||
User: admin Company: AutoIt Team Integrity Level: MEDIUM Description: AutoIt v3 Script Exit code: 0 Version: 3, 3, 8, 1 Modules
| |||||||||||||||
| 1816 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1408 --field-trial-handle=1132,i,3274891045038888066,12706454668733843490,131072 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 1880 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2076 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3944 --field-trial-handle=1132,i,3274891045038888066,12706454668733843490,131072 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 2176 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2332 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3676 --field-trial-handle=1132,i,3274891045038888066,12706454668733843490,131072 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 2368 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1472 --field-trial-handle=1132,i,3274891045038888066,12706454668733843490,131072 /prefetch:2 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
| 2740 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3708 --field-trial-handle=1132,i,3274891045038888066,12706454668733843490,131072 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 109.0.5414.120 Modules
| |||||||||||||||
Total events
5 435
Read events
5 312
Write events
116
Delete events
7
Modification events
| (PID) Process: | (3436) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{D7D2FD36-B10B-4535-A09E-410BBE9CEFB4}\{857FCC3A-07A8-40A3-BF81-F5A324CC6E41} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3436) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{D7D2FD36-B10B-4535-A09E-410BBE9CEFB4} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3436) wmpnscfg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{CF6B7DA6-DD6D-4944-A393-9639369FCADE} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3408) autoit-v3.3.8.1-setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | GlobalAssocChangedCounter |
Value: 115 | |||
| (PID) Process: | (3644) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (3644) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (3644) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty |
| Operation: | write | Name: | StatusCodes |
Value: 01000000 | |||
| (PID) Process: | (3644) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (3644) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} |
| Operation: | write | Name: | dr |
Value: 1 | |||
| (PID) Process: | (3644) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\StabilityMetrics |
| Operation: | write | Name: | user_experience_metrics.stability.exited_cleanly |
Value: 1 | |||
Executable files
25
Suspicious files
93
Text files
2 413
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3408 | autoit-v3.3.8.1-setup.exe | C:\Program Files\AutoIt3\Include\AVIConstants.au3 | text | |
MD5:7135945FFD72D3BAAD04008437B8C68A | SHA256:26898784FC64FFF5FB3D38E1B28A7731F103DD246F495BEB8E3B8672274E8668 | |||
| 3408 | autoit-v3.3.8.1-setup.exe | C:\Users\admin\AppData\Local\Temp\nsn7277.tmp\ioPreviousVersion.ini | text | |
MD5:FF219ED56817980A677677EC5DE519E5 | SHA256:D75D8B0F7B5BEC3D339E47182EEBCD5E09AA4C7A08EFAC811291689022D54ECC | |||
| 3408 | autoit-v3.3.8.1-setup.exe | C:\Program Files\AutoIt3\AutoIt3_x64.exe | executable | |
MD5:90AEDD02AB718D20CC35B7397F1E0B1A | SHA256:FCB13367DB5B3CCCE3DC9DFEEEDB4F5FF827E3A6987FD74C643B21D8416698F3 | |||
| 3408 | autoit-v3.3.8.1-setup.exe | C:\Users\admin\AppData\Local\Temp\nsn7277.tmp\ioX64Options.ini | text | |
MD5:C238939BF051A3D9542DC36DBEFA3199 | SHA256:2152F24F0CAB3B51498A78B61C19465B1D98E4F63F3F2B3F193F559CAEC7FF6A | |||
| 3408 | autoit-v3.3.8.1-setup.exe | C:\Users\admin\AppData\Local\Temp\nsn7277.tmp\UserInfo.dll | executable | |
MD5:7579ADE7AE1747A31960A228CE02E666 | SHA256:564C80DEC62D76C53497C40094DB360FF8A36E0DC1BDA8383D0F9583138997F5 | |||
| 3408 | autoit-v3.3.8.1-setup.exe | C:\Users\admin\AppData\Local\Temp\nsn7277.tmp\System.dll | executable | |
MD5:C17103AE9072A06DA581DEC998343FC1 | SHA256:DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F | |||
| 3408 | autoit-v3.3.8.1-setup.exe | C:\Users\admin\AppData\Local\Temp\nsn7277.tmp\modern-header.bmp | image | |
MD5:940C56737BF9BB69CE7A31C623D4E87A | SHA256:766A893FE962AEFD27C574CB05F25CF895D3FC70A00DB5A6FA73D573F571AEFC | |||
| 3408 | autoit-v3.3.8.1-setup.exe | C:\Program Files\AutoIt3\Au3Info_x64.exe | executable | |
MD5:8702B5AB954F58119B0DC4F7F72EC0AE | SHA256:ECFF0F2608A97EDE9FAD4AF8B97014B00555B22F1D4042385B7B9C5A6B7BD2AF | |||
| 3408 | autoit-v3.3.8.1-setup.exe | C:\Users\admin\AppData\Local\Temp\nsn7277.tmp\modern-wizard.bmp | image | |
MD5:D8D0517877A90004F35EE7A3354E54E8 | SHA256:EB6ED6051CAE9755D0793EB659C95E470E21C7D3AA067609E27340F8C0F073AE | |||
| 3408 | autoit-v3.3.8.1-setup.exe | C:\Program Files\AutoIt3\AutoIt3Help.exe | executable | |
MD5:44A8CE3A7776A981ACDDEAB600CCD559 | SHA256:2674A89E37FEA6CC2ABAE68D249A178AB2C167B26888A5B2991281FFFF6EF0E7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
14
DNS requests
10
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
3644 | chrome.exe | 239.255.255.250:1900 | — | — | — | unknown |
3744 | chrome.exe | 142.250.185.195:443 | clientservices.googleapis.com | GOOGLE | US | unknown |
3744 | chrome.exe | 142.250.184.205:443 | accounts.google.com | GOOGLE | US | unknown |
3744 | chrome.exe | 142.250.181.228:443 | www.google.com | GOOGLE | US | unknown |
3644 | chrome.exe | 224.0.0.251:5353 | — | — | — | unknown |
3744 | chrome.exe | 172.217.16.202:443 | optimizationguide-pa.googleapis.com | — | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
clientservices.googleapis.com |
| unknown |
accounts.google.com |
| unknown |
www.google.com |
| unknown |
update.googleapis.com |
| unknown |
optimizationguide-pa.googleapis.com |
| unknown |