File name:

utweb_installer.exe

Full analysis: https://app.any.run/tasks/385f3a97-648e-43bc-ab8d-3085bd049374
Verdict: Malicious activity
Analysis date: November 09, 2023, 07:23:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

A3B2C14B71BB72E7E804FCA38B61861A

SHA1:

2891E16969876A3747651EDBE0E42C4034B976A6

SHA256:

7800FDB59B95BD007674A3AA5721070998C0B6F9DF3FA3C4B94B3A8D9C758656

SSDEEP:

49152:S7HecD4dnbibBl03FNjjG43W02r+TotQslUsBZ3Udo1k/pNf+EMLwbeOJmWN5U/E:i+cD4dnhNjpq6ToislNB2dlp9alS5U/+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • utweb_installer.exe (PID: 3448)
      • utweb_installer.exe (PID: 3480)
      • utweb_installer.tmp (PID: 3512)

  • SUSPICIOUS

    • Reads the Windows owner or organization settings

      • utweb_installer.tmp (PID: 3512)

    • Reads settings of System Certificates

      • utweb_installer.tmp (PID: 3512)

  • INFO

    • Create files in a temporary directory

      • utweb_installer.exe (PID: 3480)
      • utweb_installer.exe (PID: 3448)
      • utweb_installer.tmp (PID: 3512)

    • Checks supported languages

      • utweb_installer.tmp (PID: 3156)
      • utweb_installer.exe (PID: 3448)
      • utweb_installer.tmp (PID: 3512)
      • utweb_installer.exe (PID: 3480)
      • wmpnscfg.exe (PID: 3424)

    • Reads the computer name

      • utweb_installer.tmp (PID: 3156)
      • utweb_installer.tmp (PID: 3512)
      • wmpnscfg.exe (PID: 3424)

    • Reads the machine GUID from the registry

      • utweb_installer.tmp (PID: 3512)
      • wmpnscfg.exe (PID: 3424)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 3424)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (65.1)
.exe | Win32 EXE PECompact compressed (generic) (24.6)
.dll | Win32 Dynamic Link Library (generic) (3.9)
.exe | Win32 Executable (generic) (2.6)
.exe | Win16/32 Executable Delphi generic (1.2)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:14 18:10:23+02:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 76288
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 1.3.0.0
ProductVersionNumber: 1.3.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName:
FileDescription: uTorrent Web®
FileVersion: 1.3
LegalCopyright: ©2022 RainBerry Inc. All Rights Reserved
OriginalFileName:
ProductName: uTorrent Web®
ProductVersion: 1.3
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
5
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start utweb_installer.exe no specs utweb_installer.tmp no specs utweb_installer.exe utweb_installer.tmp wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3156"C:\Users\admin\AppData\Local\Temp\is-J0DJ1.tmp\utweb_installer.tmp" /SL5="$60134,898126,819200,C:\Users\admin\AppData\Local\Temp\utweb_installer.exe" C:\Users\admin\AppData\Local\Temp\is-J0DJ1.tmp\utweb_installer.tmputweb_installer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-j0dj1.tmp\utweb_installer.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3424"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sspicli.dll
c:\windows\system32\ole32.dll
3448"C:\Users\admin\AppData\Local\Temp\utweb_installer.exe" C:\Users\admin\AppData\Local\Temp\utweb_installer.exeexplorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
uTorrent Web®
Exit code:
0
Version:
1.3
Modules
Images
c:\users\admin\appdata\local\temp\utweb_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3480"C:\Users\admin\AppData\Local\Temp\utweb_installer.exe" /SPAWNWND=$501F6 /NOTIFYWND=$60134 C:\Users\admin\AppData\Local\Temp\utweb_installer.exe
utweb_installer.tmp
User:
admin
Company:
Integrity Level:
HIGH
Description:
uTorrent Web®
Exit code:
0
Version:
1.3
Modules
Images
c:\users\admin\appdata\local\temp\utweb_installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3512"C:\Users\admin\AppData\Local\Temp\is-NPORB.tmp\utweb_installer.tmp" /SL5="$601EA,898126,819200,C:\Users\admin\AppData\Local\Temp\utweb_installer.exe" /SPAWNWND=$501F6 /NOTIFYWND=$60134 C:\Users\admin\AppData\Local\Temp\is-NPORB.tmp\utweb_installer.tmp
utweb_installer.exe
User:
admin
Company:
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-nporb.tmp\utweb_installer.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
Total events
3 768
Read events
3 753
Write events
12
Delete events
3

Modification events

(PID) Process:(3512) utweb_installer.tmpKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\17A\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3424) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{E6172CB6-56B3-4B6A-A90B-EF9F128742A2}\{FF97D7E0-EC6B-4A1E-88CE-B000DF3EECF2}
Operation:delete keyName:(default)
Value:
(PID) Process:(3424) wmpnscfg.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{E6172CB6-56B3-4B6A-A90B-EF9F128742A2}
Operation:delete keyName:(default)
Value:
(PID) Process:(3424) wmpnscfg.exeKey:HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{15A88E33-FC49-4644-B04F-6BBD26F4079F}
Operation:delete keyName:(default)
Value:
Executable files
3
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3512utweb_installer.tmpC:\Users\admin\AppData\Local\Temp\is-DVOR1.tmp\botva2.dllexecutable
MD5:67965A5957A61867D661F05AE1F4773E
SHA256:450B9B0BA25BF068AFBC2B23D252585A19E282939BF38326384EA9112DFD0105
3448utweb_installer.exeC:\Users\admin\AppData\Local\Temp\is-J0DJ1.tmp\utweb_installer.tmpexecutable
MD5:3009D9FDA4C359183767FDE67D4EEDF6
SHA256:E1E1F7BFF17E257CDBA7472669704841B60AF8B2D347AF36A3E7FDB8EFD4C9F9
3512utweb_installer.tmpC:\Users\admin\AppData\Local\Temp\is-DVOR1.tmp\license.rtftext
MD5:CA9C80605FF244AE36C584FFFFA09435
SHA256:81C21179CB42FA44D8B7AA07925081B899F0EF5F18AC00FFB75B303309078634
3512utweb_installer.tmpC:\Users\admin\AppData\Local\Temp\is-DVOR1.tmp\Logo.pngimage
MD5:A00CFE887E254C462AD0C6A6D3FB25B6
SHA256:BCA0271F56F7384942FF3AFFB79FA78CCDCEABF7DDA89AD3C138226DA324CDB1
3480utweb_installer.exeC:\Users\admin\AppData\Local\Temp\is-NPORB.tmp\utweb_installer.tmpexecutable
MD5:3009D9FDA4C359183767FDE67D4EEDF6
SHA256:E1E1F7BFF17E257CDBA7472669704841B60AF8B2D347AF36A3E7FDB8EFD4C9F9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
1
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1080
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
3512
utweb_installer.tmp
52.222.250.13:443
d1l01jcxbbibur.cloudfront.net
AMAZON-02
US
unknown
2588
svchost.exe
239.255.255.250:1900
whitelisted

DNS requests

Domain
IP
Reputation
d1l01jcxbbibur.cloudfront.net
  • 52.222.250.13
  • 52.222.250.187
  • 52.222.250.14
  • 52.222.250.121
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
utweb_installer.exe