| File name: | TB_Free_Installer_20240309.8756.exe |
| Full analysis: | https://app.any.run/tasks/9c6f91c0-0cca-436f-abd9-90610fea45a1 |
| Verdict: | Malicious activity |
| Analysis date: | March 09, 2024, 19:13:20 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive |
| MD5: | B9A625522B3DBDE8B3DAF4CDA02AA696 |
| SHA1: | A9D8CF95D8BB989FFAE0F9B07FEA292CA16D7A93 |
| SHA256: | 7898ACFCC553E78206FA6EF705BF1F1EABE04F3A37F774B03EA57D11163D669E |
| SSDEEP: | 98304:OKEaB1r/sNZEbLyUdNqR5+8cPeEqO0qAVLgctuCuswgGe25sTwaT0o+ssv6OqIPl:T |
MALICIOUS
Drops the executable file immediately after the start
- TB_Free_Installer_20240309.8756.exe (PID: 2036)
- TB_free_easeus.exe (PID: 2240)
- TB_free_easeus.tmp (PID: 3540)
Actions looks like stealing of personal data
- TB_free_easeus.tmp (PID: 3540)
Creates a writable file in the system directory
- TB_free_easeus.tmp (PID: 3540)
SUSPICIOUS
Executable content was dropped or overwritten
- TB_Free_Installer_20240309.8756.exe (PID: 2036)
- TB_free_easeus.tmp (PID: 3540)
- TB_free_easeus.exe (PID: 2240)
Reads the Internet Settings
- AliyunWrapExe.Exe (PID: 2624)
- EDownloader.exe (PID: 2964)
Reads security settings of Internet Explorer
- AliyunWrapExe.Exe (PID: 2624)
- EDownloader.exe (PID: 2964)
Reads Internet Explorer settings
- EDownloader.exe (PID: 2964)
Reads Microsoft Outlook installation path
- EDownloader.exe (PID: 2964)
Reads the Windows owner or organization settings
- TB_free_easeus.tmp (PID: 3540)
Process drops legitimate windows executable
- TB_free_easeus.tmp (PID: 3540)
Drops 7-zip archiver for unpacking
- TB_free_easeus.tmp (PID: 3540)
Process checks presence of unattended files
- TB_free_easeus.tmp (PID: 3540)
Drops a system driver (possible attempt to evade defenses)
- TB_free_easeus.tmp (PID: 3540)
Creates files in the driver directory
- TB_free_easeus.tmp (PID: 3540)
The process drops C-runtime libraries
- TB_free_easeus.tmp (PID: 3540)
INFO
Checks supported languages
- TB_Free_Installer_20240309.8756.exe (PID: 2036)
- InfoForSetup.exe (PID: 3848)
- InfoForSetup.exe (PID: 2328)
- EDownloader.exe (PID: 2964)
- InfoForSetup.exe (PID: 3488)
- AliyunWrapExe.Exe (PID: 2624)
- InfoForSetup.exe (PID: 116)
- InfoForSetup.exe (PID: 2592)
- TB_free_easeus.exe (PID: 2240)
- InfoForSetup.exe (PID: 3180)
- InfoForSetup.exe (PID: 1340)
- TB_free_easeus.tmp (PID: 3540)
Create files in a temporary directory
- TB_Free_Installer_20240309.8756.exe (PID: 2036)
- EDownloader.exe (PID: 2964)
- InfoForSetup.exe (PID: 2328)
- AliyunWrapExe.Exe (PID: 2624)
- TB_free_easeus.exe (PID: 2240)
- TB_free_easeus.tmp (PID: 3540)
Reads the computer name
- TB_Free_Installer_20240309.8756.exe (PID: 2036)
- EDownloader.exe (PID: 2964)
- AliyunWrapExe.Exe (PID: 2624)
- TB_free_easeus.tmp (PID: 3540)
Dropped object may contain TOR URL's
- TB_Free_Installer_20240309.8756.exe (PID: 2036)
- TB_free_easeus.tmp (PID: 3540)
Checks proxy server information
- AliyunWrapExe.Exe (PID: 2624)
- EDownloader.exe (PID: 2964)
Reads the machine GUID from the registry
- EDownloader.exe (PID: 2964)
- AliyunWrapExe.Exe (PID: 2624)
Creates files or folders in the user directory
- AliyunWrapExe.Exe (PID: 2624)
Creates files in the program directory
- TB_free_easeus.tmp (PID: 3540)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2018:01:30 03:57:48+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 26624 |
| InitializedDataSize: | 186368 |
| UninitializedDataSize: | 2048 |
| EntryPoint: | 0x338f |
| OSVersion: | 4 |
| ImageVersion: | 6 |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Total processes
55
Monitored processes
13
Malicious processes
4
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 116 | /SendInfo Window "Home_Installer" Activity "Result_Download_Configurefile" Attribute "{\"CDN\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/\",\"Elapsed\":\"3\",\"Errorinfo\":\"0\",\"PostURL\":\"http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/?exeNumber=8756&lang=English&pcVersion=home&pid=3&tid=1&version=free\",\"ResponseJson\":\"{\\"check\\":1,\\"msg\\":\\"\\u6210\\u529f\\",\\"data\\":{\\"pid\\":\\"3\\",\\"version\\":\\"free\\",\\"tj_download\\":\\"test\\",\\"referNumber\\":\\"1000000\\",\\"killSwitch\\":\\"true\\",\\"WriteLogSwitch\\":\\"false\\",\\"curNum\\":\\"2024\\",\\"testid\\":\\"123\\",\\"configid\\":\\"\\",\\"md5\\":\\"A78798643AC0FFE5765110D598F79549\\",\\"download\\":\\"https:\\/\\/d1.easeus.com\\/tb\\/free\\/TodoBackup16.1.1_free.exe\\",\\"download2\\":\\"https:\\/\\/d2.easeus.com\\/tb\\/free\\/TodoBackup16.1.1_free.exe\\",\\"download3\\":\\"https:\\/\\/d3.easeus.com\\/tb\\/free\\/TodoBackup16.1.1_free.exe\\",\\"url\\":[]},\\"time\\":1710011613}\",\"Result\":\"Success\"}" | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\aliyun\InfoForSetup.exe | — | EDownloader.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1340 | /SendInfo Window "Downloading" Activity "Result_Download_Program" Attribute "{\"Average_Networkspeed\":\"1.72MB\",\"Cdn\":\"https://d1.easeus.com/tb/free/TodoBackup16.1.1_free.exe\",\"Elapsedtime\":\"86\",\"Errorinfo\":\"0\",\"Result\":\"Success\"}" | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\aliyun\InfoForSetup.exe | — | EDownloader.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2036 | "C:\Users\admin\Desktop\TB_Free_Installer_20240309.8756.exe" | C:\Users\admin\Desktop\TB_Free_Installer_20240309.8756.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2240 | /verysilent /DIR="C:\Program Files\EaseUS\Todo Backup" /IMAGEPATH="C:\My Backups" /LANG=English agreeImprove=true GUID=S-1-5-21-1302019708-1500728564-335382590-1000 xurlID=8756 | C:\Users\admin\Desktop\TB_free_easeus.exe | EDownloader.exe | ||||||||||||
User: admin Company: EaseUS Integrity Level: HIGH Description: EaseUS Todo Backup Free Setup Exit code: 0 Version: 16.1 Modules
| |||||||||||||||
| 2328 | /SendInfo Window "Web_Installer" Activity "Result_Run_Installer" Attribute "{\"Country\":\"United States\",\"Timezone\":\"GMT-00:00\"}" | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\aliyun\InfoForSetup.exe | — | EDownloader.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2472 | "C:\Users\admin\Desktop\TB_Free_Installer_20240309.8756.exe" | C:\Users\admin\Desktop\TB_Free_Installer_20240309.8756.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 3221226540 Modules
| |||||||||||||||
| 2592 | /SendInfo Window "Installing" Activity "Info_Start_Install_Program" | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\aliyun\InfoForSetup.exe | — | EDownloader.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2624 | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\aliyun\AliyunWrapExe.Exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\aliyun\AliyunWrapExe.Exe | InfoForSetup.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2964 | "C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\EDownloader.exe" EXEDIR=C:\Users\admin\Desktop ||| EXENAME=TB_Free_Installer_20240309.8756.exe ||| DOWNLOAD_VERSION=free ||| PRODUCT_VERSION=1.0.0 ||| INSTALL_TYPE=0 | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\EDownloader.exe | TB_Free_Installer_20240309.8756.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 3180 | /SendInfo Window "Downloading" Activity "Info_Start_Download_Program" Attribute "{\"Pageid\":\"8756\",\"Version\":\"free\"}" | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\aliyun\InfoForSetup.exe | — | EDownloader.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
Total events
4 302
Read events
4 243
Write events
48
Delete events
11
Modification events
| (PID) Process: | (2624) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2624) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2624) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2624) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (2624) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (2624) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | ProxyServer |
Value: | |||
| (PID) Process: | (2624) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | ProxyOverride |
Value: | |||
| (PID) Process: | (2624) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | AutoConfigURL |
Value: | |||
| (PID) Process: | (2624) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | delete value | Name: | AutoDetect |
Value: | |||
| (PID) Process: | (2624) AliyunWrapExe.Exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 460000005C010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
Executable files
1 180
Suspicious files
203
Text files
549
Unknown types
90
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2036 | TB_Free_Installer_20240309.8756.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\aliyun\AliyunConfig_tmp.ini | text | |
MD5:A8D163D9B41A27BEC4AF06CE151D7B65 | SHA256:F6C91DF5C03EDED837330E0CB2FFD170FE9003A726065190E56E922FA3824DC2 | |||
| 2036 | TB_Free_Installer_20240309.8756.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\downloader.ico | image | |
MD5:894BA3DDE651D465DBA83D1D1EA8C47F | SHA256:7C027C7444F9C584F9A382B3B20D1357E4B91B4018D9C723E6CF170B35CA08BB | |||
| 2036 | TB_Free_Installer_20240309.8756.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\Polish.ini | text | |
MD5:5D5B14CC7EA1C86EA483560EDECCA6E8 | SHA256:65FE4FBB2D3EB41F629017E7CF55BA236E527E2A1DE37633B566AFF4B0D31B21 | |||
| 2036 | TB_Free_Installer_20240309.8756.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\aliyun\AliyunConfig.ini | text | |
MD5:926917A04174D16BFC52C679B93C30DE | SHA256:6227467C437F6DB349DE49ABFD16C547C94B277F6B75F598D84FEC5F7F7AB083 | |||
| 2036 | TB_Free_Installer_20240309.8756.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\Thai.ini | text | |
MD5:BCC36966A90CAE79F672FBEE5837B7C6 | SHA256:1CED29046919352C215B50096D00FCB1D899072C309B7AFB807F3696E9459871 | |||
| 2036 | TB_Free_Installer_20240309.8756.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\Portuguese.ini | text | |
MD5:533CD0B13D84F650315CA141D2F12891 | SHA256:0713AD4E63CE692EF53417A91D394341C455F14EC63ED8C49A480384C0FF6A4D | |||
| 2036 | TB_Free_Installer_20240309.8756.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\skin.zip | compressed | |
MD5:6128C00BD164D955181B086094E5FC71 | SHA256:93F8192AF82712DF7EEEADBBC8DDCBDD4F8338AF96015E4ED11EF7FC9AB09696 | |||
| 2036 | TB_Free_Installer_20240309.8756.exe | C:\Users\admin\AppData\Local\Temp\downloader_easeus\1.0.0\3free\Spanish.ini | text | |
MD5:F3609C1B604EE95CF918427A94B66AF1 | SHA256:86548D1E1C9DF927C4DB063F34D128BD67156E545B627FA8F2DEE232C5D1BD33 | |||
| 2964 | EDownloader.exe | C:\Users\admin\Desktop\TB_free_easeus.exe.temp | — | |
MD5:— | SHA256:— | |||
| 2964 | EDownloader.exe | C:\Users\admin\Desktop\TB_free_easeus.exe | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
28
DNS requests
8
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2964 | EDownloader.exe | POST | 200 | 18.172.112.107:80 | http://download.easeus.com/api2/index.php/Apicp/Drwdl202004/index/ | unknown | binary | 495 b | unknown |
2624 | AliyunWrapExe.Exe | POST | 200 | 47.252.97.15:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_tbp_downloader/shards/lb | unknown | — | — | unknown |
2624 | AliyunWrapExe.Exe | POST | 200 | 47.252.97.15:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_tbp_downloader/shards/lb | unknown | — | — | unknown |
— | — | POST | 200 | 47.252.97.15:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_tbp_downloader/shards/lb | unknown | — | — | unknown |
2624 | AliyunWrapExe.Exe | GET | 200 | 163.171.156.15:80 | http://track.easeus.com/product/index.php?c=main&a=getstatus&pid=0 | unknown | binary | 21 b | unknown |
2624 | AliyunWrapExe.Exe | POST | 200 | 47.252.97.15:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_tbp_downloader/shards/lb | unknown | — | — | unknown |
— | — | POST | 200 | 47.252.97.15:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_tbp_downloader/shards/lb | unknown | — | — | unknown |
2624 | AliyunWrapExe.Exe | POST | 200 | 47.252.97.15:80 | http://easeusinfo.us-east-1.log.aliyuncs.com/logstores/logstore_tbp_downloader/shards/lb | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2964 | EDownloader.exe | 18.172.112.107:80 | download.easeus.com | — | US | unknown |
2624 | AliyunWrapExe.Exe | 163.171.156.15:80 | track.easeus.com | QUANTILNETWORKS | DE | unknown |
2624 | AliyunWrapExe.Exe | 47.252.97.15:80 | easeusinfo.us-east-1.log.aliyuncs.com | Alibaba US Technology Co., Ltd. | US | unknown |
2964 | EDownloader.exe | 108.156.60.68:443 | d1.easeus.com | AMAZON-02 | US | unknown |
2964 | EDownloader.exe | 18.164.52.41:443 | d1.easeus.com | — | US | unknown |
2964 | EDownloader.exe | 18.164.52.75:443 | d1.easeus.com | — | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
download.easeus.com |
| unknown |
track.easeus.com |
| unknown |
easeusinfo.us-east-1.log.aliyuncs.com |
| unknown |
d1.easeus.com |
| unknown |