| File name: | MSDisplay_MultiDev_v1.0.0.18.0.exe |
| Full analysis: | https://app.any.run/tasks/74c42427-2c6c-44c4-8d47-4c83ca8f1475 |
| Verdict: | Malicious activity |
| Analysis date: | April 24, 2024, 15:39:12 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | F505CBCAB0670A376C866DE177A5C097 |
| SHA1: | 18DED789BC554FDA5941AA2707DF9A78DE44C7C5 |
| SHA256: | 7BE04791DF7CC79FC8427098BF9E3C11206E54D2D613D470E4B4D5855451E816 |
| SSDEEP: | 49152:jNJb0uRDKiHjoapN8J827nsjoRf8HIjkpr6PbdVKeO3dFIyKc+Kq:joKDfD4827MoRf8HnUdyd+yKn |
MALICIOUS
Drops the executable file immediately after the start
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 324)
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 2492)
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 2268)
- devcon.exe (PID: 3244)
- drvinst.exe (PID: 1428)
- devcon.exe (PID: 2240)
- devcon.exe (PID: 4012)
- drvinst.exe (PID: 2096)
- drvinst.exe (PID: 1656)
- drvinst.exe (PID: 2000)
Changes the autorun value in the registry
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 2268)
Creates a writable file in the system directory
- drvinst.exe (PID: 1428)
- drvinst.exe (PID: 2000)
- drvinst.exe (PID: 2096)
- drvinst.exe (PID: 1656)
SUSPICIOUS
Reads the Windows owner or organization settings
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 2268)
Executable content was dropped or overwritten
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 2492)
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 2268)
- devcon.exe (PID: 3244)
- drvinst.exe (PID: 1428)
- devcon.exe (PID: 2240)
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 324)
- drvinst.exe (PID: 1656)
- devcon.exe (PID: 4012)
- drvinst.exe (PID: 2096)
- drvinst.exe (PID: 2000)
Process drops legitimate windows executable
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 2268)
The process drops C-runtime libraries
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 2268)
Drops a system driver (possible attempt to evade defenses)
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 2268)
- devcon.exe (PID: 3244)
- drvinst.exe (PID: 1428)
- devcon.exe (PID: 2240)
- drvinst.exe (PID: 2000)
- drvinst.exe (PID: 1656)
- devcon.exe (PID: 4012)
- drvinst.exe (PID: 2096)
Checks Windows Trust Settings
- drvinst.exe (PID: 1428)
- devcon.exe (PID: 2240)
- drvinst.exe (PID: 2000)
- drvinst.exe (PID: 1656)
- devcon.exe (PID: 4012)
- drvinst.exe (PID: 2096)
Creates files in the driver directory
- drvinst.exe (PID: 1428)
- drvinst.exe (PID: 2000)
- drvinst.exe (PID: 1656)
- drvinst.exe (PID: 2096)
Executes as Windows Service
- VSSVC.exe (PID: 3484)
Reads settings of System Certificates
- rundll32.exe (PID: 3604)
- devcon.exe (PID: 2240)
- devcon.exe (PID: 4012)
- rundll32.exe (PID: 3120)
Reads security settings of Internet Explorer
- devcon.exe (PID: 2240)
- devcon.exe (PID: 4012)
INFO
Checks supported languages
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 2032)
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 324)
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 2492)
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 2268)
- devcon.exe (PID: 3244)
- drvinst.exe (PID: 1428)
- devcon.exe (PID: 2240)
- drvinst.exe (PID: 2000)
- drvinst.exe (PID: 1656)
- devcon.exe (PID: 4012)
- drvinst.exe (PID: 2096)
Create files in a temporary directory
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 324)
- MSDisplay_MultiDev_v1.0.0.18.0.exe (PID: 2492)
- devcon.exe (PID: 3244)
- devcon.exe (PID: 2240)
- devcon.exe (PID: 4012)
Creates files in the program directory
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 2268)
Reads the computer name
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 2268)
- drvinst.exe (PID: 1428)
- devcon.exe (PID: 2240)
- drvinst.exe (PID: 2000)
- drvinst.exe (PID: 1656)
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 2032)
- devcon.exe (PID: 4012)
- drvinst.exe (PID: 2096)
- devcon.exe (PID: 3244)
Creates files or folders in the user directory
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 2268)
Reads the machine GUID from the registry
- devcon.exe (PID: 3244)
- drvinst.exe (PID: 1428)
- devcon.exe (PID: 2240)
- drvinst.exe (PID: 2000)
- drvinst.exe (PID: 1656)
- devcon.exe (PID: 4012)
- drvinst.exe (PID: 2096)
Reads the software policy settings
- drvinst.exe (PID: 1428)
- rundll32.exe (PID: 3604)
- devcon.exe (PID: 2240)
- drvinst.exe (PID: 2000)
- drvinst.exe (PID: 1656)
- devcon.exe (PID: 4012)
- rundll32.exe (PID: 3120)
- drvinst.exe (PID: 2096)
Creates a software uninstall entry
- MSDisplay_MultiDev_v1.0.0.18.0.tmp (PID: 2268)
Adds/modifies Windows certificates
- drvinst.exe (PID: 1428)
Reads security settings of Internet Explorer
- rundll32.exe (PID: 3604)
- rundll32.exe (PID: 3120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (53.5) |
|---|---|---|
| .exe | | | InstallShield setup (21) |
| .exe | | | Win32 EXE PECompact compressed (generic) (20.2) |
| .exe | | | Win32 Executable (generic) (2.1) |
| .exe | | | Win16/32 Executable Delphi generic (1) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2019:04:30 03:47:23+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 679936 |
| InitializedDataSize: | 125952 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xa6ed0 |
| OSVersion: | 6 |
| ImageVersion: | 6 |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.18 |
| ProductVersionNumber: | 1.0.0.18 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Chinese (Simplified) |
| CharacterSet: | ASCII |
| Comments: | ´Ë°²×°³ÌÐòÓÉ Inno Setup ¹¹½¨¡£ |
| CompanyName: | MS |
| FileDescription: | MS USB Display Setup |
| FileVersion: | 1.0.0.18.0 |
| LegalCopyright: | Copyright © MS 2020 |
| OriginalFileName: | |
| ProductName: | MS USB Display |
| ProductVersion: | 1.0.0.18.0 |
Total processes
55
Monitored processes
15
Malicious processes
13
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 324 | "C:\Users\admin\AppData\Local\Temp\MSDisplay_MultiDev_v1.0.0.18.0.exe" | C:\Users\admin\AppData\Local\Temp\MSDisplay_MultiDev_v1.0.0.18.0.exe | explorer.exe | ||||||||||||
User: admin Company: MS Integrity Level: MEDIUM Description: MS USB Display Setup Version: 1.0.0.18.0 Modules
| |||||||||||||||
| 1428 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{2d22362a-9f24-2705-4982-b27eb9737431}\MSUSBDisplay.inf" "0" "610771dbb" "000004B0" "WinSta0\Default" "00000550" "208" "C:\Program Files\MS USB Display\lib_usb" | C:\Windows\System32\drvinst.exe | svchost.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1656 | DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem4.inf" "displayproxykmd.inf:MNF.NTx86:Display_Inst:15.47.24.217:root\ultrasemidisplayproxy" "62141fc7f" "000004B0" "000005EC" "000005F0" | C:\Windows\System32\drvinst.exe | svchost.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2000 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{4b8f2f9f-1533-5557-b944-c118aba15565}\displayproxykmd.inf" "0" "62141fc7f" "000004B0" "WinSta0\Default" "000005B8" "208" "c:\program files\ms usb display\displayproxy" | C:\Windows\System32\drvinst.exe | svchost.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2032 | "C:\Users\admin\AppData\Local\Temp\is-KLPN4.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp" /SL5="$22016A,2556185,806912,C:\Users\admin\AppData\Local\Temp\MSDisplay_MultiDev_v1.0.0.18.0.exe" | C:\Users\admin\AppData\Local\Temp\is-KLPN4.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp | — | MSDisplay_MultiDev_v1.0.0.18.0.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Setup Version: 1.0.0.0 Modules
| |||||||||||||||
| 2096 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{2e6df3a5-934e-0ced-979b-597d26019c03}\dfmirage.inf" "0" "670102fe7" "000005E0" "WinSta0\Default" "000004B0" "208" "c:\program files\ms usb display\video_driver" | C:\Windows\System32\drvinst.exe | svchost.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2240 | "C:\Program Files\MS USB Display\tool\x86\devcon.exe" install "C:\Program Files\MS USB Display\displayproxy\DisplayProxyKmd.inf" Root\UltrasemiDisplayProxy | C:\Program Files\MS USB Display\tool\x86\devcon.exe | MSDisplay_MultiDev_v1.0.0.18.0.tmp | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Setup API Exit code: 0 Version: 10.0.10586.0 (th2_release.151029-1700) Modules
| |||||||||||||||
| 2268 | "C:\Users\admin\AppData\Local\Temp\is-ENKGD.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp" /SL5="$2E01BA,2556185,806912,C:\Users\admin\AppData\Local\Temp\MSDisplay_MultiDev_v1.0.0.18.0.exe" /SPAWNWND=$1D0176 /NOTIFYWND=$22016A | C:\Users\admin\AppData\Local\Temp\is-ENKGD.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp | MSDisplay_MultiDev_v1.0.0.18.0.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup Version: 1.0.0.0 Modules
| |||||||||||||||
| 2492 | "C:\Users\admin\AppData\Local\Temp\MSDisplay_MultiDev_v1.0.0.18.0.exe" /SPAWNWND=$1D0176 /NOTIFYWND=$22016A | C:\Users\admin\AppData\Local\Temp\MSDisplay_MultiDev_v1.0.0.18.0.exe | MSDisplay_MultiDev_v1.0.0.18.0.tmp | ||||||||||||
User: admin Company: MS Integrity Level: HIGH Description: MS USB Display Setup Version: 1.0.0.18.0 Modules
| |||||||||||||||
| 3120 | rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{2a833d29-e618-1ff4-888c-440648584c28} Global\{49e3f21e-9eb9-2b31-2b0a-8c7a87145b1f} C:\Windows\System32\DriverStore\Temp\{2f45ff27-6fb5-5c84-0506-d2530a28c31d}\dfmirage.inf C:\Windows\System32\DriverStore\Temp\{2f45ff27-6fb5-5c84-0506-d2530a28c31d}\dfmirage.cat | C:\Windows\System32\rundll32.exe | — | drvinst.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
39 930
Read events
39 448
Write events
469
Delete events
13
Modification events
| (PID) Process: | (2268) MSDisplay_MultiDev_v1.0.0.18.0.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Owner |
Value: DC08000012BE07945D96DA01 | |||
| (PID) Process: | (2268) MSDisplay_MultiDev_v1.0.0.18.0.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | SessionHash |
Value: 4CA1449519B8925CB4851FEFC4A7AB4D912CF35F41F56B462C91CFE07FECEB0A | |||
| (PID) Process: | (2268) MSDisplay_MultiDev_v1.0.0.18.0.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (2268) MSDisplay_MultiDev_v1.0.0.18.0.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFiles0000 |
Value: C:\Program Files\MS USB Display\WinUsbDisplay.exe | |||
| (PID) Process: | (2268) MSDisplay_MultiDev_v1.0.0.18.0.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFilesHash |
Value: E59D39BB274CA12043C0B69CF86EFFC30DBB09B308DB766E7E33B0E916BC54B8 | |||
| (PID) Process: | (2268) MSDisplay_MultiDev_v1.0.0.18.0.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Windows Usb Display |
Value: C:\Program Files\MS USB Display\WinUsbDisplay.exe | |||
| (PID) Process: | (2268) MSDisplay_MultiDev_v1.0.0.18.0.tmp | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\System\CurrentControlSet\SERVICES\dfmirage\DEVICE0 |
| Operation: | write | Name: | Attach.ToDesktop |
Value: 0 | |||
| (PID) Process: | (2268) MSDisplay_MultiDev_v1.0.0.18.0.tmp | Key: | HKEY_CURRENT_USER\Software\WinUsbDisplay\Server |
| Operation: | write | Name: | LogLevel |
Value: 1 | |||
| (PID) Process: | (2268) MSDisplay_MultiDev_v1.0.0.18.0.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{509DC88F-BC75-4AED-B511-9892EAD1AE48}}_is1 |
| Operation: | write | Name: | Inno Setup: Setup Version |
Value: 6.0.2 (u) | |||
| (PID) Process: | (2268) MSDisplay_MultiDev_v1.0.0.18.0.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{509DC88F-BC75-4AED-B511-9892EAD1AE48}}_is1 |
| Operation: | write | Name: | Inno Setup: App Path |
Value: C:\Program Files\MS USB Display | |||
Executable files
95
Suspicious files
51
Text files
10
Unknown types
30
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2268 | MSDisplay_MultiDev_v1.0.0.18.0.tmp | C:\Program Files\MS USB Display\WinUsbDisplay.exe | executable | |
MD5:4AAB73E5792E49227E5843C0207E7BFD | SHA256:85AF24188A2040F61F008C50620835B9DDCEA0F4C1707447EC11002D55ED134E | |||
| 2268 | MSDisplay_MultiDev_v1.0.0.18.0.tmp | C:\Program Files\MS USB Display\is-DB2UD.tmp | text | |
MD5:AB5BD4D46AA4F19ED52961F81635AD76 | SHA256:A1C6CEDAB9EC5850C98D5FED2CB0A2253FBBCCA7B8C5974F57F34FBDE4DC3C3F | |||
| 2268 | MSDisplay_MultiDev_v1.0.0.18.0.tmp | C:\Program Files\MS USB Display\libusb0.dll | executable | |
MD5:A969E398CC9319DD9BD9EEDCAE288DA7 | SHA256:3165D5E9212E9C4F009A594F67BD9E6D899B026CE1E3B0D6EBB994F423D6B1D1 | |||
| 2268 | MSDisplay_MultiDev_v1.0.0.18.0.tmp | C:\Program Files\MS USB Display\is-207VE.tmp | executable | |
MD5:4AAB73E5792E49227E5843C0207E7BFD | SHA256:85AF24188A2040F61F008C50620835B9DDCEA0F4C1707447EC11002D55ED134E | |||
| 2268 | MSDisplay_MultiDev_v1.0.0.18.0.tmp | C:\Program Files\MS USB Display\is-9P9A5.tmp | image | |
MD5:2098EF97358FBBDFAE0206BBCB4E2234 | SHA256:DE96747834EF6ED07618AA7EB89F643444F3BA01140EED263468C08A0B7BF8FE | |||
| 2268 | MSDisplay_MultiDev_v1.0.0.18.0.tmp | C:\Program Files\MS USB Display\config.ini | text | |
MD5:AB5BD4D46AA4F19ED52961F81635AD76 | SHA256:A1C6CEDAB9EC5850C98D5FED2CB0A2253FBBCCA7B8C5974F57F34FBDE4DC3C3F | |||
| 2492 | MSDisplay_MultiDev_v1.0.0.18.0.exe | C:\Users\admin\AppData\Local\Temp\is-ENKGD.tmp\MSDisplay_MultiDev_v1.0.0.18.0.tmp | executable | |
MD5:7EC9CFAB450831249D70152183B3E844 | SHA256:664938FC6169E37700C45C0242006EDE97219AA0B873CC26C8DAF19647DBAA77 | |||
| 2268 | MSDisplay_MultiDev_v1.0.0.18.0.tmp | C:\Program Files\MS USB Display\is-4I26H.tmp | executable | |
MD5:A969E398CC9319DD9BD9EEDCAE288DA7 | SHA256:3165D5E9212E9C4F009A594F67BD9E6D899B026CE1E3B0D6EBB994F423D6B1D1 | |||
| 2268 | MSDisplay_MultiDev_v1.0.0.18.0.tmp | C:\Program Files\MS USB Display\is-EHAIS.tmp | executable | |
MD5:1954CD248E65C7C5C2D3D93DD7F91604 | SHA256:761EC2283460F3E641F9C815A015698B3EB77090808768A4BF3C17439CCD0018 | |||
| 2268 | MSDisplay_MultiDev_v1.0.0.18.0.tmp | C:\Program Files\MS USB Display\libVMonitor.dll | executable | |
MD5:10BB929E9FD8B028738B46F4D3EA741E | SHA256:8817EAF691058E091E3A240547B74C3E396DAFF1312F66971274C1D30C55BDE1 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |