| Field | Value |
|---|---|
| File name: | DellCommandUpdate.zip |
| Full analysis: | https://app.any.run/tasks/adc254ee-af87-4f63-a8d8-96e9dedb588b |
| Verdict: | Malicious activity |
| Analysis date: | May 12, 2024, 21:36:01 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | 2A9BBA09D497BF83E98E8AE98F1F1ABD |
| SHA1: | A4B8995B6FF60A1C14E208F41F5C2B3DF47D7CA5 |
| SHA256: | 7C6D49ED56A4ACA8385B1C691E739BB5452EF9F4D6BF711EF45D480AFA90023D |
| SSDEEP: | 98304:d2uABBCAMmA73GbYcnwfNQBvIzPN8+Q6uOKqm+Ua999w/EPejk9eWp/kvRbldGrx:AKFbeBLOgmp0Ggpbqszq |
| Extension | File type |
|---|---|
| .zip | ZIP compressed archive (100) |

| Field | Value |
|---|---|
| ZipRequiredVersion: | 20 |
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2024:04:25 04:07:14 |
| ZipCRC: | 0x167b462d |
| ZipCompressedSize: | 14347747 |
| ZipUncompressedSize: | 18200576 |
| ZipFileName: | DellCommandUpdate.msi |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 676 | "C:\Program Files\Dell\CommandUpdate\DellCommandUpdate.exe" | C:\Program Files\Dell\CommandUpdate\DellCommandUpdate.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Description: Dell Command \| Update; Exit code: 3; Version: 5.3.0.33 |
| 692 | C:\Windows\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | — | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
| 1028 | "C:\Program Files\Dell\CommandUpdate\DellCommandUpdate.exe" | C:\Program Files\Dell\CommandUpdate\DellCommandUpdate.exe | — | explorer.exe | User: admin; Integrity Level: MEDIUM; Description: Dell Command \| Update; Exit code: 3; Version: 5.3.0.33 |
| 1772 | "C:\Windows\System32\cmd.exe" | C:\Windows\System32\cmd.exe | — | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows Command Processor; Exit code: 3221225786; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 1856 | MsiExec.exe /i DellCommandUpdate.msi /qn /norestart | C:\Windows\System32\msiexec.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
| 2060 | C:\Windows\system32\MsiExec.exe -Embedding E1C98127A0033400F14E51AADCD9D0D0 | C:\Windows\System32\msiexec.exe | — | msiexec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
| 2232 | C:\Windows\System32\certutil.exe -f -AddStore "Dell Trust" "C:\Users\admin\AppData\Local\Temp\BradburyBinarySignedCerti.cer" | C:\Windows\System32\certutil.exe | — | msiexec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: CertUtil.exe; Exit code: 0; Version: 6.1.7601.18151 (win7sp1_gdr.130512-1533) |
| 2452 | "C:\Program Files\Dell\UpdateService\ServiceShell.exe" | C:\Program Files\Dell\UpdateService\ServiceShell.exe | — | services.exe | User: SYSTEM; Integrity Level: SYSTEM; Description: ServiceShell; Version: 5.3.0.44 |
| 2528 | C:\Windows\system32\MsiExec.exe -Embedding D9B181AD8A40DC860918E9BB5632B731 E Global\MSI0000 | C:\Windows\System32\msiexec.exe | — | msiexec.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
| 3996 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\DellCommandUpdate.zip | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | User: admin; Company: Alexander Roshal; Integrity Level: MEDIUM; Description: WinRAR archiver; Exit code: 0; Version: 5.91.0 |
| PID | Process | Key | Operation | Name | Value |
|---|---|---|---|---|---|
| 3996 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtBMP | |
| 3996 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write | ShellExtIcon | |
| 3996 | WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E | write | LanguageList | en-US |
| 3996 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\phacker.zip |
| 3996 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\Win7-KB3191566-x86.zip |
| 3996 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip |
| 3996 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\DellCommandUpdate.zip |
| 3996 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | name | 120 |
| 3996 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | size | 80 |
| 3996 | WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write | type | 120 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3996 | WinRAR.exe | C:\Users\admin\Desktop\DellCommandUpdate.msi | — | — | — |
| 692 | msiexec.exe | C:\Windows\Installer\118faa.msi | — | — | — |
| 2060 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{DB95F19D-6AD5-4300-BF81-BFFA85404C88}\setup.inx | binary | 07C6DA6BB93A416A059EE0A989A03923 | 80EBDF9698D028743B8F377A498C4D1A808D5CE7CB992DEBF97B9B3873EEA178 |
| 692 | msiexec.exe | C:\Windows\Installer\MSI9401.tmp | executable | 8B6ECF21AD082CA730823B990172F166 | 681354EB18AA03AA36699CAA390D05462817B004FBEC3A82E9B3D1E7B82A2308 |
| 2060 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{DB95F19D-6AD5-4300-BF81-BFFA85404C88}\IsConfig.ini | ini | 80ADF722E5A5F0E1189B51AFEF0D88DC | A25EC95AA45063BBC03CC05A96F2704355917D7489A0CED8A448C3F26E01BC97 |
| 2060 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{25C220F2-AE86-477C-A60C-B13CC10605EF}\ISRT.dll | executable | FF43031211486580947F25F293B8125B | 423D365B5737F925019C17B478A515B488CC55EA990E6EBEB9A77CDC7E2279E0 |
| 2060 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{25C220F2-AE86-477C-A60C-B13CC10605EF}\IsConfig.ini | ini | 99F86C60C33976A1ED595A34EA570FA4 | 65E4E6EC16ACE74277E60ED3F39D4EEBF3771954646F857549C31C283D3C0077 |
| 2060 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{DB95F19D-6AD5-4300-BF81-BFFA85404C88}\_isres_0x0409.dll | executable | 8AFDAE8FE83D1A813B54E48230AED2DB | D79FC7FDC396927DAC03419EEA2F9A326C920A094074EB070ACA712CDF0629C6 |
| 2060 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{DB95F19D-6AD5-4300-BF81-BFFA85404C88}\String1033.txt | text | 6BC6CCDAB955A3FD4AEC3EDD529CB35C | 3343350BFF6134B556DEB406A4D2D21CB3EA686EDBEB947B8AE7152E4C2F78B5 |
| 2060 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\{AEE413A9-09DE-4C8C-8BAE-0C9A8C357446}\IsConfig.ini | ini | 99F86C60C33976A1ED595A34EA570FA4 | 65E4E6EC16ACE74277E60ED3F39D4EEBF3771954646F857549C31C283D3C0077 |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | unknown |
| — | — | 224.0.0.252:5355 | — | — | — | unknown |
| Process | Message |
|---|---|
| ServiceShell.exe | Dell.Asimov.ServiceShell.Program: DEBUG - ----------------------------------------------------ServiceStart---------------------------------------------------- |
| ServiceShell.exe | Dell.Asimov.ServiceShell.Program: DEBUG - Service start |
| ServiceShell.exe | Dell.Asimov.ServiceShell.Program: DEBUG - Service securing root folder |
| ServiceShell.exe | Dell.Asimov.ServiceShell.Program: DEBUG - ADMX path is not default now |
| ServiceShell.exe | Dell.Asimov.ServiceShell.Program: DEBUG - Created root directory that did not exist C:\ProgramData\Dell\UpdateService |
| ServiceShell.exe | Dell.Asimov.ServiceShell.Program: INFO - Get access rule is successful |
| ServiceShell.exe | Dell.Asimov.ServiceShell.Program: INFO - Modify Directory Security Args Root: True, TakeOwnership: True |
| ServiceShell.exe | Dell.Asimov.ServiceShell.Program: INFO - Applying ACL on C:\ProgramData\Dell\UpdateService |
| ServiceShell.exe | Dell.Asimov.ServiceShell.Program: INFO - Initialized settings |
| ServiceShell.exe | Dell.Asimov.ServiceShell.Program: INFO - Set Access rule protection is successful |