| File name: | SaraSetup.exe |
| Full analysis: | https://app.any.run/tasks/c9fba369-f78a-45e2-ba83-2e109346367b |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | November 26, 2024, 09:55:06 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
| MD5: | 3BC8A17204A5B544D558C204FDA69D4B |
| SHA1: | 383180E88CC9DBF429780C08286C8762029BF4D9 |
| SHA256: | 7DD1D3A395222E642862A7AA9B60C82CECAA26F5E3B4F5477221C52997DB55F4 |
| SSDEEP: | 3072:peLdMtx3Zy7vWVXbBtE8gTL6tJZUw9u1W+psdUcFi8rm:peek8a |
MALICIOUS
No malicious indicators.SUSPICIOUS
Reads security settings of Internet Explorer
- SaraSetup.exe (PID: 5400)
Executable content was dropped or overwritten
- SaraSetup.exe (PID: 5400)
The process drops C-runtime libraries
- SaraSetup.exe (PID: 5400)
Process drops legitimate windows executable
- SaraSetup.exe (PID: 5400)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 5684)
- cmd.exe (PID: 648)
The process creates files with name similar to system file names
- SaraSetup.exe (PID: 5400)
Application launched itself
- cmd.exe (PID: 5684)
- cmd.exe (PID: 648)
INFO
Reads the computer name
- SaraSetup.exe (PID: 5400)
Checks supported languages
- SaraSetup.exe (PID: 5400)
Reads the machine GUID from the registry
- SaraSetup.exe (PID: 5400)
Creates files or folders in the user directory
- SaraSetup.exe (PID: 5400)
The process uses the downloaded file
- SaraSetup.exe (PID: 5400)
Manual execution by a user
- cmd.exe (PID: 5684)
- CleanupWPJ_AMD64.exe (PID: 3628)
- CleanupWPJ_AMD64.exe (PID: 3524)
- CleanupWPJ_X86.exe (PID: 4516)
- CleanupWPJ_X86.exe (PID: 2776)
- cmd.exe (PID: 648)
- CleanupWPJ_AMD64.exe (PID: 3260)
- CleanupWPJ_X86.exe (PID: 1612)
Sends debugging messages
- SaraSetup.exe (PID: 5400)
Create files in a temporary directory
- SaraSetup.exe (PID: 5400)
Checks operating system version
- cmd.exe (PID: 5684)
- cmd.exe (PID: 648)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (64.6) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (15.4) |
| .exe | | | Win32 Executable (generic) (10.5) |
| .exe | | | Generic Win/DOS Executable (4.6) |
| .exe | | | DOS Executable Generic (4.6) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2020:07:02 01:45:17+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32 |
| LinkerVersion: | 48 |
| CodeSize: | 166400 |
| InitializedDataSize: | 72704 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2a8b2 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 17.0.4949.9 |
| ProductVersionNumber: | 17.0.4949.9 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| CompanyName: | Microsoft Corporation. |
| FileDescription: | Microsoft Support and Recovery Assistant Setup |
| InternalName: | SaraSetup.exe |
| LegalCopyright: | Copyright © 1995-2015 Microsoft Corporation. |
| LegalTrademarks: | Microsoft® is a registered trademark of Microsoft Corporation. |
| OriginalFileName: | SaraSetup.exe |
| ProductName: | Microsoft® Exchange |
| FileVersion: | 17.00.4949.009 |
| ProductVersion: | 17.00.4949.009 |
Total processes
134
Monitored processes
19
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 648 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\WPJCleanUp.cmd" " | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1200 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | CleanupWPJ_X86.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1356 | C:\WINDOWS\system32\cmd.exe /c ver | C:\Windows\System32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1472 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | CleanupWPJ_AMD64.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1612 | "C:\Users\admin\Desktop\CleanupWPJ_X86.exe" | C:\Users\admin\Desktop\CleanupWPJ_X86.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2776 | "C:\Users\admin\Desktop\CleanupWPJ_X86.exe" | C:\Users\admin\Desktop\CleanupWPJ_X86.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2828 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | CleanupWPJ_X86.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3260 | "C:\Users\admin\Desktop\CleanupWPJ_AMD64.exe" | C:\Users\admin\Desktop\CleanupWPJ_AMD64.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3524 | "C:\Users\admin\Desktop\CleanupWPJ_AMD64.exe" | C:\Users\admin\Desktop\CleanupWPJ_AMD64.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 3628 | "C:\Users\admin\Desktop\CleanupWPJ_AMD64.exe" | C:\Users\admin\Desktop\CleanupWPJ_AMD64.exe | — | explorer.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
Total events
5 603
Read events
5 578
Write events
23
Delete events
2
Modification events
| (PID) Process: | (5400) SaraSetup.exe | Key: | HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0 |
| Operation: | write | Name: | ComponentStore_RandomString |
Value: NX2ACLJBTALJ2O60K1RGJ8R4 | |||
| (PID) Process: | (5400) SaraSetup.exe | Key: | HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0 |
| Operation: | delete value | Name: | ComponentStore_RandomString |
Value: NX2ACLJBTALJ2O60K1RGJ8R4 | |||
| (PID) Process: | (5400) SaraSetup.exe | Key: | HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (5400) SaraSetup.exe | Key: | HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0 |
| Operation: | write | Name: | ComponentStore_RandomString |
Value: R2NDB2DN0E2Q9OPQQAM6QAWE | |||
| (PID) Process: | (5400) SaraSetup.exe | Key: | HKEY_CLASSES_ROOT\Software\Microsoft\Windows\CurrentVersion\Deployment\SideBySide\2.0\StateManager |
| Operation: | write | Name: | StateStore_RandomString |
Value: 5AT7WEGVO05XHRVV4VERH02D | |||
| (PID) Process: | (5400) SaraSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SaraSetup_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (5400) SaraSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SaraSetup_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (5400) SaraSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SaraSetup_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (5400) SaraSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SaraSetup_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (5400) SaraSetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\SaraSetup_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
Executable files
70
Suspicious files
1
Text files
46
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5400 | SaraSetup.exe | C:\Users\admin\AppData\Local\Temp\Deployment\PQB9JQ3A.BN1\2X5VDYAB.3QZ\en\access.config.xml | xml | |
MD5:39E98A49311231F92ADF4FAF229B8E0B | SHA256:BF42C275185C0F4C15705F30A2429461EEC6B0005688C5D33C44DF4FAA628443 | |||
| 5400 | SaraSetup.exe | C:\Users\admin\AppData\Local\Temp\Deployment\PQB9JQ3A.BN1\2X5VDYAB.3QZ\tools\x64\mrmapi.exe | executable | |
MD5:2B09ABEFDC84D46D10C2A83B0870F3D4 | SHA256:973DEE4EE73FDF7BC5815D7EDF3DDEE8E0C40B259BC1DCDE603B0BB3AE732CAA | |||
| 5400 | SaraSetup.exe | C:\Users\admin\AppData\Local\Temp\Deployment\PQB9JQ3A.BN1\2X5VDYAB.3QZ\en\lync.config.xml | xml | |
MD5:C9AED8918515A0B7D64080E75E55705D | SHA256:2CA2FD970AABE2682C3D851C41F0A4058246BC39CCAA98BA6B6136CB9979D072 | |||
| 5400 | SaraSetup.exe | C:\Users\admin\AppData\Local\Temp\Deployment\PQB9JQ3A.BN1\2X5VDYAB.3QZ\en\offcat.config.xml | xml | |
MD5:146D0C42C4F6111DC20CCE076B7F5DB4 | SHA256:FD3D83ABB166819AD9EA49350456BC39A191F7C58F4B97C94B309DD2C71D2587 | |||
| 5400 | SaraSetup.exe | C:\Users\admin\AppData\Local\Temp\Deployment\PQB9JQ3A.BN1\2X5VDYAB.3QZ\en\powerpoint.config.xml | xml | |
MD5:D8655AC2DCBE83DF755C8AE7A5938390 | SHA256:FD5FB3D1BB2248841D4A76E9F6F022D37F7B4DD207B715658E17BE9A8034F262 | |||
| 5400 | SaraSetup.exe | C:\Users\admin\AppData\Local\Temp\Deployment\PQB9JQ3A.BN1\2X5VDYAB.3QZ\en\lync.crashes.config.xml | xml | |
MD5:31F51B3B4A5B4E0BE1C72260FC9FC7F3 | SHA256:DB93480626C8450D7897AA31243617E59ECF04FA52C8584C475342D28E9AF8FB | |||
| 5400 | SaraSetup.exe | C:\Users\admin\AppData\Local\Temp\Deployment\PQB9JQ3A.BN1\2X5VDYAB.3QZ\en\common.config.xml | xml | |
MD5:2DA8B630E48D578B6EF0063BDBC97FA4 | SHA256:28933760F88EA447E21BB0B7C572FBAAA715B714D34A33E77138B6CE5C32D946 | |||
| 5400 | SaraSetup.exe | C:\Users\admin\AppData\Local\Temp\Deployment\PQB9JQ3A.BN1\2X5VDYAB.3QZ\Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll | executable | |
MD5:DAD75B06FCDBA45BC622BAF0582E806A | SHA256:C24A11C0E4AE4BD202DBC2002CBA4E29B18A5008063DCE2ABC922B7078E7519B | |||
| 5400 | SaraSetup.exe | C:\Users\admin\AppData\Local\Temp\Deployment\PQB9JQ3A.BN1\2X5VDYAB.3QZ\en\word.crashes.config.xml | xml | |
MD5:0E0B4AD7DA7EABB31E7F4C2820D74AFE | SHA256:F7FD0E19100512CEFAA8338FD9ABD94524E19B8459A52478A830B905EBBF326F | |||
| 5400 | SaraSetup.exe | C:\Users\admin\AppData\Local\Temp\Deployment\K5N72J7G.9NN\ZB0HZMRY.VZP.application | xml | |
MD5:501071CAC6A0DCF99CB0D16AD48C4B3F | SHA256:4931699AEC7FEB91825E9585C07531E5FEC8B9DC66D3283A23127233FFDBFB58 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
121
TCP/UDP connections
19
DNS requests
6
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4536 | svchost.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 152.199.19.160:443 | https://outlookdiagnostics.azureedge.net/sarafiles/Application%20Files/Microsoft.Sara_17_1_2465_0/Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll.deploy | unknown | — | — | — |
4712 | MoUsoCoreWorker.exe | GET | 200 | 88.221.125.143:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 152.199.19.160:443 | https://outlookdiagnostics.azureedge.net/sarafiles/Application%20Files/Microsoft.Sara_17_1_2465_0/sara2.ico.deploy | unknown | image | 66.0 Kb | whitelisted |
4536 | svchost.exe | GET | 200 | 23.48.23.143:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 152.199.19.160:443 | https://outlookdiagnostics.azureedge.net/sarafiles/Application%20Files/Microsoft.Sara_17_1_2465_0/en/excel.crashes.config.xml.deploy | unknown | xml | 163 Kb | whitelisted |
— | — | GET | 200 | 152.199.19.160:443 | https://outlookdiagnostics.azureedge.net/sarafiles/Application%20Files/Microsoft.Sara_17_1_2465_0/en/access.config.xml.deploy | unknown | xml | 54.6 Kb | whitelisted |
— | — | GET | 200 | 152.199.19.160:443 | https://outlookdiagnostics.azureedge.net/sarafiles/Application%20Files/Microsoft.Sara_17_1_2465_0/Microsoft.Sara.exe.manifest | unknown | xml | 2.39 Mb | whitelisted |
— | — | GET | 200 | 152.199.19.160:443 | https://outlookdiagnostics.azureedge.net/sarafiles/Application%20Files/Microsoft.Sara_17_1_2465_0/en/infopath.crashes.config.xml.deploy | unknown | xml | 11.5 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4712 | MoUsoCoreWorker.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4536 | svchost.exe | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5400 | SaraSetup.exe | 152.199.19.160:443 | outlookdiagnostics.azureedge.net | EDGECAST | US | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4536 | svchost.exe | 23.48.23.143:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4536 | svchost.exe | 88.221.125.143:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
outlookdiagnostics.azureedge.net |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
Process | Message |
|---|---|
SaraSetup.exe |
*** Status originated: -1073741811
*** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
|
SaraSetup.exe |
*** Status originated: -1073741811
*** Source File: onecore\com\netfx\windowsbuilt\iso_legacy\base\isolation\hier_hierarchy.cpp, line 230
|