File name: | system_update_5.07.0137.exe |
Full analysis: | https://app.any.run/tasks/37915af0-e141-4a64-8485-348ba96cbc12 |
Verdict: | Malicious activity |
Analysis date: | October 04, 2022, 21:12:42 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 1713404B182B6D805A343E4B69F9FED6 |
SHA1: | 2E27C18A7F6F651CB592072D1E2086B598ECC238 |
SHA256: | 7E2AD5283C76B44A3569CDC19DA043F7C7B316C50DC182735395649545B4E474 |
SSDEEP: | 196608:J0L4TTmH80P95voMHMgdEfzoYuPo8ivBLdpa6cV7aoo:JByH80bldE3Wo8ivnpPco |
.exe | | | Win32 EXE PECompact compressed (generic) (79.7) |
---|---|---|
.exe | | | Win32 Executable (generic) (8.6) |
.exe | | | Win16/32 Executable Delphi generic (3.9) |
.exe | | | Generic Win/DOS Executable (3.8) |
.exe | | | DOS Executable Generic (3.8) |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2020-Jan-06 06:31:46 |
Detected languages: |
|
Comments: | This installation was built with Inno Setup. |
CompanyName: | Lenovo |
FileDescription: | Lenovo System Update Setup |
FileVersion: | 5.07.0137 |
LegalCopyright: | - |
ProductName: | Lenovo System Update |
ProductVersion: | 5.07.0137 |
e_magic: | MZ |
---|---|
e_cblp: | 80 |
e_cp: | 2 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | 15 |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | 26 |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 256 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 10 |
TimeDateStamp: | 2020-Jan-06 06:31:46 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 4096 | 146080 | 146432 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.32291 |
.itext | 151552 | 4968 | 5120 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.91348 |
.data | 159744 | 5672 | 6144 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.32921 |
.bss | 167936 | 24920 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.idata | 196608 | 1608 | 2048 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.08948 |
.didata | 200704 | 3646 | 4096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.2563 |
.edata | 204800 | 113 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.3265 |
.tls | 208896 | 20 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
.rdata | 212992 | 93 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.37999 |
.rsrc | 217088 | 244204 | 244224 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.02788 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 2.41891 | 816 | Latin 1 / Western European | English - United States | RT_ICON |
2 | 3.30618 | 304 | Latin 1 / Western European | English - United States | RT_ICON |
3 | 2.47581 | 176 | Latin 1 / Western European | English - United States | RT_ICON |
4 | 7.73695 | 4201 | Latin 1 / Western European | English - United States | RT_ICON |
5 | 2.79096 | 1640 | Latin 1 / Western European | English - United States | RT_ICON |
6 | 3.20638 | 744 | Latin 1 / Western European | English - United States | RT_ICON |
7 | 3.31916 | 488 | Latin 1 / Western European | English - United States | RT_ICON |
8 | 3.25564 | 296 | Latin 1 / Western European | English - United States | RT_ICON |
9 | 7.93819 | 11287 | Latin 1 / Western European | English - United States | RT_ICON |
10 | 4.47867 | 3752 | Latin 1 / Western European | English - United States | RT_ICON |
advapi32.dll |
comctl32.dll |
kernel32.dll |
kernel32.dll (delay-loaded) |
oleaut32.dll |
user32.dll |
Title | Ordinal | Address |
---|---|---|
dbkFCallWrapperAddr | 1 | 181644 |
__dbk_fcall_wrapper | 2 | 45716 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3188 | "C:\Users\admin\AppData\Local\Temp\system_update_5.07.0137.exe" | C:\Users\admin\AppData\Local\Temp\system_update_5.07.0137.exe | Explorer.EXE | ||||||||||||
User: admin Company: Lenovo Integrity Level: MEDIUM Description: Lenovo System Update Setup Exit code: 0 Version: 5.07.0137 Modules
| |||||||||||||||
3140 | "C:\Users\admin\AppData\Local\Temp\is-L5N39.tmp\system_update_5.07.0137.tmp" /SL5="$20138,7520034,410112,C:\Users\admin\AppData\Local\Temp\system_update_5.07.0137.exe" | C:\Users\admin\AppData\Local\Temp\is-L5N39.tmp\system_update_5.07.0137.tmp | — | system_update_5.07.0137.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
4080 | "C:\Users\admin\AppData\Local\Temp\system_update_5.07.0137.exe" /SPAWNWND=$20130 /NOTIFYWND=$20138 | C:\Users\admin\AppData\Local\Temp\system_update_5.07.0137.exe | system_update_5.07.0137.tmp | ||||||||||||
User: admin Company: Lenovo Integrity Level: HIGH Description: Lenovo System Update Setup Exit code: 0 Version: 5.07.0137 Modules
| |||||||||||||||
1984 | "C:\Windows\TempInst\is-JGILQ.tmp\system_update_5.07.0137.tmp" /SL5="$2013A,7520034,410112,C:\Users\admin\AppData\Local\Temp\system_update_5.07.0137.exe" /SPAWNWND=$20130 /NOTIFYWND=$20138 | C:\Windows\TempInst\is-JGILQ.tmp\system_update_5.07.0137.tmp | system_update_5.07.0137.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
3104 | "C:\Windows\system32\cmd.exe" /C ""C:\Windows\TempInst\is-9C0N0.tmp\upgrade.cmd"" | C:\Windows\system32\cmd.exe | — | system_update_5.07.0137.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
328 | C:\Windows\system32\cmd.exe /S /D /c" dir /a /b "C:\Program Files\Lenovo\System Update"" | C:\Windows\system32\cmd.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3452 | findstr . | C:\Windows\system32\findstr.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Find String (QGREP) Utility Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
2180 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" "C:\Program Files\Lenovo\System Update\SUService.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe | — | system_update_5.07.0137.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: .NET Framework installation utility Exit code: 0 Version: 4.0.30319.34209 built by: FX452RTMGDR Modules
| |||||||||||||||
2492 | "C:\Program Files\Lenovo\System Update\StartSuService.exe" | C:\Program Files\Lenovo\System Update\StartSuService.exe | — | system_update_5.07.0137.tmp | |||||||||||
User: admin Integrity Level: HIGH Description: StartSUService Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
2768 | "C:\Program Files\Lenovo\System Update\SUService.exe" | C:\Program Files\Lenovo\System Update\SUService.exe | — | services.exe | |||||||||||
User: SYSTEM Integrity Level: SYSTEM Description: Lenovo System Update Service Version: 5.7.0.137 Modules
|
(PID) Process: | (1984) system_update_5.07.0137.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
Operation: | write | Name: | Owner |
Value: C00700000862FA1136D8D801 | |||
(PID) Process: | (1984) system_update_5.07.0137.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
Operation: | write | Name: | SessionHash |
Value: 0B4EECA5E4D13561AAA9F84442C13B2EB1BA7518C229673852624865513E14A6 | |||
(PID) Process: | (1984) system_update_5.07.0137.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
Operation: | write | Name: | Sequence |
Value: 1 | |||
(PID) Process: | (1984) system_update_5.07.0137.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
Operation: | write | Name: | RegFilesHash |
Value: 142F7B13C22172F200E9A6ACE829974E9505578E7FB5CF1C1CE16E3DB309FC7A | |||
(PID) Process: | (1984) system_update_5.07.0137.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\tvsu.exe |
Operation: | write | Name: | (default) |
Value: C:\Program Files\Lenovo\System Update\tvsu.exe | |||
(PID) Process: | (1984) system_update_5.07.0137.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\tvsu.exe |
Operation: | write | Name: | Path |
Value: C:\Program Files\Lenovo\System Update\ | |||
(PID) Process: | (1984) system_update_5.07.0137.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\tvsu_install.exe |
Operation: | write | Name: | (default) |
Value: C:\swtools\readyapps\appinstall.exe -tvsu | |||
(PID) Process: | (1984) system_update_5.07.0137.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\tvsu_install.exe |
Operation: | write | Name: | Path |
Value: C:\swtools\readyapps\tvsu | |||
(PID) Process: | (1984) system_update_5.07.0137.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\tvsu_install.exe |
Operation: | write | Name: | Version |
Value: 5.07 | |||
(PID) Process: | (1984) system_update_5.07.0137.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\tvsu_install.exe |
Operation: | write | Name: | W7_CmdInst |
Value: setuptvsu.exe |
PID | Process | Filename | Type | |
---|---|---|---|---|
1984 | system_update_5.07.0137.tmp | C:\Program Files\Lenovo\System Update\is-Q6RRT.tmp | executable | |
MD5:D8225F31E06EEE00F7336D15A6604C03 | SHA256:5944628E8254996C2CD11514A3579A90F173CC669FCFE1DF16F25E071EE9D632 | |||
1984 | system_update_5.07.0137.tmp | C:\Program Files\Lenovo\System Update\unins000.exe | executable | |
MD5:D8225F31E06EEE00F7336D15A6604C03 | SHA256:5944628E8254996C2CD11514A3579A90F173CC669FCFE1DF16F25E071EE9D632 | |||
4080 | system_update_5.07.0137.exe | C:\Windows\TempInst\is-JGILQ.tmp\system_update_5.07.0137.tmp | executable | |
MD5:D8225F31E06EEE00F7336D15A6604C03 | SHA256:5944628E8254996C2CD11514A3579A90F173CC669FCFE1DF16F25E071EE9D632 | |||
1984 | system_update_5.07.0137.tmp | C:\Program Files\Lenovo\System Update\is-EIRIH.tmp | executable | |
MD5:4CD3D2EEAB69C76594E09DCD23530F17 | SHA256:015351A8DCDB89BD124F5357B39A0B82A432744F40290E4AAED863ABF91C53CF | |||
1984 | system_update_5.07.0137.tmp | C:\Program Files\Lenovo\System Update\is-32U39.tmp | executable | |
MD5:76E853DE0FB58C2B7E79F781A0729E46 | SHA256:897B54E377EA7B3045EB831BB337ED924DA2B124CAE2D69B320915EEA343AF96 | |||
1984 | system_update_5.07.0137.tmp | C:\Program Files\Lenovo\System Update\7za.exe | executable | |
MD5:43141E85E7C36E31B52B22AB94D5E574 | SHA256:EA308C76A2F927B160A143D94072B0DCE232E04B751F0C6432A94E05164E716D | |||
1984 | system_update_5.07.0137.tmp | C:\Program Files\Lenovo\System Update\is-QGLMP.tmp | executable | |
MD5:A716773B24D36FBDACC2FF20D8FA9310 | SHA256:CDBBC0CECB3D35864E5C593733B24C8823061D4FBB8E3D5EAF1B363E2FACFC91 | |||
3188 | system_update_5.07.0137.exe | C:\Users\admin\AppData\Local\Temp\is-L5N39.tmp\system_update_5.07.0137.tmp | executable | |
MD5:D8225F31E06EEE00F7336D15A6604C03 | SHA256:5944628E8254996C2CD11514A3579A90F173CC669FCFE1DF16F25E071EE9D632 | |||
1984 | system_update_5.07.0137.tmp | C:\Program Files\Lenovo\System Update\is-2R4N7.tmp | executable | |
MD5:8D3B523AA298960FC9CB033AE35C323F | SHA256:5E6546BB7D03BE4679EEF648DBBE64D91F1500FA0EB87D46C8523B146FF29414 | |||
1984 | system_update_5.07.0137.tmp | C:\Program Files\Lenovo\System Update\is-V0PSH.tmp | executable | |
MD5:D2B0DD26901EB61C086E432843D8D248 | SHA256:AE885A863DD8BB838AA65587C0AD604BB8F06D20A0030A029555D249DAF410D8 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1088 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 592 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1088 | opera.exe | 93.184.220.29:80 | crl3.digicert.com | EDGECAST | GB | whitelisted |
1088 | opera.exe | 185.26.182.94:443 | certs.opera.com | Opera Software AS | — | whitelisted |
Domain | IP | Reputation |
---|---|---|
certs.opera.com |
| whitelisted |
crl3.digicert.com |
| whitelisted |