| File name: | 43.exe |
| Full analysis: | https://app.any.run/tasks/738992ef-2199-4754-8eed-14f1685c666c |
| Verdict: | Malicious activity |
| Analysis date: | December 14, 2023, 09:47:21 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 1D35A7337000EE04CEC3F481524F87A9 |
| SHA1: | C33D0D7707B3708CD0A7316B1BA18703CBDE0D1C |
| SHA256: | 80642F03171D1D2ECC8B119B0E5085C3EEFAC698B7C9181B4C15EA4AE3E92276 |
| SSDEEP: | 393216:atuhV0IWHCEKXG7jo4+yA3vDRv2QrnBdfpd/cTii5:a8hVxGZKXcobdb12QtdfncTL |
MALICIOUS
Drops the executable file immediately after the start
- 43.exe (PID: 2920)
- 43.exe (PID: 2544)
- 43.tmp (PID: 684)
SUSPICIOUS
Reads the Windows owner or organization settings
- 43.tmp (PID: 684)
Process drops legitimate windows executable
- 43.tmp (PID: 684)
The process drops C-runtime libraries
- 43.tmp (PID: 684)
INFO
Reads the computer name
- 43.tmp (PID: 1852)
- wmpnscfg.exe (PID: 600)
- 43.tmp (PID: 684)
- javaw.exe (PID: 1936)
Create files in a temporary directory
- 43.exe (PID: 2920)
- 43.exe (PID: 2544)
- 43.tmp (PID: 684)
- javaw.exe (PID: 1936)
Checks supported languages
- 43.exe (PID: 2920)
- 43.tmp (PID: 1852)
- 43.exe (PID: 2544)
- 43.tmp (PID: 684)
- wmpnscfg.exe (PID: 600)
- Space.exe (PID: 2668)
- javaw.exe (PID: 1936)
Manual execution by a user
- wmpnscfg.exe (PID: 600)
Creates files in the program directory
- 43.tmp (PID: 684)
Reads the machine GUID from the registry
- javaw.exe (PID: 1936)
Creates files or folders in the user directory
- javaw.exe (PID: 1936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable Delphi generic (45.2) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (20.9) |
| .exe | | | Win32 Executable (generic) (14.3) |
| .exe | | | Win16/32 Executable Delphi generic (6.6) |
| .exe | | | Generic Win/DOS Executable (6.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2015:07:16 15:24:20+02:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 65024 |
| InitializedDataSize: | 53248 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x113bc |
| OSVersion: | 5 |
| ImageVersion: | 6 |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | |
| FileDescription: | AV Setup Setup |
| FileVersion: | |
| LegalCopyright: | |
| ProductName: | AV Setup |
| ProductVersion: | 20.04 |
Total processes
45
Monitored processes
7
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 600 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 684 | "C:\Users\admin\AppData\Local\Temp\is-S6O2T.tmp\43.tmp" /SL5="$1901F0,51216844,119296,C:\Users\admin\AppData\Local\Temp\43.exe" /SPAWNWND=$1B0142 /NOTIFYWND=$1201B8 | C:\Users\admin\AppData\Local\Temp\is-S6O2T.tmp\43.tmp | — | 43.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 1852 | "C:\Users\admin\AppData\Local\Temp\is-GF1FM.tmp\43.tmp" /SL5="$1201B8,51216844,119296,C:\Users\admin\AppData\Local\Temp\43.exe" | C:\Users\admin\AppData\Local\Temp\is-GF1FM.tmp\43.tmp | — | 43.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 1936 | "C:\Program Files\AV Setup\jre\bin\javaw.exe" -Dfile.encoding=UTF-8 -classpath "C:\Program Files\AV Setup\Space.exe" org.develnext.jphp.ext.javafx.FXLauncher | C:\Program Files\AV Setup\jre\bin\javaw.exe | Space.exe | ||||||||||||
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.1010.13 Modules
| |||||||||||||||
| 2544 | "C:\Users\admin\AppData\Local\Temp\43.exe" /SPAWNWND=$1B0142 /NOTIFYWND=$1201B8 | C:\Users\admin\AppData\Local\Temp\43.exe | 43.tmp | ||||||||||||
User: admin Company: Integrity Level: HIGH Description: AV Setup Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 2668 | "C:\Program Files\AV Setup\Space.exe" | C:\Program Files\AV Setup\Space.exe | — | 43.tmp | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2920 | "C:\Users\admin\AppData\Local\Temp\43.exe" | C:\Users\admin\AppData\Local\Temp\43.exe | — | explorer.exe | |||||||||||
User: admin Company: Integrity Level: MEDIUM Description: AV Setup Setup Exit code: 0 Version: Modules
| |||||||||||||||
Total events
1 497
Read events
1 490
Write events
1
Delete events
6
Modification events
| (PID) Process: | (684) 43.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | RegFilesHash |
Value: 14DFC6B88826BA79140823EEFA3786B9CAA27990D2A7A85C2799CCC1578E2602 | |||
| (PID) Process: | (684) 43.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | RegFiles0000 |
Value: C:\Program Files\AV Setup\Space.exe | |||
| (PID) Process: | (684) 43.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (684) 43.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | SessionHash |
Value: A90B3302FBA622F86994DD850FF6DF5E122A93886FD21C79B0FFFEAF5B9A05E1 | |||
| (PID) Process: | (684) 43.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete value | Name: | Owner |
Value: AC020000567A8398722EDA01 | |||
| (PID) Process: | (684) 43.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (1936) javaw.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication |
| Operation: | write | Name: | Name |
Value: Explorer.EXE | |||
Executable files
227
Suspicious files
52
Text files
124
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2544 | 43.exe | C:\Users\admin\AppData\Local\Temp\is-S6O2T.tmp\43.tmp | executable | |
MD5:129B8E200A6E90E813080C9CE0474063 | SHA256:CF0018AFFDD0B7921F922F1741AD229EC52C8A7D6C2B19889A149E0CC24AA839 | |||
| 684 | 43.tmp | C:\Program Files\AV Setup\jre\is-QN7CR.tmp | text | |
MD5:A61B1E3FE507D37F0D2F3ADD5AC691E0 | SHA256:F9E84B54CF0D8CB0645E0D89BF47ED74C88AF98AC5BF9CCF3ACCB1A824F7DC3A | |||
| 684 | 43.tmp | C:\Program Files\AV Setup\unins000.exe | executable | |
MD5:041D74311D816B0E8677168C1C0BB313 | SHA256:AE9BE4DAAF29860DC251539089611333BAA6D3171F4CAEB1B75173E00839EC89 | |||
| 2920 | 43.exe | C:\Users\admin\AppData\Local\Temp\is-GF1FM.tmp\43.tmp | executable | |
MD5:129B8E200A6E90E813080C9CE0474063 | SHA256:CF0018AFFDD0B7921F922F1741AD229EC52C8A7D6C2B19889A149E0CC24AA839 | |||
| 684 | 43.tmp | C:\Program Files\AV Setup\is-D34VP.tmp | executable | |
MD5:1BF373C53DE45AED1C626510FB8C3C74 | SHA256:34A5D22F282DF6E3D88ADDA858DCDB20914EB18A94FD1F9BEF753FF7D9C90AD8 | |||
| 684 | 43.tmp | C:\Users\admin\AppData\Local\Temp\is-1QLGI.tmp\_isetup\_shfoldr.dll | executable | |
MD5:92DC6EF532FBB4A5C3201469A5B5EB63 | SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 | |||
| 684 | 43.tmp | C:\Program Files\AV Setup\is-RRLRN.tmp | executable | |
MD5:041D74311D816B0E8677168C1C0BB313 | SHA256:AE9BE4DAAF29860DC251539089611333BAA6D3171F4CAEB1B75173E00839EC89 | |||
| 684 | 43.tmp | C:\Program Files\AV Setup\Space.exe | executable | |
MD5:1BF373C53DE45AED1C626510FB8C3C74 | SHA256:34A5D22F282DF6E3D88ADDA858DCDB20914EB18A94FD1F9BEF753FF7D9C90AD8 | |||
| 684 | 43.tmp | C:\Program Files\AV Setup\jre\is-C8RH9.tmp | text | |
MD5:FC605D978E7825595D752DF2EF03F8AF | SHA256:7D697EAA9ACF50FE0B57639B3C62FF02916DA184F191944F49ECA93D0BB3374F | |||
| 684 | 43.tmp | C:\Program Files\AV Setup\jre\is-HCAR3.tmp | text | |
MD5:67CB88F6234B6A1F2320A23B197FA3F6 | SHA256:263E21F4B43C118A8B4C07F1A8ACB11CAFC232886834433E34187F5663242360 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
14
DNS requests
3
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
868 | svchost.exe | 23.35.228.137:80 | — | AKAMAI-AS | DE | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
868 | svchost.exe | 184.30.20.134:80 | armmf.adobe.com | AKAMAI-AS | DE | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1936 | javaw.exe | 15.197.130.221:443 | download7z-soft.xyz | AMAZON-02 | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
armmf.adobe.com |
| whitelisted |
download7z-soft.xyz |
| malicious |
dns.msftncsi.com |
| shared |