MediaCreationTool1909.exe

Full analysis: https://app.any.run/tasks/6d723111-526b-44b7-b85f-bf1ecb9623b3
Verdict: Malicious activity
Analysis date: April 13, 2020, 12:41:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: D0BA2B1C91124EE4A250C6C53F545F1F
SHA1: 0352292FC21C8DD442358F2FF4FA8EDED01B7DCA
SHA256: 8237794F0FFFB298040ED59045B679579FA6E1B66703EC2BF5353E71499C663E
SSDEEP: 196608:gTBne2w95/Ry70HesbbUkMgDgT86liKXscCW3usLRFK0tGxxK9:F955lHPboLg8YlmJC2LRg0tGxx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • SetupHost.Exe (PID: 2588)
      • SetupHost.Exe (PID: 2540)
      • SetupHost.Exe (PID: 3000)
      • SetupHost.Exe (PID: 1852)
      • SetupHost.Exe (PID: 2580)
    • Loads dropped or rewritten executable

      • SetupHost.Exe (PID: 2580)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • MediaCreationTool1909.exe (PID: 2284)
      • MediaCreationTool1909.exe (PID: 2792)
      • MediaCreationTool1909.exe (PID: 1196)
      • MediaCreationTool1909.exe (PID: 1456)
      • MediaCreationTool1909.exe (PID: 2228)
    • Creates files in the Windows directory

      • MediaCreationTool1909.exe (PID: 2284)
    • Reads Environment values

      • SetupHost.Exe (PID: 2580)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • MediaCreationTool1909.exe (PID: 1456)
      • MediaCreationTool1909.exe (PID: 2284)
      • MediaCreationTool1909.exe (PID: 2792)
      • MediaCreationTool1909.exe (PID: 1196)
    • Manual execution by user

      • MediaCreationTool1909.exe (PID: 1456)
      • MediaCreationTool1909.exe (PID: 3876)
      • MediaCreationTool1909.exe (PID: 2792)
      • MediaCreationTool1909.exe (PID: 3236)
      • MediaCreationTool1909.exe (PID: 1196)
      • MediaCreationTool1909.exe (PID: 2780)
      • wermgr.exe (PID: 3448)
      • wermgr.exe (PID: 2936)
      • MediaCreationTool1909.exe (PID: 2228)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (54.3)
.exe | Win64 Executable (generic) (34.8)
.exe | Win32 Executable (generic) (5.6)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2001:10:07 17:10:20+02:00
PEType: PE32
LinkerVersion: 14.15
CodeSize: 472064
InitializedDataSize: 11051008
UninitializedDataSize: -
EntryPoint: 0x6d0d0
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 10.0.18362.418
ProductVersionNumber: 10.0.18362.418
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Arabic
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: ‎‎إعداد Windows 10
FileVersion: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
InternalName: SetupPrep.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: SetupPrep.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.18362.418

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 07-Oct-2001 15:10:20
Detected languages:
  • Arabic - Saudi Arabia
  • Bulgarian - Bulgaria
  • Chinese - PRC
  • Chinese - Taiwan
  • Croatian - Croatia
  • Czech - Czech Republic
  • Danish - Denmark
  • Dutch - Netherlands
  • English - United Kingdom
  • English - United States
  • Estonian - Estonia
  • Finnish - Finland
  • French - Canada
  • French - France
  • German - Germany
  • Greek - Greece
  • Hebrew - Israel
  • Hungarian - Hungary
  • Italian - Italy
  • Japanese - Japan
  • Korean - Korea
  • Latvian - Latvia
  • Lithuanian - Lithuania
  • Norwegian - Norway (Bokmal)
  • Polish - Poland
  • Portuguese - Brazil
  • Portuguese - Portugal
  • Romanian - Romania
  • Russian - Russia
  • Slovak - Slovakia
  • Slovenian - Slovenia
  • Spanish - Mexico
  • Spanish - Spain (International sort)
  • Swedish - Sweden
  • Thai - Thailand
  • Turkish - Turkey
  • Ukrainian - Ukraine
Debug artifacts:
  • SetupPrep.pdb
CompanyName: Microsoft Corporation
FileDescription: Instalacija izdanja Windows 10
FileVersion: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
InternalName: SetupPrep.exe
LegalCopyright: © Microsoft Corporation. Sva prava zadržana.
OriginalFilename: SetupPrep.exe
ProductName: Operativni sistem Microsoft® Windows®
ProductVersion: 10.0.18362.418

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 07-Oct-2001 15:10:20
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_NET_RUN_FROM_SWAP
  • IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x000732BC | 0x00073400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.35658
.data | 0x00075000 | 0x00002EF0 | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.4657
.idata | 0x00078000 | 0x00002930 | 0x00002A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.78345
.boxload@ | 0x0007B000 | 0x00000040 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.729781
.rsrc | 0x0007C000 | 0x00A81000 | 0x00A80800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.76339
.reloc | 0x00AFD000 | 0x00006154 | 0x00006200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.7396

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.64906 | 6193 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 2.88492 | 744 | Latin 1 / Western European | English - United States | RT_ICON
3 | 2.61243 | 488 | Latin 1 / Western European | English - United States | RT_ICON
4 | 2.60227 | 296 | Latin 1 / Western European | English - United States | RT_ICON
5 | 4.35159 | 3752 | Latin 1 / Western European | English - United States | RT_ICON
6 | 4.11143 | 2216 | Latin 1 / Western European | English - United States | RT_ICON
7 | 3.32266 | 1620 | Latin 1 / Western European | UNKNOWN | RT_STRING
8 | 3.33289 | 1372 | Latin 1 / Western European | UNKNOWN | RT_STRING
9 | 2.98488 | 16076 | Latin 1 / Western European | UNKNOWN | RT_STRING
10 | 3.23927 | 4686 | Latin 1 / Western European | UNKNOWN | RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
Cabinet.dll
GDI32.dll
KERNEL32.dll
MFC42u.dll
OLEAUT32.dll
RPCRT4.dll
SHELL32.dll
USER32.dll
No data.
All screenshots are available in the full report
Total processes: 68
Monitored processes: 16
Malicious processes: 1
Suspicious processes: 0

Behavior graph

[Graph omitted: process nodes are the mediacreationtool1909.exe, setuphost.exe and wermgr.exe instances; the mediacreationtool1909.exe instances are linked to the setuphost.exe instances by "drop and start" edges.]

Process information

PID: 1196
CMD: "C:\Users\admin\Desktop\MediaCreationTool1909.exe"
Path: C:\Users\admin\Desktop\MediaCreationTool1909.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows 10 Setup
Exit code: 2147943406
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (Images):
  • c:\users\admin\desktop\mediacreationtool1909.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 1456
CMD: "C:\Users\admin\Desktop\MediaCreationTool1909.exe"
Path: C:\Users\admin\Desktop\MediaCreationTool1909.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows 10 Setup
Exit code: 2147943406
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (Images):
  • c:\users\admin\desktop\mediacreationtool1909.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 1852
CMD: "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
Path: C:\$Windows.~WS\Sources\SetupHost.Exe
Parent process: MediaCreationTool1909.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Modern Setup Host
Exit code: 3221225758
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (Images):
  • c:\$windows.~ws\sources\setuphost.exe
  • c:\systemroot\system32\ntdll.dll

PID: 2228
CMD: "C:\Users\admin\Desktop\MediaCreationTool1909.exe"
Path: C:\Users\admin\Desktop\MediaCreationTool1909.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows 10 Setup
Exit code: 2147942593
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (Images):
  • c:\users\admin\desktop\mediacreationtool1909.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 2284
CMD: "C:\Users\admin\Desktop\MediaCreationTool1909.exe"
Path: C:\Users\admin\Desktop\MediaCreationTool1909.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows 10 Setup
Exit code: 2147942583
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (Images):
  • c:\users\admin\desktop\mediacreationtool1909.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 2540
CMD: "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
Path: C:\$Windows.~WS\Sources\SetupHost.Exe
Parent process: MediaCreationTool1909.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Modern Setup Host
Exit code: 3221225758
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (Images):
  • c:\$windows.~ws\sources\setuphost.exe
  • c:\systemroot\system32\ntdll.dll

PID: 2580
CMD: "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
Path: C:\$Windows.~WS\Sources\SetupHost.Exe
Parent process: MediaCreationTool1909.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Modern Setup Host
Exit code: 2147942593
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (Images):
  • c:\$windows.~ws\sources\setuphost.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 2588
CMD: "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
Path: C:\$Windows.~WS\Sources\SetupHost.Exe
Parent process: MediaCreationTool1909.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Modern Setup Host
Exit code: 2147942583
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (Images):
  • c:\$windows.~ws\sources\setuphost.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 2780
CMD: "C:\Users\admin\Desktop\MediaCreationTool1909.exe"
Path: C:\Users\admin\Desktop\MediaCreationTool1909.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows 10 Setup
Exit code: 3221226540
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (Images):
  • c:\users\admin\desktop\mediacreationtool1909.exe
  • c:\systemroot\system32\ntdll.dll

PID: 2792
CMD: "C:\Users\admin\Desktop\MediaCreationTool1909.exe"
Path: C:\Users\admin\Desktop\MediaCreationTool1909.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows 10 Setup
Exit code: 2147943406
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (Images):
  • c:\users\admin\desktop\mediacreationtool1909.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

Total events: 100
Read events: 82
Write events: 10
Delete events: 8

Modification events

(PID) Process: (2284) MediaCreationTool1909.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Setup Files
Operation: write
Name: SetupDirectories
Value: $Windows.~BT;$Windows.~LS;$Windows.~WS

(PID) Process: (2284) MediaCreationTool1909.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Setup Files
Operation: write
Name: SetupDirectories
Value: $Windows.~BT;$Windows.~LS;$Windows.~WS;ESD\Download

(PID) Process: (2588) SetupHost.Exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation: write
Name: SetupHostResult
Value: 2147942583

(PID) Process: (2284) MediaCreationTool1909.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation: write
Name: BoxResult
Value: 2147942583

(PID) Process: (1456) MediaCreationTool1909.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation: delete value
Name: BoxResult
Value: 2147942583

(PID) Process: (1456) MediaCreationTool1909.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation: delete key
Name: -
Value: -

(PID) Process: (1456) MediaCreationTool1909.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation: write
Name: BoxResult
Value: 2147943406

(PID) Process: (2792) MediaCreationTool1909.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation: delete value
Name: BoxResult
Value: 2147943406

(PID) Process: (2792) MediaCreationTool1909.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation: delete key
Name: -
Value: -

(PID) Process: (2792) MediaCreationTool1909.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation: write
Name: BoxResult
Value: 2147943406

Executable files: 81
Suspicious files: 2
Text files: 16
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\setupplatform.dll | executable
  MD5: 7777F3783A8A3D5597B396528912F593
  SHA256: EA4A65F82A3178EABC360A9F2D883F07712A4F4DC41F4508D95AAFF94395D1E1
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\wdstptc.dll | executable
  MD5: 5FC2749BB228F4EFDB651E5AF4879934
  SHA256: EC8B5CC05DE22BC892082E4B20F768A944F34B8ED4DCF450A3E06B137FF9C317
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\Diager.dll | executable
  MD5: 1130FD83403E285C9ED21F753AFAF27F
  SHA256: 1A09E466EF5F18CCB68E584C9B53DD239D6654C7FC11A8C7DC993265E597EF0F
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\wpx.dll | executable
  MD5: 49419D100AFF2CF1853D2F21E6BB5645
  SHA256: 49B7799F7AE13160D3055A10161AACBBB94646D0DF287D4B274A16904A6773A7
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\wdsutil.dll | executable
  MD5: 37C7684E98C130D7646A57B12661DF7E
  SHA256: CA6E40D91D0763290E2167AE9BF240E429690C14CDCC2D8EAD7AB81C4C501A63
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\wdsclientapi.dll | executable
  MD5: C9E6728E14781384B0E21EDBE87B72B9
  SHA256: 86AFC39D69C50426437E53972FA5E2CE3DC96A780AB6AADA2D93CDDD15D34D03
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\wdsimage.dll | executable
  MD5: A29267BF0E6303297FC8AA5D5B40BB91
  SHA256: E33C8FA0F9E7071AF8F84C33B305607669D69DB90B86CD7EE23581A4F506C7B0
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\SetupMgr.dll | executable
  MD5: F2ECF8F9EBC5DCC899789ADDBF46C2D8
  SHA256: FF36AE66F65D240A07B228CBBF1B15F7894FDEF7449F55A141D839D9C4E31B04
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\SetupCore.dll | executable
  MD5: 3B255263A6404C3461B29B30CFABA889
  SHA256: EBC54CB6F910522483096D9F3251A16846D0F0565C71AD3A01CCF005509CA42E
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\pidgenx.dll | executable
  MD5: E7F26261E599009EF5886FFAF85F9100
  SHA256: 1C1E1738DAAD553051DC0934CC5ED8519C30FEA4D1B028E7D246C00CEB5628C1

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected

Process | Message
MediaCreationTool1909.exe | FTH: (1196): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
MediaCreationTool1909.exe | FTH: (2228): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***