download:

MediaCreationTool1909.exe

Full analysis: https://app.any.run/tasks/6d723111-526b-44b7-b85f-bf1ecb9623b3
Verdict: Malicious activity
Analysis date: April 13, 2020, 12:41:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: D0BA2B1C91124EE4A250C6C53F545F1F
SHA1: 0352292FC21C8DD442358F2FF4FA8EDED01B7DCA
SHA256: 8237794F0FFFB298040ED59045B679579FA6E1B66703EC2BF5353E71499C663E
SSDEEP: 196608:gTBne2w95/Ry70HesbbUkMgDgT86liKXscCW3usLRFK0tGxxK9:F955lHPboLg8YlmJC2LRg0tGxx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • SetupHost.Exe (PID: 3000)
      • SetupHost.Exe (PID: 2588)
      • SetupHost.Exe (PID: 2540)
      • SetupHost.Exe (PID: 1852)
      • SetupHost.Exe (PID: 2580)
    • Loads dropped or rewritten executable

      • SetupHost.Exe (PID: 2580)
  • SUSPICIOUS

    • Creates files in the Windows directory

      • MediaCreationTool1909.exe (PID: 2284)
    • Executable content was dropped or overwritten

      • MediaCreationTool1909.exe (PID: 2284)
      • MediaCreationTool1909.exe (PID: 1196)
      • MediaCreationTool1909.exe (PID: 2792)
      • MediaCreationTool1909.exe (PID: 1456)
      • MediaCreationTool1909.exe (PID: 2228)
    • Reads Environment values

      • SetupHost.Exe (PID: 2580)
  • INFO

    • Manual execution by user

      • MediaCreationTool1909.exe (PID: 3876)
      • MediaCreationTool1909.exe (PID: 2780)
      • MediaCreationTool1909.exe (PID: 1456)
      • wermgr.exe (PID: 3448)
      • MediaCreationTool1909.exe (PID: 1196)
      • MediaCreationTool1909.exe (PID: 2792)
      • wermgr.exe (PID: 2936)
      • MediaCreationTool1909.exe (PID: 3236)
      • MediaCreationTool1909.exe (PID: 2228)
    • Dropped object may contain Bitcoin addresses

      • MediaCreationTool1909.exe (PID: 2284)
      • MediaCreationTool1909.exe (PID: 1196)
      • MediaCreationTool1909.exe (PID: 1456)
      • MediaCreationTool1909.exe (PID: 2792)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (54.3)
.exe | Win64 Executable (generic) (34.8)
.exe | Win32 Executable (generic) (5.6)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2001:10:07 17:10:20+02:00
PEType: PE32
LinkerVersion: 14.15
CodeSize: 472064
InitializedDataSize: 11051008
UninitializedDataSize: -
EntryPoint: 0x6d0d0
OSVersion: 10
ImageVersion: 10
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 10.0.18362.418
ProductVersionNumber: 10.0.18362.418
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Arabic
CharacterSet: Unicode
CompanyName: Microsoft Corporation
FileDescription: إعداد Windows 10
FileVersion: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
InternalName: SetupPrep.exe
LegalCopyright: © Microsoft Corporation. All rights reserved.
OriginalFileName: SetupPrep.exe
ProductName: Microsoft® Windows® Operating System
ProductVersion: 10.0.18362.418

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 07-Oct-2001 15:10:20
Detected languages:
  • Arabic - Saudi Arabia
  • Bulgarian - Bulgaria
  • Chinese - PRC
  • Chinese - Taiwan
  • Croatian - Croatia
  • Czech - Czech Republic
  • Danish - Denmark
  • Dutch - Netherlands
  • English - United Kingdom
  • English - United States
  • Estonian - Estonia
  • Finnish - Finland
  • French - Canada
  • French - France
  • German - Germany
  • Greek - Greece
  • Hebrew - Israel
  • Hungarian - Hungary
  • Italian - Italy
  • Japanese - Japan
  • Korean - Korea
  • Latvian - Latvia
  • Lithuanian - Lithuania
  • Norwegian - Norway (Bokmal)
  • Polish - Poland
  • Portuguese - Brazil
  • Portuguese - Portugal
  • Romanian - Romania
  • Russian - Russia
  • Slovak - Slovakia
  • Slovenian - Slovenia
  • Spanish - Mexico
  • Spanish - Spain (International sort)
  • Swedish - Sweden
  • Thai - Thailand
  • Turkish - Turkey
  • Ukrainian - Ukraine
Debug artifacts:
  • SetupPrep.pdb
CompanyName: Microsoft Corporation
FileDescription: Instalacija izdanja Windows 10
FileVersion: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
InternalName: SetupPrep.exe
LegalCopyright: © Microsoft Corporation. Sva prava zadržana.
OriginalFilename: SetupPrep.exe
ProductName: Operativni sistem Microsoft® Windows®
ProductVersion: 10.0.18362.418

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000F8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 07-Oct-2001 15:10:20
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_NET_RUN_FROM_SWAP
  • IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x000732BC | 0x00073400 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.35658
.data | 0x00075000 | 0x00002EF0 | 0x00000A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.4657
.idata | 0x00078000 | 0x00002930 | 0x00002A00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.78345
.boxload@ | 0x0007B000 | 0x00000040 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.729781
.rsrc | 0x0007C000 | 0x00A81000 | 0x00A80800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.76339
.reloc | 0x00AFD000 | 0x00006154 | 0x00006200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ | 6.7396

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 4.64906 | 6193 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 2.88492 | 744 | Latin 1 / Western European | English - United States | RT_ICON
3 | 2.61243 | 488 | Latin 1 / Western European | English - United States | RT_ICON
4 | 2.60227 | 296 | Latin 1 / Western European | English - United States | RT_ICON
5 | 4.35159 | 3752 | Latin 1 / Western European | English - United States | RT_ICON
6 | 4.11143 | 2216 | Latin 1 / Western European | English - United States | RT_ICON
7 | 3.32266 | 1620 | Latin 1 / Western European | UNKNOWN | RT_STRING
8 | 3.33289 | 1372 | Latin 1 / Western European | UNKNOWN | RT_STRING
9 | 2.98488 | 16076 | Latin 1 / Western European | UNKNOWN | RT_STRING
10 | 3.23927 | 4686 | Latin 1 / Western European | UNKNOWN | RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
Cabinet.dll
GDI32.dll
KERNEL32.dll
MFC42u.dll
OLEAUT32.dll
RPCRT4.dll
SHELL32.dll
USER32.dll
No data.
All screenshots are available in the full report
Total processes: 68
Monitored processes: 16
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Interactive process graph (image not reproduced). Node labels: mediacreationtool1909.exe "drop and start" setuphost.exe, repeated for each SetupHost.Exe instance; wermgr.exe instances; several nodes are labelled "no specs".

Process information

PID: 1196
CMD: "C:\Users\admin\Desktop\MediaCreationTool1909.exe"
Path: C:\Users\admin\Desktop\MediaCreationTool1909.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows 10 Setup
Exit code: 2147943406
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (images):
  • c:\users\admin\desktop\mediacreationtool1909.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 1456
CMD: "C:\Users\admin\Desktop\MediaCreationTool1909.exe"
Path: C:\Users\admin\Desktop\MediaCreationTool1909.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows 10 Setup
Exit code: 2147943406
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (images):
  • c:\users\admin\desktop\mediacreationtool1909.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 1852
CMD: "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
Path: C:\$Windows.~WS\Sources\SetupHost.Exe
Parent process: MediaCreationTool1909.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Modern Setup Host
Exit code: 3221225758
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (images):
  • c:\$windows.~ws\sources\setuphost.exe
  • c:\systemroot\system32\ntdll.dll

PID: 2228
CMD: "C:\Users\admin\Desktop\MediaCreationTool1909.exe"
Path: C:\Users\admin\Desktop\MediaCreationTool1909.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows 10 Setup
Exit code: 2147942593
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (images):
  • c:\users\admin\desktop\mediacreationtool1909.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 2284
CMD: "C:\Users\admin\Desktop\MediaCreationTool1909.exe"
Path: C:\Users\admin\Desktop\MediaCreationTool1909.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows 10 Setup
Exit code: 2147942583
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (images):
  • c:\users\admin\desktop\mediacreationtool1909.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 2540
CMD: "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
Path: C:\$Windows.~WS\Sources\SetupHost.Exe
Parent process: MediaCreationTool1909.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Modern Setup Host
Exit code: 3221225758
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (images):
  • c:\$windows.~ws\sources\setuphost.exe
  • c:\systemroot\system32\ntdll.dll

PID: 2580
CMD: "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
Path: C:\$Windows.~WS\Sources\SetupHost.Exe
Parent process: MediaCreationTool1909.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Modern Setup Host
Exit code: 2147942593
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (images):
  • c:\$windows.~ws\sources\setuphost.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 2588
CMD: "C:\$Windows.~WS\Sources\SetupHost.Exe" /Download /Web
Path: C:\$Windows.~WS\Sources\SetupHost.Exe
Parent process: MediaCreationTool1909.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Modern Setup Host
Exit code: 2147942583
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (images):
  • c:\$windows.~ws\sources\setuphost.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll

PID: 2780
CMD: "C:\Users\admin\Desktop\MediaCreationTool1909.exe"
Path: C:\Users\admin\Desktop\MediaCreationTool1909.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows 10 Setup
Exit code: 3221226540
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (images):
  • c:\users\admin\desktop\mediacreationtool1909.exe
  • c:\systemroot\system32\ntdll.dll

PID: 2792
CMD: "C:\Users\admin\Desktop\MediaCreationTool1909.exe"
Path: C:\Users\admin\Desktop\MediaCreationTool1909.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows 10 Setup
Exit code: 2147943406
Version: 10.0.18362.418 (19h1_release_svc_prod1.191005-1654)
Modules (images):
  • c:\users\admin\desktop\mediacreationtool1909.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
Total events: 100
Read events: 82
Write events: 10
Delete events: 8

Modification events

(PID) Process: (2284) MediaCreationTool1909.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Setup Files
Operation: write
Name: SetupDirectories
Value: $Windows.~BT;$Windows.~LS;$Windows.~WS

(PID) Process: (2284) MediaCreationTool1909.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Temporary Setup Files
Operation: write
Name: SetupDirectories
Value: $Windows.~BT;$Windows.~LS;$Windows.~WS;ESD\Download

(PID) Process: (2588) SetupHost.Exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation: write
Name: SetupHostResult
Value: 2147942583

(PID) Process: (2284) MediaCreationTool1909.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation: write
Name: BoxResult
Value: 2147942583

(PID) Process: (1456) MediaCreationTool1909.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation: delete value
Name: BoxResult
Value: 2147942583

(PID) Process: (1456) MediaCreationTool1909.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation: delete key

(PID) Process: (1456) MediaCreationTool1909.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation: write
Name: BoxResult
Value: 2147943406

(PID) Process: (2792) MediaCreationTool1909.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation: delete value
Name: BoxResult
Value: 2147943406

(PID) Process: (2792) MediaCreationTool1909.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation: delete key

(PID) Process: (2792) MediaCreationTool1909.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\Setup\MoSetup\Volatile
Operation: write
Name: BoxResult
Value: 2147943406
Executable files: 81
Suspicious files: 2
Text files: 16
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\DU.dll | executable | 06EBF06331E7C76173314B1E08B52EAD | FACC69086950EBD1CAAB308C2F51D36B1968F5B90923F6711AEFC96C03A93A8D
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\DiagTrack.dll | executable | 6C3F6A6BC5EDE978E9DFE1ACCE386339 | B55D66F2943F1C63EA9B39DAE88AA2A4F91775CEFFFEFD263BD302866A7BD91C
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\setupplatform.cfg | text | 213ECD9FDE3824223A98F9D9734A7BE3 | 0751FB2EB6442F207D3884A1919CA1D5F34C4323DF541AED519E1C8DF6DD4E4F
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\DiagTrackRunner.exe | executable | 76F30A1E149792D2542A253B920CBEF6 | 488CBC8330952DD13B797BB40E4E30610ED03483C25919C39555F7B334A3C159
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\wdstptc.dll | executable | 5FC2749BB228F4EFDB651E5AF4879934 | EC8B5CC05DE22BC892082E4B20F768A944F34B8ED4DCF450A3E06B137FF9C317
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\wpx.dll | executable | 49419D100AFF2CF1853D2F21E6BB5645 | 49B7799F7AE13160D3055A10161AACBBB94646D0DF287D4B274A16904A6773A7
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\WinDlp.dll | executable | 433951156ABBAF3C6BFA8306600F3FCE | 2155BEEEEAAD08F5590D228A8F4B111B5364BFD98FBDF6D158E8B88D5457F45B
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\Diager.dll | executable | 1130FD83403E285C9ED21F753AFAF27F | 1A09E466EF5F18CCB68E584C9B53DD239D6654C7FC11A8C7DC993265E597EF0F
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\wdsutil.dll | executable | 37C7684E98C130D7646A57B12661DF7E | CA6E40D91D0763290E2167AE9BF240E429690C14CDCC2D8EAD7AB81C4C501A63
2284 | MediaCreationTool1909.exe | C:\$Windows.~WS\Sources\wdsimage.dll | executable | A29267BF0E6303297FC8AA5D5B40BB91 | E33C8FA0F9E7071AF8F84C33B305607669D69DB90B86CD7EE23581A4F506C7B0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
Process | Message
MediaCreationTool1909.exe | FTH: (1196): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***
MediaCreationTool1909.exe | FTH: (2228): *** Fault tolerant heap shim applied to current process. This is usually due to previous crashes. ***