File name: | Firefox.exe |
Full analysis: | https://app.any.run/tasks/f284706e-c634-465f-a676-592130f3bf99 |
Verdict: | Malicious activity |
Analysis date: | July 17, 2019, 23:25:06 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 64 bit) |
Tags: | |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
MD5: | 1B456FA970F73344449B20D1F8BCC3CD |
SHA1: | B7D01E539C294C50D720595AE62173654C33C4F0 |
SHA256: | 888D6601635750C394F17111FE2FD2EF507879CCDA13078A0157A8F514620BF0 |
SSDEEP: | 98304:PX4BO2iTvkoBmC1GqTX2Hm7e2k98q057Uvyazx1X:ve2v1GqjHe2dNUvyaL |
.exe | | | Inno Setup installer (51.8) |
---|---|---|
.exe | | | InstallShield setup (20.3) |
.exe | | | Win32 EXE PECompact compressed (generic) (19.6) |
.dll | | | Win32 Dynamic Link Library (generic) (3.1) |
.exe | | | Win32 Executable (generic) (2.1) |
ProductVersion: | 78.9 |
---|---|
ProductName: | Browser update install |
OriginalFileName: | |
LegalCopyright: | |
FileVersion: | |
FileDescription: | Browser update install Setup |
CompanyName: | Google, Inc. |
Comments: | This installation was built with Inno Setup. |
CharacterSet: | Unicode |
LanguageCode: | Neutral |
FileSubtype: | - |
ObjectFileType: | Executable application |
FileOS: | Win32 |
FileFlags: | (none) |
FileFlagsMask: | 0x003f |
ProductVersionNumber: | 0.0.0.0 |
FileVersionNumber: | 0.0.0.0 |
Subsystem: | Windows GUI |
SubsystemVersion: | 6 |
ImageVersion: | 6 |
OSVersion: | 6 |
EntryPoint: | 0xa7ed0 |
UninitializedDataSize: | - |
InitializedDataSize: | 37888 |
CodeSize: | 682496 |
LinkerVersion: | 2.25 |
PEType: | PE32 |
TimeStamp: | 2019:04:27 10:22:11+02:00 |
MachineType: | Intel 386 or later, and compatibles |
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 27-Apr-2019 08:22:11 |
Detected languages: |
|
Comments: | This installation was built with Inno Setup. |
CompanyName: | Google, Inc. |
FileDescription: | Browser update install Setup |
FileVersion: | - |
LegalCopyright: | - |
OriginalFileName: | - |
ProductName: | Browser update install |
ProductVersion: | 78.9 |
Magic number: | MZ |
---|---|
Bytes on last page of file: | 0x0050 |
Pages in file: | 0x0002 |
Relocations: | 0x0000 |
Size of header: | 0x0004 |
Min extra paragraphs: | 0x000F |
Max extra paragraphs: | 0xFFFF |
Initial SS value: | 0x0000 |
Initial SP value: | 0x00B8 |
Checksum: | 0x0000 |
Initial IP value: | 0x0000 |
Initial CS value: | 0x0000 |
Overlay number: | 0x001A |
OEM identifier: | 0x0000 |
OEM information: | 0x0000 |
Address of NE header: | 0x00000100 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
Number of sections: | 10 |
Time date stamp: | 27-Apr-2019 08:22:11 |
Pointer to Symbol Table: | 0x00000000 |
Number of symbols: | 0 |
Size of Optional Header: | 0x00E0 |
Characteristics: |
|
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
---|---|---|---|---|---|
.text | 0x00001000 | 0x000A50E0 | 0x000A5200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.36825 |
.itext | 0x000A7000 | 0x00001668 | 0x00001800 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.95049 |
.data | 0x000A9000 | 0x000037A4 | 0x00003800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 5.02787 |
.bss | 0x000AD000 | 0x0000676C | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.idata | 0x000B4000 | 0x00000F1C | 0x00001000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.79161 |
.didata | 0x000B5000 | 0x000001A4 | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.74582 |
.edata | 0x000B6000 | 0x0000009A | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.88107 |
.tls | 0x000B7000 | 0x00000018 | 0x00000000 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0 |
.rdata | 0x000B8000 | 0x0000005D | 0x00000200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 1.36974 |
.rsrc | 0x000B9000 | 0x00004600 | 0x00004600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.44027 |
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 5.13965 | 1580 | UNKNOWN | English - United States | RT_MANIFEST |
2 | 3.47151 | 1384 | UNKNOWN | Dutch - Netherlands | RT_ICON |
3 | 3.91708 | 744 | UNKNOWN | Dutch - Netherlands | RT_ICON |
4 | 3.91366 | 2216 | UNKNOWN | Dutch - Netherlands | RT_ICON |
4086 | 3.16547 | 864 | UNKNOWN | UNKNOWN | RT_STRING |
4087 | 3.40938 | 608 | UNKNOWN | UNKNOWN | RT_STRING |
4088 | 3.31153 | 1116 | UNKNOWN | UNKNOWN | RT_STRING |
4089 | 3.33977 | 1036 | UNKNOWN | UNKNOWN | RT_STRING |
4090 | 3.36723 | 724 | UNKNOWN | UNKNOWN | RT_STRING |
4091 | 3.33978 | 184 | UNKNOWN | UNKNOWN | RT_STRING |
advapi32.dll |
comctl32.dll |
kernel32.dll |
kernel32.dll (delay-loaded) |
netapi32.dll |
oleaut32.dll |
user32.dll |
version.dll |
Title | Ordinal | Address |
---|---|---|
dbkFCallWrapperAddr | 1 | 0x000B063C |
__dbk_fcall_wrapper | 2 | 0x0000D3DC |
TMethodImplementationIntercept | 3 | 0x00053ABC |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2100 | "C:\Users\admin\AppData\Local\Temp\Firefox.exe" | C:\Users\admin\AppData\Local\Temp\Firefox.exe | explorer.exe | |
User: admin Company: Google, Inc. Integrity Level: MEDIUM Description: Browser update install Setup Exit code: 0 Version: | ||||
2648 | "C:\Users\admin\AppData\Local\Temp\is-977PI.tmp\Firefox.tmp" /SL5="$F01B4,3454339,721408,C:\Users\admin\AppData\Local\Temp\Firefox.exe" | C:\Users\admin\AppData\Local\Temp\is-977PI.tmp\Firefox.tmp | Firefox.exe | |
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 | ||||
2576 | "C:\Windows\system32\cmd.exe" /c rundll32.exe %temp%\installsoftw.log, minaret | C:\Windows\SysWOW64\cmd.exe | — | Firefox.tmp |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2396 | rundll32.exe C:\Users\admin\AppData\Local\Temp\installsoftw.log, minaret | C:\Windows\SysWOW64\rundll32.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2640 | "C:\Windows\System32\cmd.exe" /c start %temp%\bitssvc.exe&timeout -t 23® ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "intel update" /t REG_SZ /F /D "C:\Users\admin\AppData\Local\Temp\bitssvc.exe" | C:\Windows\SysWOW64\cmd.exe | — | rundll32.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2260 | "C:\Windows\System32\cmd.exe" /c timeout -t 10&del C:\Users\admin\AppData\Local\Temp\installsoftw.log /f | C:\Windows\SysWOW64\cmd.exe | — | rundll32.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2332 | C:\Users\admin\AppData\Local\Temp\bitssvc.exe | C:\Users\admin\AppData\Local\Temp\bitssvc.exe | cmd.exe | |
User: admin Company: NetSupport Ltd Integrity Level: MEDIUM Description: NetSupport Client Application Version: V12.10 | ||||
2756 | timeout -t 23 | C:\Windows\SysWOW64\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2772 | timeout -t 10 | C:\Windows\SysWOW64\timeout.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: timeout - pauses command processing Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3024 | REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "intel update" /t REG_SZ /F /D "C:\Users\admin\AppData\Local\Temp\bitssvc.exe" | C:\Windows\SysWOW64\reg.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2648) Firefox.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
Operation: | write | Name: | Owner |
Value: 580A00008E9F42F3F63CD501 | |||
(PID) Process: | (2648) Firefox.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
Operation: | write | Name: | SessionHash |
Value: 69E13E3345508815CBFD5D2A1C372CB28E8816A7E8C97547043C5B898EDFBAAA | |||
(PID) Process: | (2648) Firefox.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
Operation: | write | Name: | Sequence |
Value: 1 | |||
(PID) Process: | (2648) Firefox.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
Operation: | delete value | Name: | Sequence |
Value: 1 | |||
(PID) Process: | (2648) Firefox.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
Operation: | delete value | Name: | SessionHash |
Value: 69E13E3345508815CBFD5D2A1C372CB28E8816A7E8C97547043C5B898EDFBAAA | |||
(PID) Process: | (2648) Firefox.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
Operation: | delete value | Name: | Owner |
Value: 580A00008E9F42F3F63CD501 | |||
(PID) Process: | (2648) Firefox.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
Operation: | delete key | Name: | |
Value: | |||
(PID) Process: | (2396) rundll32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
(PID) Process: | (2396) rundll32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | IntranetName |
Value: 1 | |||
(PID) Process: | (2396) rundll32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2648 | Firefox.tmp | C:\Users\admin\AppData\Local\Temp\is-VJ13C.tmp | — | |
MD5:— | SHA256:— | |||
2396 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\client32.exe | — | |
MD5:— | SHA256:— | |||
2396 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\client32.ini | text | |
MD5:6DF9A17CC71670AB880356BF8ACFAE8E | SHA256:36D93EAD2702812D514CB8FBD6CB25DA969ACC5FF1AF08E607C25162A2363838 | |||
2396 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\PCICL32.DLL | executable | |
MD5:00587238D16012152C2E951A087F2CC9 | SHA256:63AA18C32AF7144156E7EE2D5BA0FA4F5872A7DEB56894F6F96505CBC9AFE6F8 | |||
2396 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\pcicapi.dll | executable | |
MD5:DCDE2248D19C778A41AA165866DD52D0 | SHA256:9074FD40EA6A0CAA892E6361A6A4E834C2E51E6E98D1FFCDA7A9A537594A6917 | |||
2396 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\msvcr100.dll | executable | |
MD5:0E37FBFA79D349D672456923EC5FBBE3 | SHA256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18 | |||
2648 | Firefox.tmp | C:\Users\admin\AppData\Local\Temp\is-3RPUC.tmp\_isetup\_setup64.tmp | executable | |
MD5:E4211D6D009757C078A9FAC7FF4F03D4 | SHA256:388A796580234EFC95F3B1C70AD4CB44BFDDC7BA0F9203BF4902B9929B136F95 | |||
2396 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\HTCTL32.DLL | executable | |
MD5:2D3B207C8A48148296156E5725426C7F | SHA256:EDFE2B923BFB5D1088DE1611401F5C35ECE91581E71503A5631647AC51F7D796 | |||
2396 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\aliaiia3262.txt | compressed | |
MD5:8AB7F018AD2B3F4C90F47577FDBF0896 | SHA256:708EA51AB25D87A9401D57328AAE1BE5F85104CB2C57345386979CCC097FE78C | |||
2648 | Firefox.tmp | C:\Users\admin\AppData\Local\Temp\installsoftw.log | executable | |
MD5:D18AC7BA439C3F30B529411A84884070 | SHA256:B5C95949DCA0D58DB47C011BFC086DF03A0DC3EAAB60A9A9B6FBB44975037A44 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2332 | bitssvc.exe | POST | 200 | 5.45.74.219:443 | http://5.45.74.219/fakeurl.htm | NL | binary | 159 b | suspicious |
2332 | bitssvc.exe | GET | 200 | 195.171.92.116:80 | http://geo.netsupportsoftware.com/location/loca.asp | GB | binary | 1 b | suspicious |
2332 | bitssvc.exe | POST | — | 5.45.74.219:443 | http://5.45.74.219/fakeurl.htm | NL | — | — | suspicious |
2332 | bitssvc.exe | POST | — | 5.45.74.219:443 | http://5.45.74.219/fakeurl.htm | NL | — | — | suspicious |
2332 | bitssvc.exe | POST | — | 5.45.74.219:443 | http://5.45.74.219/fakeurl.htm | NL | — | — | suspicious |
2332 | bitssvc.exe | POST | — | 5.45.74.219:443 | http://5.45.74.219/fakeurl.htm | NL | — | — | suspicious |
2332 | bitssvc.exe | POST | — | 5.45.74.219:443 | http://5.45.74.219/fakeurl.htm | NL | — | — | suspicious |
2332 | bitssvc.exe | POST | — | 5.45.74.219:443 | http://5.45.74.219/fakeurl.htm | NL | — | — | suspicious |
2332 | bitssvc.exe | POST | — | 5.45.74.219:443 | http://5.45.74.219/fakeurl.htm | NL | — | — | suspicious |
2332 | bitssvc.exe | POST | 200 | 5.45.74.219:443 | http://5.45.74.219/fakeurl.htm | NL | binary | 61 b | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2332 | bitssvc.exe | 195.171.92.116:80 | geo.netsupportsoftware.com | British Telecommunications PLC | GB | suspicious |
2332 | bitssvc.exe | 5.45.74.219:443 | — | Serverius Holding B.V. | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
geo.netsupportsoftware.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
2332 | bitssvc.exe | A Network Trojan was detected | SUSPICIOUS [PTsecurity] NetSupport Remote Admin |
2332 | bitssvc.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
2332 | bitssvc.exe | A Network Trojan was detected | SUSPICIOUS [PTsecurity] NetSupport Remote Admin |
2332 | bitssvc.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
2332 | bitssvc.exe | A Network Trojan was detected | SUSPICIOUS [PTsecurity] NetSupport Remote Admin |
2332 | bitssvc.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
2332 | bitssvc.exe | A Network Trojan was detected | SUSPICIOUS [PTsecurity] NetSupport Remote Admin |
2332 | bitssvc.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |
2332 | bitssvc.exe | A Network Trojan was detected | SUSPICIOUS [PTsecurity] NetSupport Remote Admin |
2332 | bitssvc.exe | Potentially Bad Traffic | ET POLICY HTTP traffic on port 443 (POST) |