| File name: | SSHSecureShellClient-3.2.9.exe |
| Full analysis: | https://app.any.run/tasks/e0c38ce4-bc2b-4184-8b2d-f076aaba3690 |
| Verdict: | Malicious activity |
| Analysis date: | August 26, 2024, 10:51:35 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 5E105DBD37ABCD4486CED0F3DAF5B5E8 |
| SHA1: | DDBB5CB26D653192C141FF4D589A3FFD05C9D399 |
| SHA256: | 8A5A076582904C56ECCB41084B9BDFCF1587F0F9257FE51E3301BBA6220C6D40 |
| SSDEEP: | 98304:kNOXWohV+1LrnlQAKQHP9Unw6fAEVFCxBqb+yH2y2tvVKSiv7JuU7pvAwIAfQCYM:ekUkenTGW1+ |
MALICIOUS
No malicious indicators.SUSPICIOUS
Drops the executable file immediately after the start
- SSHSecureShellClient-3.2.9.exe (PID: 6808)
- SSHPackage1.exe (PID: 2180)
- Setup.exe (PID: 4976)
- IKernel.exe (PID: 5244)
Executable content was dropped or overwritten
- SSHPackage1.exe (PID: 2180)
- SSHSecureShellClient-3.2.9.exe (PID: 6808)
- Setup.exe (PID: 4976)
- IKernel.exe (PID: 5244)
Application launched itself
- IKernel.exe (PID: 5244)
Creates/Modifies COM task schedule object
- IKernel.exe (PID: 5244)
INFO
Create files in a temporary directory
- SSHSecureShellClient-3.2.9.exe (PID: 6808)
- SSHPackage1.exe (PID: 2180)
- Setup.exe (PID: 4976)
- IKernel.exe (PID: 5244)
Checks supported languages
- Setup.exe (PID: 4976)
- SSHSecureShellClient-3.2.9.exe (PID: 6808)
- SSHPackage1.exe (PID: 2180)
- IKernel.exe (PID: 5524)
- IKernel.exe (PID: 5244)
- IKernel.exe (PID: 6648)
Reads the computer name
- SSHPackage1.exe (PID: 2180)
- Setup.exe (PID: 4976)
- IKernel.exe (PID: 5524)
- IKernel.exe (PID: 5244)
- IKernel.exe (PID: 6648)
Creates files in the program directory
- Setup.exe (PID: 4976)
- IKernel.exe (PID: 5244)
Reads Environment values
- IKernel.exe (PID: 5244)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2003:01:08 12:15:45+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 24576 |
| InitializedDataSize: | 5488640 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x18ef |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 3.2.0.0 |
| ProductVersionNumber: | 3.2.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| Comments: | This setup executable contains SSH Secure Shell software and possibly a Customer License to run the software. |
| CompanyName: | SSH Communications Security Corp |
| FileDescription: | SSH Secure Shell Setup |
| FileVersion: | 3.2 |
| InternalName: | InstWrapper |
| LegalCopyright: | Copyright © 2003 |
| LegalTrademarks: | - |
| OriginalFileName: | InstWrapper.exe |
| PrivateBuild: | - |
| ProductName: | SSH Secure Shell Setup |
| ProductVersion: | 3.x |
| SpecialBuild: | - |
Total processes
129
Monitored processes
7
Malicious processes
1
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2180 | "C:\Users\admin\AppData\Local\Temp\SSHPackage1.exe" | C:\Users\admin\AppData\Local\Temp\SSHPackage1.exe | SSHSecureShellClient-3.2.9.exe | ||||||||||||
User: admin Company: SSH Communications Security Ltd. Integrity Level: HIGH Version: 1.00.000 Modules
| |||||||||||||||
| 4976 | "C:\Users\admin\AppData\Local\Temp\pftB07E~tmp\Disk1\Setup.exe" | C:\Users\admin\AppData\Local\Temp\pftB07E~tmp\Disk1\Setup.exe | SSHPackage1.exe | ||||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: HIGH Description: InstallShield (R) Setup Launcher Version: 6, 30, 100, 1255 Modules
| |||||||||||||||
| 5244 | C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | svchost.exe | ||||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: HIGH Description: InstallShield (R) Setup Engine Version: 6, 31, 100, 1190 Modules
| |||||||||||||||
| 5524 | "C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | — | Setup.exe | |||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: HIGH Description: InstallShield (R) Setup Engine Exit code: 0 Version: 6, 31, 100, 1190 Modules
| |||||||||||||||
| 6648 | "C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | — | IKernel.exe | |||||||||||
User: admin Company: InstallShield Software Corporation Integrity Level: HIGH Description: InstallShield (R) Setup Engine Exit code: 0 Version: 6, 31, 100, 1190 Modules
| |||||||||||||||
| 6808 | "C:\Users\admin\Desktop\SSHSecureShellClient-3.2.9.exe" | C:\Users\admin\Desktop\SSHSecureShellClient-3.2.9.exe | explorer.exe | ||||||||||||
User: admin Company: SSH Communications Security Corp Integrity Level: HIGH Description: SSH Secure Shell Setup Version: 3.2 Modules
| |||||||||||||||
| 7052 | "C:\Users\admin\Desktop\SSHSecureShellClient-3.2.9.exe" | C:\Users\admin\Desktop\SSHSecureShellClient-3.2.9.exe | — | explorer.exe | |||||||||||
User: admin Company: SSH Communications Security Corp Integrity Level: MEDIUM Description: SSH Secure Shell Setup Exit code: 3221226540 Version: 3.2 Modules
| |||||||||||||||
Total events
1 538
Read events
1 379
Write events
159
Delete events
0
Modification events
| (PID) Process: | (5524) IKernel.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib |
| Operation: | write | Name: | Version |
Value: 1.0 | |||
| (PID) Process: | (5524) IKernel.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AA7E2068-CB55-11D2-8094-00104B1F9838}\TypeLib |
| Operation: | write | Name: | Version |
Value: 1.0 | |||
| (PID) Process: | (5524) IKernel.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\TypeLib |
| Operation: | write | Name: | Version |
Value: 1.0 | |||
| (PID) Process: | (5524) IKernel.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AA7E2066-CB55-11D2-8094-00104B1F9838}\TypeLib |
| Operation: | write | Name: | Version |
Value: 1.0 | |||
| (PID) Process: | (5524) IKernel.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\TypeLib |
| Operation: | write | Name: | Version |
Value: 1.0 | |||
| (PID) Process: | (5524) IKernel.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{CC096170-E2CB-11D2-80C8-00104B1F6CEA}\TypeLib |
| Operation: | write | Name: | Version |
Value: 1.0 | |||
| (PID) Process: | (5524) IKernel.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\TypeLib |
| Operation: | write | Name: | Version |
Value: 1.0 | |||
| (PID) Process: | (5524) IKernel.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8C3C1B11-E59D-11D2-B40B-00A024B9DDDD}\TypeLib |
| Operation: | write | Name: | Version |
Value: 1.0 | |||
| (PID) Process: | (5524) IKernel.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\TypeLib |
| Operation: | write | Name: | Version |
Value: 1.0 | |||
| (PID) Process: | (5524) IKernel.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8C3C1B13-E59D-11D2-B40B-00A024B9DDDD}\TypeLib |
| Operation: | write | Name: | Version |
Value: 1.0 | |||
Executable files
21
Suspicious files
8
Text files
15
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2180 | SSHPackage1.exe | C:\Users\admin\AppData\Local\Temp\pftB07E~tmp\pftw1.pkg | — | |
MD5:— | SHA256:— | |||
| 2180 | SSHPackage1.exe | C:\Users\admin\AppData\Local\Temp\pftB07E~tmp\Disk1\data2.cab | — | |
MD5:— | SHA256:— | |||
| 4976 | Setup.exe | C:\Users\admin\AppData\Local\Temp\IECB32B.tmp | ex_ | |
MD5:4D63BBFF28AFC7A69B6DEFAF048306A7 | SHA256:4EB9A6A4C0B1147290C74D2160533E49E043335255BE9A60B6C83638D83E5590 | |||
| 2180 | SSHPackage1.exe | C:\Users\admin\AppData\Local\Temp\plfAF91.tmp | text | |
MD5:19A2283172165182D05BBD5745372F62 | SHA256:379ADDFC2E4A0309EC0526507D564FC79EEB6635963C0E84F10CB8B103036C54 | |||
| 2180 | SSHPackage1.exe | C:\Users\admin\AppData\Local\Temp\extAF92.tmp | text | |
MD5:19A2283172165182D05BBD5745372F62 | SHA256:379ADDFC2E4A0309EC0526507D564FC79EEB6635963C0E84F10CB8B103036C54 | |||
| 2180 | SSHPackage1.exe | C:\Users\admin\AppData\Local\Temp\pftB07E~tmp\Disk1\data1.hdr | hdr | |
MD5:D8AE531B02F3BCEE317BFC2655428F4B | SHA256:B58EDB78CD99C55AB87E5E46FFE7497E6F6B14D0F1F0490DCD5022EBFB6B2328 | |||
| 2180 | SSHPackage1.exe | C:\Users\admin\AppData\Local\Temp\pftB07E~tmp\Disk1\layout.bin | binary | |
MD5:B4385C44428DBB8D360B550313543B9C | SHA256:A55AEC14971B63C99F8DC2AFB26EFF96B7188C6D69D05C776EAA3F8AB4C7678F | |||
| 2180 | SSHPackage1.exe | C:\Users\admin\AppData\Local\Temp\pftB07E~tmp\Disk1\Setup.ini | text | |
MD5:2AC0AEB6D59C55155B97A687582686AD | SHA256:F97FD0E2B6B3A0A7F02BF6E282D84E71117D763C36FF4769A099139C81EDB59A | |||
| 2180 | SSHPackage1.exe | C:\Users\admin\AppData\Local\Temp\pftB07E~tmp\Disk1\data1.cab | compressed | |
MD5:908E2667EC1E133CB58F7812C7CD1F90 | SHA256:63B2E5BC023DFA62C3595E91E3C077A9EF0F40AE3C302FC147AC0EF8C3DA8AE2 | |||
| 4976 | Setup.exe | C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe | executable | |
MD5:BF25EB6A1E0AA2FFF0CB190270B95418 | SHA256:4535320C5B9596A6210109F68C647DBDBD0289BA63286FD389DEA910855491F1 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
14
DNS requests
2
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
5644 | RUXIMICS.exe | 13.71.55.58:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IN | unknown |
2120 | MoUsoCoreWorker.exe | 13.71.55.58:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IN | unknown |
— | — | 192.168.100.255:138 | — | — | — | whitelisted |
6164 | svchost.exe | 13.71.55.58:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IN | unknown |
2120 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6164 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3888 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |
4324 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |