File name: kingsoftSecurity_install.exe

Full analysis: https://app.any.run/tasks/713807b7-5e87-4a7e-a047-a1ade9dc23bd
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: April 25, 2021, 00:24:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, loader, kis, kingsoft, antivirus
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 7D44967848022F5B65EF128E1CB62027
SHA1: E050D124147F5C33E14BF4F7D5DB22EA281F55AE
SHA256: 8C083EEF2B1D558884C3FA9AA19877EFEE3B7F0D48BDAEFF770F0DAB8DAF2ABF
SSDEEP: 24576:7cTGnrlIKAI2SmVZg3jOsGmZiIzq6NNwf9C78f76+CyMAO0eQiUMB80eQiUMB9RD:YKnrlINI2SIgSsdzq6TuUmm+xMbyiUM6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Connects to CnC server
      • kingsoftSecurity_install.exe (PID: 1340)
      • duba_100_50.exe (PID: 1440)
    • Application was dropped or rewritten from another process
      • duba_100_50.exe (PID: 1440)
    • Changes the autorun value in the registry
      • duba_100_50.exe (PID: 1440)
  • SUSPICIOUS
    • Creates files in the driver directory
      • duba_100_50.exe (PID: 1440)
    • Drops a file that was compiled in debug mode
      • duba_100_50.exe (PID: 1440)
    • Executable content was dropped or overwritten
      • duba_100_50.exe (PID: 1440)
    • Creates files in the Windows directory
      • duba_100_50.exe (PID: 1440)
    • Removes files from Windows directory
      • duba_100_50.exe (PID: 1440)
    • Low-level read access rights to disk partition
      • kingsoftSecurity_install.exe (PID: 1340)
    • Creates a directory in Program Files
      • duba_100_50.exe (PID: 1440)
    • Creates a software uninstall entry
      • duba_100_50.exe (PID: 1440)
    • Drops a file with too old compile date
      • kingsoftSecurity_install.exe (PID: 1340)
      • duba_100_50.exe (PID: 1440)
    • Creates/Modifies COM task schedule object
      • duba_100_50.exe (PID: 1440)
    • Creates files in the program directory
      • duba_100_50.exe (PID: 1440)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (46.3)
.exe | Win64 Executable (generic) (41)
.exe | Win32 Executable (generic) (6.6)
.exe | Generic Win/DOS Executable (2.9)
.exe | DOS Executable Generic (2.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2020:12:10 14:05:42+01:00
PEType: PE32
LinkerVersion: 8
CodeSize: 741376
InitializedDataSize: 724992
UninitializedDataSize: -
EntryPoint: 0x716a4
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 2020.12.10.65
ProductVersionNumber: 9.3.0.65
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Dynamic link library
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Kingsoft Corporation
FileDescription: Kingsoft Security - 安装程序
FileVersion: 2020,12,10,65
InternalName: KInstallTool
LegalCopyright: Copyright (C) 1998-2020 Kingsoft Corporation
OriginalFileName: KInstallTool.exe
ProductName: Kingsoft Internet Security
ProductVersion: 9,3,0,65

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 10-Dec-2020 13:05:42
Detected languages:
  • Chinese - PRC
  • English - United States
Debug artifacts:
  • e:\KINGSOFT_DUBA\Build\Build_Src\kisengine_git\1337\product\win32\dbginfo\kinstuiofficial.pdb
CompanyName: Kingsoft Corporation
FileDescription: Kingsoft Security - 安装程序
FileVersion: 2020,12,10,65
InternalName: KInstallTool
LegalCopyright: Copyright (C) 1998-2020 Kingsoft Corporation
OriginalFilename: KInstallTool.exe
ProductName: Kingsoft Internet Security
ProductVersion: 9,3,0,65

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 10-Dec-2020 13:05:42
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x000B4BAC | 0x000B5000 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.60814
.rdata | 0x000B6000 | 0x0002522E | 0x00026000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.80104
.data | 0x000DC000 | 0x00008DC8 | 0x00005000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.63633
.rsrc | 0x000E5000 | 0x000850C4 | 0x00086000 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 7.69088

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.253 | 1054 | Latin 1 / Western European | English - United States | RT_MANIFEST
2 | 6.56924 | 9640 | Latin 1 / Western European | Chinese - PRC | RT_ICON
3 | 6.61484 | 4264 | Latin 1 / Western European | Chinese - PRC | RT_ICON
4 | 4.67813 | 1128 | Latin 1 / Western European | Chinese - PRC | RT_ICON
5 | 6.44522 | 38056 | Latin 1 / Western European | Chinese - PRC | RT_ICON
6 | 6.56924 | 9640 | Latin 1 / Western European | Chinese - PRC | RT_ICON
7 | 6.61484 | 4264 | Latin 1 / Western European | Chinese - PRC | RT_ICON
8 | 4.67813 | 1128 | Latin 1 / Western European | Chinese - PRC | RT_ICON
9 | 7.21166 | 361 | Latin 1 / Western European | Chinese - PRC | PNG
10 | 6.01791 | 1101 | Latin 1 / Western European | Chinese - PRC | PNG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
MSIMG32.dll
OLEAUT32.dll
PSAPI.DLL
RASAPI32.dll
SHELL32.dll
SHLWAPI.dll
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph (rendered in the full report)

kingsoftsecurity_install.exe --download and start--> duba_100_50.exe; a second kingsoftsecurity_install.exe instance (no specs)

Process information

PID: 1340
CMD: "C:\Users\admin\Downloads\kingsoftSecurity_install.exe"
Path: C:\Users\admin\Downloads\kingsoftSecurity_install.exe
Parent process: explorer.exe
User: admin
Company: Kingsoft Corporation
Integrity Level: HIGH
Description: Kingsoft Security - 安装程序
Exit code: 0
Version: 2020,12,10,65
Modules (images):
  • c:\users\admin\downloads\kingsoftsecurity_install.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\lpk.dll
  • c:\windows\system32\usp10.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll

PID: 1440
CMD: "C:\Users\admin\AppData\Local\Temp\duba_100_50.exe" /rcmdfromkinst /rcmdSceneId=2 /rcmdSoftId=0 /rcmdcheck=1 /rcmdreason="NoRcmdItem" /rcmdCid=0 /rcmdTid=0 /rcmdCanRcmd=0 /autoinstall ##silence=0&installpath="C:\Program Files\kingsoft\kingsoft antivirus\"&hwnd=5013c&tid1=100 tid2=50 tod1=100 tod2=51
Path: C:\Users\admin\AppData\Local\Temp\duba_100_50.exe
Parent process: kingsoftSecurity_install.exe
User: admin
Company: Kingsoft Corporation
Integrity Level: HIGH
Description: 安装程序
Exit code: 0
Version: 2019,06,20,22255
Modules (images):
  • c:\users\admin\appdata\local\temp\duba_100_50.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
  • c:\windows\system32\gdi32.dll

PID: 2672
CMD: "C:\Users\admin\Downloads\kingsoftSecurity_install.exe"
Path: C:\Users\admin\Downloads\kingsoftSecurity_install.exe
Parent process: explorer.exe
User: admin
Company: Kingsoft Corporation
Integrity Level: MEDIUM
Description: Kingsoft Security - 安装程序
Exit code: 3221226540
Version: 2020,12,10,65
Modules (images):
  • c:\systemroot\system32\ntdll.dll
Total events: 276
Read events: 85
Write events: 119
Delete events: 72

Modification events

(PID) Process: (1340) kingsoftSecurity_install.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Operation: write
Name: idex
Value: 78534eb65e0bbc63b210104eaf85b681

(PID) Process: (1340) kingsoftSecurity_install.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Operation: write
Name: idno
Value: 1

(PID) Process: (1340) kingsoftSecurity_install.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}
Operation: write
Name: did
Value: 7D5C48EBB0D7E21D0E7F78ABD6D11F8A

(PID) Process: (1340) kingsoftSecurity_install.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}
Operation: write
Name: PacketPath_1_3_1
Value: C:\Users\admin\AppData\Local\Temp\duba_100_50.exe

(PID) Process: (1440) duba_100_50.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Operation: write
Name: idno
Value: 1

(PID) Process: (1440) duba_100_50.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Operation: write
Name: idex
Value: 78534eb65e0bbc63b210104eaf85b681

(PID) Process: (1440) duba_100_50.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Operation: write
Name: svrid
Value: -

(PID) Process: (1340) kingsoftSecurity_install.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Session Manager
Operation: write
Name: PendingFileRenameOperations
Value: \??\C:\Users\admin\AppData\Local\Temp\duba_100_50.exe

(PID) Process: (1440) duba_100_50.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{9B7A98EC-7EF9-468c-ACC8-37C793DBD7E0}\Implemented Categories\{A5F7140E-4311-4ef9-AABC-F55941B5EBE5}
Operation: write
Name: svrid
Value: 9w4hjooiejuqu5wza29twykhcgav

(PID) Process: (1440) duba_100_50.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: -

Executable files: 12
Suspicious files: 35
Text files: 252
Unknown types: 3

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1340 | kingsoftSecurity_install.exe | C:\Users\admin\AppData\Local\Temp\jcqgx.ini | - | - | -
1340 | kingsoftSecurity_install.exe | C:\Users\admin\AppData\Local\Temp\KInstallRcmdCfg.dat | - | - | -
1340 | kingsoftSecurity_install.exe | C:\Users\admin\AppData\Local\Temp\duba_100_50.exe | - | - | -
1340 | kingsoftSecurity_install.exe | C:\Users\admin\AppData\Local\Temp\kinst.log | text | - | -
1440 | duba_100_50.exe | C:\ProgramData\Kingsoft\KIS\hg.dat | text | - | -
1440 | duba_100_50.exe | C:\Users\admin\AppData\Local\Temp\kantivirus\~e6bd5\install_res\2.jpg | image | D2FE241B32B67B67AEA896867054BFA3 | 287187541B240F6A4A9B504D0D9FC21F49BC7C2CE6A474A5C84489984C61B147
1440 | duba_100_50.exe | C:\Users\admin\AppData\Local\Temp\kantivirus\~e6bd5\install_res\1.jpg | image | BCE3D32BC31D8866C7AE6001A0B7F2B2 | 6E992E0C2FCB0B6DEF7F0C371F20837BE7539DB17A3AA76732B2225650C5595F
1440 | duba_100_50.exe | C:\Users\admin\AppData\Local\Temp\kantivirus\~e6bd5\install_res\507.png | image | F32E41405FBEA85B58AA473A067CF86A | 47FDA3F7C5A74A75833BE72D235649305DCE7D6F28540357D8BCE990B6BE73D8
1440 | duba_100_50.exe | C:\Users\admin\AppData\Local\Temp\kantivirus\~e6bd5\install_res\509.png | image | 1840709E2C22AB4F7F0F41EAD45FFD31 | F36B04F4FEF585D4ADF6949417624DB9A2F46D1056F6C14F956958FAB827E01B
1440 | duba_100_50.exe | C:\Users\admin\AppData\Local\Temp\kantivirus\~e6bd5\install_res\511.png | image | E05A9755F52747825218DEEA947E5ABC | BAF3CE22616BAA76A00234EA91868515BF99602B287C1226346545CF8D90C3B9
HTTP(S) requests: 51
TCP/UDP connections: 51
DNS requests: 36
Threats: 33

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1340 | kingsoftSecurity_install.exe | POST | 200 | 119.29.49.207:80 | http://infoc0.duba.net/c/ | CN | binary | 43 b | whitelisted
1340 | kingsoftSecurity_install.exe | POST | 200 | 119.29.49.207:80 | http://infoc0.duba.net/c/ | CN | binary | 43 b | whitelisted
1340 | kingsoftSecurity_install.exe | GET | 200 | 58.218.203.248:80 | http://config.i.duba.net/lminstall3/1.json?time=1619310289 | CN | text | 2.17 Kb | whitelisted
1440 | duba_100_50.exe | POST | 200 | 139.199.218.80:80 | http://did.ijinshan.com/db/?v=2&p=db&u=78534EB65E0BBC63B210104EAF85B681&m=1203334a04af0000&ip=744794304&s=1667e3a1406a54fde15817aa758a9dc4 | CN | text | 45 b | malicious
1340 | kingsoftSecurity_install.exe | GET | 200 | 58.218.203.248:80 | http://config.i.duba.net/lminstall3/unioncfg.dat?time=1619310285 | CN | binary | 96.9 Kb | whitelisted
1340 | kingsoftSecurity_install.exe | HEAD | 200 | 58.218.203.248:80 | http://config.i.duba.net/lminstall3/unioncfg.dat?time=1619310285 | CN | - | - | whitelisted
1340 | kingsoftSecurity_install.exe | POST | 200 | 119.29.49.207:80 | http://infoc0.duba.net/c/ | CN | binary | 43 b | whitelisted
1340 | kingsoftSecurity_install.exe | POST | 200 | 119.29.49.207:80 | http://infoc0.duba.net/c/ | CN | binary | 43 b | whitelisted
1340 | kingsoftSecurity_install.exe | GET | 200 | 58.216.4.240:80 | http://config.i.duba.net/installrcmd/KInstallRcmdCfg.dat | CN | binary | 164 Kb | whitelisted
1340 | kingsoftSecurity_install.exe | GET | 200 | 120.52.95.242:80 | http://2398.35go.net/defend/o1/jcqgx.ini | CN | text | 10 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1340 | kingsoftSecurity_install.exe | 120.52.95.242:80 | 2398.35go.net | China Unicom IP network | CN | malicious
1340 | kingsoftSecurity_install.exe | 119.29.49.207:80 | infoc0.duba.net | Shenzhen Tencent Computer Systems Company Limited | CN | malicious
1340 | kingsoftSecurity_install.exe | 58.218.203.248:80 | config.i.duba.net | No.31,Jin-rong Street | CN | suspicious
1440 | duba_100_50.exe | 139.199.218.80:80 | did.ijinshan.com | Shenzhen Tencent Computer Systems Company Limited | CN | malicious
1440 | duba_100_50.exe | 120.52.95.243:80 | 2398.35go.net | China Unicom IP network | CN | malicious
1440 | duba_100_50.exe | 139.199.215.55:80 | ct.duba.net | Shenzhen Tencent Computer Systems Company Limited | CN | malicious
1440 | duba_100_50.exe | 111.230.160.42:80 | dbsu.cmcm.com | Shenzhen Tencent Computer Systems Company Limited | CN | unknown
1340 | kingsoftSecurity_install.exe | 58.216.4.240:80 | config.i.duba.net | AS Number for CHINANET jiangsu province backbone | CN | suspicious
1340 | kingsoftSecurity_install.exe | 182.207.100.37:80 | cd002.www.duba.net | No.31,Jin-rong Street | CN | malicious
1440 | duba_100_50.exe | 134.175.158.111:80 | cct.duba.com | - | US | unknown

DNS requests

Domain | IP | Reputation
2398.35go.net | 120.52.95.242, 218.12.76.151, 218.12.76.150, 120.52.95.243 | whitelisted
infoc0.duba.net | 119.29.49.207 | whitelisted
config.i.duba.net | 58.216.4.240, 58.216.15.242, 117.91.179.129, 221.230.245.249, 58.218.203.238, 218.94.206.238, 117.91.179.130, 58.218.203.248, 58.216.4.238, 58.216.15.239, 117.91.179.229, 117.91.179.126 | whitelisted
cd002.www.duba.net | 182.207.100.37 | malicious
did.ijinshan.com | 139.199.218.80 | malicious
www.baidu.com | 104.193.88.77, 104.193.88.123 | whitelisted
cct.duba.com | 134.175.158.111 | unknown
ct.duba.net | 139.199.215.55 | whitelisted
dbsu.cmcm.com | 111.230.160.42 | unknown

Threats

PID | Process | Class | Message
1340 | kingsoftSecurity_install.exe | Potentially Bad Traffic | ET INFO Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0) (10 identical alerts)
11 ETPRO signatures available at the full report
Process: duba_100_50.exe
Message: 01:25:40|~00272| [KAVMENU] reg_duba_32bit