analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

easytether.exe

Full analysis: https://app.any.run/tasks/3c809d57-b7f7-42b1-9ea8-0a629b47fe1d
Verdict: Malicious activity
Analysis date: May 15, 2019, 07:21:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

148891321BAACF74D256D8020B7A78E5

SHA1:

06B1ACA2036CEE473B71801957E2713F35E595A4

SHA256:

8D9C740B013685E29D8F61E79D97790F5C7CDDD9DD2EF4C53F0FE76D310E58BF

SSDEEP:

98304:GfUbaFTldrQrV3sNPGlxuqcBNC3Wg2aDcezBSK778Srn9vtsh5BdYOZl+ZtmOdNe:GfU+FlOtKCWCms7778Srn9vtshH/ZkZ8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • easytether.exe (PID: 2640)
      • easytether-bundle.exe (PID: 2072)
      • easytthr.exe (PID: 3412)
      • easytether.exe (PID: 3084)
      • easytether-bundle.exe (PID: 3004)
      • easytthr.exe (PID: 3880)
    • Loads dropped or rewritten executable

      • easytether.exe (PID: 2640)
      • easytether.exe (PID: 3084)
    • Changes the autorun value in the registry

      • easytether-bundle.exe (PID: 2072)
      • easytether-bundle.exe (PID: 3004)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • easytether.exe (PID: 3908)
      • easytether.exe (PID: 2640)
      • easytether-bundle.exe (PID: 2072)
      • msiexec.exe (PID: 2608)
      • DrvInst.exe (PID: 1340)
      • MsiExec.exe (PID: 3760)
      • MsiExec.exe (PID: 1388)
      • DrvInst.exe (PID: 2068)
      • easytether.exe (PID: 3984)
      • easytether.exe (PID: 3084)
      • MsiExec.exe (PID: 2300)
      • MsiExec.exe (PID: 1100)
      • DrvInst.exe (PID: 2224)
    • Searches for installed software

      • easytether-bundle.exe (PID: 2072)
      • DrvInst.exe (PID: 1340)
      • DrvInst.exe (PID: 2068)
      • easytether-bundle.exe (PID: 3004)
      • DrvInst.exe (PID: 2224)
    • Starts itself from another location

      • easytether.exe (PID: 2640)
      • easytether.exe (PID: 3084)
    • Creates a software uninstall entry

      • easytether-bundle.exe (PID: 2072)
      • easytether-bundle.exe (PID: 3004)
    • Creates files in the program directory

      • easytether-bundle.exe (PID: 2072)
    • Creates files in the Windows directory

      • DrvInst.exe (PID: 1340)
      • MsiExec.exe (PID: 3760)
      • DrvInst.exe (PID: 2068)
      • MsiExec.exe (PID: 2300)
      • DrvInst.exe (PID: 2224)
    • Uses RUNDLL32.EXE to load library

      • DrvInst.exe (PID: 1340)
      • DrvInst.exe (PID: 2068)
      • DrvInst.exe (PID: 2224)
    • Removes files from Windows directory

      • DrvInst.exe (PID: 1340)
      • MsiExec.exe (PID: 3760)
      • DrvInst.exe (PID: 2068)
      • MsiExec.exe (PID: 2300)
      • DrvInst.exe (PID: 2224)
    • Creates files in the driver directory

      • DrvInst.exe (PID: 1340)
      • MsiExec.exe (PID: 3760)
      • DrvInst.exe (PID: 2068)
      • DrvInst.exe (PID: 2224)
    • Changes the autorun value in the registry

      • msiexec.exe (PID: 2608)
  • INFO

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 1740)
    • Changes settings of System certificates

      • DrvInst.exe (PID: 3020)
    • Adds / modifies Windows certificates

      • DrvInst.exe (PID: 3020)
    • Creates files in the program directory

      • msiexec.exe (PID: 2608)
    • Application launched itself

      • msiexec.exe (PID: 2608)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 3072)
      • MsiExec.exe (PID: 3760)
      • MsiExec.exe (PID: 1388)
      • MsiExec.exe (PID: 3108)
      • MsiExec.exe (PID: 2300)
      • MsiExec.exe (PID: 3208)
      • MsiExec.exe (PID: 1100)
      • msiexec.exe (PID: 2608)
      • MsiExec.exe (PID: 3168)
    • Creates or modifies windows services

      • MsiExec.exe (PID: 3760)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 2608)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

ProductVersion: 1.3.4
ProductName: EasyTether
OriginalFileName: easytether-bundle.exe
LegalCopyright: Copyright (c) Mobile Stream. All rights reserved.
InternalName: setup
FileVersion: 1.3.4
FileDescription: EasyTether
CompanyName: Mobile Stream
CharacterSet: Windows, Latin1
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.3.4.0
FileVersionNumber: 1.3.4.0
Subsystem: Windows GUI
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x2e2a6
UninitializedDataSize: -
InitializedDataSize: 159232
CodeSize: 301568
LinkerVersion: 14.11
PEType: PE32
TimeStamp: 2017:11:18 23:00:38+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 18-Nov-2017 22:00:38
Detected languages:
  • English - United States
Debug artifacts:
  • C:\agent\_work\8\s\build\ship\x86\burn.pdb
CompanyName: Mobile Stream
FileDescription: EasyTether
FileVersion: 1.3.4
InternalName: setup
LegalCopyright: Copyright (c) Mobile Stream. All rights reserved.
OriginalFilename: easytether-bundle.exe
ProductName: EasyTether
ProductVersion: 1.3.4

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000110

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 6
Time date stamp: 18-Nov-2017 22:00:38
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_NET_RUN_FROM_SWAP
  • IMAGE_FILE_REMOVABLE_RUN_FROM_SWAP

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x00049937
0x00049A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.57001
.rdata
0x0004B000
0x0001ED60
0x0001EE00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.11423
.data
0x0006A000
0x00001730
0x00000A00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
3.15266
.wixburn8
0x0006C000
0x00000038
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
0.731255
.rsrc
0x0006D000
0x000035FC
0x00003600
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
5.15101
.reloc
0x00071000
0x00003DFC
0x00003E00
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
6.79434

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.30829
1234
Latin 1 / Western European
English - United States
RT_MANIFEST

Imports

ADVAPI32.dll
Cabinet.dll (delay-loaded)
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
RPCRT4.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
73
Monitored processes
29
Malicious processes
10
Suspicious processes
2

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start drop and start easytether.exe easytether.exe easytether-bundle.exe vssvc.exe no specs drvinst.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe drvinst.exe rundll32.exe no specs drvinst.exe no specs easytthr.exe no specs msiexec.exe no specs msiexec.exe drvinst.exe rundll32.exe no specs drvinst.exe no specs easytether.exe easytether.exe easytether-bundle.exe drvinst.exe no specs easytthr.exe no specs msiexec.exe no specs msiexec.exe msiexec.exe no specs msiexec.exe drvinst.exe rundll32.exe no specs drvinst.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3908"C:\Users\admin\Desktop\easytether.exe" C:\Users\admin\Desktop\easytether.exe
explorer.exe
User:
admin
Company:
Mobile Stream
Integrity Level:
MEDIUM
Description:
EasyTether
Exit code:
0
Version:
1.3.4
2640"C:\Users\admin\AppData\Local\Temp\{93807057-B9DB-431C-ADFD-82874CC9751C}\.cr\easytether.exe" -burn.clean.room="C:\Users\admin\Desktop\easytether.exe" -burn.filehandle.attached=148 -burn.filehandle.self=156 C:\Users\admin\AppData\Local\Temp\{93807057-B9DB-431C-ADFD-82874CC9751C}\.cr\easytether.exe
easytether.exe
User:
admin
Company:
Mobile Stream
Integrity Level:
MEDIUM
Description:
EasyTether
Exit code:
0
Version:
1.3.4
2072"C:\Users\admin\AppData\Local\Temp\{4060503E-0D33-4733-9CB7-EE300D8A3A2C}\.be\easytether-bundle.exe" -q -burn.elevated BurnPipe.{6C01A58D-C4A5-4B75-A683-1FB38F0FCED7} {F934A517-D4C5-4CEA-AA53-304BB812648C} 2640C:\Users\admin\AppData\Local\Temp\{4060503E-0D33-4733-9CB7-EE300D8A3A2C}\.be\easytether-bundle.exe
easytether.exe
User:
admin
Company:
Mobile Stream
Integrity Level:
HIGH
Description:
EasyTether
Exit code:
0
Version:
1.3.4
1740C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3020DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "00000574" "00000304"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2608C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3072C:\Windows\system32\MsiExec.exe -Embedding CFFCB1DBE0DCD93C42761B5EDB2E34D9C:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3760C:\Windows\system32\MsiExec.exe -Embedding 74B26317BB5C27C918E12433C2711285 M Global\MSI0000C:\Windows\system32\MsiExec.exe
msiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
1340DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{7c10f8c2-e933-184b-7781-a5651c438621}\easytthr.inf" "0" "63cc35f7b" "00000574" "WinSta0\Default" "000004D8" "208" "C:\Windows\system32\DRVSTORE\easytthr_77932899B7A0A3A1A551BD93D66DAE7B655D4D4D"C:\Windows\system32\DrvInst.exe
svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2660rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{3007b528-e7f3-6a71-0181-b47e6cbe2509} Global\{2a4b6381-00ac-06b3-5d1d-eb24ce34e038} C:\Windows\System32\DriverStore\Temp\{38617568-b83f-5068-72d2-8f1ccc9a9d68}\easytthr.inf C:\Windows\System32\DriverStore\Temp\{38617568-b83f-5068-72d2-8f1ccc9a9d68}\easytthr.catC:\Windows\system32\rundll32.exeDrvInst.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
3 251
Read events
1 791
Write events
0
Delete events
0

Modification events

No data
Executable files
41
Suspicious files
60
Text files
659
Unknown types
29

Dropped files

PID
Process
Filename
Type
2072easytether-bundle.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
3908easytether.exeC:\Users\admin\AppData\Local\Temp\{93807057-B9DB-431C-ADFD-82874CC9751C}\.cr\easytether.exeexecutable
MD5:79A7A89C4CD9A35D2B6184A926ADC80D
SHA256:E75C53E861696E875BBD87F233D6F2E5B22DC3FF8396D57CAC9B95705EB6CA4C
2640easytether.exeC:\Users\admin\AppData\Local\Temp\{4060503E-0D33-4733-9CB7-EE300D8A3A2C}\.be\easytether-bundle.exeexecutable
MD5:79A7A89C4CD9A35D2B6184A926ADC80D
SHA256:E75C53E861696E875BBD87F233D6F2E5B22DC3FF8396D57CAC9B95705EB6CA4C
2072easytether-bundle.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:1BF1E97F272107466910A285A59B2A23
SHA256:5C1711EA834FD7EEF7D68613E3C2A19F8FF382572520E18C179045DF8A681987
2640easytether.exeC:\Users\admin\AppData\Local\Temp\{4060503E-0D33-4733-9CB7-EE300D8A3A2C}\.ba\logo.pngimage
MD5:8346E21859A269DCCF1E408DC7593CCA
SHA256:CD2E8ED1FBB308D9D166F49794D323A9B22EFBA1033CDF906D1F4B030319E01B
2640easytether.exeC:\Users\admin\AppData\Local\Temp\{4060503E-0D33-4733-9CB7-EE300D8A3A2C}\easytether_adb_x86.msi
MD5:
SHA256:
2072easytether-bundle.exeC:\ProgramData\Package Cache\.unverified\easytether_core_x86.msi
MD5:
SHA256:
2072easytether-bundle.exeC:\ProgramData\Package Cache\.unverified\easytether_adb_x86.msi
MD5:
SHA256:
3020DrvInst.exeC:\Windows\INF\setupapi.ev3binary
MD5:76DCC60F78B3DFF1AE3627619074F465
SHA256:18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0
3020DrvInst.exeC:\Windows\INF\setupapi.ev1binary
MD5:934A780DD316ED1826C8F2D72C7D33C5
SHA256:020B16A07C34A85D0D1FF435E05384094E60E6FE4659B962D611D4349E3CDC10
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info