Malware analysis Instalar comuns - Seattle x86.exe Malicious activity

Add for printing

File name:	Instalar comuns - Seattle x86.exe
Full analysis:	https://app.any.run/tasks/8b982b20-8462-47e9-92b3-d8f9d81b5744
Verdict:	Malicious activity
Analysis date:	August 07, 2024, 20:46:36
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	090AAC28E2130A947AECB44268537E0B
SHA1:	24E2866F6D140996D99980C157973B2AB298E9E0
SHA256:	9C2630ECC6BF3B9F8C1A22E3426E30F2F62CFF98F7B884EF87FC6A6C6EABA0D7
SSDEEP:	98304:+mNpa5WfX/YmGT4zcNrZ+lOwhZ+65UoXoTR6gvasIRG0+Gu/ZHkj700f0x5Z9Wdw:kY9UtTHLOh7+DjB+lu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - Instalar comuns - Seattle x86.exe (PID: 6432)
  - Instalar comuns - Seattle x86.exe (PID: 6572)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - Instalar comuns - Seattle x86.exe (PID: 6432)
- Reads Microsoft Outlook installation path
  - Instalar comuns - Seattle x86.exe (PID: 6432)
- Reads the date of Windows installation
  - Instalar comuns - Seattle x86.exe (PID: 6432)
- Reads Internet Explorer settings
  - Instalar comuns - Seattle x86.exe (PID: 6432)
- Application launched itself
  - Instalar comuns - Seattle x86.exe (PID: 6432)
- Executable content was dropped or overwritten
  - Instalar comuns - Seattle x86.exe (PID: 6572)
- Process drops legitimate windows executable
  - Instalar comuns - Seattle x86.exe (PID: 6572)
INFO
- Reads the computer name
  - Instalar comuns - Seattle x86.exe (PID: 6432)
  - Instalar comuns - Seattle x86.exe (PID: 6572)
  - TextInputHost.exe (PID: 5032)
- Checks proxy server information
  - Instalar comuns - Seattle x86.exe (PID: 6432)
- Process checks Internet Explorer phishing filters
  - Instalar comuns - Seattle x86.exe (PID: 6432)
- Checks supported languages
  - Instalar comuns - Seattle x86.exe (PID: 6432)
  - Instalar comuns - Seattle x86.exe (PID: 6572)
  - TextInputHost.exe (PID: 5032)
- Process checks computer location settings
  - Instalar comuns - Seattle x86.exe (PID: 6432)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	InstallShield setup (36.8)
.exe	\|	Win32 Executable MS Visual C++ (generic) (26.6)
.exe	\|	Win64 Executable (generic) (23.6)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2016:01:03 11:34:21+00:00
ImageFileCharacteristics:	No relocs, Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	168960
InitializedDataSize:	186368
UninitializedDataSize:	-
EntryPoint:	0x1e35b
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	5
Subsystem:	Windows GUI

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

133

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

5032

"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Version:

123.26505.0.0

Modules

Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll

6432

"C:\Users\admin\AppData\Local\Temp\Instalar comuns - Seattle x86.exe"

C:\Users\admin\AppData\Local\Temp\Instalar comuns - Seattle x86.exe

—

explorer.exe

User:

admin

Integrity Level:

MEDIUM

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\instalar comuns - seattle x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll

6572

"C:\Users\admin\AppData\Local\Temp\Instalar comuns - Seattle x86.exe" -el -s2 "-dC:\Windows\System32" "-p" "-sp"

C:\Users\admin\AppData\Local\Temp\Instalar comuns - Seattle x86.exe

Instalar comuns - Seattle x86.exe

User:

admin

Integrity Level:

HIGH

Exit code:

Modules

Images
c:\users\admin\appdata\local\temp\instalar comuns - seattle x86.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ole32.dll

6848

C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\System32\rundll32.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Windows host process (Rundll32)

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll

Add for printing

Total events

5 659

Read events

5 646

Write events

Delete events

Modification events


(PID) Process:	(6432) Instalar comuns - Seattle x86.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	ProxyBypass
Value: 1
(PID) Process:	(6432) Instalar comuns - Seattle x86.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	IntranetName
Value: 1
(PID) Process:	(6432) Instalar comuns - Seattle x86.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 1
(PID) Process:	(6432) Instalar comuns - Seattle x86.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 0
(PID) Process:	(6432) Instalar comuns - Seattle x86.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6432) Instalar comuns - Seattle x86.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6432) Instalar comuns - Seattle x86.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6432) Instalar comuns - Seattle x86.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation:	delete value	Name:	AddToFavoritesInitialSelection
Value:
(PID) Process:	(6432) Instalar comuns - Seattle x86.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Operation:	delete value	Name:	AddToFeedsInitialSelection
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6572	Instalar comuns - Seattle x86.exe	C:\Windows\SysWOW64\EZTW32.DLL		executable
		MD5:B0E83146FF918F0C69C4C96918AA6E7B	SHA256:E0876A0F42388F0151D5312C9A34F8C769DCC5CE5D85F15001F6CC19CD727C9F
6572	Instalar comuns - Seattle x86.exe	C:\Windows\SysWOW64\vclactnband230.bpl		executable
		MD5:BF8C0C12A8F5731DCC47D4696C791207	SHA256:85C1757674C1C2F252830408939BCC89AB91815024A617B0A946BDDAE696A4C0
6572	Instalar comuns - Seattle x86.exe	C:\Windows\SysWOW64\rtl230.bpl		executable
		MD5:9354E3E7ACA7B30CE9CAD4738B083677	SHA256:F4F60D3FEEC65FE4BF66750CE81299A9BF88F1F7C9F240CC47C6BF7F6A3D7AAB
6572	Instalar comuns - Seattle x86.exe	C:\Windows\SysWOW64\SBE6@PTB.DLL		executable
		MD5:E12C8F16809699E03477CFBB890BF021	SHA256:EDA1CB9B272B5881B6CCD57FD5C31175E35E00C600D7A7087D893598E5600500
6572	Instalar comuns - Seattle x86.exe	C:\Windows\SysWOW64\rtlBenner230.bpl		executable
		MD5:1FC8DE6869A3B62AE116F7F3F1E5382C	SHA256:058FA8F81C17167FCF8514879B90B582A6A2259C0FDCCD93FDAB3F13AE839769
6572	Instalar comuns - Seattle x86.exe	C:\Windows\SysWOW64\SB6ENT.OCX		executable
		MD5:2D5CC0AE51E74722A357F1677B09E997	SHA256:85EC9F253D8C3A83972D56165479A2C285DCF24F6AA7B8881F5FA5BB08F6CF19
6572	Instalar comuns - Seattle x86.exe	C:\Windows\SysWOW64\rtlBennerDb230.bpl		executable
		MD5:06718469C54AEAE6D871B3153AD95F71	SHA256:6AD8D96A251712C940D1A4F2F169350B84C966C0E3618509B5B401D064E08161
6572	Instalar comuns - Seattle x86.exe	C:\Windows\SysWOW64\MSSOAPR3.dll		executable
		MD5:0180D57B4C0145C855369A9608022863	SHA256:FB7FDC200117760BA28007AECE7ED01C37A5570B4D88294511333C3609266BC0
6572	Instalar comuns - Seattle x86.exe	C:\Windows\SysWOW64\SOAPIS30.dll		executable
		MD5:E750281AF02D6202E221AE4A9D583A1D	SHA256:9EC4CE9A1AAC7CA783B6958C89F2D6DACCC6A7011EE4D96BAD6D5C16E2CAB5AD
6572	Instalar comuns - Seattle x86.exe	C:\Windows\SysWOW64\IndyCore230.bpl		executable
		MD5:122907A8AD1BE06C1782E96F3E49091A	SHA256:ADC2C7CAAEA4A2787A15CC7979D2FE12E46FB7F0043C30B59A4FAF22130BA1FE

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
2876	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2876	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6944	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
6976	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5028	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
1536	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
2120	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
5028	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5336	SearchApp.exe	2.23.209.185:443	www.bing.com	Akamai International B.V.	GB	whitelisted
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
2876	svchost.exe	20.190.159.71:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2 20.73.194.208	whitelisted
google.com	142.250.185.206	whitelisted
www.bing.com	2.23.209.185 2.23.209.187 2.23.209.150 2.23.209.149 2.23.209.179 2.23.209.182 2.23.209.176 2.23.209.177 2.23.209.140	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.71 40.126.31.69 20.190.159.64 40.126.31.73 40.126.31.67 20.190.159.2 20.190.159.0 40.126.31.71	whitelisted
client.wns.windows.com	40.115.3.253	whitelisted
th.bing.com	2.23.209.133 2.23.209.140 2.23.209.177 2.23.209.176 2.23.209.179 2.23.209.149 2.23.209.185 2.23.209.130 2.23.209.189	whitelisted
fd.api.iris.microsoft.com	20.199.58.43	whitelisted
arc.msn.com	20.223.36.55	whitelisted
slscr.update.microsoft.com	20.114.59.183	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

Instalar comuns - Seattle x86.exe

090AAC28E2130A947AECB44268537E0B

24E2866F6D140996D99980C157973B2AB298E9E0

9C2630ECC6BF3B9F8C1A22E3426E30F2F62CFF98F7B884EF87FC6A6C6EABA0D7

98304:+mNpa5WfX/YmGT4zcNrZ+lOwhZ+65UoXoTR6gvasIRG0+Gu/ZHkj700f0x5Z9Wdw:kY9UtTHLOh7+DjB+lu

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

SUSPICIOUS

Reads security settings of Internet Explorer

Reads Microsoft Outlook installation path

Reads the date of Windows installation

Reads Internet Explorer settings

Application launched itself

Executable content was dropped or overwritten

Process drops legitimate windows executable

INFO

Reads the computer name

Checks proxy server information

Process checks Internet Explorer phishing filters

Checks supported languages

Process checks computer location settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings