File name:

Windows 7 IconPack By 2013Windows8.1.exe

Full analysis: https://app.any.run/tasks/5b978367-adea-4383-aec9-b9be8d812812
Verdict: Malicious activity
Analysis date: March 14, 2024, 09:05:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
MD5:

1EE1EE05AB5C8EE34D87982DE8E7E4F1

SHA1:

82BF599FF8F1332F84F3ADFB04BF69571F935B84

SHA256:

9D6F3B28A79EF0F15A4DD42038C07648869EF17E905C9CD394C543F0A6A0EE7F

SSDEEP:

98304:SK3kToLgryUhxtGvNcOGDO101l+8jHs2/x/IxBvHAuZhHB+QMgWNVcm5Kq575cvZ:71zN6BZo/t/wfozhEZTVA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • Windows 7 IconPack By 2013Windows8.1.exe (PID: 2844)
      • iPack_Installer.exe (PID: 3948)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Windows 7 IconPack By 2013Windows8.1.exe (PID: 2844)
      • iPack_Installer.exe (PID: 3948)

    • Reads security settings of Internet Explorer

      • Windows 7 IconPack By 2013Windows8.1.exe (PID: 2844)
      • iPack_Installer.exe (PID: 3948)

    • Reads the Internet Settings

      • Windows 7 IconPack By 2013Windows8.1.exe (PID: 2844)
      • iPack_Installer.exe (PID: 3948)

    • Reads Microsoft Outlook installation path

      • iPack_Installer.exe (PID: 3948)

    • Reads Internet Explorer settings

      • iPack_Installer.exe (PID: 3948)

    • Executes as Windows Service

      • VSSVC.exe (PID: 3180)

    • Searches for installed software

      • dllhost.exe (PID: 2420)

    • Uses TASKKILL.EXE to kill process

      • iPack_Installer.exe (PID: 3948)

    • Uses ICACLS.EXE to modify access control lists

      • iPack_Installer.exe (PID: 3948)
      • cmd.exe (PID: 680)

    • Process drops legitimate windows executable

      • iPack_Installer.exe (PID: 3948)

    • Starts CMD.EXE for commands execution

      • iPack_Installer.exe (PID: 3948)

    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 680)

    • Drops 7-zip archiver for unpacking

      • iPack_Installer.exe (PID: 3948)

  • INFO

    • Checks supported languages

      • Windows 7 IconPack By 2013Windows8.1.exe (PID: 2844)
      • iPack_Installer.exe (PID: 3948)
      • 7z.exe (PID: 3936)
      • Patcher.exe (PID: 3984)

    • Reads the computer name

      • Windows 7 IconPack By 2013Windows8.1.exe (PID: 2844)
      • iPack_Installer.exe (PID: 3948)

    • Creates files in the program directory

      • Windows 7 IconPack By 2013Windows8.1.exe (PID: 2844)
      • 7z.exe (PID: 3936)
      • icacls.exe (PID: 980)
      • iPack_Installer.exe (PID: 3948)
      • Patcher.exe (PID: 3984)

    • Reads Environment values

      • iPack_Installer.exe (PID: 3948)

    • Reads the machine GUID from the registry

      • iPack_Installer.exe (PID: 3948)

    • Checks proxy server information

      • iPack_Installer.exe (PID: 3948)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:06:27 07:06:38+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 61440
InitializedDataSize: 53248
UninitializedDataSize: 172032
EntryPoint: 0x39320
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: 2013Windows8.1
FileDescription: iPack
FileVersion: 1
InternalName: iPack
LegalCopyright: 2013Windows8.1
OriginalFileName: Windows 7 IconPack By 2013Windows8.1.exe
ProductName: Windows 7 IconPack By 2013Windows8.1
ProductVersion: 1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
56
Monitored processes
13
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start windows 7 iconpack by 2013windows8.1.exe ipack_installer.exe 7z.exe no specs SPPSurrogate no specs vssvc.exe no specs taskkill.exe no specs icacls.exe no specs cmd.exe no specs takeown.exe no specs icacls.exe no specs icacls.exe no specs patcher.exe no specs windows 7 iconpack by 2013windows8.1.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
568takeown /a /F "C:\Windows\System32\imageres.dll" C:\Windows\System32\takeown.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Takes ownership of a file
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\takeown.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
680"C:\Windows\System32\cmd.exe" /c takeown /a /F "C:\Windows\System32\imageres.dll" && icacls "C:\Windows\System32\imageres.dll" /grant:r "%username%":F && icacls "C:\Windows\System32\imageres.dll" /grant:r "administrators":F && exitC:\Windows\System32\cmd.exeiPack_Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
980"C:\Windows\System32\icacls.exe" "C:\Windows\System32\imageres.dll" /save "Resource Files\ACL\System32\imageres.dll.AclFile"C:\Windows\System32\icacls.exeiPack_Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
1848icacls "C:\Windows\System32\imageres.dll" /grant:r "admin":F C:\Windows\System32\icacls.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
2112icacls "C:\Windows\System32\imageres.dll" /grant:r "administrators":F C:\Windows\System32\icacls.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\icacls.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ntmarta.dll
c:\windows\system32\wldap32.dll
2420C:\Windows\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801}C:\Windows\System32\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2844"C:\Users\admin\AppData\Local\Temp\Windows 7 IconPack By 2013Windows8.1.exe" C:\Users\admin\AppData\Local\Temp\Windows 7 IconPack By 2013Windows8.1.exe
explorer.exe
User:
admin
Company:
2013Windows8.1
Integrity Level:
HIGH
Description:
iPack
Exit code:
0
Version:
1
Modules
Images
c:\users\admin\appdata\local\temp\windows 7 iconpack by 2013windows8.1.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3180C:\Windows\system32\vssvc.exeC:\Windows\System32\VSSVC.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3324"C:\Windows\System32\taskkill.exe" /f /im explorer.exeC:\Windows\System32\taskkill.exeiPack_Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Terminates Processes
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
3936"C:\Program Files\Windows 7 IconPack By 2013Windows8.1\7z.exe" x -y -bd "C:\Program Files\Windows 7 IconPack By 2013Windows8.1\Resource.7z"C:\Program Files\Windows 7 IconPack By 2013Windows8.1\7z.exeiPack_Installer.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7-Zip Standalone Console
Exit code:
0
Version:
9.20
Modules
Images
c:\program files\windows 7 iconpack by 2013windows8.1\7z.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
5 264
Read events
5 111
Write events
153
Delete events
0

Modification events

(PID) Process:(2844) Windows 7 IconPack By 2013Windows8.1.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2844) Windows 7 IconPack By 2013Windows8.1.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2844) Windows 7 IconPack By 2013Windows8.1.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2844) Windows 7 IconPack By 2013Windows8.1.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3948) iPack_Installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3948) iPack_Installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3948) iPack_Installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3948) iPack_Installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(3948) iPack_Installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3948) iPack_Installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
Executable files
5
Suspicious files
0
Text files
6
Unknown types
3

Dropped files

PID
Process
Filename
Type
2844Windows 7 IconPack By 2013Windows8.1.exeC:\Program Files\Windows 7 IconPack By 2013Windows8.1\Resource.iPack
MD5:
SHA256:
3948iPack_Installer.exeC:\Program Files\Windows 7 IconPack By 2013Windows8.1\Resource.7z
MD5:
SHA256:
39367z.exeC:\Program Files\Windows 7 IconPack By 2013Windows8.1\Resource Files\imageres.dll.res
MD5:
SHA256:
2420dllhost.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
2844Windows 7 IconPack By 2013Windows8.1.exeC:\Program Files\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\logo.pngimage
MD5:7AFBAB69BE0A0944AFFBD12CAF817419
SHA256:8B49F823404FD591A391C48B8DE4B258CAF896E42C6395E04B49936FB5F714A0
2844Windows 7 IconPack By 2013Windows8.1.exeC:\Program Files\Windows 7 IconPack By 2013Windows8.1\Setup files-iPack\License.txttext
MD5:A58AFBC0B7E20AAC1ACDF903B2CC71C6
SHA256:07D2F43C25EB083574A7A76D1C73F561B9844EB59CD40C0C7DDB872614924D83
2844Windows 7 IconPack By 2013Windows8.1.exeC:\Program Files\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exe.configxml
MD5:CB143EEF30F7AD481E715926B63928F4
SHA256:6105A59EAA1401813A363239FB193A79179D3ABC93ABC4F65F180E60770B6E17
2844Windows 7 IconPack By 2013Windows8.1.exeC:\Program Files\Windows 7 IconPack By 2013Windows8.1\iPack_Installer.exeexecutable
MD5:06582ED92CB413E0E26229B34D471A51
SHA256:D8C6CE39D337A997133D7C3175E554B5615039CE12FDE1014C284ACF3BDB8893
3948iPack_Installer.exeC:\Program Files\Windows 7 IconPack By 2013Windows8.1\7z.exeexecutable
MD5:F3D2F74E271DA7FA59D9A4C860E6F338
SHA256:D2C632A87F70039F8812F0BD5602379E288BFAC237B0FCE41CB5D8C757C70BE3
3948iPack_Installer.exeC:\Program Files\Windows 7 IconPack By 2013Windows8.1\Patcher.exeexecutable
MD5:E92786023781296F23DB1D42BE4148DC
SHA256:908A411EC3B024B1AF6538A6ED00DD0FFC98C9337A657CC4C9531A24E852EDE8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
unknown
4
System
192.168.100.255:138
unknown
224.0.0.252:5355
unknown
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Windows 7 IconPack By 2013Windows8.1.exe