File name:

iris-mini-0.4.1-installer.exe

Full analysis: https://app.any.run/tasks/cd0eaff9-83f5-4ee3-a802-ba6a8b8923c9
Verdict: Malicious activity
Analysis date: June 02, 2024, 20:21:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:

45E49B8CB6773D286F9D6854B9B4EDDB

SHA1:

D7986C156A565290BB5D0E51CDC85E117C0D8B91

SHA256:

A98328B86D1532D23487D898EE15E67065F3B27AAC35861F7C1B4D3C9E284C4A

SSDEEP:

98304:X6QiT8rks/L1tmMYetrxiJxnFCZXHeXqnrsQf9FIw8Ggmz6bb/8rtL+wrSsnBNxo:dxxWMlWwHk2pjBX9e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • iris-mini-0.4.1-installer.exe (PID: 3968)

    • Changes the autorun value in the registry

      • iris-mini-dynamic.exe (PID: 928)

  • SUSPICIOUS

    • Starts application with an unusual extension

      • iris-mini-0.4.1-installer.exe (PID: 3968)

    • The process drops C-runtime libraries

      • iris-mini-0.4.1-installer.exe (PID: 3968)

    • Creates a software uninstall entry

      • iris-mini-0.4.1-installer.exe (PID: 3968)

    • Process drops legitimate windows executable

      • iris-mini-0.4.1-installer.exe (PID: 3968)

    • Reads security settings of Internet Explorer

      • iris-mini-0.4.1-installer.exe (PID: 3968)
      • iris-mini-dynamic.exe (PID: 928)

    • Reads the Internet Settings

      • iris-mini-0.4.1-installer.exe (PID: 3968)
      • iris-mini-dynamic.exe (PID: 928)

    • Reads settings of System Certificates

      • iris-mini-dynamic.exe (PID: 928)

    • Uses REG/REGEDIT.EXE to modify registry

      • iris-mini-dynamic.exe (PID: 928)

    • Checks for external IP

      • iris-mini-dynamic.exe (PID: 928)

    • Malware-specific behavior (creating "System.dll" in Temp)

      • iris-mini-0.4.1-installer.exe (PID: 3968)

    • The process creates files with name similar to system file names

      • iris-mini-0.4.1-installer.exe (PID: 3968)

    • Executable content was dropped or overwritten

      • iris-mini-0.4.1-installer.exe (PID: 3968)

    • Uses TASKKILL.EXE to kill process

      • ns543E.tmp (PID: 4000)

  • INFO

    • Checks supported languages

      • iris-mini-0.4.1-installer.exe (PID: 3968)
      • iris-mini-dynamic.exe (PID: 928)
      • wmpnscfg.exe (PID: 1488)
      • iris-mini-dynamic.exe (PID: 1588)
      • ns543E.tmp (PID: 4000)

    • Create files in a temporary directory

      • iris-mini-0.4.1-installer.exe (PID: 3968)

    • Reads the computer name

      • iris-mini-dynamic.exe (PID: 928)
      • wmpnscfg.exe (PID: 1488)
      • iris-mini-0.4.1-installer.exe (PID: 3968)

    • Reads the machine GUID from the registry

      • iris-mini-dynamic.exe (PID: 928)

    • Creates files or folders in the user directory

      • iris-mini-0.4.1-installer.exe (PID: 3968)
      • iris-mini-dynamic.exe (PID: 928)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 1488)
      • iris-mini-dynamic.exe (PID: 1588)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:12:15 22:24:41+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 25600
InitializedDataSize: 162816
UninitializedDataSize: 1024
EntryPoint: 0x320c
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
7
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iris-mini-0.4.1-installer.exe ns543e.tmp no specs taskkill.exe no specs iris-mini-dynamic.exe regedit.exe wmpnscfg.exe no specs iris-mini-dynamic.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
524"C:\Windows\regedit.exe" /s "C:\Users\admin\AppData\Local\gamma_ramp.reg"C:\Windows\regedit.exe
iris-mini-dynamic.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Editor
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\regedit.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
928"C:\Users\admin\AppData\Local\Iris mini\iris-mini-dynamic.exe" C:\Users\admin\AppData\Local\Iris mini\iris-mini-dynamic.exe
iris-mini-0.4.1-installer.exe
User:
admin
Company:
IrisTech
Integrity Level:
MEDIUM
Description:
Iris mini - Software for eye protection
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\iris mini\iris-mini-dynamic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\iris mini\qt5core.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
1488"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
1588"C:\Users\admin\AppData\Local\Iris mini\iris-mini-dynamic.exe" C:\Users\admin\AppData\Local\Iris mini\iris-mini-dynamic.exeexplorer.exe
User:
admin
Company:
IrisTech
Integrity Level:
MEDIUM
Description:
Iris mini - Software for eye protection
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\iris mini\iris-mini-dynamic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\iris mini\qt5core.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
3968"C:\Users\admin\AppData\Local\Temp\iris-mini-0.4.1-installer.exe" C:\Users\admin\AppData\Local\Temp\iris-mini-0.4.1-installer.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\iris-mini-0.4.1-installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
4000"C:\Users\admin\AppData\Local\Temp\nsz3674.tmp\ns543E.tmp" taskkill /F /IM iris-mini-dynamic.exeC:\Users\admin\AppData\Local\Temp\nsz3674.tmp\ns543E.tmpiris-mini-0.4.1-installer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
128
Modules
Images
c:\users\admin\appdata\local\temp\nsz3674.tmp\ns543e.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
4024taskkill /F /IM iris-mini-dynamic.exeC:\Windows\System32\taskkill.exens543E.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
Total events
5 758
Read events
5 451
Write events
307
Delete events
0

Modification events

(PID) Process:(3968) iris-mini-0.4.1-installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\IrisTech Iris mini
Operation:writeName:DisplayName
Value:
Iris mini - Software for eye protection
(PID) Process:(3968) iris-mini-0.4.1-installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\IrisTech Iris mini
Operation:writeName:UninstallString
Value:
"C:\Users\admin\AppData\Local\Iris mini\uninstall.exe"
(PID) Process:(3968) iris-mini-0.4.1-installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\IrisTech Iris mini
Operation:writeName:QuietUninstallString
Value:
"C:\Users\admin\AppData\Local\Iris mini\uninstall.exe" /S
(PID) Process:(3968) iris-mini-0.4.1-installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\IrisTech Iris mini
Operation:writeName:InstallLocation
Value:
"C:\Users\admin\AppData\Local\Iris mini"
(PID) Process:(3968) iris-mini-0.4.1-installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\IrisTech Iris mini
Operation:writeName:DisplayIcon
Value:
"C:\Users\admin\AppData\Local\Iris mini\logo.ico"
(PID) Process:(3968) iris-mini-0.4.1-installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\IrisTech Iris mini
Operation:writeName:Publisher
Value:
"IrisTech"
(PID) Process:(3968) iris-mini-0.4.1-installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\IrisTech Iris mini
Operation:writeName:HelpLink
Value:
"http://iristech.co/"
(PID) Process:(3968) iris-mini-0.4.1-installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\IrisTech Iris mini
Operation:writeName:URLUpdateInfo
Value:
"http://iristech.co/"
(PID) Process:(3968) iris-mini-0.4.1-installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\IrisTech Iris mini
Operation:writeName:URLInfoAbout
Value:
"http://iristech.co/"
(PID) Process:(3968) iris-mini-0.4.1-installer.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\IrisTech Iris mini
Operation:writeName:DisplayVersion
Value:
"0.4.1"
Executable files
17
Suspicious files
3
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
3968iris-mini-0.4.1-installer.exeC:\Users\admin\AppData\Local\Temp\nsz3674.tmp\modern-header.bmpimage
MD5:940C56737BF9BB69CE7A31C623D4E87A
SHA256:766A893FE962AEFD27C574CB05F25CF895D3FC70A00DB5A6FA73D573F571AEFC
3968iris-mini-0.4.1-installer.exeC:\Users\admin\AppData\Local\Iris mini\Qt5Network.dllexecutable
MD5:C6E586373EF7F9118AC7C0CDFEF12971
SHA256:CB3B77A492825DAB30413389A3E45E343E729ACF26B40E649651C2F898155500
3968iris-mini-0.4.1-installer.exeC:\Users\admin\AppData\Local\Temp\nsz3674.tmp\System.dllexecutable
MD5:FBE295E5A1ACFBD0A6271898F885FE6A
SHA256:A1390A78533C47E55CC364E97AF431117126D04A7FAED49390210EA3E89DD0E1
3968iris-mini-0.4.1-installer.exeC:\Users\admin\AppData\Local\Temp\nsz3674.tmp\nsDialogs.dllexecutable
MD5:AB101F38562C8545A641E95172C354B4
SHA256:3CDF3E24C87666ED5C582B8B028C01EE6AC16D5A9B8D8D684AE67605376786EA
3968iris-mini-0.4.1-installer.exeC:\Users\admin\AppData\Local\Iris mini\Qt5Core.dllexecutable
MD5:00BB6AC5601DE561CD2D9AD3ADF5A214
SHA256:246FBA0F175EA8146C8FD3C17C278BA279224320FA97F56B73E6545C46A2067F
3968iris-mini-0.4.1-installer.exeC:\Users\admin\AppData\Local\Temp\nsz3674.tmp\nsExec.dllexecutable
MD5:50BA20CAD29399E2DB9FA75A1324BD1D
SHA256:E7B145ABC7C519E6BD91DC06B7B83D1E73735AC1AC37D30A7889840A6EED38FC
3968iris-mini-0.4.1-installer.exeC:\Users\admin\AppData\Local\Iris mini\Qt5Widgets.dllexecutable
MD5:2FF65EB0669728E99448CEE07497E1FE
SHA256:10A13E22D67D95146247D06C1FCDE3DECF8AA77AC0D9BC6BE0D311B1E59DAE6E
3968iris-mini-0.4.1-installer.exeC:\Users\admin\AppData\Local\Temp\nsz3674.tmp\ns543E.tmpexecutable
MD5:50BA20CAD29399E2DB9FA75A1324BD1D
SHA256:E7B145ABC7C519E6BD91DC06B7B83D1E73735AC1AC37D30A7889840A6EED38FC
3968iris-mini-0.4.1-installer.exeC:\Users\admin\AppData\Local\Iris mini\iris-mini-dynamic.exeexecutable
MD5:308488CDB5A7853F2883A905161DD292
SHA256:9B0CBAC56F288043AE4DD001B6E29845C513A62C0EDBD468CFC65483FFE9BA3D
3968iris-mini-0.4.1-installer.exeC:\Users\admin\AppData\Local\Iris mini\SSLeay32.dllexecutable
MD5:F50E5955E71034B57D33850877E970C0
SHA256:BF49DC783FFC58C81461DF85B1672998219A05FFF8C4AE9BD3051AD7B753E3E2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
8
DNS requests
3
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
928
iris-mini-dynamic.exe
GET
302
185.123.188.60:80
http://iristech.co/custom-code/ip-to-location/
unknown
unknown
POST
200
142.250.185.174:80
http://www.google-analytics.com/collect
unknown
unknown
928
iris-mini-dynamic.exe
GET
200
185.123.188.60:80
http://iristech.co/custom-code/iris_mini_license.php?activation_code=&machine_fingerprint=4667614486:3300537927:0:770:v3&version=0.4.1
unknown
unknown
928
iris-mini-dynamic.exe
GET
200
208.95.112.1:80
http://ip-api.com/json
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
1088
svchost.exe
224.0.0.252:5355
unknown
928
iris-mini-dynamic.exe
142.250.185.174:80
www.google-analytics.com
GOOGLE
US
whitelisted
928
iris-mini-dynamic.exe
185.123.188.60:80
iristech.co
SuperHosting.BG Ltd.
BG
unknown
928
iris-mini-dynamic.exe
208.95.112.1:80
ip-api.com
TUT-AS
US
unknown

DNS requests

Domain
IP
Reputation
iristech.co
  • 185.123.188.60
whitelisted
www.google-analytics.com
  • 142.250.185.174
whitelisted
ip-api.com
  • 208.95.112.1
shared

Threats

PID
Process
Class
Message
928
iris-mini-dynamic.exe
Device Retrieving External IP Address Detected
ET POLICY External IP Lookup ip-api.com
4 ETPRO signatures available at the full report
Process
Message
iris-mini-dynamic.exe
QObject::startTimer: Timers cannot have negative intervals
iris-mini-dynamic.exe
"4667614486:3300537927:0:770:v3"
iris-mini-dynamic.exe
Keyboard connected
iris-mini-dynamic.exe
0x877f8
iris-mini-dynamic.exe
No such code. There is no such activation code
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
iris-mini-0.4.1-installer.exe