click_install.exe

Full analysis: https://app.any.run/tasks/59299947-52f9-4b51-9b39-fd855beabc85
Verdict: Malicious activity
Analysis date: August 13, 2019, 16:18:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 1DDE7914C7E30DB8E6F63A50D43204C4
SHA1: AF6249C78ECE8E4549830262C2B71EB83305472E
SHA256: AF691967F586DFDB1B906E4822423540F0244A3B581D99BABED0A7A25B41138F
SSDEEP: 393216:N2s8qD9nenkXjaEdns7JUo9vAb2w/7n4taDcqnfOIsZKNdpMM3kB:ks8+6kXGHtUohAb2wDCqcq98IpMBB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • MsiExec.exe (PID: 2900)
      • javaw.exe (PID: 2212)
    • Application was dropped or rewritten from another process
      • Click.exe (PID: 1716)
      • PollingSupport.exe (PID: 2764)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • click_install.exe (PID: 2144)
      • msiexec.exe (PID: 2072)
      • msiexec.exe (PID: 4080)
      • Click.exe (PID: 1716)
      • javaw.exe (PID: 2212)
    • Creates files in the user directory
      • click_install.exe (PID: 2144)
      • Click.exe (PID: 1716)
      • javaw.exe (PID: 2212)
      • wscript.exe (PID: 3664)
    • Executed as Windows Service
      • vssvc.exe (PID: 1748)
    • Executed via COM
      • DrvInst.exe (PID: 3968)
    • Starts Internet Explorer
      • MsiExec.exe (PID: 1444)
    • Creates files in the program directory
      • Click.exe (PID: 1716)
    • Executes scripts
      • javaw.exe (PID: 2212)
    • Executes JAVA applets
      • PollingSupport.exe (PID: 2764)
  • INFO
    • Searches for installed software
      • msiexec.exe (PID: 4080)
    • Low-level read access rights to disk partition
      • vssvc.exe (PID: 1748)
    • Application launched itself
      • msiexec.exe (PID: 4080)
      • iexplore.exe (PID: 360)
    • Creates a software uninstall entry
      • msiexec.exe (PID: 4080)
    • Creates files in the program directory
      • msiexec.exe (PID: 4080)
    • Loads dropped or rewritten executable
      • MsiExec.exe (PID: 1444)
    • Changes internet zones settings
      • iexplore.exe (PID: 360)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3084)
    • Creates files in the user directory
      • iexplore.exe (PID: 360)
More information about the signature artifacts and their mapping to the MITRE ATT&CK™ matrix is in the full report.
No Malware configuration.

TRiD (file-type identification by generic signatures; the top guess is Win64, but the PE header's Machine field below, IMAGE_FILE_MACHINE_I386, is authoritative: this is a 32-bit image)

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF (EXE)

ProductVersion: 1.22
ProductName: Click
OriginalFileName: click_install.exe
LegalCopyright: Copyright (C) C3 SoftWorks
InternalName: click_install
FileVersion: 1.22
FileDescription: This installer database contains the logic and data required to install Click.
CompanyName: C3 SoftWorks
CharacterSet: Unicode
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Dynamic link library
FileOS: Win32
FileFlags: Debug
FileFlagsMask: 0x003f
ProductVersionNumber: 1.22.0.0
FileVersionNumber: 1.22.0.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x20b90
UninitializedDataSize: -
InitializedDataSize: 40448
CodeSize: 135680
LinkerVersion: 7.1
PEType: PE32
TimeStamp: 2009:05:27 11:57:29+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 27-May-2009 09:57:29
Detected languages:
  • English - United States
CompanyName: C3 SoftWorks
FileDescription: This installer database contains the logic and data required to install Click.
FileVersion: 1.22
InternalName: click_install
LegalCopyright: Copyright (C) C3 SoftWorks
OriginalFileName: click_install.exe
ProductName: Click
ProductVersion: 1.22

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header (in 16-byte paragraphs): 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of new (PE) header, e_lfanew: 0x00000108

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 4
Time date stamp: 27-May-2009 09:57:29
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name   | Virtual Address | Virtual Size | Raw Size   | Characteristics                                                          | Entropy
.text  | 0x00001000      | 0x000210A1   | 0x00021200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ            | 6.47012
.rdata | 0x00023000      | 0x00003BA6   | 0x00003C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                       | 5.60439
.data  | 0x00027000      | 0x00000700   | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE  | 2.86115
.rsrc  | 0x00028000      | 0x00005A2C   | 0x00005C00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ                       | 4.29574
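The DOS header, PE headers and section table above are what a parser reads in order: e_lfanew (0x108 for this file) locates the "PE\0\0" signature, the COFF header gives the section count, and each 40-byte section header gives the virtual and raw extents and characteristics from which the entropy column is computed. The script below is added here as an example; it is not part of the ANY.RUN report and not C3 SoftWorks code. It re-derives those values and the MD5/SHA-1/SHA-256 from a file and applies a few static triage checks. The bytes returned by build_sample_pe() are a constructed two-section PE32 image so the script runs offline; they are not click_install.exe, and the values printed for them are not the report's.

```python
"""Added example (not from the ANY.RUN report): parse a PE32 file the way a
sandbox's static section does (DOS header -> e_lfanew -> COFF header ->
optional header -> section table), compute per-section entropy and file
hashes, and apply a few cheap triage checks."""
import hashlib
import math
import struct
import sys

PE32_MAGIC = 0x10B
IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_SUBSYSTEM_WINDOWS_GUI = 2
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(buf: bytes) -> dict:
    """Return headers, sections (with entropy of their raw bytes) and file hashes."""
    if buf[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]          # 'Address of new header'
    if buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew=%#x" % e_lfanew)
    coff = e_lfanew + 4
    machine, nsec, stamp, _symtab, _nsyms, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, coff)
    opt = coff + 20
    if struct.unpack_from("<H", buf, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 images are handled here")
    entry = struct.unpack_from("<I", buf, opt + 16)[0]          # AddressOfEntryPoint
    subsystem = struct.unpack_from("<H", buf, opt + 68)[0]
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr, _, _, _, _, sc = struct.unpack_from(
            "<8sIIIIIIHHI", buf, opt + opt_size + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "characteristics": sc,
            "entropy": round(shannon_entropy(buf[rawptr:rawptr + rawsize]), 5),
        })
    return {
        "e_lfanew": e_lfanew, "machine": machine, "timestamp": stamp,
        "file_characteristics": chars, "entry": entry, "subsystem": subsystem,
        "sections": sections,
        "md5": hashlib.md5(buf).hexdigest().upper(),
        "sha1": hashlib.sha1(buf).hexdigest().upper(),
        "sha256": hashlib.sha256(buf).hexdigest().upper(),
    }


def entry_section(info: dict):
    """Section containing AddressOfEntryPoint, or None if it points outside all of them."""
    for s in info["sections"]:
        if s["vaddr"] <= info["entry"] < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def triage_flags(info: dict) -> list:
    """Static red flags; none of them fire on the section table in this report."""
    flags = []
    for s in info["sections"]:
        if s["characteristics"] & IMAGE_SCN_MEM_WRITE and s["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
            flags.append(f"{s['name']}: writable and executable")
        if s["entropy"] > 7.0 and s["name"] != ".rsrc":
            flags.append(f"{s['name']}: entropy {s['entropy']} looks packed or encrypted")
        if s["rawsize"] == 0 and s["vsize"] > 0:
            flags.append(f"{s['name']}: no raw data but {s['vsize']:#x} bytes virtual (unpacks at runtime?)")
    ep = entry_section(info)
    if ep is None:
        flags.append("entry point outside every section")
    elif not ep["characteristics"] & IMAGE_SCN_MEM_EXECUTE:
        flags.append(f"entry point in non-executable section {ep['name']}")
    return flags


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (two sections, no imports); it is NOT click_install.exe."""
    text = b"\x55\x8b\xec\x5d\xc3\x90\x90\x90" * 64     # 0x200 bytes of low-entropy 'code'
    data = bytes(range(256))                              # 0x100 bytes, entropy exactly 8.0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_I386, 2, 0x4A1D1B49, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, 0x1000)               # entry point inside .text
    struct.pack_into("<I", opt, 28, 0x400000)             # ImageBase
    struct.pack_into("<H", opt, 68, IMAGE_SUBSYSTEM_WINDOWS_GUI)
    secs = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    secs += struct.pack("<8sIIIIIIHHI", b".data", 0x100, 0x2000, 0x100, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs
    return headers.ljust(0x200, b"\0") + text + data


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    info = parse_pe(blob)
    print(f"SHA256: {info['sha256']}  machine={info['machine']:#x}  subsystem={info['subsystem']}  "
          f"e_lfanew={info['e_lfanew']:#x}  entry={info['entry']:#x}")
    for s in info["sections"]:
        print(f"{s['name']:<8}{s['vaddr']:#010x}  {s['vsize']:#010x}  {s['rawsize']:#010x}  "
              f"{s['characteristics']:#010x}  {s['entropy']:.5f}")
    for f in triage_flags(info):
        print("FLAG:", f)
```

Run against the real sample, the section rows should reproduce the table above (same names, sizes and entropies to five places) and the hashes should match the Indicators block; a mismatch means you are not looking at the file the report analysed. The 7.0 entropy threshold is a rule of thumb: .text at 6.47 and .rdata at 5.60 are ordinary compiled-code values, while a code section close to 8.0 usually means a packer or an embedded encrypted payload.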

Resources

Title | Entropy | Size | Codepage                   | Language                | Type
1     | 4.85667 | 975  | Latin 1 / Western European | English - United States | RT_MANIFEST
2     | 3.44886 | 1384 | Latin 1 / Western European | English - United States | RT_ICON
3     | 3.91708 | 744  | Latin 1 / Western European | English - United States | RT_ICON
4     | 3.78674 | 2216 | Latin 1 / Western European | English - United States | RT_ICON
9     | 3.37783 | 1116 | Latin 1 / Western European | English - United States | RT_STRING
10    | 3.35468 | 1136 | Latin 1 / Western European | English - United States | RT_STRING
11    | 3.31743 | 760  | Latin 1 / Western European | English - United States | RT_STRING
12    | 3.23118 | 1432 | Latin 1 / Western European | English - United States | RT_STRING
13    | 3.32779 | 978  | Latin 1 / Western European | English - United States | RT_STRING
14    | 3.19507 | 1974 | Latin 1 / Western European | English - United States | RT_STRING

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
OLEAUT32.dll
SHELL32.dll
USER32.dll
VERSION.dll
WININET.dll (delay-loaded)
ole32.dll
All screenshots are available in the full report
Total processes: 50
Monitored processes: 13
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Processes in the graph, in the order the report shows them ("no specs" is the report's own marker on a node):
start; click_install.exe; msiexec.exe; msiexec.exe; msiexec.exe (no specs); vssvc.exe (no specs); drvinst.exe (no specs); msiexec.exe (no specs); iexplore.exe; iexplore.exe (no specs); click.exe; pollingsupport.exe (no specs); javaw.exe; wscript.exe (no specs)

Process information

PID 2144  click_install.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\click_install.exe"
  Path: C:\Users\admin\AppData\Local\Temp\click_install.exe
  Parent process: explorer.exe
  User: admin
  Company: C3 SoftWorks
  Integrity level: MEDIUM
  Description: This installer database contains the logic and data required to install Click.
  Exit code: 0
  Version: 1.22

PID 2072  msiexec.exe
  CMD: /i "C:\Users\admin\AppData\Roaming\C3 SoftWorksinstall\Click\install\click_install_final.msi" AI_SETUPEXEPATH="C:\Users\admin\AppData\Local\Temp\click_install.exe" SETUPEXEDIR="C:\Users\admin\AppData\Local\Temp\"
  Path: C:\Windows\system32\msiexec.exe
  Parent process: click_install.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows® installer
  Exit code: 0
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 4080  msiexec.exe
  CMD: C:\Windows\system32\msiexec.exe /V
  Path: C:\Windows\system32\msiexec.exe
  Parent process: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity level: SYSTEM
  Description: Windows® installer
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 1444  MsiExec.exe
  CMD: C:\Windows\system32\MsiExec.exe -Embedding A049248CF3A5741B9FCEAAAD54462B85 C
  Path: C:\Windows\system32\MsiExec.exe
  Parent process: msiexec.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows® installer
  Exit code: 0
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 1748  vssvc.exe
  CMD: C:\Windows\system32\vssvc.exe
  Path: C:\Windows\system32\vssvc.exe
  Parent process: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity level: SYSTEM
  Description: Microsoft® Volume Shadow Copy Service
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3968  DrvInst.exe
  CMD: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot22" "" "" "695c3f483" "00000000" "00000540" "000005DC"
  Path: C:\Windows\system32\DrvInst.exe
  Parent process: svchost.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity level: SYSTEM
  Description: Driver Installation Module
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2900  MsiExec.exe
  CMD: "C:\Windows\system32\MsiExec.exe" /Y "C:\Program Files\C3 SoftWorks\Click\Reply2005.ocx"
  Path: C:\Windows\system32\MsiExec.exe
  Parent process: msiexec.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Windows® installer
  Exit code: 0
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 360  iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files\C3 SoftWorks\Click\help\index.html
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: MsiExec.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Internet Explorer
  Exit code: 1
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3084  iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:360 CREDAT:79873
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Internet Explorer
  Exit code: 0
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 1716  Click.exe
  CMD: "C:\Program Files\C3 SoftWorks\Click\Click.exe"
  Path: C:\Program Files\C3 SoftWorks\Click\Click.exe
  Parent process: MsiExec.exe
  User: admin
  Company: C3 SoftWorks
  Integrity level: MEDIUM
  Description: BRAVO! Click
  Exit code: 0
  Version: 3.0.0.0
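Read as a tree, the table above is a standard MSI install: explorer.exe starts the bootstrapper click_install.exe, which runs msiexec.exe /i as the client; the Windows Installer service (msiexec.exe /V under services.exe, as SYSTEM) performs the install, spawns MsiExec.exe -Embedding as its custom-action server and MsiExec.exe /Y to register Reply2005.ocx, and vssvc.exe/DrvInst.exe belong to the restore point the installer creates (see the writes under C:\System Volume Information\SPP in the dropped-files list). The custom-action server then opens help\index.html in Internet Explorer and launches the installed Click.exe, which is the only process that contacts a host the report does not whitelist. Every MALICIOUS-class signature above (loading a dropped executable, an application dropped by another process) is also what a legitimate installer does, so the tree and the network destinations carry more weight than the verdict line. The script below is added as an example and is not from the ANY.RUN report; it rebuilds the tree from process-creation records and joins it with file-write and connection records. The records are transcribed from this report, with these assumptions marked in the code: the PIDs of explorer.exe, services.exe and svchost.exe (not given in the report), the parent PIDs of the two MsiExec.exe children and of Click.exe (the table names the parent image only), and a file-write record for Click.exe, which the dropped-files table, truncated here, does not show but the "Application was dropped" signature implies.

```python
"""Added example (not from the ANY.RUN report): rebuild a process tree from
process-creation records and join it with file-write and network records,
i.e. answer "which dropped binary talked to the network, and who launched it?"
Records below are transcribed from the report; lines marked 'assumed' are not."""

# (pid, ppid, image path, user); command lines are in the report's table
PROCESSES = [
    (1000, 0,    r"C:\Windows\explorer.exe",                          "admin"),   # PID assumed
    (480,  0,    r"C:\Windows\system32\services.exe",                 "SYSTEM"),  # PID assumed
    (900,  480,  r"C:\Windows\system32\svchost.exe",                  "SYSTEM"),  # PID assumed
    (2144, 1000, r"C:\Users\admin\AppData\Local\Temp\click_install.exe", "admin"),
    (2072, 2144, r"C:\Windows\system32\msiexec.exe",                  "admin"),   # msiexec /i (client)
    (4080, 480,  r"C:\Windows\system32\msiexec.exe",                  "SYSTEM"),  # msiexec /V (service)
    (1444, 4080, r"C:\Windows\system32\MsiExec.exe",                  "admin"),   # -Embedding; parent assumed
    (2900, 4080, r"C:\Windows\system32\MsiExec.exe",                  "admin"),   # /Y Reply2005.ocx; parent assumed
    (1748, 480,  r"C:\Windows\system32\vssvc.exe",                    "SYSTEM"),
    (3968, 900,  r"C:\Windows\system32\DrvInst.exe",                  "SYSTEM"),
    (360,  1444, r"C:\Program Files\Internet Explorer\iexplore.exe",  "admin"),
    (3084, 360,  r"C:\Program Files\Internet Explorer\iexplore.exe",  "admin"),
    (1716, 1444, r"C:\Program Files\C3 SoftWorks\Click\Click.exe",    "admin"),   # parent assumed
]
# (writer pid, path) from 'Dropped files'; the Click.exe record is assumed
DROPPED = [
    (2144, r"C:\Users\admin\AppData\Roaming\C3 SoftWorksinstall\Click\install\click_install_final.msi"),
    (2072, r"C:\Users\admin\AppData\Local\Temp\MSIFA76.tmp"),
    (3968, r"C:\Windows\INF\setupapi.dev.log"),
    (4080, r"C:\Program Files\C3 SoftWorks\Click\Click.exe"),   # assumed
]
# (pid, ip, port, domain, reputation) from 'Connections'
NETWORK = [
    (360,  "13.107.21.200",   80,  "www.bing.com",            "whitelisted"),
    (1716, "162.242.144.107", 80,  "virtual.c3softworks.com", "suspicious"),
    (1716, "162.242.144.107", 443, "virtual.c3softworks.com", "suspicious"),
]

BY_PID = {p[0]: p for p in PROCESSES}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def ancestry(pid: int) -> list:
    """Image names from the root of the known tree down to pid."""
    chain = []
    while pid in BY_PID:
        _, ppid, path, _ = BY_PID[pid]
        chain.append(image_name(path))
        pid = ppid
    return chain[::-1]


def children_of(image: str) -> list:
    """(pid, image) of processes spawned by `image` that are not `image` itself,
    so for msiexec.exe this is what the installer actually launched."""
    out = []
    for pid, ppid, path, _ in PROCESSES:
        parent = BY_PID.get(ppid)
        if (parent is not None
                and image_name(parent[2]).lower() == image.lower()
                and image_name(path).lower() != image.lower()):
            out.append((pid, image_name(path)))
    return out


def dropped_then_connected() -> dict:
    """Processes whose image file was written during the run and that then
    opened a network connection, with who wrote the file and who launched it."""
    written_by = {path.lower(): pid for pid, path in DROPPED}
    out = {}
    for pid, _ip, port, domain, rep in NETWORK:
        path = BY_PID[pid][2]
        if path.lower() in written_by:
            entry = out.setdefault(pid, {"image": image_name(path),
                                         "dropped_by": written_by[path.lower()],
                                         "chain": ancestry(pid), "destinations": []})
            entry["destinations"].append((domain, port, rep))
    return out


if __name__ == "__main__":
    print("Click.exe ancestry:", " > ".join(ancestry(1716)))
    print("Launched by msiexec:", children_of("msiexec.exe"))
    for pid, e in dropped_then_connected().items():
        print(f"PID {pid} {e['image']} (written by PID {e['dropped_by']}) -> {e['destinations']}")
```

On this data the only hit is Click.exe: written by the Installer service, launched by the custom-action server, and connecting to virtual.c3softworks.com on 80 and 443. The same join is what you would run over Sysmon event IDs 1, 11 and 3 on an endpoint; the report's "suspicious" reputation is a domain-reputation score, and whether a freshly installed product phoning its vendor's host is acceptable is a policy decision, not something the tree alone settles.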
Total events: 1 940
Read events: 1 362
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 45
Suspicious files: 14
Text files: 93
Unknown types: 30

Dropped files

PID 2144  click_install.exe  C:\Users\admin\AppData\Roaming\C3 SoftWorksinstall\Click\install\disk1.cab
PID 2072  msiexec.exe  C:\Users\admin\AppData\Local\Temp\MSIFA76.tmp
PID 4080  msiexec.exe  C:\System Volume Information\SPP\metadata-2
PID 2144  click_install.exe  C:\Users\admin\AppData\Roaming\C3 SoftWorksinstall\Click\install\click_install_final.msi  (executable)
  MD5: B16201DA0C46CBB528BC84796E49DBC9
  SHA256: CC8B906E9BEDDF8997C2983F30380EB233B68398C5B2FC92CC07D80EFD13503E
PID 3968  DrvInst.exe  C:\Windows\INF\setupapi.ev1  (binary)
  MD5: 1DA8E9C1DA42257542108A357FA63908
  SHA256: 4385E2847E1B7D34C156CA985EF12B6089AB283B8FA5EA1143FDF8831DD3DC36
PID 4080  msiexec.exe  C:\System Volume Information\SPP\OnlineMetadataCache\{1b6ed263-d176-4ecc-bac9-0780c193e324}_OnDiskSnapshotProp  (binary)
  MD5: 2A88E0E18C8429C676D2D7B080ABA722
  SHA256: C4733AD762F04262081C5BA09AF86CF4D9F0E64CA4878273E9135C01B0ABF800
PID 3968  DrvInst.exe  C:\Windows\INF\setupapi.dev.log  (ini)
  MD5: D3EEC9E5D954D0939FEE7E27851ABB6D
  SHA256: 0FB711EE824B95F8C503F15A48B35702F8D4B1012EFCE66DB1FEF4A64605D046
PID 4080  msiexec.exe  C:\System Volume Information\SPP\snapshot-2  (binary)
  MD5: 2A88E0E18C8429C676D2D7B080ABA722
  SHA256: C4733AD762F04262081C5BA09AF86CF4D9F0E64CA4878273E9135C01B0ABF800
PID 4080  msiexec.exe  C:\Users\admin\AppData\Local\Temp\~DF8C10FC92FA0F3EE8.TMP
PID 1748  vssvc.exe  C:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 3
DNS requests: 3
Threats: 0

HTTP requests

PID | Process      | Method | HTTP Code | IP                | URL                           | CN | Type  | Size  | Reputation
360 | iexplore.exe | GET    | 200       | 13.107.21.200:80  | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID  | Process      | IP                  | Domain                  | ASN                   | CN | Reputation
360  | iexplore.exe | 13.107.21.200:80    | www.bing.com            | Microsoft Corporation | US | whitelisted
1716 | Click.exe    | 162.242.144.107:80  | virtual.c3softworks.com | Rackspace Ltd.        | US | suspicious
1716 | Click.exe    | 162.242.144.107:443 | virtual.c3softworks.com | Rackspace Ltd.        | US | suspicious

DNS requests

Domain                  | IP                             | Reputation
www.bing.com            | 13.107.21.200, 204.79.197.200  | whitelisted
virtual.c3softworks.com | 162.242.144.107                | suspicious

Threats

PID  | Process   | Class                                 | Message
1716 | Click.exe | Potential Corporate Privacy Violation | ET POLICY Outdated Flash Version M1

This is an Emerging Threats policy signature keyed on the Flash Player version advertised in HTTP traffic, not a detection of exploit traffic; note that the network summary above reports 0 threats while this table lists the one policy alert.
Debug output strings

Process   | Message
Click.exe | setfocus main form 0
Click.exe | killfocus main form 0
Click.exe | setfocus main form 0
Click.exe | killfocus main form 0
Click.exe | setfocus main form 0
Click.exe | killfocus main form 0
Click.exe | WM_PAINT
Click.exe | mdm.hasEI
Click.exe | -
Click.exe |