| File name: | sentinel system driver installer 7.6.0.exe |
| Full analysis: | https://app.any.run/tasks/ed2e3fc8-8203-4c8c-a8a4-cc045f3146b7 |
| Verdict: | Malicious activity |
| Analysis date: | February 28, 2024, 18:55:23 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | E3006EADEC01D29CFDECDF62D3DB8F19 |
| SHA1: | 688BF60EEA3F28CA5A85E30721DC981FFDF4071D |
| SHA256: | B4CA8929F476DAE2BA666F34C129E6D9D2459A7D11186472C4338CB8AF91C006 |
| SSDEEP: | 49152:GKJxfxwO8snmTQs932d+NXf1lhftB7ut/XiB6PO2GkaV9WKe:BJnwO8snPExbuh/PO2naVAt |
MALICIOUS
Drops the executable file immediately after the start
- sentinel system driver installer 7.6.0.exe (PID: 1776)
- drvinst.exe (PID: 1860)
Creates a writable file in the system directory
- drvinst.exe (PID: 1860)
SUSPICIOUS
Executable content was dropped or overwritten
- sentinel system driver installer 7.6.0.exe (PID: 1776)
- drvinst.exe (PID: 1860)
Drops a system driver (possible attempt to evade defenses)
- drvinst.exe (PID: 1860)
Reads the Internet Settings
- sipnotify.exe (PID: 1676)
Executes as Windows Service
- VSSVC.exe (PID: 4008)
Checks Windows Trust Settings
- drvinst.exe (PID: 1860)
Creates files in the driver directory
- drvinst.exe (PID: 1860)
The process executes via Task Scheduler
- ctfmon.exe (PID: 1688)
- sipnotify.exe (PID: 1676)
Reads settings of System Certificates
- sipnotify.exe (PID: 1676)
INFO
Create files in a temporary directory
- sentinel system driver installer 7.6.0.exe (PID: 1776)
Checks supported languages
- sentinel system driver installer 7.6.0.exe (PID: 1776)
- drvinst.exe (PID: 1860)
- IMEKLMG.EXE (PID: 2032)
- wmpnscfg.exe (PID: 2268)
- wmpnscfg.exe (PID: 2296)
- wmpnscfg.exe (PID: 2448)
- IMEKLMG.EXE (PID: 1552)
Reads the machine GUID from the registry
- sentinel system driver installer 7.6.0.exe (PID: 1776)
- drvinst.exe (PID: 1860)
Executable content was dropped or overwritten
- msiexec.exe (PID: 3848)
Drops the executable file immediately after the start
- msiexec.exe (PID: 3848)
Reads the computer name
- drvinst.exe (PID: 1860)
- wmpnscfg.exe (PID: 2268)
- wmpnscfg.exe (PID: 2296)
- wmpnscfg.exe (PID: 2448)
- IMEKLMG.EXE (PID: 2032)
- IMEKLMG.EXE (PID: 1552)
Manual execution by a user
- IMEKLMG.EXE (PID: 1552)
- IMEKLMG.EXE (PID: 2032)
- ctfmon.exe (PID: 1944)
- wmpnscfg.exe (PID: 2268)
- wmpnscfg.exe (PID: 2296)
- wmpnscfg.exe (PID: 2448)
Reads the software policy settings
- drvinst.exe (PID: 1860)
- sipnotify.exe (PID: 1676)
Reads security settings of Internet Explorer
- sipnotify.exe (PID: 1676)
Process checks whether UAC notifications are on
- IMEKLMG.EXE (PID: 2032)
- IMEKLMG.EXE (PID: 1552)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | InstallShield setup (36.8) |
|---|---|---|
| .exe | | | Win32 Executable MS Visual C++ (generic) (26.6) |
| .exe | | | Win64 Executable (generic) (23.6) |
| .dll | | | Win32 Dynamic Link Library (generic) (5.6) |
| .exe | | | Win32 Executable (generic) (3.8) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2004:04:19 21:49:29+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 159744 |
| InitializedDataSize: | 106496 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x1d92c |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 9.50.98.0 |
| ProductVersionNumber: | 9.50.0.0 |
| FileFlagsMask: | 0x0002 |
| FileFlags: | Pre-release |
| FileOS: | Windows 16-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| Comments: | |
| CompanyName: | SafeNet, Inc. |
| FileDescription: | Sentinel System Driver Installer 7.6.0 |
| FileVersion: | 7.6.0 |
| InternalName: | setup.exe |
| OriginalFileName: | setup.exe |
| LegalCopyright: | Copyright (C) 2015 SafeNet, Inc. |
| ProductName: | Sentinel System Driver Installer 7.6.0 |
| ProductVersion: | 7.6.0 |
Total processes
100
Monitored processes
13
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1552 | "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /JPN /Log | C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office IME 2010 Exit code: 1 Version: 14.0.4734.1000 Modules
| |||||||||||||||
| 1676 | C:\Windows\system32\sipnotify.exe -LogonOrUnlock | C:\Windows\System32\sipnotify.exe | taskeng.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: sipnotify Exit code: 0 Version: 6.1.7602.20480 (win7sp1_ldr_escrow.191010-1716) Modules
| |||||||||||||||
| 1688 | C:\Windows\System32\ctfmon.exe | C:\Windows\System32\ctfmon.exe | — | taskeng.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CTF Loader Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1776 | "C:\Users\admin\AppData\Local\Temp\sentinel system driver installer 7.6.0.exe" | C:\Users\admin\AppData\Local\Temp\sentinel system driver installer 7.6.0.exe | explorer.exe | ||||||||||||
User: admin Company: SafeNet, Inc. Integrity Level: HIGH Description: Sentinel System Driver Installer 7.6.0 Exit code: 1073807364 Version: 7.6.0 Modules
| |||||||||||||||
| 1860 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{670c3c2d-d3ec-766a-5bbe-8459dad2361f}\sntnlusb.inf" "0" "6dd04a27f" "00000558" "WinSta0\Default" "00000550" "208" "C:\Program Files\Common Files\SafeNet Sentinel\Sentinel System Driver" | C:\Windows\System32\drvinst.exe | svchost.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1944 | "C:\Windows\System32\ctfmon.exe" C:\Windows\System32\ctfmon.exe | C:\Windows\System32\ctfmon.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: CTF Loader Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2032 | "C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE" /SetPreload /KOR /Log | C:\Program Files\Common Files\microsoft shared\IME14\SHARED\IMEKLMG.EXE | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Office IME 2010 Exit code: 1 Version: 14.0.4734.1000 Modules
| |||||||||||||||
| 2268 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2296 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2448 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
8 618
Read events
8 455
Write events
159
Delete events
4
Modification events
| (PID) Process: | (4008) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4000000000000000EA5164BF776ADA01A80F0000740F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4008) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4000000000000000EA5164BF776ADA01A80F0000A00F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4008) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4000000000000000EA5164BF776ADA01A80F00002C070000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4008) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer |
| Operation: | write | Name: | IDENTIFY (Enter) |
Value: 4000000000000000EA5164BF776ADA01A80F0000400D0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4008) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer |
| Operation: | write | Name: | IDENTIFY (Leave) |
Value: 4000000000000000EA5164BF776ADA01A80F0000A00F0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4008) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer |
| Operation: | write | Name: | IDENTIFY (Leave) |
Value: 400000000000000044B466BF776ADA01A80F0000400D0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4008) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer |
| Operation: | write | Name: | IDENTIFY (Leave) |
Value: 40000000000000009E1669BF776ADA01A80F0000740F0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4008) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer |
| Operation: | write | Name: | IDENTIFY (Leave) |
Value: 40000000000000009E1669BF776ADA01A80F00002C070000E8030000000000000100000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (4008) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} |
| Operation: | write | Name: | PROVIDER_BEGINPREPARE (Enter) |
Value: 40000000000000004C90C7C0776ADA01A80F00002C070000010400000100000000000000000000003081AD75033E3542972D5C2DFCFBAAD20000000000000000 | |||
| (PID) Process: | (4008) VSSVC.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SwProvider_{b5946137-7b9f-4925-af80-51abd60b20d5} |
| Operation: | write | Name: | PROVIDER_BEGINPREPARE (Leave) |
Value: 40000000000000004C90C7C0776ADA01A80F00002C070000010400000000000000000000000000003081AD75033E3542972D5C2DFCFBAAD20000000000000000 | |||
Executable files
5
Suspicious files
6
Text files
6
Unknown types
12
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1776 | sentinel system driver installer 7.6.0.exe | C:\Users\admin\AppData\Local\Temp\~F7FC.tmp | binary | |
MD5:9737C9B19D56DC226C7FBBF72316176C | SHA256:1D155FF4359B8F8D6EC08B6D1A960B35B19760AADA45609F93E9DBD6A393C0FE | |||
| 1860 | drvinst.exe | C:\Windows\System32\DriverStore\Temp\{72ee2f5b-d31a-6c80-7468-402d60297d16}\SET4DDD.tmp | binary | |
MD5:E730B57B00AE49976C1A67A1D5ED7C42 | SHA256:287548CC7747F3B165C32E89FEE746A9D74E18600444A58A70AF4CE66EFF1D3A | |||
| 3848 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\MSI51B.tmp | executable | |
MD5:F6A6B99623D80FC8E10D04A82F61A806 | SHA256:ADB43809B9D164A220CF80045FCBB4AABD665F83715AC05DEF245EDE8E0F1355 | |||
| 1860 | drvinst.exe | C:\Windows\System32\DriverStore\Temp\{72ee2f5b-d31a-6c80-7468-402d60297d16}\SET4DCD.tmp | cat | |
MD5:B80FE4DD69D644361C56A2DE2BAF64D2 | SHA256:E7AD638D1008DE24D1D1339EFCBCC0B7BD09847D48974044F3945A314289CE2B | |||
| 1776 | sentinel system driver installer 7.6.0.exe | C:\Users\admin\AppData\Local\Temp\_isF80D\_ISMSIDEL.INI | text | |
MD5:AB5B24D3BD4E39CF854F0D75A037FB27 | SHA256:A5AB95833C837392B4451EF247CCD3690A7D752380B596B0BE345E91D07AB8EC | |||
| 1860 | drvinst.exe | C:\Windows\System32\DriverStore\Temp\{72ee2f5b-d31a-6c80-7468-402d60297d16}\sntnlusb.inf | binary | |
MD5:E730B57B00AE49976C1A67A1D5ED7C42 | SHA256:287548CC7747F3B165C32E89FEE746A9D74E18600444A58A70AF4CE66EFF1D3A | |||
| 1776 | sentinel system driver installer 7.6.0.exe | C:\Users\admin\AppData\Local\Temp\_isF80D\0x0409.ini | binary | |
MD5:CF9BD8FDD8ED91EBCD0D73DD97DE41A3 | SHA256:121C1209BD2B0F2755DEBEAD7B9DC4B5F39B9E87F3C105A38DBDF7920DE45544 | |||
| 1860 | drvinst.exe | C:\Windows\System32\DriverStore\INFCACHE.2 | binary | |
MD5:ABB638661D737D9457D78D28C4145066 | SHA256:7602F549ABBAC7DE5CD8125329869D02A0C82AA8C9AAF78011162175AA319261 | |||
| 1860 | drvinst.exe | C:\Windows\System32\DriverStore\Temp\{72ee2f5b-d31a-6c80-7468-402d60297d16}\SNTNLUSB.SYS | executable | |
MD5:41408F4FE7E79AADA6317045FA325693 | SHA256:CAF8B25A78C7E75BB69EAD600C3C971BE06C7A5DCE520683708606DDD046C0C5 | |||
| 1860 | drvinst.exe | C:\Windows\System32\DriverStore\Temp\{72ee2f5b-d31a-6c80-7468-402d60297d16}\SET4DDE.tmp | executable | |
MD5:41408F4FE7E79AADA6317045FA325693 | SHA256:CAF8B25A78C7E75BB69EAD600C3C971BE06C7A5DCE520683708606DDD046C0C5 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
11
DNS requests
2
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1676 | sipnotify.exe | HEAD | 200 | 23.197.138.118:80 | http://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RE2JgkA?v=133536201864370000 | unknown | — | — | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1112 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1676 | sipnotify.exe | 23.197.138.118:80 | query.prod.cms.rt.microsoft.com | Akamai International B.V. | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
query.prod.cms.rt.microsoft.com |
| unknown |