File name:	softether.exe
Full analysis:	https://app.any.run/tasks/cd28b5f8-ef81-4d4d-b2ae-01e77521fd43
Verdict:	Malicious activity
Analysis date:	March 10, 2025, 21:03:52
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	rdp
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	186F4721B80F390BDF6AA14133D50F91
SHA1:	250EE62F3FAF0817DD7CAA0D9F20C1AFE6B9DC84
SHA256:	B7E06A4FF2E5B5CF05F8E35F0433ECA32CAB72E1BB3D99A8E8F0F228F276E372
SSDEEP:	786432:xIAGoyXsQ8BqiszZyPxZCPe9Naw/kyKKEq9z:qAGogsVBZYZy7Cm9MyKKEqh

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2023:08:31 01:51:48+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	9
CodeSize:	4411904
InitializedDataSize:	54450688
UninitializedDataSize:	-
EntryPoint:	0x41854b
OSVersion:	5
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	4.43.0.9799
ProductVersionNumber:	4.43.0.9799
FileFlagsMask:	0x0017
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Japanese
CharacterSet:	Unicode
CompanyName:	SoftEther VPN Project at University of Tsukuba, Japan.
FileDescription:	SoftEther VPN
FileVersion:	4, 43, 0, 9799
InternalName:	vpnsetup
LegalCopyright:	Copyright (C) 2012-2023 SoftEther VPN Project. All Rights Reserved.
LegalTrademarks:	SoftEther(R) is a registered trademark of SoftEther Corporation in Japan, United Status and People's Republic of China. SoftEther Corporation is a company founded at University of Tsukuba, Japan in 2004.
OriginalFileName:	vpnsetup.exe
ProductName:	SoftEther VPN
ProductVersion:	4, 43, 0, 9799


(PID) Process:	(4652) vpnsetup.exe	Key:	HKEY_LOCAL_MACHINE
Operation:	write	Name:	Vpn_Check_Admin_Key_4003674586
Value: 7DD3EDA3F408497C1CF8926A16F77B079C9F0A06B8C42A6C49A72153B7BF6837
(PID) Process:	(4652) vpnsetup.exe	Key:	HKEY_LOCAL_MACHINE
Operation:	delete value	Name:	Vpn_Check_Admin_Key_4003674586
Value: 퍽ꏭࣴ籉檒ݻ龜؊쒸氪ꝉ匡뾷㝨
(PID) Process:	(4652) vpnsetup.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\Setup\SetupapiLogStatus
Operation:	write	Name:	setupapi.dev.log
Value: 4096
(PID) Process:	(4652) vpnsetup.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\TemporaryInstallStage\|6808\|SeLow\|{FEE27966-D653-4D74-847F-5544508A807A}\Ndi
Operation:	write	Name:	Service
Value: SeLow
(PID) Process:	(4652) vpnsetup.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\TemporaryInstallStage\|6808\|SeLow\|{FEE27966-D653-4D74-847F-5544508A807A}\Ndi
Operation:	write	Name:	HelpText
Value: A lightweight helper kernel-mode module for PacketiX VPN / SoftEther VPN.
(PID) Process:	(4652) vpnsetup.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\TemporaryInstallStage\|6808\|SeLow\|{FEE27966-D653-4D74-847F-5544508A807A}\Ndi\Interfaces
Operation:	write	Name:	UpperRange
Value: noupper
(PID) Process:	(4652) vpnsetup.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Network\TemporaryInstallStage\|6808\|SeLow\|{FEE27966-D653-4D74-847F-5544508A807A}\Ndi\Interfaces
Operation:	write	Name:	LowerRange
Value: ndis5,ndis4
(PID) Process:	(4652) vpnsetup.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\GroupOrderList
Operation:	write	Name:	PNP_TDI
Value: 080000000500000001000000020000000300000004000000060000000700000008000000
(PID) Process:	(4652) vpnsetup.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SeLow
Operation:	write	Name:	SlVersion_Win10
Value: 48
(PID) Process:	(4652) vpnsetup.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SeLow
Operation:	write	Name:	Start
Value: 1

PID	Process	Filename		Type
5124	softether.exe	C:\Users\admin\AppData\Local\Temp\VPN_7032\hamcore.se2		—
		MD5:—	SHA256:—
5124	softether.exe	C:\Users\admin\AppData\Local\Temp\VPN_7032\installer.cache		—
		MD5:—	SHA256:—
5124	softether.exe	C:\Users\admin\AppData\Local\Temp\VPN_7032\vpnsetup_x64.exe		executable
		MD5:43017413E07BC2E6BBD2E55189666A4A	SHA256:2C0E307879F381C10D48921DB2AB38A69FAC06535711774035DE7AC58F276FA9
5124	softether.exe	C:\Users\admin\AppData\Local\Temp\VPN_7032\vpncmd.exe		executable
		MD5:C0847C1AA7C92A24CF477FEE38CF3990	SHA256:FB919F469214A11D98F5168CC7F50A062B9F6F483753B3E2C909829B090DA194
5124	softether.exe	C:\Users\admin\AppData\Local\Temp\VPN_7032\vpnsetup.exe		executable
		MD5:4E0AE023B67CEE4B5A1EC15151757573	SHA256:0A45AD33F8BBA71F69213DFEE21CF4472D4888642F4CB108A505FB686A575586
5124	softether.exe	C:\Users\admin\AppData\Local\Temp\VPN_7032\vpnserver_x64.exe		executable
		MD5:45E50E7975374C3E8DAA0C46B9289D7E	SHA256:FA10F23220AB85FECC7F351F97FB6F56F3BE3DB587F5E0BA9A4069697279C774
5124	softether.exe	C:\Users\admin\AppData\Local\Temp\VPN_7032\vpncmd_x64.exe		executable
		MD5:3744B85D67545C8DD8067395B314037C	SHA256:8315D1CDB7BFE13E3FD03517307A389D89DF52AAA5C9ED606ABD0EA40BF8D2A1
5124	softether.exe	C:\Users\admin\AppData\Local\Temp\VPN_7032\vpnbridge_x64.exe		executable
		MD5:F333BCC066C69BD98F754E4870A85B95	SHA256:4F9D9A6CBA88832FCB7CFB845472B63FF15CB9B417F4F02CB8086552C19CEFFC
2564	vpnsetup.exe	C:\Users\admin\AppData\Local\Temp\VPN_7032\lang.config		text
		MD5:233A7DF4DE14FE71D5A8391429C64F3B	SHA256:198A807286EFE5D84BCCCD01CA6D2E4B71DD0B4024919406395483117B745B81
5124	softether.exe	C:\Users\admin\AppData\Local\Temp\VPN_7032\vpnbridge.exe		executable
		MD5:96E5AC9FAD4B7A0824BAF38D7010619E	SHA256:F7C892710FE003F5386AACD7F17DDD169ECD28E4C239331D72509E5928D39CD2

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4528	vpnserver_x64.exe	GET	200	103.41.63.79:80	http://get-my-ip.ddns.softether-network.net/ddns/getmyip.ashx?v=17393608821649943909	unknown	—	—	unknown
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	—	—	whitelisted
—	—	POST	500	40.91.76.224:443	https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail	unknown	xml	512 b	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4528	vpnserver_x64.exe	130.158.6.60:5004	x2.x9.servers.nat-traversal.softether-network.net	—	—	unknown
4528	vpnserver_x64.exe	184.24.77.24:80	www.msftncsi.com	Akamai International B.V.	DE	whitelisted
4528	vpnserver_x64.exe	103.41.63.66:443	xf.x3.servers.ddns.softether-network.net	SoftEther Corporation	JP	unknown
4528	vpnserver_x64.exe	103.41.63.79:80	get-my-ip.ddns.softether-network.net	SoftEther Corporation	JP	unknown
5436	vpnsmgr_x64.exe	130.158.6.62:443	update-check.softether-network.net	University of Tsukuba	JP	unknown
2284	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 20.73.194.208	whitelisted
google.com	142.250.185.142	whitelisted
keepalive.softether.org	—	whitelisted
xf.x3.servers.ddns.softether-network.net	103.41.63.66	unknown
x2.x9.servers.nat-traversal.softether-network.net	130.158.6.60	unknown
www.msftncsi.com	184.24.77.24 184.24.77.4	whitelisted
xf.x3.servers-v6.ddns.softether-network.net	2401:af80:8000::1201	unknown
get-my-ip.ddns.softether-network.net	103.41.63.79 54.70.59.22 133.242.145.163 103.95.185.148	unknown
get-my-ip-v6.ddns.softether-network.net	2600:1f13:475:4201:1f17:8114:d1c6:b0d8 2401:5e40:1:462::30 2401:2500:102:1205:133:242:145:163 2401:af80:8000::1401	unknown
update-check.softether-network.net	130.158.6.62	unknown

General Info

softether.exe

186F4721B80F390BDF6AA14133D50F91

250EE62F3FAF0817DD7CAA0D9F20C1AFE6B9DC84

B7E06A4FF2E5B5CF05F8E35F0433ECA32CAB72E1BB3D99A8E8F0F228F276E372

786432:xIAGoyXsQ8BqiszZyPxZCPe9Naw/kyKKEq9z:qAGogsVBZYZy7Cm9MyKKEqh

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Accesses name of a computer manufacturer via WMI (SCRIPT)

SUSPICIOUS

There is functionality for enable RDP (YARA)

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Application launched itself

Drops a system driver (possible attempt to evade defenses)

Creates files in the driver directory

The process executes VB scripts

Suspicious use of NETSH.EXE

Creates or modifies Windows services

Executes as Windows Service

Process drops legitimate windows executable

Accesses WMI object, sets custom ImpersonationLevel (SCRIPT)

Creates a software uninstall entry

INFO

Reads Environment values

The sample compiled with japanese language support

Checks supported languages

Reads the machine GUID from the registry

Process checks computer location settings

Reads the computer name

Create files in a temporary directory

Reads the software policy settings

Creates files in the program directory

Reads security settings of Internet Explorer

Disables trace logs

The sample compiled with english language support

Reads Windows Product ID

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests