Malware analysis f101v10b5836.exe Malicious activity | ANY.RUN

Add for printing

download:	f101v10b5836.exe
Full analysis:	https://app.any.run/tasks/c7acc5b6-5a1f-462b-9b12-1c46e0c335fd
Verdict:	Malicious activity
Analysis date:	April 23, 2019, 21:22:33
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	CF082D0CE4A47634365464C52FE9A35E
SHA1:	F8115C5AEFF40009126EC999EFD36B8AD22A7682
SHA256:	C795C816CA2438EE173DF19EC37B45E06C481FCD18B6C4706D7032B60F9C76D5
SSDEEP:	393216:cPDQIqd4kqImjqcdnVdO8HzoULyFKLfcSQC8zPw+a0jeQiTO+a8ftz:crQIqddqIOqcdLLLyk0ST+a0/iR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 60 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Changes settings of System certificates
  - MSIEXEC.EXE (PID: 3488)
- Changes the login/logoff helper path in the registry
  - MsiExec.exe (PID: 2544)
- Loads dropped or rewritten executable
  - FSRT.exe (PID: 3240)
- Application was dropped or rewritten from another process
  - fortres.exe (PID: 1816)
  - FSRTU.EXE (PID: 2880)
  - FSRT.exe (PID: 3240)
  - FLOGO.EXE (PID: 3536)
SUSPICIOUS
- Adds / modifies Windows certificates
  - MSIEXEC.EXE (PID: 3488)
- Starts Microsoft Installer
  - f101v10b5836.exe (PID: 2792)
- Executable content was dropped or overwritten
  - msiexec.exe (PID: 3680)
- Creates files in the driver directory
  - msiexec.exe (PID: 3680)
- Changes the autorun value in the registry
  - msiexec.exe (PID: 3680)
- Creates files in the Windows directory
  - msiexec.exe (PID: 3680)
- Creates COM task schedule object
  - msiexec.exe (PID: 3680)
- Creates files in the program directory
  - FSRT.exe (PID: 3240)
INFO
- Application launched itself
  - msiexec.exe (PID: 3680)
- Searches for installed software
  - msiexec.exe (PID: 3680)
- Low-level read access rights to disk partition
  - vssvc.exe (PID: 2916)
- Dropped object may contain Bitcoin addresses
  - msiexec.exe (PID: 3680)
- Creates files in the program directory
  - msiexec.exe (PID: 3680)
- Loads dropped or rewritten executable
  - MsiExec.exe (PID: 2544)
- Creates or modifies windows services
  - msiexec.exe (PID: 3680)
- Creates a software uninstall entry
  - msiexec.exe (PID: 3680)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 EXE PECompact compressed (generic) (83)
.exe	\|	Win32 Executable (generic) (9)
.exe	\|	Generic Win/DOS Executable (3.9)
.exe	\|	DOS Executable Generic (3.9)

EXIF

EXE

ProductVersion:	1, 0, 0, 1
ProductName:	Fortres Grand Installer
OriginalFileName:	MSIStub.exe
LegalCopyright:	Copyright © 2007 Fortres Grand Corporation
FileVersion:	1, 0, 0, 1
FileDescription:	Fortres Grand Setup Launcher
CompanyName:	Fortres Grand Corporation
CharacterSet:	Unicode
LanguageCode:	English (U.S.)
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Win32
FileFlags:	(none)
FileFlagsMask:	0x0017
ProductVersionNumber:	1.0.0.1
FileVersionNumber:	1.0.0.1
Subsystem:	Windows GUI
SubsystemVersion:	5.1
ImageVersion:	-
OSVersion:	5.1
EntryPoint:	0x7fa1
UninitializedDataSize:	-
InitializedDataSize:	27126272
CodeSize:	103936
LinkerVersion:	14
PEType:	PE32
TimeStamp:	2018:10:17 07:20:43+02:00
MachineType:	Intel 386 or later, and compatibles

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	17-Oct-2018 05:20:43
Detected languages:	English - United States
Debug artifacts:	C:\Users\Public\sandbox2013\WiX\Release\MSIStub.pdb
CompanyName:	Fortres Grand Corporation
FileDescription:	Fortres Grand Setup Launcher
FileVersion:	1, 0, 0, 1
LegalCopyright:	Copyright © 2007 Fortres Grand Corporation
OriginalFilename:	MSIStub.exe
ProductName:	Fortres Grand Installer
ProductVersion:	1, 0, 0, 1

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x00000118

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	6
Time date stamp:	17-Oct-2018 05:20:43
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_RELOCS_STRIPPED

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x00019546	0x00019600	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.61128
.rdata	0x0001B000	0x00009950	0x00009A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.03292
.data	0x00025000	0x0000171C	0x00000C00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	3.11492
.tls	0x00027000	0x00000009	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	0.0203931
.gfids	0x00028000	0x000000F4	0x00000200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	1.98748
.rsrc	0x00029000	0x019D3F78	0x019D4000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	7.7894

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.31786	833	Latin 1 / Western European	English - United States	RT_MANIFEST
2	5.17787	2216	Latin 1 / Western European	English - United States	RT_ICON
3	4.48224	1736	Latin 1 / Western European	English - United States	RT_ICON
4	3.21515	1384	Latin 1 / Western European	English - United States	RT_ICON
5	4.28558	9640	Latin 1 / Western European	English - United States	RT_ICON
6	4.67587	4264	Latin 1 / Western European	English - United States	RT_ICON
7	1.66997	60	Latin 1 / Western European	English - United States	RT_STRING
8	5.06089	1128	Latin 1 / Western European	English - United States	RT_ICON
9	5.10208	2216	Latin 1 / Western European	English - United States	RT_ICON
107	2.85812	118	Latin 1 / Western European	English - United States	RT_GROUP_ICON

Imports


ADVAPI32.dll
KERNEL32.dll
SHELL32.dll
SHLWAPI.dll
USER32.dll
msi.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3568	"C:\Users\admin\AppData\Local\Temp\f101v10b5836.exe"	C:\Users\admin\AppData\Local\Temp\f101v10b5836.exe	—	explorer.exe
User: admin Company: Fortres Grand Corporation Integrity Level: MEDIUM Description: Fortres Grand Setup Launcher Exit code: 3221226540 Version: 1, 0, 0, 1
2792	"C:\Users\admin\AppData\Local\Temp\f101v10b5836.exe"	C:\Users\admin\AppData\Local\Temp\f101v10b5836.exe		explorer.exe
User: admin Company: Fortres Grand Corporation Integrity Level: HIGH Description: Fortres Grand Setup Launcher Exit code: 0 Version: 1, 0, 0, 1
3488	C:\Windows\SYSTEM32\MSIEXEC.EXE /I C:\Users\admin\AppData\Local\Temp\f101v10.msi	C:\Windows\SYSTEM32\MSIEXEC.EXE		f101v10b5836.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 1641 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
3680	C:\Windows\system32\msiexec.exe /V	C:\Windows\system32\msiexec.exe		services.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255)
2984	C:\Windows\system32\MsiExec.exe -Embedding 8112D7700085D0D92CBFEEC10EDE81F1 C	C:\Windows\system32\MsiExec.exe	—	msiexec.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
2916	C:\Windows\system32\vssvc.exe	C:\Windows\system32\vssvc.exe	—	services.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3660	DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000003A0" "000005BC"	C:\Windows\system32\DrvInst.exe	—	svchost.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2544	C:\Windows\system32\MsiExec.exe -Embedding B61C9938711B335FDB245CADC11876FC	C:\Windows\system32\MsiExec.exe		msiexec.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
4076	C:\Windows\system32\MsiExec.exe -Embedding 0E2474A15E89B13147C9DD5EF8A7D44D M Global\MSI0000	C:\Windows\system32\MsiExec.exe	—	msiexec.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255)
3240	"C:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\FSRT.exe"	C:\Program Files\Fortres Grand\Fortres Security Runtime 6.0\FSRT.exe		services.exe
User: SYSTEM Company: Fortres Grand Corporation Integrity Level: SYSTEM Description: Fortres Security Runtime Version: 8.0.1611.0

Add for printing

Total events

1 157

Read events

461

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2792	f101v10b5836.exe	C:\Users\admin\AppData\Local\Temp\f101v10.msi		—
		MD5:—	SHA256:—
3488	MSIEXEC.EXE	C:\Users\admin\AppData\Local\Temp\Cab2E18.tmp		—
		MD5:—	SHA256:—
3488	MSIEXEC.EXE	C:\Users\admin\AppData\Local\Temp\Tar2E19.tmp		—
		MD5:—	SHA256:—
3488	MSIEXEC.EXE	C:\Users\admin\AppData\Local\Temp\Cab2E2A.tmp		—
		MD5:—	SHA256:—
3488	MSIEXEC.EXE	C:\Users\admin\AppData\Local\Temp\Tar2E2B.tmp		—
		MD5:—	SHA256:—
3488	MSIEXEC.EXE	C:\Users\admin\AppData\Local\Temp\Cab2E3B.tmp		—
		MD5:—	SHA256:—
3488	MSIEXEC.EXE	C:\Users\admin\AppData\Local\Temp\Tar2E3C.tmp		—
		MD5:—	SHA256:—
3488	MSIEXEC.EXE	C:\Users\admin\AppData\Local\Temp\Cab2ECA.tmp		—
		MD5:—	SHA256:—
3488	MSIEXEC.EXE	C:\Users\admin\AppData\Local\Temp\Tar2ECB.tmp		—
		MD5:—	SHA256:—
3488	MSIEXEC.EXE	C:\Users\admin\AppData\Local\Temp\MSI5F13.tmp		—
		MD5:—	SHA256:—

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3488	MSIEXEC.EXE	GET	200	93.184.221.240:80	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	US	compressed	55.6 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2544	MsiExec.exe	168.62.48.183:443	www.fortresgrand.com	Microsoft Corporation	US	whitelisted
3488	MSIEXEC.EXE	93.184.221.240:80	www.download.windowsupdate.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted

DNS requests

Domain	IP	Reputation
www.download.windowsupdate.com	93.184.221.240	whitelisted
www.fortresgrand.com	168.62.48.183	suspicious

Threats

No threats detected

Add for printing

Process	Message
f101v10b5836.exe	Error opening registry key: 2
f101v10b5836.exe
f101v10b5836.exe	Unable to load fgcnwrk.dll
f101v10b5836.exe
f101v10b5836.exe
f101v10b5836.exe
f101v10b5836.exe	Product ID: {0258A16C-6117-4234-8FCD-9B2BB30FD013}
f101v10b5836.exe
f101v10b5836.exe	MSI File: f101v10.msi
f101v10b5836.exe

General Info

f101v10b5836.exe

CF082D0CE4A47634365464C52FE9A35E

F8115C5AEFF40009126EC999EFD36B8AD22A7682

C795C816CA2438EE173DF19EC37B45E06C481FCD18B6C4706D7032B60F9C76D5

393216:cPDQIqd4kqImjqcdnVdO8HzoULyFKLfcSQC8zPw+a0jeQiTO+a8ftz:crQIqddqIOqcdLLLyk0ST+a0/iR

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes settings of System certificates

Changes the login/logoff helper path in the registry

Loads dropped or rewritten executable

Application was dropped or rewritten from another process

SUSPICIOUS

Adds / modifies Windows certificates

Starts Microsoft Installer

Executable content was dropped or overwritten

Creates files in the driver directory

Changes the autorun value in the registry

Creates files in the Windows directory

Creates COM task schedule object

Creates files in the program directory

INFO

Application launched itself

Searches for installed software

Low-level read access rights to disk partition

Dropped object may contain Bitcoin addresses

Creates files in the program directory

Loads dropped or rewritten executable

Creates or modifies windows services

Creates a software uninstall entry

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings