File name:

BJCA certificate assistant.7z

Full analysis: https://app.any.run/tasks/f1077f56-185d-4c02-a2dd-b142c632f567
Verdict: Malicious activity
Analysis date: June 21, 2021, 12:19:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

994B6A4C18A00A10F5CB78654AF974EE

SHA1:

828F71C361C709D38F69FE73390CB1DD2AAF832D

SHA256:

C8DC89C38B37BB8464C43772A44EF5EC1E3B61B01C4BECE5B4B0D914F2612757

SSDEEP:

393216:ZW0b07U7qtYClVAQk2FHfTtcPSylLMf7rq:ZWrAGjVA+b6PSy+D2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • CertAppEnv_Setup.exe (PID: 2988)
      • CertAppEnv_Setup.exe (PID: 3956)
      • CertAppEnv_SetupV3.1.02.0253.exe (PID: 3688)
      • ns1AE3.tmp (PID: 2220)
      • ns1C3C.tmp (PID: 2748)
      • ns1D18.tmp (PID: 1076)
      • ns1E71.tmp (PID: 2708)
      • ns29AE.tmp (PID: 2384)
      • ns2E05.tmp (PID: 2540)
      • ns2C4F.tmp (PID: 2988)
      • RegSvr32_x86.exe (PID: 3316)
      • RegSvr32_x86.exe (PID: 1004)
      • ns1FBA.tmp (PID: 2820)
      • ns2FCB.tmp (PID: 2580)
      • XTXCoreSvr.exe (PID: 3232)
      • RegSvr32_x86.exe (PID: 3736)
      • XTXLogProxy.exe (PID: 3020)
      • ns324D.tmp (PID: 972)
      • XTXCoreSvr.exe (PID: 2224)
      • ns3A1E.tmp (PID: 2896)
      • RegSvr32_x86.exe (PID: 2180)
      • XTXCoreSvr.exe (PID: 3480)
      • regrepair.exe (PID: 1544)
      • SetupHelper.exe (PID: 3288)
      • BJCAScheduleJob.exe (PID: 3248)
      • ns620A.tmp (PID: 2364)
      • XTXCoreSvr.exe (PID: 2564)
      • BJCAUpdateSetup.exe (PID: 1704)
      • BJCAUpdate.exe (PID: 1188)
      • BJCAUpdate.exe (PID: 3384)
      • SetupHelper.exe (PID: 1588)
      • BjcaCertAide.exe (PID: 3704)
      • BJCAUpdate.exe (PID: 1868)
      • XTXLogProxy.exe (PID: 1012)
      • PubLib_Setup.exe (PID: 3032)
    • Drops executable file immediately after starts

      • CertAppEnv_SetupV3.1.02.0253.exe (PID: 3688)
      • BJCAUpdateSetup.exe (PID: 1704)
      • PubLib_Setup.exe (PID: 3032)
    • Loads dropped or rewritten executable

      • CertAppEnv_SetupV3.1.02.0253.exe (PID: 3688)
      • RegSvr32_x86.exe (PID: 3316)
      • RegSvr32_x86.exe (PID: 1004)
      • RegSvr32_x86.exe (PID: 3736)
      • XTXCoreSvr.exe (PID: 2224)
      • RegSvr32_x86.exe (PID: 2180)
      • XTXCoreSvr.exe (PID: 3232)
      • XTXCoreSvr.exe (PID: 2564)
      • XTXCoreSvr.exe (PID: 3480)
      • BJCAUpdate.exe (PID: 1188)
      • BJCAUpdate.exe (PID: 1868)
      • PubLib_Setup.exe (PID: 3032)
      • BJCAUpdate.exe (PID: 3384)
      • BjcaCertAide.exe (PID: 3704)
    • Starts NET.EXE for service management

      • ns1AE3.tmp (PID: 2220)
      • ns1D18.tmp (PID: 1076)
      • ns1E71.tmp (PID: 2708)
    • Changes settings of System certificates

      • SetupHelper.exe (PID: 3288)
      • BJCAUpdate.exe (PID: 1188)
    • Changes internet zones settings

      • regrepair.exe (PID: 1544)
      • CertAppEnv_SetupV3.1.02.0253.exe (PID: 3688)
    • Loads the Task Scheduler COM API

      • BJCAScheduleJob.exe (PID: 3248)
      • BJCAUpdate.exe (PID: 1188)
    • Loads the Task Scheduler DLL interface

      • BJCAUpdate.exe (PID: 1188)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3404)
      • CertAppEnv_Setup.exe (PID: 3956)
      • CertAppEnv_SetupV3.1.02.0253.exe (PID: 3688)
      • BJCAUpdateSetup.exe (PID: 1704)
      • BJCAUpdate.exe (PID: 1188)
      • PubLib_Setup.exe (PID: 3032)
    • Drops a file with too old compile date

      • CertAppEnv_Setup.exe (PID: 3956)
      • WinRAR.exe (PID: 3404)
      • CertAppEnv_SetupV3.1.02.0253.exe (PID: 3688)
      • PubLib_Setup.exe (PID: 3032)
    • Starts application with an unusual extension

      • CertAppEnv_SetupV3.1.02.0253.exe (PID: 3688)
    • Drops a file that was compiled in debug mode

      • CertAppEnv_SetupV3.1.02.0253.exe (PID: 3688)
      • BJCAUpdateSetup.exe (PID: 1704)
      • BJCAUpdate.exe (PID: 1188)
      • PubLib_Setup.exe (PID: 3032)
    • Starts SC.EXE for service management

      • ns1FBA.tmp (PID: 2820)
    • Creates a directory in Program Files

      • CertAppEnv_SetupV3.1.02.0253.exe (PID: 3688)
      • BJCAUpdate.exe (PID: 1188)
      • PubLib_Setup.exe (PID: 3032)
    • Creates files in the program directory

      • CertAppEnv_SetupV3.1.02.0253.exe (PID: 3688)
      • WriteCertAideCfg.exe (PID: 2452)
      • XTXCoreSvr.exe (PID: 2224)
      • BJCAScheduleJob.exe (PID: 3248)
      • BJCAUpdate.exe (PID: 1188)
      • PubLib_Setup.exe (PID: 3032)
    • Creates/Modifies COM task schedule object

      • RegSvr32_x86.exe (PID: 3316)
      • RegSvr32_x86.exe (PID: 1004)
      • RegSvr32_x86.exe (PID: 2180)
      • RegSvr32_x86.exe (PID: 3736)
      • BJCAUpdate.exe (PID: 1868)
      • BJCAUpdate.exe (PID: 1188)
    • Drops a file with a compile date too recent

      • CertAppEnv_SetupV3.1.02.0253.exe (PID: 3688)
    • Application launched itself

      • XTXCoreSvr.exe (PID: 2564)
    • Creates files in the Windows directory

      • XTXCoreSvr.exe (PID: 3480)
      • XTXCoreSvr.exe (PID: 2564)
      • BJCAUpdate.exe (PID: 1188)
    • Executed as Windows Service

      • XTXCoreSvr.exe (PID: 2564)
    • Removes files from Windows directory

      • XTXCoreSvr.exe (PID: 2564)
    • Creates a software uninstall entry

      • CertAppEnv_SetupV3.1.02.0253.exe (PID: 3688)
      • PubLib_Setup.exe (PID: 3032)
    • Adds / modifies Windows certificates

      • BJCAUpdate.exe (PID: 1188)
    • Starts itself from another location

      • BJCAUpdate.exe (PID: 1188)
    • Disables SEHOP

      • BJCAUpdate.exe (PID: 1188)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • CertAppEnv_Setup.exe (PID: 3956)
      • WriteCertAideCfg.exe (PID: 2452)
      • CertAppEnv_SetupV3.1.02.0253.exe (PID: 3688)
    • Reads settings of System Certificates

      • SetupHelper.exe (PID: 3288)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
All screenshots are available in the full report
Total processes: 97
Monitored processes: 44
Malicious processes: 9
Suspicious processes: 10

Behavior graph

[Behavior graph: process tree starting at winrar.exe and running through certappenv_setup.exe, certappenv_setupv3.1.02.0253.exe, the ns*.tmp helper stubs (which launch net.exe, net1.exe and sc.exe), writecertaidecfg.exe, regsvr32_x86.exe, xtxlogproxy.exe, xtxcoresvr.exe, setuphelper.exe, regrepair.exe, bjcaschedulejob.exe, bjcaupdatesetup.exe, bjcaupdate.exe, bjcacertaide.exe and publib_setup.exe; nearly every edge is "drop and start". The interactive graph is in the full report.]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 972
CMD: "C:\Users\admin\AppData\Local\Temp\nsyF69.tmp\ns324D.tmp" "C:\Program Files\BJCAClient\CertAppEnvV3.1.02.0253\Program\XTXCoreSvr.exe" -k install
Path: C:\Users\admin\AppData\Local\Temp\nsyF69.tmp\ns324D.tmp
Parent process: CertAppEnv_SetupV3.1.02.0253.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\nsyf69.tmp\ns324d.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1004
CMD: "C:\Program Files\BJCAClient\CertAppEnvV3.1.02.0253\Program\RegSvr32_x86.exe" /s "C:\Program Files\BJCAClient\CertAppEnvV3.1.02.0253\Program\XTXVersion.dll"
Path: C:\Program Files\BJCAClient\CertAppEnvV3.1.02.0253\Program\RegSvr32_x86.exe
Parent process: ns2C4F.tmp
User:
admin
Company:
BeiJing Certificate Authority
Integrity Level:
HIGH
Description:
BJCA® Register Server
Exit code:
0
Version:
4.00
Modules
Images
c:\program files\bjcaclient\certappenvv3.1.02.0253\program\regsvr32_x86.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
PID: 1012
CMD: "C:\Program Files\BJCAClient\Common\XTXLogProxy.exe" /RegServer
Path: C:\Program Files\BJCAClient\Common\XTXLogProxy.exe
Parent process: PubLib_Setup.exe
User:
admin
Company:
北京数字认证股份有限公司
Integrity Level:
HIGH
Description:
XTXAppCOM log proxy program (XTXAppCOM日志代理程序)
Exit code:
0
Version:
2.14.1.0
Modules
Images
c:\program files\bjcaclient\common\xtxlogproxy.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1076
CMD: "C:\Users\admin\AppData\Local\Temp\nsyF69.tmp\ns1D18.tmp" net stop "ASKeyServer"
Path: C:\Users\admin\AppData\Local\Temp\nsyF69.tmp\ns1D18.tmp
Parent process: CertAppEnv_SetupV3.1.02.0253.exe
User:
admin
Integrity Level:
HIGH
Exit code:
2
Modules
Images
c:\users\admin\appdata\local\temp\nsyf69.tmp\ns1d18.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1188
CMD: C:\Users\admin\AppData\Local\Temp\GUM66A0.tmp\BJCAUpdate.exe /silent /install "runtime=true&needsadmin=true"
Path: C:\Users\admin\AppData\Local\Temp\GUM66A0.tmp\BJCAUpdate.exe
Parent process: BJCAUpdateSetup.exe
User:
admin
Company:
BJCA.,ltd
Integrity Level:
HIGH
Description:
BJCA Installer
Exit code:
0
Version:
1.3.23.0
Modules
Images
c:\users\admin\appdata\local\temp\gum66a0.tmp\bjcaupdate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
PID: 1544
CMD: "C:\Program Files\BJCAClient\CertAppEnvV3.1.02.0253\Program\regrepair.exe"
Path: C:\Program Files\BJCAClient\CertAppEnvV3.1.02.0253\Program\regrepair.exe
Parent process: CertAppEnv_SetupV3.1.02.0253.exe
User:
admin
Company:
北京数字认证股份有限公司
Integrity Level:
HIGH
Description:
regrepair
Exit code:
0
Version:
0.0.0.1
Modules
Images
c:\program files\bjcaclient\certappenvv3.1.02.0253\program\regrepair.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
PID: 1552
CMD: C:\Windows\system32\net1 stop "XTXCoreSvr"
Path: C:\Windows\system32\net1.exe
Parent process: net.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Net Command
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\net1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dsrole.dll
c:\windows\system32\netutils.dll
PID: 1588
CMD: "C:\Program Files\BJCAClient\CertAppEnvV3.1.02.0253\Program\SetupHelper.exe" /WirteUpdateReg {BF720538-7840-4325-93CD-CF72FBF3232F}
Path: C:\Program Files\BJCAClient\CertAppEnvV3.1.02.0253\Program\SetupHelper.exe
Parent process: CertAppEnv_SetupV3.1.02.0253.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Modules
Images
c:\program files\bjcaclient\certappenvv3.1.02.0253\program\setuphelper.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 1704
CMD: "C:\Program Files\BJCAClient\CertAppEnvV3.1.02.0253\BJCAUpdateSetup.exe" /silent /install "runtime=true&needsadmin=true"
Path: C:\Program Files\BJCAClient\CertAppEnvV3.1.02.0253\BJCAUpdateSetup.exe
Parent process: CertAppEnv_SetupV3.1.02.0253.exe
User:
admin
Company:
BJCA.,Ltd
Integrity Level:
HIGH
Description:
BJCA Update Setup
Exit code:
0
Version:
1.3.23.0
Modules
Images
c:\program files\bjcaclient\certappenvv3.1.02.0253\bjcaupdatesetup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 1868
CMD: "C:\Program Files\BJCA\Update\BJCAUpdate.exe" /regserver
Path: C:\Program Files\BJCA\Update\BJCAUpdate.exe
Parent process: BJCAUpdate.exe
User:
admin
Company:
BJCA.,ltd
Integrity Level:
HIGH
Description:
BJCA Installer
Exit code:
0
Version:
1.3.23.0
Modules
Images
c:\program files\bjca\update\bjcaupdate.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
Total events: 2 382
Read events: 1 502
Write events: 856
Delete events: 24

Modification events

(PID) Process: (3404) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3404) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3404) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3404) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\13D\52C64B7E
Operation: write
Name: @C:\Windows\system32\NetworkExplorer.dll,-1
Value: Network

(PID) Process: (3404) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\BJCA certificate assistant.7z

(PID) Process: (3404) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3404) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3404) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3404) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3404) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0
Executable files: 82
Suspicious files: 11
Text files: 147
Unknown types: 8

Dropped files

PID
Process
Filename
Type
PID: 3688
Process: CertAppEnv_SetupV3.1.02.0253.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsyF69.tmp\ns1D18.tmp
Type:
MD5:
SHA256:

PID: 3688
Process: CertAppEnv_SetupV3.1.02.0253.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsyF69.tmp\ns1FBA.tmp
Type:
MD5:
SHA256:

PID: 3404
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXa3404.34917\CertAppEnv_Setup.exe
Type: executable
MD5:
SHA256:

PID: 3688
Process: CertAppEnv_SetupV3.1.02.0253.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsyF69.tmp\ioSpecial.ini
Type: text
MD5:
SHA256:

PID: 3688
Process: CertAppEnv_SetupV3.1.02.0253.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsyF69.tmp\ns1AE3.tmp
Type: executable
MD5:
SHA256:

PID: 3688
Process: CertAppEnv_SetupV3.1.02.0253.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsyF69.tmp\ns1C3C.tmp
Type: executable
MD5:
SHA256:

PID: 3688
Process: CertAppEnv_SetupV3.1.02.0253.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsyF69.tmp\ns1E71.tmp
Type: executable
MD5:
SHA256:

PID: 3956
Process: CertAppEnv_Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\SubPackage\client_setup.ini
Type: text
MD5:
SHA256:

PID: 3956
Process: CertAppEnv_Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\SubPackage\CertAppEnv_SetupV3.1.02.0253.exe
Type: executable
MD5:
SHA256:

PID: 3688
Process: CertAppEnv_SetupV3.1.02.0253.exe
Filename: C:\Program Files\BJCAClient\CertAppEnvV3.1.02.0253\BjcaCertAide\DriverCfg\zfc3201_bjcakey_c.dll
Type: executable
MD5: F1F5AAA5C35A546BC2D3A90E7F7FA7FF
SHA256: 5C06A264435011B071EFDDC0510D3FDB9459D234C9FAD5101C3FCAFC6AEC27EA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

Domain: time.bjca.org.cn
IP:
Reputation: unknown

Threats

No threats detected
No debug info