File name: SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe

Full analysis: https://app.any.run/tasks/bb2bafdf-b60e-4972-995a-aeb815e24f49
Verdict: Malicious activity
Analysis date: November 29, 2023, 14:50:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 744D7BF9E35BF88236700E2514EC3EA8
SHA1: 6C2177F0887AE2AFF174730F98F07411462E9DA2
SHA256: CB0CF9343C7A12B3825E13585C6D32A3A0642F31A1794A81EFEE078CD8DC944A
SSDEEP: 98304:pz4HYabXeVLmL1oxi19MjlA53gnDTsQe0TmMsykwTO4w5EveiUUIIGYkQ1kk/lfj:dO0JALcnQ2Rssz/QgEFlW
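Before acting on any verdict in a sandbox report, confirm that the copy in hand is the file the report describes. The following Python is an added example (it is not part of the ANY.RUN report and not Zyxel code): it recomputes the three digests listed above, reports any mismatch against the report's values, and parses the SSDEEP signature far enough to tell whether it can be scored against another sample's signature at all. The report hashes are copied from the page; the function names and the test input are this example's own.

```python
import hashlib

# Digests published in the ANY.RUN report above for this sample.
REPORT_HASHES = {
    "md5": "744D7BF9E35BF88236700E2514EC3EA8",
    "sha1": "6C2177F0887AE2AFF174730F98F07411462E9DA2",
    "sha256": "CB0CF9343C7A12B3825E13585C6D32A3A0642F31A1794A81EFEE078CD8DC944A",
}
REPORT_SSDEEP = "98304:pz4HYabXeVLmL1oxi19MjlA53gnDTsQe0TmMsykwTO4w5EveiUUIIGYkQ1kk/lfj:dO0JALcnQ2Rssz/QgEFlW"


def _new_hashers() -> dict:
    return {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}


def hash_bytes(data: bytes) -> dict:
    """Digest an in-memory blob; upper-case hex, matching the report's formatting."""
    hashers = _new_hashers()
    for h in hashers.values():
        h.update(data)
    return {name: h.hexdigest().upper() for name, h in hashers.items()}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all three hashers in one pass (installers run to tens of MB)."""
    hashers = _new_hashers()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest().upper() for name, h in hashers.items()}


def compare_with_report(observed: dict, expected: dict = REPORT_HASHES) -> list:
    """Return (algorithm, observed, expected) for every digest that disagrees; [] means same bytes."""
    return [
        (alg, observed[alg].upper(), expected[alg].upper())
        for alg in expected
        if observed[alg].upper() != expected[alg].upper()
    ]


def parse_ssdeep(signature: str) -> tuple:
    """Split 'blocksize:chunk:double_chunk'. ssdeep block sizes are always 3 * 2**n."""
    block, chunk, double_chunk = signature.split(":")
    block_size = int(block)
    quotient = block_size // 3
    if block_size % 3 or quotient <= 0 or quotient & (quotient - 1):
        raise ValueError(f"not a valid ssdeep block size: {block_size}")
    return block_size, chunk, double_chunk


def ssdeep_comparable(sig_a: str, sig_b: str) -> bool:
    """ssdeep only scores two signatures whose block sizes are equal or differ by exactly 2x."""
    a, b = parse_ssdeep(sig_a)[0], parse_ssdeep(sig_b)[0]
    return a == b or a == 2 * b or b == 2 * a


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        diffs = compare_with_report(hash_file(path))
        print(path, "matches the report" if not diffs else f"differs: {diffs}")
```

The exact digests settle identity; the SSDEEP signature is what survives a re-packaged build, which is why the report lists both. Two signatures whose block sizes are more than one doubling apart (here anything other than 49152, 98304 or 196608) cannot be compared at all, so a low score in that case means nothing.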

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Creates a writable file in the system directory
      • SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe (PID: 4028)
      • drvinst.exe (PID: 1128)
    • Drops the executable file immediately after the start
      • SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe (PID: 4028)
  • SUSPICIOUS
    • The process creates files with name similar to system file names
      • SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe (PID: 4028)
    • Malware-specific behavior (creating "System.dll" in Temp)
      • SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe (PID: 4028)
      • Note: the System.dll dropped here sits in an ns*.tmp directory (see Dropped files); that is the NSIS System plug-in, which every NSIS-built installer extracts to %TEMP% (TRiD identifies this file as NSIS below), so this signature fires on benign NSIS packages as well.
    • Reads security settings of Internet Explorer
      • SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe (PID: 4028)
    • Checks Windows Trust Settings
      • SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe (PID: 4028)
      • drvinst.exe (PID: 1128)
    • Reads settings of System Certificates
      • SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe (PID: 4028)
      • rundll32.exe (PID: 3068)
    • Drops a system driver (possible attempt to evade defenses)
      • SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe (PID: 4028)
    • Creates files in the driver directory
      • drvinst.exe (PID: 1128)
  • INFO
    • Reads the computer name
      • SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe (PID: 4028)
      • drvinst.exe (PID: 1128)
    • Reads Environment values
      • SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe (PID: 4028)
    • Creates files in a temporary directory
      • SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe (PID: 4028)
    • Checks supported languages
      • drvinst.exe (PID: 1128)
      • SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe (PID: 4028)
    • Reads the machine GUID from the registry
      • SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe (PID: 4028)
      • drvinst.exe (PID: 1128)
    • Creates files in the program directory
      • SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe (PID: 4028)
    • Reads security settings of Internet Explorer
      • rundll32.exe (PID: 3068)
No Malware configuration.

TRiD

.exe | NSIS - Nullsoft Scriptable Install System (91.9)
.exe | Win32 Executable MS Visual C++ (generic) (3.3)
.exe | Win64 Executable (generic) (3)
.dll | Win32 Dynamic Link Library (generic) (0.7)
.exe | Win32 Executable (generic) (0.4)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2008:08:16 22:26:20+02:00 (PE header timestamp of the prebuilt NSIS installer stub; the version resource below is dated 2019, so this date reflects the installer framework's build, not the package's)
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 23552
InitializedDataSize: 164864
UninitializedDataSize: 1024
EntryPoint: 0x30e3
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 3.8.204.61
ProductVersionNumber: 3.8.204.61
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Windows, Latin1
CompanyName: Zyxel
FileDescription: ZyWALL IPSec VPN Client Setup
Language: English (United States)
LegalCopyright: © Zyxel 2019. All rights reserved.
LegalTrademarks: Zyxel
ProductName: ZyWALL IPSec VPN Client
ProductVersion: 3.8.204.61.32
All screenshots are available in the full report
Total processes: 42
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

(Interactive graph available in the full report. Nodes: start -> SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe; drvinst.exe (no specs); rundll32.exe (no specs); SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe (no specs).)

Process information

PID: 1128
CMD: DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{001fcf81-49b1-2044-5650-a8713dad5b19}\TGBVPNVirtM.inf" "0" "6580295eb" "000005BC" "WinSta0\Default" "00000564" "208" "C:\Program Files\Common Files\temp\DriverVPN"
Path: C:\Windows\System32\drvinst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\drvinst.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll

PID: 2876
CMD: "C:\Users\admin\AppData\Local\Temp\SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe"
Path: C:\Users\admin\AppData\Local\Temp\SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe
Parent process: explorer.exe
User: admin
Company: Zyxel
Integrity Level: MEDIUM
Description: ZyWALL IPSec VPN Client Setup
Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity launch never ran the installer body, only ntdll.dll was mapped; PID 4028 below is the same image started again at HIGH integrity)
Modules (images):
c:\users\admin\appdata\local\temp\secuextender ipsecvpn_windows 3.8.204.61.32.exe
c:\windows\system32\ntdll.dll

PID: 3068
CMD: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{2dc7cab3-f13c-670b-c51a-28507d092941} Global\{541235ab-f6ea-2969-f64f-023c2f84aa36} C:\Windows\System32\DriverStore\Temp\{77f006d4-d94f-227e-811f-a150a6c8ab54}\TGBVPNVirtM.inf C:\Windows\System32\DriverStore\Temp\{77f006d4-d94f-227e-811f-a150a6c8ab54}\TGBVPNVirtM.cat
Path: C:\Windows\System32\rundll32.exe
Parent process: drvinst.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\imagehlp.dll
Note: pnpui.dll,InstallSecurityPromptRunDllW is the Windows driver-installation publisher prompt. drvinst.exe launches it in the interactive session (WinSta0\Default) while staging the TGBVPNVirtM.inf/.cat package into the DriverStore; this is the standard PnP driver install path, not a technique specific to this sample. What matters is who signed TGBVPNVirtM.cat, which this summary does not show.

PID: 4028
CMD: "C:\Users\admin\AppData\Local\Temp\SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe"
Path: C:\Users\admin\AppData\Local\Temp\SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe
Parent process: explorer.exe
User: admin
Company: Zyxel
Integrity Level: HIGH
Description: ZyWALL IPSec VPN Client Setup
Exit code: 0
Modules (images):
c:\users\admin\appdata\local\temp\secuextender ipsecvpn_windows 3.8.204.61.32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll
Total events: 10 482
Read events: 10 446
Write events: 36
Delete events: 0

Modification events

(PID) Process: (4028) SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1128) drvinst.exe
Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3068) rundll32.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\17F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US
Executable files: 40
Suspicious files: 8
Text files: 8
Unknown types: 0

Dropped files (all written by PID 4028, SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe)

Filename | Type | MD5 | SHA256
C:\ProgramData\Zyxel\ZyWALL IPSec VPN Client\CertChainVerif.log | text | A2BF8F76CC4C12952945D93DF4D6CDFB | 3F733837145C40092526F6FED4A290102A61A4F4FD58CFD8EC14B7F32E8261E7
C:\Program Files\Common Files\sauv.ini | text | EF18730212925CD3CB5F2B3C1027541A | 932E2801DB189CD8C2886C9A2C602F5FCCAA8E35F68A43EA0573FF76E766FF98
C:\Users\admin\AppData\Local\Temp\nspDD9C.tmp\SetupDll.dll | executable | 3C4CAA5B341C9E2B36592727E567A651 | 123998AFF8EA280D7BF6DF109603B95AEC680A7A91C10D3783B2170A7ACA2129
C:\ProgramData\Zyxel\ZyWALL IPSec VPN Client\tgbparam_2024_admin.dat | text | EF18730212925CD3CB5F2B3C1027541A | 932E2801DB189CD8C2886C9A2C602F5FCCAA8E35F68A43EA0573FF76E766FF98
C:\Users\admin\AppData\Local\Temp\pubSha2.cer | binary | 3962435CF783D836C0F1A000DF827428 | AC3C066C7B5C07EF174C546FCB492B83C32638A30100F4DEF10B2EAB9CCAF513
C:\Users\admin\AppData\Local\Temp\nspDD9C.tmp\modern-wizard.bmp | image | 7256C8A7D5E944A54710978A350B1B2A | AA50397D25E9296AFB5A6FF0F244E1E587414145E6DDADCCE28F10473EB6D759
C:\Program Files\Zyxel\ZyWALL IPSec VPN Client\Languages\dan.dll | executable | 17AED8B8F3E9FECB2E12908DFD43A763 | 7FF2064944DE10CB4667697660B24DF7B2C055CD92D6114F5482F26FF21E397F
C:\Users\admin\AppData\Local\Temp\nspDD9C.tmp\AccessControl.dll | executable | 055F4F9260E07FC83F71877CBB7F4FAD | 4209588362785B690D08D15CD982B8D1C62C348767CA19114234B21D5DF74DDC
C:\Users\admin\AppData\Local\Temp\pubSha1.cer | binary | E9283317FE9B12BA4610F61AB3F68B99 | E4681690C3853367611B96EE1BE7A15B2CC3E46C1C8D6950F57B1583F6F12E2F
C:\Users\admin\AppData\Local\Temp\nspDD9C.tmp\System.dll | executable | 7D85B1F619A3023CC693A88F040826D2 | DC198967B0FB2BC7AAAB0886A700C7F4D8CB346C4F9D48B9B220487B0DFE8A18

The table lists only the first ten of the 40 executable and 8 text files the summary counts; the remainder are in the full report. sauv.ini and tgbparam_2024_admin.dat carry identical MD5 and SHA256 values, i.e. the same content written to two locations. The nspDD9C.tmp directory is the NSIS per-run plug-in directory: System.dll and AccessControl.dll are stock NSIS plug-ins, while SetupDll.dll is not and is the one temp executable worth examining.
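Reading a dropped-file list by eye hides two things a triager wants from it: which rows are the same bytes written to two paths, and which executables are only the installer framework's own plug-ins rather than the product's. The Python below is an added example (not part of the ANY.RUN report and not Zyxel's code): it parses a constructed copy of the table above and tags every row. The NSIS temp-directory pattern and the plug-in name list are this example's own heuristics, not something the report states.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed copy of the "Dropped files" table above, one row per line:
# path|type|MD5|SHA256 (every row was written by PID 4028, the elevated installer).
DROPPED_FILES = r"""
C:\ProgramData\Zyxel\ZyWALL IPSec VPN Client\CertChainVerif.log|text|A2BF8F76CC4C12952945D93DF4D6CDFB|3F733837145C40092526F6FED4A290102A61A4F4FD58CFD8EC14B7F32E8261E7
C:\Program Files\Common Files\sauv.ini|text|EF18730212925CD3CB5F2B3C1027541A|932E2801DB189CD8C2886C9A2C602F5FCCAA8E35F68A43EA0573FF76E766FF98
C:\Users\admin\AppData\Local\Temp\nspDD9C.tmp\SetupDll.dll|executable|3C4CAA5B341C9E2B36592727E567A651|123998AFF8EA280D7BF6DF109603B95AEC680A7A91C10D3783B2170A7ACA2129
C:\ProgramData\Zyxel\ZyWALL IPSec VPN Client\tgbparam_2024_admin.dat|text|EF18730212925CD3CB5F2B3C1027541A|932E2801DB189CD8C2886C9A2C602F5FCCAA8E35F68A43EA0573FF76E766FF98
C:\Users\admin\AppData\Local\Temp\pubSha2.cer|binary|3962435CF783D836C0F1A000DF827428|AC3C066C7B5C07EF174C546FCB492B83C32638A30100F4DEF10B2EAB9CCAF513
C:\Users\admin\AppData\Local\Temp\nspDD9C.tmp\modern-wizard.bmp|image|7256C8A7D5E944A54710978A350B1B2A|AA50397D25E9296AFB5A6FF0F244E1E587414145E6DDADCCE28F10473EB6D759
C:\Program Files\Zyxel\ZyWALL IPSec VPN Client\Languages\dan.dll|executable|17AED8B8F3E9FECB2E12908DFD43A763|7FF2064944DE10CB4667697660B24DF7B2C055CD92D6114F5482F26FF21E397F
C:\Users\admin\AppData\Local\Temp\nspDD9C.tmp\AccessControl.dll|executable|055F4F9260E07FC83F71877CBB7F4FAD|4209588362785B690D08D15CD982B8D1C62C348767CA19114234B21D5DF74DDC
C:\Users\admin\AppData\Local\Temp\pubSha1.cer|binary|E9283317FE9B12BA4610F61AB3F68B99|E4681690C3853367611B96EE1BE7A15B2CC3E46C1C8D6950F57B1583F6F12E2F
C:\Users\admin\AppData\Local\Temp\nspDD9C.tmp\System.dll|executable|7D85B1F619A3023CC693A88F040826D2|DC198967B0FB2BC7AAAB0886A700C7F4D8CB346C4F9D48B9B220487B0DFE8A18
"""

# NSIS extracts its plug-in DLLs into a per-run ns<x><hex4>.tmp directory under %TEMP%.
# The directory regex and the plug-in names are this example's heuristics (assumption).
NSIS_TEMP_DIR = re.compile(r"^ns[A-Za-z0-9][0-9A-Fa-f]{4}\.tmp$")
NSIS_PLUGINS = {"system.dll", "accesscontrol.dll", "nsexec.dll", "nsdialogs.dll"}


def parse_rows(table: str) -> list:
    """Turn the pipe-separated table into dicts; digests normalised to upper case."""
    rows = []
    for line in table.strip().splitlines():
        path, ftype, md5, sha256 = line.split("|")
        rows.append({"path": path, "type": ftype, "md5": md5.upper(), "sha256": sha256.upper()})
    return rows


def duplicate_content(rows: list) -> dict:
    """SHA256 -> list of paths, only for content written to more than one location."""
    by_hash = defaultdict(list)
    for row in rows:
        by_hash[row["sha256"]].append(row["path"])
    return {h: paths for h, paths in by_hash.items() if len(paths) > 1}


def classify(row: dict) -> set:
    """Tag one dropped file: certificate, NSIS plug-in, unexplained temp executable, or installed."""
    p = PureWindowsPath(row["path"])
    tags = set()
    if p.suffix.lower() == ".cer":
        tags.add("certificate")
    if row["type"] == "executable":
        in_temp = any(part.lower() == "temp" for part in p.parts)
        if in_temp and NSIS_TEMP_DIR.match(p.parent.name) and p.name.lower() in NSIS_PLUGINS:
            tags.add("nsis-plugin")
        elif in_temp:
            tags.add("unexplained-executable-in-temp")
        else:
            tags.add("installed-executable")
    return tags


def triage(rows: list) -> dict:
    """path -> sorted tag list for the whole table."""
    return {row["path"]: sorted(classify(row)) for row in rows}


if __name__ == "__main__":
    rows = parse_rows(DROPPED_FILES)
    for sha256, paths in duplicate_content(rows).items():
        print("same content:", sha256, paths)
    for path, tags in triage(rows).items():
        if tags:
            print(path, tags)
```

On this table the script pairs sauv.ini with tgbparam_2024_admin.dat (identical SHA256), recognises System.dll and AccessControl.dll as NSIS plug-ins, and leaves SetupDll.dll as the only temp executable without an explanation, which is where a manual look should start.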
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP:port | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2588 | svchost.exe | 239.255.255.250:1900 | - | - | - | whitelisted

None of these connections come from the sample's processes (PIDs 2876, 4028, 1128, 3068). They are the guest's own NetBIOS name and datagram broadcasts (UDP 137/138 from System), LLMNR multicast (224.0.0.252:5355) and SSDP multicast (239.255.255.250:1900) from svchost.exe; the installer itself made no network connections during the run.

DNS requests

No data

Threats

No threats detected
Debug output

Process | Message
SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe | binary
SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe | => Verifying
SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe | C:\Users\admin\AppData\Local\Temp\SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe
SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe | [VPNCONF] The file "C:\Users\admin\AppData\Local\Temp\SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe" is signed and the signature was verified.
SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe | status 2
SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe | TGBSYSDEP: <= GetCertificateInfo
SecuExtender IPSecVPN_Windows 3.8.204.61.32.exe | TGBSYSDEP: => GetCertificateInfo

These lines are debug strings emitted by the installer itself, so "is signed and the signature was verified" is the sample reporting on its own file, not a check performed by the sandbox. The Authenticode signer of the installer and of the TGBVPNVirtM.cat driver catalog should be confirmed on the file independently before the vendor attribution in the version resource is trusted.