Malware analysis HWiNFO64[1].exe Malicious activity | ANY.RUN

Add for printing

File name:	HWiNFO64[1].exe
Full analysis:	https://app.any.run/tasks/c30bc38c-0232-4e51-8e87-7932a37b19fc
Verdict:	Malicious activity
Analysis date:	November 27, 2024, 21:09:08
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	upx antivm
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 3 sections
MD5:	DDC37BB951D7E0EB3FB340C65F04D0E3
SHA1:	3379533D80A8604C6BBBADE7CDB09CB01918516E
SHA256:	D3810EFE8ECA9FCAE71C09409A859506A469BAC9417609F9A02ABBFD3B56ED29
SSDEEP:	98304:AawkBKI0osH9I5XMHR3EsMeEc8Cs4wYUUhIcM9sBkcsS7iEFL5K5rlgKE2STJPIu:chD8wMN2e/qZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: on
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Creates file in the systems drive root
  - HWiNFO64[1].exe (PID: 6508)
- Executable content was dropped or overwritten
  - HWiNFO64[1].exe (PID: 6508)
- Drops a system driver (possible attempt to evade defenses)
  - HWiNFO64[1].exe (PID: 6508)
- Reads security settings of Internet Explorer
  - HWiNFO64[1].exe (PID: 6508)
- Reads the BIOS version
  - HWiNFO64[1].exe (PID: 6508)
- Checks Windows Trust Settings
  - HWiNFO64[1].exe (PID: 6508)
- There is functionality for VM detection antiVM strings (YARA)
  - HWiNFO64[1].exe (PID: 6508)
- The process checks if it is being run in the virtual environment
  - HWiNFO64[1].exe (PID: 6508)
INFO
- Reads the computer name
  - HWiNFO64[1].exe (PID: 6508)
- Checks supported languages
  - HWiNFO64[1].exe (PID: 6508)
- Reads CPU info
  - HWiNFO64[1].exe (PID: 6508)
- Create files in a temporary directory
  - HWiNFO64[1].exe (PID: 6508)
- Checks proxy server information
  - HWiNFO64[1].exe (PID: 6508)
- Reads the machine GUID from the registry
  - HWiNFO64[1].exe (PID: 6508)
- Reads the time zone
  - HWiNFO64[1].exe (PID: 6508)
- Reads the software policy settings
  - HWiNFO64[1].exe (PID: 6508)
- UPX packer has been detected
  - HWiNFO64[1].exe (PID: 6508)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	UPX compressed Win32 Executable (87.1)
.exe	\|	Generic Win/DOS Executable (6.4)
.exe	\|	DOS Executable Generic (6.4)

EXIF

EXE

MachineType:	AMD AMD64
TimeStamp:	2024:11:25 07:28:39+00:00
ImageFileCharacteristics:	No relocs, Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.29
CodeSize:	9424896
InitializedDataSize:	114688
UninitializedDataSize:	19611648
EntryPoint:	0x1bb06b0
OSVersion:	6.1
ImageVersion:	-
SubsystemVersion:	6.1
Subsystem:	Windows GUI
FileVersionNumber:	8.16.5600.0
ProductVersionNumber:	8.16.5600.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
CompanyName:	REALiX s.r.o.
FileVersion:	8.16-5600
ProductVersion:	8.16-5600
LegalCopyright:	Copyright (c)1999-2024 Martin Malik, REALiX s.r.o.
InternalName:	HWiNFO® 64
FileDescription:	HWiNFO® 64 (x64)
OriginalFileName:	HWiNFO64.EXE
ProductName:	Hardware Info Program for x64 (HWiNFO® 64)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

121

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

6360

"C:\HWiNFO64[1].exe"

C:\HWiNFO64[1].exe

—

explorer.exe

User:

admin

Company:

REALiX s.r.o.

Integrity Level:

MEDIUM

Description:

HWiNFO® 64 (x64)

Exit code:

3221226540

Version:

8.16-5600

Modules

Images
c:\hwinfo64[1].exe
c:\windows\system32\ntdll.dll

6508

"C:\HWiNFO64[1].exe"

C:\HWiNFO64[1].exe

explorer.exe

User:

admin

Company:

REALiX s.r.o.

Integrity Level:

HIGH

Description:

HWiNFO® 64 (x64)

Version:

8.16-5600

Modules

Images
c:\hwinfo64[1].exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

8 065

Read events

5 866

Write events

Delete events

2 171

Modification events


(PID) Process:	(6508) HWiNFO64[1].exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:	write	Name:	CachePrefix
Value:
(PID) Process:	(6508) HWiNFO64[1].exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:	write	Name:	CachePrefix
Value: Cookie:
(PID) Process:	(6508) HWiNFO64[1].exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:	write	Name:	CachePrefix
Value: Visited:
(PID) Process:	(6508) HWiNFO64[1].exe	Key:	HKEY_CURRENT_USER\SOFTWARE\HWiNFO64
Operation:	write	Name:	FontFace
Value: Tahoma
(PID) Process:	(6508) HWiNFO64[1].exe	Key:	HKEY_CURRENT_USER\SOFTWARE\HWiNFO64\Sensors\F000EA00_0\Other1
Operation:	delete value	Name:	LgLcdValueType
Value:
(PID) Process:	(6508) HWiNFO64[1].exe	Key:	HKEY_CURRENT_USER\SOFTWARE\HWiNFO64\Sensors\F000EA00_0\Other1
Operation:	delete value	Name:	TrayDivideBy
Value:
(PID) Process:	(6508) HWiNFO64[1].exe	Key:	HKEY_CURRENT_USER\SOFTWARE\HWiNFO64\Sensors\F000EA00_0\Other1
Operation:	delete value	Name:	TrayFontFace
Value:
(PID) Process:	(6508) HWiNFO64[1].exe	Key:	HKEY_CURRENT_USER\SOFTWARE\HWiNFO64\Sensors\F000EA00_0\Other1
Operation:	delete value	Name:	TrayFontSize
Value:
(PID) Process:	(6508) HWiNFO64[1].exe	Key:	HKEY_CURRENT_USER\SOFTWARE\HWiNFO64\Sensors\F000EA00_0\Other1
Operation:	delete value	Name:	TrayMaxDigits
Value:
(PID) Process:	(6508) HWiNFO64[1].exe	Key:	HKEY_CURRENT_USER\SOFTWARE\HWiNFO64\Sensors\F000EA00_0\Other1
Operation:	delete value	Name:	TrayFontBold
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6508	HWiNFO64[1].exe	C:\Windows\INF\display.PNF		binary
		MD5:62887E3F2C67C748F05C629DB62182A4	SHA256:1B686CFC6E98A6034A28BA9BE22C190723467365477E75A18A78104A26554CE9
6508	HWiNFO64[1].exe	C:\HWiNFO64.INI		text
		MD5:3374593BE3E6B939DFB668CE69D47545	SHA256:E367CF415149B37D4D3376D7D5EA17D4E7B4FCE73C5C07DB69F2C01AF43B9565
6508	HWiNFO64[1].exe	C:\Windows\INF\basicrender.PNF		binary
		MD5:8567F128605CC616A38D0870D077D165	SHA256:7B2D28D317F49EED7BC242241E54EB3FFFB512C5FB6F719C4F5E9395E6B1F533
6508	HWiNFO64[1].exe	C:\Windows\INF\basicdisplay.PNF		binary
		MD5:914DCB989709A0CE3F4B24A4CD147F1A	SHA256:C2FEE0EAD23C7B3B509FDDE94DDD6A549F999F364C5CA9D09AC084F22BC0ECB4
6508	HWiNFO64[1].exe	C:\Windows\INF\wvid.PNF		binary
		MD5:001A053A392EF45B9336D4CF9748BE29	SHA256:258ED93549F63B9A368086660F32A95DF07E7603ED01BA8722EE8C1DA27789C2
6508	HWiNFO64[1].exe	C:\Users\admin\AppData\Local\Temp\HWiNFO_x64_204.sys		executable
		MD5:3E7E10631FC581DBB9C5F97793F07F15	SHA256:F79C9CCF61C35B7DDAE2D68BF74DEDCD87364430E76CA4E9955B8E5F606EEE51
6508	HWiNFO64[1].exe	C:\Windows\INF\machine.PNF		binary
		MD5:2832AC38B3F7C5EAE6490E5DB414B98E	SHA256:DFE57032C2FC69400AD3CA6D96566387B4336FD19A363F4F32041EC81E35F12B

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1684	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
3976	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
6508	HWiNFO64[1].exe	104.21.22.164:443	www.hwinfo.com	CLOUDFLARENET	—	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
www.bing.com	—	whitelisted
google.com	142.250.185.78	whitelisted
www.hwinfo.com	104.21.22.164 172.67.205.235	whitelisted
self.events.data.microsoft.com	20.42.65.90	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

HWiNFO64[1].exe

DDC37BB951D7E0EB3FB340C65F04D0E3

3379533D80A8604C6BBBADE7CDB09CB01918516E

D3810EFE8ECA9FCAE71C09409A859506A469BAC9417609F9A02ABBFD3B56ED29

98304:AawkBKI0osH9I5XMHR3EsMeEc8Cs4wYUUhIcM9sBkcsS7iEFL5K5rlgKE2STJPIu:chD8wMN2e/qZ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Creates file in the systems drive root

Executable content was dropped or overwritten

Drops a system driver (possible attempt to evade defenses)

Reads security settings of Internet Explorer

Reads the BIOS version

Checks Windows Trust Settings

There is functionality for VM detection antiVM strings (YARA)

The process checks if it is being run in the virtual environment

INFO

Reads the computer name

Checks supported languages

Reads CPU info

Create files in a temporary directory

Checks proxy server information

Reads the machine GUID from the registry

Reads the time zone

Reads the software policy settings

UPX packer has been detected

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings