URL: https://www.tweaking.com/files/setups/tweaking.com_windows_repair_aio_setup.exe

Full analysis: https://app.any.run/tasks/e8d03be3-49d1-49f9-8ee6-aadf99b0de9f
Verdict: Malicious activity
Threats:

Stealers are a class of malware built to gain unauthorized access to users' information and transfer it to the attacker. The category covers programs that each target a particular kind of data, such as files, passwords, or cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: October 09, 2019, 18:57:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: stealer
Indicators:
MD5: 66A921EDFF305214926F6F65FDC3EEF8
SHA1: 0104474C28C5AD716D7C9C340BBD4A385AA6822B
SHA256: D861925A5E834465CBE580B91569BAA8361C7E36793D1FA0B84E5C9B2FB347D1
SSDEEP: 3:N8DSL5EjLCx0KxAWKRzKC18zVlqQDh4A:2OL5EjLCLADzKC18zVoeh4A
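The hashes above are only useful if you compare them against what you actually hold. The following script is an added example and not part of the ANY.RUN report: it computes MD5, SHA-1 and SHA-256 of a local object in one pass, compares them case-insensitively against the report's indicators, and treats an MD5/SHA-1-only hit as weaker than a SHA-256 hit. The indicator values are copied from the report; the sample bytes used in the self-test are constructed and are not the installer. Check what object the report's hashes describe (a URL task may hash the submitted string rather than the downloaded file) before drawing conclusions from a mismatch.

```python
import hashlib
from typing import Dict, Set

# Indicators as printed in the ANY.RUN report above (task e8d03be3-49d1-49f9-8ee6-aadf99b0de9f).
REPORT_IOCS: Dict[str, str] = {
    "md5": "66A921EDFF305214926F6F65FDC3EEF8",
    "sha1": "0104474C28C5AD716D7C9C340BBD4A385AA6822B",
    "sha256": "D861925A5E834465CBE580B91569BAA8361C7E36793D1FA0B84E5C9B2FB347D1",
}

ALGORITHMS = ("md5", "sha1", "sha256")


def hashes_of(data: bytes) -> Dict[str, str]:
    """Lowercase hex digests of an in-memory object (a file body, or a URL string)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ALGORITHMS}


def hashes_of_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same digests for a file on disk, streamed once through all three hashes
    so that a 40 MB installer is neither read three times nor loaded whole."""
    digests = {alg: hashlib.new(alg) for alg in ALGORITHMS}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            for d in digests.values():
                d.update(block)
    return {alg: d.hexdigest() for alg, d in digests.items()}


def match_iocs(observed: Dict[str, str], iocs: Dict[str, str]) -> Set[str]:
    """Algorithms whose digest matches. Comparison is case-insensitive because
    reports print upper-case hex while hashlib emits lower-case."""
    return {
        alg for alg, value in iocs.items()
        if alg in observed and observed[alg].lower() == value.strip().lower()
    }


def verdict(observed: Dict[str, str], iocs: Dict[str, str] = REPORT_IOCS) -> str:
    """'match' requires SHA-256. An MD5- or SHA-1-only hit is reported as
    'weak-match': both are collision-prone, and a stale IOC entry is a common cause."""
    matched = match_iocs(observed, iocs)
    if "sha256" in matched:
        return "match"
    if matched:
        return "weak-match"
    return "no-match"


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        digests = hashes_of_file(path)
        print(path, verdict(digests), digests["sha256"])
```

Run it as `python check_iocs.py <file>`; anything other than "match" means the object in hand is not the one the report hashed, and "weak-match" deserves a second look at the IOC source rather than a conclusion.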

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report can be distorted by user actions and is provided as is, for the user's awareness. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • irsetup.exe (PID: 1828)
      • irsetup.exe (PID: 1644)
      • Repair_Windows.exe (PID: 1828)
      • Repair_Windows.exe (PID: 1668)
      • WR_Tray_Icon.exe (PID: 2680)
      • TweakingRegistryBackup.exe (PID: 720)
      • tweaking_ras.exe (PID: 3888)
      • Tweaking_CleanMem.exe (PID: 2756)
      • tweaking_ras.exe (PID: 3676)
      • tweaking_ras.exe (PID: 3452)
      • tweaking_ras.exe (PID: 3968)
      • ManageACL_32.exe (PID: 2532)
      • ManageACL_32.exe (PID: 2516)
      • tweaking_ras.exe (PID: 3000)
      • tweaking_ras.exe (PID: 3932)
      • ManageACL_32.exe (PID: 3188)
      • ManageACL_32.exe (PID: 3216)
      • ManageACL_32.exe (PID: 3372)
      • ManageACL_32.exe (PID: 364)
      • ManageACL_32.exe (PID: 2780)
      • ManageACL_32.exe (PID: 1656)
    • Loads dropped or rewritten executable

      • irsetup.exe (PID: 1644)
      • Repair_Windows.exe (PID: 1668)
      • Repair_Windows.exe (PID: 1828)
      • TweakingRegistryBackup.exe (PID: 720)
    • Loads the Task Scheduler DLL interface

      • Repair_Windows.exe (PID: 1668)
    • Loads the Task Scheduler COM API

      • Repair_Windows.exe (PID: 1668)
    • Stealing of credential data

      • TweakingRegistryBackup.exe (PID: 720)
    • Starts NET.EXE to view/change users group

      • cmd.exe (PID: 1404)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 1456)
      • cmd.exe (PID: 3500)
      • cmd.exe (PID: 2600)
    • Actions look like stealing of personal data

      • ManageACL_32.exe (PID: 3372)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • tweaking.com_windows_repair_aio_setup[1].exe (PID: 3060)
      • irsetup.exe (PID: 1644)
    • Creates files in the Windows directory

      • irsetup.exe (PID: 1644)
      • TweakingRegistryBackup.exe (PID: 720)
      • Repair_Windows.exe (PID: 1828)
    • Uses REG.EXE to modify Windows registry

      • Repair_Windows.exe (PID: 1668)
      • cmd.exe (PID: 1404)
    • Creates a software uninstall entry

      • irsetup.exe (PID: 1644)
      • Repair_Windows.exe (PID: 1828)
    • Executed as Windows Service

      • tweaking_ras.exe (PID: 3676)
      • tweaking_ras.exe (PID: 3968)
      • tweaking_ras.exe (PID: 3000)
    • Creates files in the program directory

      • Repair_Windows.exe (PID: 1828)
      • irsetup.exe (PID: 1644)
      • ManageACL_32.exe (PID: 2532)
      • ManageACL_32.exe (PID: 3188)
      • ManageACL_32.exe (PID: 364)
      • ManageACL_32.exe (PID: 3372)
      • ManageACL_32.exe (PID: 3216)
      • ManageACL_32.exe (PID: 2780)
      • ManageACL_32.exe (PID: 1656)
    • Starts CMD.EXE for commands execution

      • tweaking_ras.exe (PID: 3888)
      • tweaking_ras.exe (PID: 3676)
      • cmd.exe (PID: 3028)
      • tweaking_ras.exe (PID: 3968)
      • cmd.exe (PID: 2536)
      • tweaking_ras.exe (PID: 3452)
      • tweaking_ras.exe (PID: 3000)
      • tweaking_ras.exe (PID: 3932)
      • cmd.exe (PID: 3720)
    • Removes files from Windows directory

      • cmd.exe (PID: 1404)
      • Repair_Windows.exe (PID: 1828)
      • cmd.exe (PID: 3952)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2884)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 928)
      • iexplore.exe (PID: 2884)
    • Dropped object may contain Bitcoin addresses

      • irsetup.exe (PID: 1644)
      • Repair_Windows.exe (PID: 1828)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
Screenshots: all screenshots are available in the full report
Total processes: 118
Monitored processes: 62
Malicious processes: 17
Suspicious processes: 4

Behavior graph

The interactive graph (click a process to see its details) is in the full report. Processes it contains, in the order shown, with start and drop-and-start edges between them: iexplore.exe, tweaking.com_windows_repair_aio_setup[1].exe, irsetup.exe, repair_windows.exe, reg.exe, wr_tray_icon.exe, tweakingregistrybackup.exe, tweaking_cleanmem.exe, tweaking_ras.exe, cmd.exe, net.exe, net1.exe, manageacl_32.exe (several of these appear more than once).

Process information

The first ten monitored processes are listed here; the remaining ones are in the full report. Integrity levels and exit codes are as recorded by the sandbox.

PID 2884  iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://www.tweaking.com/files/setups/tweaking.com_windows_repair_aio_setup.exe"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Internet Explorer
  Exit code: 1
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 928  iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2884 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: LOW
  Description: Internet Explorer
  Exit code: 0
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3060  tweaking.com_windows_repair_aio_setup[1].exe
  CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\tweaking.com_windows_repair_aio_setup[1].exe"
  Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\tweaking.com_windows_repair_aio_setup[1].exe
  Parent process: iexplore.exe
  User: admin
  Company: Tweaking.com
  Integrity level: MEDIUM
  Description: Setup Application
  Exit code: 0
  Version: 4.6.0.0

PID 1828  irsetup.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1803178 "__IRAFN:C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\tweaking.com_windows_repair_aio_setup[1].exe" "__IRCT:3" "__IRTSS:39476756" "__IRSID:S-1-5-21-1302019708-1500728564-335382590-1000"
  Path: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  Parent process: tweaking.com_windows_repair_aio_setup[1].exe
  User: admin
  Company: Indigo Rose Corporation
  Integrity level: MEDIUM
  Description: Setup Application
  Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: this unelevated instance could not run; PID 1644 below is the same command line relaunched at HIGH integrity)
  Version: 9.5.3.0

PID 1644  irsetup.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1803178 "__IRAFN:C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\tweaking.com_windows_repair_aio_setup[1].exe" "__IRCT:3" "__IRTSS:39476756" "__IRSID:S-1-5-21-1302019708-1500728564-335382590-1000"
  Path: C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  Parent process: tweaking.com_windows_repair_aio_setup[1].exe
  User: admin
  Company: Indigo Rose Corporation
  Integrity level: HIGH
  Description: Setup Application
  Exit code: 0
  Version: 9.5.3.0

PID 1668  Repair_Windows.exe
  CMD: "C:\Program Files\Tweaking.com\Windows Repair (All in One)\Repair_Windows.exe" /traystartup
  Path: C:\Program Files\Tweaking.com\Windows Repair (All in One)\Repair_Windows.exe
  Parent process: irsetup.exe
  User: admin
  Company: Tweaking.com
  Integrity level: HIGH
  Description: Tweaking.com - Windows Repair
  Exit code: 1
  Version: 4.6.0.0

PID 1828  Repair_Windows.exe
  CMD: "C:\Program Files\Tweaking.com\Windows Repair (All in One)\Repair_Windows.exe"
  Path: C:\Program Files\Tweaking.com\Windows Repair (All in One)\Repair_Windows.exe
  Parent process: irsetup.exe
  User: admin
  Company: Tweaking.com
  Integrity level: HIGH
  Description: Tweaking.com - Windows Repair
  Exit code: none recorded (still running at the end of the analysis; the PID was reused after the irsetup.exe instance with PID 1828 exited, so do not key a timeline on PID alone)
  Version: 4.6.0.0

PID 4044  reg.exe
  CMD: "C:\Windows\System32\reg.exe" DELETE HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Option /f
  Path: C:\Windows\System32\reg.exe
  Parent process: Repair_Windows.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Registry Console Tool
  Exit code: 1 (reg.exe returns 1 on failure, for example when the key does not exist)
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2316  reg.exe
  CMD: "C:\Windows\System32\reg.exe" DELETE HKLM\SYSTEM\ControlSet002\Control\SafeBoot\Option /f
  Path: C:\Windows\System32\reg.exe
  Parent process: Repair_Windows.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Registry Console Tool
  Exit code: 1
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2656  reg.exe
  CMD: "C:\Windows\System32\reg.exe" DELETE HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Option /f
  Path: C:\Windows\System32\reg.exe
  Parent process: Repair_Windows.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: HIGH
  Description: Registry Console Tool
  Exit code: 1
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
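Three things in the process table are worth automating rather than eyeballing: decoding exit codes that are really NTSTATUS values, spotting the unelevated-fail-then-elevated-relaunch pattern, and catching PID reuse before it corrupts a timeline. The script below is an added example and is not ANY.RUN code or Tweaking.com code. Its sample rows are transcribed from the table above (the irsetup.exe arguments are abridged), except the net.exe row, which is constructed because the report names only the signature ("Starts NET.EXE to view/change users group") and not the command line; the rule names and the hypothetical PID 9999 are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent: str
    integrity: str             # LOW / MEDIUM / HIGH, as the report prints it
    exit_code: Optional[int]   # None while the process is still running


# Only the NTSTATUS value this report needs; extend from ntstatus.h as required.
NTSTATUS = {0xC000042C: "STATUS_ELEVATION_REQUIRED"}


def describe_exit(code: Optional[int]) -> str:
    """Exit codes at or above 0x80000000 are NTSTATUS values, not return codes:
    3221226540 is 0xC000042C, the status reported when a binary that requires
    administrator rights is started without elevation."""
    if code is None:
        return "running"
    if code < 0x80000000:
        return str(code)
    return f"0x{code:08X} ({NTSTATUS.get(code, 'unknown NTSTATUS')})"


# (finding, image pattern, command-line pattern); all matched case-insensitively.
RULES: List[Tuple[str, str, str]] = [
    ("safeboot-option-deleted",  r"(^|\\)reg\.exe$",  r"\bdelete\b.*\\SafeBoot\\Option\b"),
    ("reg-exe-write",            r"(^|\\)reg\.exe$",  r"\b(add|delete|import|restore)\b"),
    ("net-exe-account-or-group", r"(^|\\)net1?\.exe$", r"\b(user|localgroup|group)\b"),
    ("net-exe-service-control",  r"(^|\\)net1?\.exe$", r"\b(start|stop|pause|continue)\b"),
]


def findings_for(p: Proc) -> List[str]:
    return [name for name, img, cmd in RULES
            if re.search(img, p.image, re.I) and re.search(cmd, p.cmdline, re.I)]


def elevation_relaunches(procs: List[Proc]) -> List[Tuple[int, int]]:
    """(failed_pid, elevated_pid) pairs: the same image first exits at MEDIUM with
    STATUS_ELEVATION_REQUIRED and is then started again at HIGH (the UAC path)."""
    failed = [p for p in procs if p.exit_code == 0xC000042C and p.integrity == "MEDIUM"]
    return [(f.pid, p.pid) for f in failed for p in procs
            if p is not f and p.image.lower() == f.image.lower() and p.integrity == "HIGH"]


def pid_reuse(procs: List[Proc]) -> Dict[int, Set[str]]:
    """PIDs that occur with more than one image. Windows recycles PIDs quickly,
    so a timeline keyed on PID alone merges unrelated processes."""
    seen: Dict[int, Set[str]] = {}
    for p in procs:
        seen.setdefault(p.pid, set()).add(p.image.lower())
    return {pid: imgs for pid, imgs in seen.items() if len(imgs) > 1}


def triage(procs: List[Proc]) -> Dict[str, object]:
    return {
        "findings": {p.pid: findings_for(p) for p in procs if findings_for(p)},
        "elevations": elevation_relaunches(procs),
        "pid_reuse": pid_reuse(procs),
    }


IRSETUP = r"C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe"
REPAIR = r"C:\Program Files\Tweaking.com\Windows Repair (All in One)\Repair_Windows.exe"
REG = r"C:\Windows\System32\reg.exe"
NET = r"C:\Windows\System32\net.exe"
SETUP = "tweaking.com_windows_repair_aio_setup[1].exe"

# Rows 1-4 transcribed from the process table above; the net.exe row (PID 9999)
# is constructed for illustration, as noted in the lead-in.
SAMPLE: List[Proc] = [
    Proc(1828, IRSETUP, f'"{IRSETUP}" __IRAOFF:1803178', SETUP, "MEDIUM", 3221226540),
    Proc(1644, IRSETUP, f'"{IRSETUP}" __IRAOFF:1803178', SETUP, "HIGH", 0),
    Proc(1828, REPAIR, f'"{REPAIR}"', "irsetup.exe", "HIGH", None),
    Proc(4044, REG, rf'"{REG}" DELETE HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Option /f',
         "Repair_Windows.exe", "HIGH", 1),
    Proc(9999, NET, rf'"{NET}" localgroup administrators', "cmd.exe", "HIGH", 0),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.pid, p.image.rsplit("\\", 1)[-1], p.integrity,
              describe_exit(p.exit_code), findings_for(p))
    print(triage(SAMPLE))
```

The rules are deliberately narrow: deleting the SafeBoot\Option key is a specific, rarely legitimate action worth its own finding, whereas the generic reg.exe and net.exe rules only add context. In a real pipeline the rows would come from the sandbox's JSON export rather than from hand-transcribed literals.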
Total events: 1 544
Read events: 1 342
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 43
Suspicious files: 41
Text files: 1 019
Unknown types: 23

Dropped files

The first ten dropped files are listed here; MD5/SHA256 values and the complete list are in the full report.

PID   Process       Filename
2884  iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
2884  iexplore.exe  C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
2884  iexplore.exe  C:\Users\admin\AppData\Local\Temp\~DFE6BB2A2215C609A7.TMP
928   iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1KS7E6X7\tweaking.com_windows_repair_aio_setup[1].exe
2884  iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\tweaking.com_windows_repair_aio_setup[1].exe
2884  iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019092020190921\index.dat
1644  irsetup.exe   C:\Users\admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.dat
2884  iexplore.exe  C:\Users\admin\AppData\Local\Temp\~DF39ECA9ED55740781.TMP
2884  iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{BF214A8B-EAC6-11E9-837B-5254004A04AF}.dat
1644  irsetup.exe   C:\Program Files\Tweaking.com\Windows Repair (All in One)\Uninstall\uni8360.tmp
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 5
DNS requests: 4
Threats: 0

HTTP requests

All six requests are GET over plain HTTP with status 200. Columns: PID, process, IP, country, type, size, reputation (as assigned by ANY.RUN), followed by the URL.

1828  Repair_Windows.exe  199.119.100.39:80  US  text  5 b   suspicious
      http://www.tweaking.com/files/updates/windows_repair/update.htm
1828  Repair_Windows.exe  199.119.100.39:80  US  text  41 b  suspicious
      http://update.tweaking.com/update4.php?fr=1&nt=61&k=Free_Version&v=4.6.0&r=na
1644  irsetup.exe         52.21.98.236:80    US  text  9 b   malicious
      http://track.tweaking.com/ev-install-start.php?type=install-start&computer=S-1-5-21-1302019708-1500728564-335382590-1000
1644  irsetup.exe         52.21.98.236:80    US  text  9 b   malicious
      http://track.tweaking.com/ev-install-start.php?type=install-start&computer=S-1-5-21-1302019708-1500728564-335382590-1000
1644  irsetup.exe         52.21.98.236:80    US  text  9 b   malicious
      http://track.tweaking.com/ev-install-end.php?type=install-end&computer=S-1-5-21-1302019708-1500728564-335382590-1000
1644  irsetup.exe         52.21.98.236:80    US  text  9 b   malicious
      http://track.tweaking.com/ev-install-end.php?type=install-end&computer=S-1-5-21-1302019708-1500728564-335382590-1000
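The detail that matters in this table is not the reputation label but the query string: the installer's tracking beacons carry the user's account SID (the same value irsetup.exe received as its __IRSID argument) to a third-party host over plain HTTP, which makes it a stable, host-specific identifier that anyone on the path can read. The script below is an added example, not ANY.RUN code, that parses the six rows above, extracts SIDs from query parameters, and summarizes hosts and cleartext use. The rows are transcribed from the table; the `Req` type and function names are this example's own.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple
from urllib.parse import parse_qs, urlsplit


class Req(NamedTuple):
    pid: int
    process: str
    method: str
    status: int
    ip: str
    url: str


TRACK_START = ("http://track.tweaking.com/ev-install-start.php?type=install-start"
               "&computer=S-1-5-21-1302019708-1500728564-335382590-1000")
TRACK_END = ("http://track.tweaking.com/ev-install-end.php?type=install-end"
             "&computer=S-1-5-21-1302019708-1500728564-335382590-1000")

# The six rows of the "HTTP requests" table above, transcribed from the report.
REQUESTS: List[Req] = [
    Req(1828, "Repair_Windows.exe", "GET", 200, "199.119.100.39:80",
        "http://www.tweaking.com/files/updates/windows_repair/update.htm"),
    Req(1828, "Repair_Windows.exe", "GET", 200, "199.119.100.39:80",
        "http://update.tweaking.com/update4.php?fr=1&nt=61&k=Free_Version&v=4.6.0&r=na"),
    Req(1644, "irsetup.exe", "GET", 200, "52.21.98.236:80", TRACK_START),
    Req(1644, "irsetup.exe", "GET", 200, "52.21.98.236:80", TRACK_START),
    Req(1644, "irsetup.exe", "GET", 200, "52.21.98.236:80", TRACK_END),
    Req(1644, "irsetup.exe", "GET", 200, "52.21.98.236:80", TRACK_END),
]

# Account SID of a local or domain account: S-1-5-21-<three sub-authorities>-<RID>.
SID_RE = re.compile(r"\bS-1-5-21-\d+-\d+-\d+-(\d+)\b")


def query_params(url: str) -> Dict[str, str]:
    """First value of every query parameter (none of these URLs repeat a key)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def sids_in(text: str) -> List[str]:
    return [m.group(0) for m in SID_RE.finditer(text)]


def rid_of(sid: str) -> int:
    """Relative identifier; 1000 is the first account created on a machine."""
    return int(sid.rsplit("-", 1)[1])


def leaked_identifiers(reqs: List[Req]) -> List[Dict[str, object]]:
    """Query parameters whose whole value is an account SID, i.e. a stable
    host-specific identifier sent to an external host."""
    found = []
    for r in reqs:
        for key, value in query_params(r.url).items():
            if SID_RE.fullmatch(value):
                found.append({"pid": r.pid, "process": r.process,
                              "host": urlsplit(r.url).hostname, "param": key,
                              "sid": value, "rid": rid_of(value)})
    return found


def summarize(reqs: List[Req]) -> Dict[str, object]:
    return {
        "total": len(reqs),
        "cleartext": sum(1 for r in reqs if urlsplit(r.url).scheme == "http"),
        "by_host": dict(Counter(urlsplit(r.url).hostname for r in reqs)),
        "identifiers": leaked_identifiers(reqs),
    }


if __name__ == "__main__":
    s = summarize(REQUESTS)
    print(f"{s['cleartext']}/{s['total']} requests over plain HTTP; hosts: {s['by_host']}")
    for item in s["identifiers"]:
        print(f"PID {item['pid']} {item['process']} -> {item['host']} "
              f"param {item['param']} = {item['sid']} (RID {item['rid']})")
```

The same SID regex applied to the process command lines would also catch the __IRSID argument, which is how you tie the beacon back to the installer that generated it.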

Connections

PID   Process             IP                   Domain              ASN                      CN  Reputation
2884  iexplore.exe        204.79.197.200:80    www.bing.com        Microsoft Corporation    US  whitelisted
1644  irsetup.exe         52.21.98.236:80      track.tweaking.com  Amazon.com, Inc.         US  suspicious
928   iexplore.exe        199.119.100.39:443   www.tweaking.com    HIVELOCITY VENTURES CORP US  suspicious
1828  Repair_Windows.exe  199.119.100.39:80    www.tweaking.com    HIVELOCITY VENTURES CORP US  suspicious

DNS requests

Domain               IP(s)                           Reputation
www.tweaking.com     199.119.100.39                  suspicious
www.bing.com         204.79.197.200, 13.107.21.200   whitelisted
track.tweaking.com   52.21.98.236, 3.221.210.78      malicious
update.tweaking.com  199.119.100.39                  suspicious

Threats

4 ETPRO signatures matched; the matched threats are available in the full report for paid subscriptions.
No debug info.