analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

HCupdateInstall.exe

Full analysis: https://app.any.run/tasks/25082fec-3da2-4d51-946c-c610b3ff312f
Verdict: Malicious activity
Analysis date: September 30, 2020, 06:51:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

20A01B1EF5D3CACCFAC2930D198CC679

SHA1:

3A6F1220B78AA3C0F2BF1EA00E4C5061205A96FB

SHA256:

D8BD540E92361824FB1F966A3A8680E399363C9E75660785BF358C904139AC36

SSDEEP:

98304:rljrwm1z1m7kmm5SUVhaYLu55rp2aja9wKXgI0uifgup:xnf1mZmNTq5rp2AaiK/Y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Engine.exe (PID: 2600)
      • HCupdate.exe (PID: 2896)
      • HCupdate.exe (PID: 2652)

    • Loads dropped or rewritten executable

      • Engine.exe (PID: 2600)
      • HCupdate.exe (PID: 2896)

  • SUSPICIOUS

    • Removes files from Windows directory

      • Engine.exe (PID: 2600)

    • Executable content was dropped or overwritten

      • Engine.exe (PID: 2600)
      • HCupdateInstall.exe (PID: 3328)

    • Creates files in the program directory

      • Engine.exe (PID: 2600)
      • HCupdate.exe (PID: 2896)

    • Creates a software uninstall entry

      • Engine.exe (PID: 2600)

  • INFO

    • Manual execution by user

      • HCupdate.exe (PID: 2652)
      • HCupdate.exe (PID: 2896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (49.2)
.exe | Win32 Executable Delphi generic (16.2)
.scr | Windows screen saver (14.9)
.dll | Win32 Dynamic Link Library (generic) (7.5)
.exe | Win32 Executable (generic) (5.1)

EXIF

EXE

ProductVersion: 1.01.0014
ProductName: HCupdate
OriginalFileName: HCupdate.exe
LegalCopyright: Copyright © 2004 Celestron
InternalName: Celestron HCupdate Setup
FileVersion: 1.01.0014
FileDescription: Celestron Hand Controller Updater
CompanyName: Celestron
CharacterSet: Windows, Latin1
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 1.1.14.0
FileVersionNumber: 1.1.14.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x26590
UninitializedDataSize: -
InitializedDataSize: 33792
CodeSize: 153088
LinkerVersion: 2.25
PEType: PE32
TimeStamp: 1992:06:20 00:22:17+02:00
MachineType: Intel 386 or later, and compatibles
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
57
Monitored processes
11
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start hcupdateinstall.exe no specs hcupdateinstall.exe engine.exe cacls.exe no specs cacls.exe no specs cacls.exe no specs cacls.exe no specs cacls.exe no specs cacls.exe no specs hcupdate.exe no specs hcupdate.exe

Process information

PID
CMD
Path
Indicators
Parent process
2384"C:\Users\admin\AppData\Local\Temp\HCupdateInstall.exe" C:\Users\admin\AppData\Local\Temp\HCupdateInstall.exeexplorer.exe
User:
admin
Company:
Celestron
Integrity Level:
MEDIUM
Description:
Celestron Hand Controller Updater
Exit code:
3221226540
Version:
1.01.0014
3328"C:\Users\admin\AppData\Local\Temp\HCupdateInstall.exe" C:\Users\admin\AppData\Local\Temp\HCupdateInstall.exe
explorer.exe
User:
admin
Company:
Celestron
Integrity Level:
HIGH
Description:
Celestron Hand Controller Updater
Exit code:
0
Version:
1.01.0014
2600C:\Users\admin\AppData\Local\Temp\SETUP_15993\Engine.exe /TH_ID=_3364 /OriginExe="C:\Users\admin\AppData\Local\Temp\HCupdateInstall.exe"C:\Users\admin\AppData\Local\Temp\SETUP_15993\Engine.exe
HCupdateInstall.exe
User:
admin
Company:
Pantaray Research Ltd.
Integrity Level:
HIGH
Description:
Setup/UnInstall Engine
Exit code:
0
Version:
10.0.0.0
440C:\Windows\system32\cacls.exe "C:\Program Files\Celestron\HCupdate\UnInstall_HCupdate.exe" /E /C /G Everyone:FC:\Windows\system32\cacls.exeEngine.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Control ACLs Program
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2848C:\Windows\system32\cacls.exe "C:\Windows\system32\MSCOMCT2.OCX" /E /C /G Everyone:FC:\Windows\system32\cacls.exeEngine.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Control ACLs Program
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3128C:\Windows\system32\cacls.exe "C:\Windows\system32\MSCOMM32.OCX" /E /C /G Everyone:FC:\Windows\system32\cacls.exeEngine.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Control ACLs Program
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1344C:\Windows\system32\cacls.exe "C:\Windows\system32\VSFLEX7.OCX" /E /C /G Everyone:FC:\Windows\system32\cacls.exeEngine.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Control ACLs Program
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3540C:\Windows\system32\cacls.exe "C:\Windows\___Registering Files -- Please Wait ___" /E /C /G Everyone:FC:\Windows\system32\cacls.exeEngine.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Control ACLs Program
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3164C:\Windows\system32\cacls.exe "C:\Program Files\Celestron\HCupdate" /T /E /C /G Everyone:FC:\Windows\system32\cacls.exeEngine.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Control ACLs Program
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2652"C:\Program Files\Celestron\HCupdate\HCupdate.exe" C:\Program Files\Celestron\HCupdate\HCupdate.exeexplorer.exe
User:
admin
Company:
Celestron
Integrity Level:
MEDIUM
Description:
Celestron Hand Controller Updater
Exit code:
3221226540
Version:
1.01.0014
Total events
460
Read events
194
Write events
0
Delete events
0

Modification events

No data
Executable files
17
Suspicious files
57
Text files
78
Unknown types
5

Dropped files

PID
Process
Filename
Type
3328HCupdateInstall.exeC:\Users\admin\AppData\Local\Temp\SETUP_15993\00003#___Registering Files -- Please Wait ___
MD5:
SHA256:
3328HCupdateInstall.exeC:\Users\admin\AppData\Local\Temp\SETUP_15993\Sidebar.bmpimage
MD5:46749397289E514DEC3971251BD4C134
SHA256:A2597A7143E0C4E552A47EE976E37E85D012D5CB01925D98366EEBA8951DA097
3328HCupdateInstall.exeC:\Users\admin\AppData\Local\Temp\SETUP_15993\00011#OLEPRO32.DLLexecutable
MD5:238C0CA54696851045AFB54C8B73DC55
SHA256:8E37515524F54878C9B63310B105D3BFF9FD66ABE322B8C189ADFA5EFCB6A6F4
3328HCupdateInstall.exeC:\Users\admin\AppData\Local\Temp\SETUP_15993\HCupdate.qsptext
MD5:1E7A9BB892E396838F90A73EF21B66DD
SHA256:79286B34C7C2BB397279B3FE7821A4701351FB81ACA9FDFF2B9D1B2A4C36AD89
3328HCupdateInstall.exeC:\Users\admin\AppData\Local\Temp\SETUP_15993\Setup.txttext
MD5:F9633A70A8C65B1113D460E8D5C9EFDD
SHA256:CFC4A2AC7603CB92574E3793750E08CED7C8DD3C7488747848A8C7BC3B13EC49
3328HCupdateInstall.exeC:\Users\admin\AppData\Local\Temp\SETUP_15993\00005#COMCAT.DLLexecutable
MD5:4E72C4B7EB91BCA165FD04E0AB4F121E
SHA256:22586FB4B37523DD7DD6E00259F7BDFBF05B794F17297D9E1D8CA6BE288D2238
3328HCupdateInstall.exeC:\Users\admin\AppData\Local\Temp\SETUP_15993\00000#HCupdate.chmchm
MD5:B3CF17F16FFD92B0630F822B3D2AAA80
SHA256:6623A1F65E7B8DC63C8FA848C78B046AB170E5FEBD9D7C4E533BF8FAEDC3B29C
3328HCupdateInstall.exeC:\Users\admin\AppData\Local\Temp\SETUP_15993\Engine.exeexecutable
MD5:ABA059C2245EF87EFAB42EF045C1AABE
SHA256:D235CCA6BB8891A32F9913938481DBD9839E5D52AD636EB8D40B8B20632982A1
3328HCupdateInstall.exeC:\Users\admin\AppData\Local\Temp\SETUP_15993\00001#HCupdate.exeexecutable
MD5:4F49A7E7ECA573DA2D678A4B3F8D3F71
SHA256:675146E98CB76390F014716F84D0764C688F4E5A858472BCE1882B7D947E2EEE
3328HCupdateInstall.exeC:\Users\admin\AppData\Local\Temp\SETUP_15993\00002#License.txttext
MD5:BE58A30881E0AAC30A2EFED872BDE1AC
SHA256:D930592B7E3C82924826DD3319345CFBEEDF615463C7982E3CCBFCBD7E8B7013
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
HCupdateInstall.exe