File name:

RidNacs-3.0-Setup.exe

Full analysis: https://app.any.run/tasks/5fe3a307-4e40-4cc0-83c6-b058d5ed48f6
Verdict: Malicious activity
Analysis date: March 08, 2024, 07:42:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

C97223EDAF1DAB5ACA230A62DDCFEA8C

SHA1:

7735FFDFC7D9D6BA541EBF21DE441C874EBECB07

SHA256:

D9494C4A32B0CAA76E8559A129462834F1A90DD34CF206C21BD6F9366F908425

SSDEEP:

98304:J+cD4dnQ5QLhqfsihkOq+awMB/gQZ82LXRMVbUPaEsH3zOCsrRtF8VAi1NCI0QHS:TlyJwW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • RidNacs-3.0-Setup.exe (PID: 3700)
      • RidNacs-3.0-Setup.tmp (PID: 1876)
      • RidNacs-3.0-Setup.exe (PID: 3228)

    • Actions looks like stealing of personal data

      • RidNacs.exe (PID: 1696)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • RidNacs-3.0-Setup.exe (PID: 3700)
      • RidNacs-3.0-Setup.tmp (PID: 1876)
      • RidNacs-3.0-Setup.exe (PID: 3228)

    • Reads the Windows owner or organization settings

      • RidNacs-3.0-Setup.tmp (PID: 1876)

    • Non-standard symbols in registry

      • RidNacs-3.0-Setup.tmp (PID: 1876)

  • INFO

    • Create files in a temporary directory

      • RidNacs-3.0-Setup.exe (PID: 3700)
      • RidNacs-3.0-Setup.exe (PID: 3228)

    • Checks supported languages

      • RidNacs-3.0-Setup.exe (PID: 3700)
      • RidNacs-3.0-Setup.exe (PID: 3228)
      • RidNacs-3.0-Setup.tmp (PID: 3656)
      • RidNacs-3.0-Setup.tmp (PID: 1876)
      • RidNacs.exe (PID: 1696)
      • wmpnscfg.exe (PID: 2960)

    • Reads the computer name

      • RidNacs-3.0-Setup.tmp (PID: 1876)
      • RidNacs-3.0-Setup.tmp (PID: 3656)
      • RidNacs.exe (PID: 1696)
      • wmpnscfg.exe (PID: 2960)

    • Creates a software uninstall entry

      • RidNacs-3.0-Setup.tmp (PID: 1876)

    • Creates files in the program directory

      • RidNacs-3.0-Setup.tmp (PID: 1876)

    • Creates files or folders in the user directory

      • RidNacs.exe (PID: 1696)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 2960)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Inno Setup installer (53.5)
.exe | InstallShield setup (21)
.exe | Win32 EXE PECompact compressed (generic) (20.2)
.exe | Win32 Executable (generic) (2.1)
.exe | Win16/32 Executable Delphi generic (1)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:04:14 16:10:23+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 741888
InitializedDataSize: 89600
UninitializedDataSize: -
EntryPoint: 0xb5eec
OSVersion: 6.1
ImageVersion: 6
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 3.0.0.0
ProductVersionNumber: 3.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: This installation was built with Inno Setup.
CompanyName: Stephan Plath
FileDescription: RidNacs Setup
FileVersion: 3.0.0.0
LegalCopyright: Stephan Plath
OriginalFileName:
ProductName: RidNacs
ProductVersion: 3.0.0.0
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
6
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start ridnacs-3.0-setup.exe ridnacs-3.0-setup.tmp no specs ridnacs-3.0-setup.exe ridnacs-3.0-setup.tmp ridnacs.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1696"C:\Program Files\RidNacs\RidNacs.exe"C:\Program Files\RidNacs\RidNacs.exe
RidNacs-3.0-Setup.tmp
User:
admin
Integrity Level:
MEDIUM
Description:
RidNacs
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\program files\ridnacs\ridnacs.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
1876"C:\Users\admin\AppData\Local\Temp\is-KHL38.tmp\RidNacs-3.0-Setup.tmp" /SL5="$100130,2013463,832512,C:\Users\admin\AppData\Local\Temp\RidNacs-3.0-Setup.exe" /SPAWNWND=$18013E /NOTIFYWND=$E0170 C:\Users\admin\AppData\Local\Temp\is-KHL38.tmp\RidNacs-3.0-Setup.tmp
RidNacs-3.0-Setup.exe
User:
admin
Company:
Stephan Plath
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-khl38.tmp\ridnacs-3.0-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2960"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3228"C:\Users\admin\AppData\Local\Temp\RidNacs-3.0-Setup.exe" /SPAWNWND=$18013E /NOTIFYWND=$E0170 C:\Users\admin\AppData\Local\Temp\RidNacs-3.0-Setup.exe
RidNacs-3.0-Setup.tmp
User:
admin
Company:
Stephan Plath
Integrity Level:
HIGH
Description:
RidNacs Setup
Exit code:
0
Version:
3.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\ridnacs-3.0-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3656"C:\Users\admin\AppData\Local\Temp\is-VUCMK.tmp\RidNacs-3.0-Setup.tmp" /SL5="$E0170,2013463,832512,C:\Users\admin\AppData\Local\Temp\RidNacs-3.0-Setup.exe" C:\Users\admin\AppData\Local\Temp\is-VUCMK.tmp\RidNacs-3.0-Setup.tmpRidNacs-3.0-Setup.exe
User:
admin
Company:
Stephan Plath
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-vucmk.tmp\ridnacs-3.0-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mpr.dll
c:\windows\system32\comdlg32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3700"C:\Users\admin\AppData\Local\Temp\RidNacs-3.0-Setup.exe" C:\Users\admin\AppData\Local\Temp\RidNacs-3.0-Setup.exe
explorer.exe
User:
admin
Company:
Stephan Plath
Integrity Level:
MEDIUM
Description:
RidNacs Setup
Exit code:
0
Version:
3.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\ridnacs-3.0-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
4 195
Read events
4 164
Write events
25
Delete events
6

Modification events

(PID) Process:(1876) RidNacs-3.0-Setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Owner
Value:
54070000C4E260472C71DA01
(PID) Process:(1876) RidNacs-3.0-Setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:SessionHash
Value:
5C48D8FC31821091B8ABF07E93CC097BF416ACE30696F0630AE39EA47273C18A
(PID) Process:(1876) RidNacs-3.0-Setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:Sequence
Value:
1
(PID) Process:(1876) RidNacs-3.0-Setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:RegFiles0000
Value:
C:\Program Files\RidNacs\RidNacs.exe
(PID) Process:(1876) RidNacs-3.0-Setup.tmpKey:HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation:writeName:RegFilesHash
Value:
8DB2CF3352F4EDF17EDA002A20E912F72179D34F71F2BBACB445F07D5EC0541D
(PID) Process:(1876) RidNacs-3.0-Setup.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RidNacs_is1
Operation:writeName:Inno Setup: Setup Version
Value:
6.2.1
(PID) Process:(1876) RidNacs-3.0-Setup.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RidNacs_is1
Operation:writeName:Inno Setup: App Path
Value:
C:\Program Files\RidNacs
(PID) Process:(1876) RidNacs-3.0-Setup.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RidNacs_is1
Operation:writeName:InstallLocation
Value:
C:\Program Files\RidNacs\
(PID) Process:(1876) RidNacs-3.0-Setup.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RidNacs_is1
Operation:writeName:Inno Setup: Icon Group
Value:
RidNacs
(PID) Process:(1876) RidNacs-3.0-Setup.tmpKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RidNacs_is1
Operation:writeName:Inno Setup: User
Value:
admin
Executable files
6
Suspicious files
8
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
1876RidNacs-3.0-Setup.tmpC:\Program Files\RidNacs\locale\de\LC_MESSAGES\is-SGD1U.tmpbinary
MD5:D653BDCBB7242743B7AB566232CB5F42
SHA256:7A3F501440DE29F71246F54803B8DE2D8FA86A3378FAB3E1EDE61D4EFED8C817
1876RidNacs-3.0-Setup.tmpC:\Program Files\RidNacs\license.rtftext
MD5:F4663786B771534D00DDF4A7A886C819
SHA256:11F41108A858AAD69BA9C902D196192A14C30D4DADE37FDC4FF7E04FCE9088A7
3700RidNacs-3.0-Setup.exeC:\Users\admin\AppData\Local\Temp\is-VUCMK.tmp\RidNacs-3.0-Setup.tmpexecutable
MD5:392BD695CFB280E1B8145FB7A91805AD
SHA256:914B4441CA44E23B9070A8CB3026BB9AC5222A6279C94FCC87CB55E13266C403
1876RidNacs-3.0-Setup.tmpC:\Program Files\RidNacs\is-VIKKA.tmptext
MD5:E3F0EA9D58A8786437F55FCA76B0671A
SHA256:A236D417B8B675703BD4D513D5F23D16579BEA1EA8BA9E9C993987AE85AB4846
1876RidNacs-3.0-Setup.tmpC:\Program Files\RidNacs\locale\is-5N23A.tmpbinary
MD5:8986C33DBCE3F5DA27DADB792942017F
SHA256:99D1D831E0A26DC91ED5256F203A905B4CED253B435274B2547919E2DFA219BA
1876RidNacs-3.0-Setup.tmpC:\Program Files\RidNacs\lizenz.rtftext
MD5:E3F0EA9D58A8786437F55FCA76B0671A
SHA256:A236D417B8B675703BD4D513D5F23D16579BEA1EA8BA9E9C993987AE85AB4846
1876RidNacs-3.0-Setup.tmpC:\Program Files\RidNacs\is-BAG5E.tmptext
MD5:F4663786B771534D00DDF4A7A886C819
SHA256:11F41108A858AAD69BA9C902D196192A14C30D4DADE37FDC4FF7E04FCE9088A7
1876RidNacs-3.0-Setup.tmpC:\Program Files\RidNacs\locale\rtl.mobinary
MD5:8986C33DBCE3F5DA27DADB792942017F
SHA256:99D1D831E0A26DC91ED5256F203A905B4CED253B435274B2547919E2DFA219BA
1876RidNacs-3.0-Setup.tmpC:\Program Files\RidNacs\is-6AO34.tmpexecutable
MD5:590FC3376F7EF56DD090A0754688C9E0
SHA256:C17B02B1B8BFB8FD46C3F6E4C33608997351955F0790824A50E6C0811F17FE5F
1876RidNacs-3.0-Setup.tmpC:\Program Files\RidNacs\is-DUH9O.tmpexecutable
MD5:0433EFF2EFBBFCA611950CAB4A1F6200
SHA256:0C3E2971E0B5321BF854F59A0A0AA82800D55BAC6E7052B8C6FA9B4C10411FF2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
224.0.0.252:5355
unknown
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
Process
Message
RidNacs.exe
error - Couldn't read configuration file "C:\Program Files\RidNacs\log.cfg" - Datei C:\Program Files\RidNacs\log.cfg kann nicht geöffnet werden. The system cannot find the file specified
RidNacs.exe
error - Ignoring configuration file "C:\Program Files\RidNacs\log.cfg"
RidNacs.exe
OnCreate1: 0.002 s
RidNacs.exe
OnCreate3: 0.035 s
RidNacs.exe
OnCreate4: 0.073 s
RidNacs.exe
OnCreate5: 0.074 s
RidNacs.exe
Refresh3: 0.003 s
RidNacs.exe
OnCreate9: 0.081 s
RidNacs.exe
140 [1692] info RidNacs - CmdLine: "C:\Program Files\RidNacs\RidNacs.exe"
RidNacs.exe
OnCreate8: 0.076 s
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
RidNacs-3.0-Setup.exe