| download: | /InstallSetup.exe |
| Full analysis: | https://app.any.run/tasks/da749f31-9ce6-4868-aff9-17dcbba42c46 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | January 29, 2024, 10:33:54 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 2D7D2BB1ABFDDD1B311CEB66AF30F191 |
| SHA1: | C7842BC21D0AD5542FDCCB75BD50D4906F4751D6 |
| SHA256: | D9C69816853AA37860C69A0FFC570EC762A3672CB33625D2CFA96F875CC7C98A |
| SSDEEP: | 12288:6mitnE/AsgmV9cmjm+Q0nl6O9TZdxiSXo3Tq7toGZV/V9+VVMzmVFVOVlV0:titsLVljA0nl6O9LxiSXo0W |
MALICIOUS
Drops the executable file immediately after the start
- InstallSetup.exe (PID: 1380)
STEALC has been detected (SURICATA)
- u12c.0.exe (PID: 1172)
Connects to the CnC server
- u12c.0.exe (PID: 1172)
Steals credentials from Web Browsers
- u12c.1.exe (PID: 3416)
Actions looks like stealing of personal data
- u12c.1.exe (PID: 3416)
SUSPICIOUS
Executable content was dropped or overwritten
- InstallSetup.exe (PID: 1380)
Reads the Internet Settings
- InstallSetup.exe (PID: 1380)
- u12c.0.exe (PID: 1172)
Windows Defender mutex has been found
- u12c.0.exe (PID: 1172)
Starts application with an unusual extension
- cmd.exe (PID: 2544)
Starts CMD.EXE for commands execution
- u12c.1.exe (PID: 3416)
Write to the desktop.ini file (may be used to cloak folders)
- u12c.1.exe (PID: 3416)
Starts application from unusual location
- cmd.exe (PID: 3380)
Executing commands from a ".bat" file
- u12c.1.exe (PID: 3416)
Process requests binary or script from the Internet
- InstallSetup.exe (PID: 1380)
Connects to the server without a host name
- InstallSetup.exe (PID: 1380)
INFO
Reads the computer name
- InstallSetup.exe (PID: 1380)
- u12c.0.exe (PID: 1172)
- u12c.1.exe (PID: 3416)
Checks supported languages
- InstallSetup.exe (PID: 1380)
- u12c.0.exe (PID: 1172)
- chcp.com (PID: 3020)
- u12c.1.exe (PID: 3416)
Create files in a temporary directory
- InstallSetup.exe (PID: 1380)
Checks proxy server information
- u12c.0.exe (PID: 1172)
Reads the machine GUID from the registry
- u12c.0.exe (PID: 1172)
Creates files or folders in the user directory
- u12c.1.exe (PID: 3416)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:02:03 08:07:57+01:00 |
| ImageFileCharacteristics: | No relocs, Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 10 |
| CodeSize: | 363520 |
| InitializedDataSize: | 169984 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x2bcd |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 86.0.0.0 |
| ProductVersionNumber: | 63.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | Debug, Pre-release, Patched, Private build, Special build |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
Total processes
48
Monitored processes
8
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1172 | "C:\Users\admin\AppData\Local\Temp\u12c.0.exe" | C:\Users\admin\AppData\Local\Temp\u12c.0.exe | InstallSetup.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1380 | "C:\Users\admin\Desktop\InstallSetup.exe" | C:\Users\admin\Desktop\InstallSetup.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 2496 | schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F | C:\Windows\System32\schtasks.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2544 | C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\Temp\Task.bat" " | C:\Windows\System32\cmd.exe | — | u12c.1.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3000 | cmd /c rd /s /q c:\$Recycle.bin | C:\Windows\System32\cmd.exe | — | u12c.1.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 5 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3020 | chcp 1251 | C:\Windows\System32\chcp.com | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Change CodePage Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3380 | cmd /c rd /s /q c:\recycler | C:\Windows\System32\cmd.exe | — | u12c.1.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 2 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 3416 | "C:\Users\admin\AppData\Local\Temp\u12c.1.exe" | C:\Users\admin\AppData\Local\Temp\u12c.1.exe | InstallSetup.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Broom Exit code: 0 Version: 1.0.0.0 Modules
| |||||||||||||||
Total events
2 451
Read events
2 423
Write events
28
Delete events
0
Modification events
| (PID) Process: | (1380) InstallSetup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (1380) InstallSetup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (1380) InstallSetup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (1380) InstallSetup.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (1172) u12c.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (1172) u12c.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (1172) u12c.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (1172) u12c.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 460000005B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1172) u12c.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (1172) u12c.0.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
Executable files
3
Suspicious files
0
Text files
1
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1380 | InstallSetup.exe | C:\Users\admin\AppData\Local\Temp\u12c.1.exe | executable | |
MD5:5E94F0F6265F9E8B2F706F1D46BBD39E | SHA256:50A46B3120DA828502EF0CABA15DEFBAD004A3ADB88E6EACF1F9604572E2D503 | |||
| 1380 | InstallSetup.exe | C:\Users\admin\AppData\Local\Temp\u12c.0.exe | executable | |
MD5:22ABFF0AAA56C472EEDE86410C994D1F | SHA256:868131D07BA3FD0104598BFC82F08C0F31412D5610D09BCBDB9F283D9F6713A1 | |||
| 3416 | u12c.1.exe | C:\$RECYCLE.BIN\S-1-5-21-1302019708-1500728564-335382590-1000\desktop.ini | text | |
MD5:AD0B0B4416F06AF436328A3C12DC491B | SHA256:23521DE51CA1DB2BC7B18E41DE7693542235284667BF85F6C31902547A947416 | |||
| 3416 | u12c.1.exe | C:\Users\admin\AppData\Roaming\Temp\Task.bat | text | |
MD5:FB501777AD5B28DCA09A699F1A44AF99 | SHA256:D66A5ACC7A87718F84028CE983FACA0BCDCA211AAF97EB3D30E4D4C9684C6BD6 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
9
DNS requests
0
Threats
9
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1380 | InstallSetup.exe | GET | 200 | 5.42.64.33:80 | http://5.42.64.33/syncUpd.exe | unknown | executable | 336 Kb | unknown |
1380 | InstallSetup.exe | GET | 200 | 5.42.64.33:80 | http://5.42.64.33/ping.php?substr=0 | unknown | — | — | unknown |
1380 | InstallSetup.exe | GET | 200 | 185.172.128.90:80 | http://185.172.128.90/cpa/ping.php?substr=0&s=ab&sub=0 | unknown | binary | 1 b | unknown |
1172 | u12c.0.exe | POST | 200 | 185.172.128.79:80 | http://185.172.128.79/3886d2276f6914c4.php | unknown | text | 8 b | unknown |
1380 | InstallSetup.exe | GET | 200 | 185.172.128.109:80 | http://185.172.128.109/BroomSetup.exe | unknown | executable | 4.75 Mb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1380 | InstallSetup.exe | 185.172.128.90:80 | — | OOO Nadym Svyaz Service | RU | malicious |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1380 | InstallSetup.exe | 5.42.64.33:80 | — | CJSC Kolomna-Sviaz TV | RU | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1380 | InstallSetup.exe | 185.172.128.109:80 | — | OOO Nadym Svyaz Service | RU | unknown |
1172 | u12c.0.exe | 185.172.128.79:80 | — | OOO Nadym Svyaz Service | RU | unknown |
DNS requests
Threats
PID | Process | Class | Message |
|---|---|---|---|
1380 | InstallSetup.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
1380 | InstallSetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1380 | InstallSetup.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
1380 | InstallSetup.exe | Potentially Bad Traffic | ET INFO Executable Download from dotted-quad Host |
1380 | InstallSetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1380 | InstallSetup.exe | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
1172 | u12c.0.exe | Malware Command and Control Activity Detected | STEALER [ANY.RUN] Stealc |
1172 | u12c.0.exe | Malware Command and Control Activity Detected | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in |
1 ETPRO signatures available at the full report