| File name: | dd1235b8d2d04e02070cc1d7083af1bacddde6bb071678e0c16ff5e40a3b74d5.exe |
| Full analysis: | https://app.any.run/tasks/5fd95703-7d40-43f8-b39e-ddd55b51c969 |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | January 02, 2025, 07:50:25 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections |
| MD5: | E004E5FA086DD1D19FE194FA9B0DCC9C |
| SHA1: | 416BFC60B33CF8D5DD15F7860E88853DC0A14E9D |
| SHA256: | DD1235B8D2D04E02070CC1D7083AF1BACDDDE6BB071678E0C16FF5E40A3B74D5 |
| SSDEEP: | 12288:PNg483REehdznMEj5cT9C4GAl+2o2hx9c7Aa7v+Jv4dotdWVSRQFzg:PshxoNl+Mhx9c7z7vQ4dOdWVSRQFM |
MALICIOUS
Executing a file with an untrusted certificate
- dd1235b8d2d04e02070cc1d7083af1bacddde6bb071678e0c16ff5e40a3b74d5.exe (PID: 6428)
SOLIMBA has been detected (SURICATA)
- s1036.exe (PID: 6632)
SUSPICIOUS
Reads security settings of Internet Explorer
- dd1235b8d2d04e02070cc1d7083af1bacddde6bb071678e0c16ff5e40a3b74d5.exe (PID: 6588)
- s1036.exe (PID: 6632)
Executable content was dropped or overwritten
- dd1235b8d2d04e02070cc1d7083af1bacddde6bb071678e0c16ff5e40a3b74d5.exe (PID: 6588)
Write to the desktop.ini file (may be used to cloak folders)
- s1036.exe (PID: 6632)
Access to an unwanted program domain was detected
- s1036.exe (PID: 6632)
INFO
Reads the computer name
- dd1235b8d2d04e02070cc1d7083af1bacddde6bb071678e0c16ff5e40a3b74d5.exe (PID: 6588)
- s1036.exe (PID: 6632)
Checks supported languages
- s1036.exe (PID: 6632)
- dd1235b8d2d04e02070cc1d7083af1bacddde6bb071678e0c16ff5e40a3b74d5.exe (PID: 6588)
Create files in a temporary directory
- dd1235b8d2d04e02070cc1d7083af1bacddde6bb071678e0c16ff5e40a3b74d5.exe (PID: 6588)
Process checks computer location settings
- dd1235b8d2d04e02070cc1d7083af1bacddde6bb071678e0c16ff5e40a3b74d5.exe (PID: 6588)
The process uses the downloaded file
- dd1235b8d2d04e02070cc1d7083af1bacddde6bb071678e0c16ff5e40a3b74d5.exe (PID: 6588)
Reads the machine GUID from the registry
- s1036.exe (PID: 6632)
Reads Environment values
- s1036.exe (PID: 6632)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (42.2) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (37.3) |
| .dll | | | Win32 Dynamic Link Library (generic) (8.8) |
| .exe | | | Win32 Executable (generic) (6) |
| .exe | | | Generic Win/DOS Executable (2.7) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2014:04:25 10:04:04+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 10 |
| CodeSize: | 119808 |
| InitializedDataSize: | 385024 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xef44 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 3.1.10.30 |
| ProductVersionNumber: | 3.1.10.0 |
| FileFlagsMask: | 0x0017 |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| CompanyName: | pinstaller |
| FileDescription: | pinstaller |
| FileVersion: | 3.1.10.30 |
| InternalName: | psetup.exe |
| LegalCopyright: | Copyright ©2014 |
| OriginalFileName: | pinstaller.exe |
| ProductVersion: | 3.1.10 |
Total processes
121
Monitored processes
4
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2192 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6428 | "C:\Users\admin\Desktop\dd1235b8d2d04e02070cc1d7083af1bacddde6bb071678e0c16ff5e40a3b74d5.exe" | C:\Users\admin\Desktop\dd1235b8d2d04e02070cc1d7083af1bacddde6bb071678e0c16ff5e40a3b74d5.exe | — | explorer.exe | |||||||||||
User: admin Company: pinstaller Integrity Level: MEDIUM Description: pinstaller Exit code: 3221226540 Version: 3.1.10.30 Modules
| |||||||||||||||
| 6588 | "C:\Users\admin\Desktop\dd1235b8d2d04e02070cc1d7083af1bacddde6bb071678e0c16ff5e40a3b74d5.exe" | C:\Users\admin\Desktop\dd1235b8d2d04e02070cc1d7083af1bacddde6bb071678e0c16ff5e40a3b74d5.exe | explorer.exe | ||||||||||||
User: admin Company: pinstaller Integrity Level: HIGH Description: pinstaller Exit code: 0 Version: 3.1.10.30 Modules
| |||||||||||||||
| 6632 | "C:\Users\admin\AppData\Local\Temp\n1036\s1036.exe" ins.exe /e 12385296 /u 52fe2c91-49dc-40b7-b209-1f140a000013 /v "C:\Users\admin\Desktop\dd1235b8d2d04e02070cc1d7083af1bacddde6bb071678e0c16ff5e40a3b74d5.exe" | C:\Users\admin\AppData\Local\Temp\n1036\s1036.exe | dd1235b8d2d04e02070cc1d7083af1bacddde6bb071678e0c16ff5e40a3b74d5.exe | ||||||||||||
User: admin Company: Installer Integrity Level: HIGH Description: InstallApps Exit code: 23 Version: 3.1.10 Modules
| |||||||||||||||
Total events
1 273
Read events
1 273
Write events
0
Delete events
0
Modification events
Executable files
1
Suspicious files
1
Text files
0
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6632 | s1036.exe | C:\Windows\assembly\Desktop.ini | binary | |
MD5:F7F759A5CD40BC52172E83486B6DE404 | SHA256:A709C2551B8818D7849D31A65446DC2F8C4CCA2DCBBC5385604286F49CFDAF1C | |||
| 6588 | dd1235b8d2d04e02070cc1d7083af1bacddde6bb071678e0c16ff5e40a3b74d5.exe | C:\Users\admin\AppData\Local\Temp\n1036\s1036.exe | executable | |
MD5:A5F96448B94C4CBDB67CAB9144084305 | SHA256:3EE1A236436E1BB2D84BC1D586560E7450444828A9C86AF7F3C09654A54061B4 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
20
DNS requests
7
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
6068 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6068 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6632 | s1036.exe | POST | 200 | 13.248.148.254:80 | http://api.socdn.com/installer/52fe2c91-49dc-40b7-b209-1f140a000013/12385296/event | unknown | — | — | malicious |
6632 | s1036.exe | GET | 200 | 13.248.148.254:80 | http://api.socdn.com/installer/52fe2c91-49dc-40b7-b209-1f140a000013/12385296/config | unknown | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 192.168.100.255:137 | — | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
6068 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
6068 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 2.16.164.120:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted |
6068 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
4712 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted |
6068 | svchost.exe | 13.71.55.58:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IN | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
api.socdn.com |
| malicious |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
6632 | s1036.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User-Agent (DownloadMR) |
6632 | s1036.exe | A Network Trojan was detected | ET USER_AGENTS Suspicious User-Agent (DownloadMR) |
6632 | s1036.exe | Generic Protocol Command Decode | SURICATA HTTP status 100-Continue already seen |
2 ETPRO signatures available at the full report