File name: cloudwerx-setup.exe
Full analysis: https://app.any.run/tasks/233f5718-8d43-4534-9efd-5b7b6b083819
Verdict: Malicious activity
Analysis date: March 26, 2024, 17:33:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 28D2111F929084DFC71FB1DAD014EAB1
SHA1: 825965EBC6D94A0E4F5171EA859A3B9D9C6D556A
SHA256: E079883BCFB3E2994C1F34241B58B4C8E28202E4337D99A6FD47CCA3C6B70D86
SSDEEP: 3072:aJd68xc9pT+M7VVvtEYg3v6xQIStJuMjIctyfQD1:o68GT+yVvtvnS6kyID1

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore have been influenced by the analyst's own actions and is provided as is, for information only. ANY.RUN does not guarantee that the content is malicious or safe.
MALICIOUS
  • Drops the executable file immediately after the start: cloudwerx-setup.exe (PID: 2292)
  • Accesses environment variables (SCRIPT): wscript.exe (PID: 3540), wscript.exe (PID: 2244)
  • Reads the value of a key from the registry (SCRIPT): wscript.exe (PID: 2244), wscript.exe (PID: 3540)
  • Changes the autorun value in the registry: reg.exe (PID: 1556)
  • Creates a new registry key or changes the value of an existing one (SCRIPT): wscript.exe (PID: 3540)
  • Gets %windir% folder path (SCRIPT): wscript.exe (PID: 3540)
SUSPICIOUS
  • Process drops a legitimate Windows executable: cloudwerx-setup.exe (PID: 2292)
  • Starts CMD.EXE for command execution: cloudwerx-setup.exe (PID: 2292), cmd.exe (PID: 956)
  • Executes commands from a ".bat" file: cloudwerx-setup.exe (PID: 2292), cmd.exe (PID: 956)
  • Application launched itself: cmd.exe (PID: 956)
  • Uses REG/REGEDIT.EXE to modify the registry: cmd.exe (PID: 2064), cmd.exe (PID: 956)
  • Creates a FileSystem object to access the computer's file system (SCRIPT): wscript.exe (PID: 3540), wscript.exe (PID: 2244)
  • Reads the Internet Settings: wscript.exe (PID: 3540)
  • The process executes VB scripts: cmd.exe (PID: 956)
  • Checks whether a specific file exists (SCRIPT): wscript.exe (PID: 3540)
  • Creates a software uninstall entry: cloudwerx-setup.exe (PID: 2292)
INFO
  • Reads the computer name: cloudwerx-setup.exe (PID: 2292)
  • Checks supported languages: cloudwerx-setup.exe (PID: 2292), CertMgr.Exe (PID: 2728)
  • Creates files in a temporary directory: cloudwerx-setup.exe (PID: 2292)
  • Creates files in the program directory: cloudwerx-setup.exe (PID: 2292)
  • Reads the machine GUID from the registry: CertMgr.Exe (PID: 2728)

Analyst note: every MALICIOUS-rated signature above is a generic heuristic (an autorun value written with reg.exe, registry and environment access from wscript.exe) that an ordinary NSIS installer with a VBS helper also triggers. The report records no HTTP requests, no DNS requests and no network threats, and the installer drops its own install.bat and uninstall.bat and registers an uninstall entry, so the verdict should be confirmed against the vendor's published hashes and the file's Authenticode signature (not shown in this report) rather than read off the signature count. Two changes are worth reviewing on any host where this ran: the CloudwerxRegUpdater.vbs autorun value, and the HKCU ZoneMap writes that place cloudwerx.com hosts in the Trusted sites zone. CertMgr.Exe and a Digi-Root-CA.cer file are dropped together, but the command line CertMgr.Exe ran with is not in this excerpt, so whether a root certificate was installed cannot be confirmed here.
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (67.4)
.dll | Win32 Dynamic Link Library (generic) (14.2)
.exe | Win32 Executable (generic) (9.7)
.exe | Generic Win/DOS Executable (4.3)
.exe | DOS Executable Generic (4.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2017:08:01 00:34:02+00:00 (the link time of the precompiled NSIS stub, not of this build; the version string below reads 2020060101)
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 25600
InitializedDataSize: 162816
UninitializedDataSize: 1024
EntryPoint: 0x31f1
OSVersion: 4
ImageVersion: 6
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 6.0.0.0
ProductVersionNumber: 6.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Windows, Latin1
Comments: Cloudwerx Plugin 6.0 (2020060101)
CompanyName: QHR Technologies Inc.
FileDescription: Cloudwerx Plugin 6.0 (2020060101)
FileVersion: 6.0 (2020060101)
LegalCopyright: Copyright (C) 2011-2017 QHR Technologies Inc.
LegalTrademarks: -
ProductName: Cloudwerx Plugin
Total processes: 73 | Monitored processes: 34 | Malicious processes: 5 | Suspicious processes: 1

Behavior graph

Processes in launch order ("no specs" means the process raised no indicator): cloudwerx-setup.exe, cmd.exe (no specs), cmd.exe (no specs), reg.exe ×20 (no specs), certmgr.exe (no specs), reg.exe ×2 (no specs), wscript.exe (no specs), reg.exe (flagged; PID 1556 is the only reg.exe with an indicator), wscript.exe (no specs), reg.exe ×4 (no specs), cloudwerx-setup.exe (no specs)

Process information

Each entry gives PID, image path, parent process, command line and process metadata. Where a REG DELETE ... /f below exits with code 1, reg.exe found no key or value to delete: those commands come from uninstall.bat (PID 2064, launched from install.bat) and had nothing to remove on the clean sandbox image.
PID 956 | image: C:\Windows\System32\cmd.exe | parent: cloudwerx-setup.exe
CMD: "C:\Windows\system32\cmd.exe" /c install.bat >"C:\Windows\Temp\CloudwerxPlugin-install.log" 2>&1
User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID 1556 | image: C:\Windows\System32\reg.exe | parent: cmd.exe
CMD: REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "CloudwerxRegUpdater" /t REG_SZ /d "\"C:\Windows\System32\wscript.exe\" \"C:\Program Files\Cloudwerx\CloudwerxPlugin\CloudwerxRegUpdater.vbs\"" /f
User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Registry Console Tool | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID 1644 | image: C:\Windows\System32\reg.exe | parent: cmd.exe
CMD: REG DELETE "HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList" /v "citrix-ca3.cloudwerx.com" /f
User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Registry Console Tool | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID 1768 | image: C:\Windows\System32\reg.exe | parent: cmd.exe
CMD: REG DELETE "HKLM\Software\Wow6432Node\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList" /v "cag.cloudwerx.com" /f
User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Registry Console Tool | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID 1928 | image: C:\Windows\System32\reg.exe | parent: cmd.exe
CMD: REG DELETE "HKCU\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList" /v "citrix.cloudwerx.com" /f
User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Registry Console Tool | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID 1972 | image: C:\Windows\System32\reg.exe | parent: cmd.exe
CMD: REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cloudwerx.com" /f
User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Registry Console Tool | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID 2000 | image: C:\Windows\System32\reg.exe | parent: cmd.exe
CMD: REG DELETE "HKLM\Software\Policies\Microsoft\Internet Explorer\BrowserEmulation\PolicyList" /v "cloudwerx.com" /f
User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Registry Console Tool | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID 2064 | image: C:\Windows\System32\cmd.exe | parent: cmd.exe
CMD: "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Cloudwerx\CloudwerxPlugin\uninstall.bat"
User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID 2072 | image: C:\Windows\System32\reg.exe | parent: cmd.exe
CMD: REG DELETE "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "CitrixSiteCompatibility" /f
User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Registry Console Tool | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID 2096 | image: C:\Windows\System32\reg.exe | parent: cmd.exe
CMD: REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\AutoUpdate\Commandline Policy" /v "Auto-Update-LTSR-Only" /t REG_SZ /d "false" /f
User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Registry Console Tool | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
(The WOW6432Node path shows the script is written for 64-bit hosts; on this 32-bit guest there is no registry redirection, so the key is simply created literally.)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 3 318 | Read events: 3 261 | Write events: 55 | Delete events: 2

Modification events

Each row: (PID) process | key | operation | value name = data

(2168) reg.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | delete value | CitrixSiteCompatibility
(3684) reg.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | delete value | CloudwerxRegUpdater
(2592) reg.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers | write | C:\Program Files\Citrix\ICA Client\wfica32.exe = ~ HIGHDPIAWARE
(2240) reg.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers | write | C:\Program Files (x86)\Citrix\ICA Client\wfica32.exe = ~ HIGHDPIAWARE
(1556) reg.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | write | CloudwerxRegUpdater = "C:\Windows\System32\wscript.exe" "C:\Program Files\Cloudwerx\CloudwerxPlugin\CloudwerxRegUpdater.vbs"
(3540) wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cloudwerx.com\citrix | write | https = 2
(3540) wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cloudwerx.com\citrix-ca | write | https = 2
(3540) wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cloudwerx.com\citrix-ca-legacy | write | https = 2
(3540) wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cloudwerx.com\citrix-sdm | write | https = 2
(3540) wscript.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cloudwerx.com\citrix-ca1 | write | https = 2

A ZoneMap data value of 2 is the Trusted sites zone, so the five wscript.exe writes put https://citrix.cloudwerx.com, citrix-ca.cloudwerx.com, citrix-ca-legacy.cloudwerx.com, citrix-sdm.cloudwerx.com and citrix-ca1.cloudwerx.com into the current user's Trusted sites list, where Internet Explorer applies relaxed security settings. The CloudwerxRegUpdater autorun value is deleted (PID 3684) and then written again (PID 1556), consistent with install.bat running uninstall.bat before applying its own settings. The AppCompatFlags\Layers writes only mark wfica32.exe as high-DPI aware.
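The two registry changes that matter in this report, the HKLM Run value written by reg.exe (PID 1556, shown in the process list) and the HKCU ZoneMap writes by wscript.exe (PID 3540, shown in the modification events), can be pulled out of a report like this mechanically. The Python below is an added triage helper, not ANY.RUN code and not part of the Cloudwerx installer: it parses REG ADD/DELETE command lines and modification-event rows, normalises the hive name, and classifies changes to Run/RunOnce keys (ATT&CK T1547.001) and to Internet Settings\ZoneMap. The sample command lines and events are transcribed from the sections above; the finding labels, regexes and function names are this example's own.

```python
"""Classify registry operations from a sandbox report (added triage example)."""
import re
from dataclasses import dataclass
from typing import Optional

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
         "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}
# ZoneMap data value -> Internet Explorer security zone (the documented URL zone ids)
ZONES = {"0": "My Computer", "1": "Local intranet", "2": "Trusted sites",
         "3": "Internet", "4": "Restricted sites"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
ZONEMAP_RE = re.compile(r"\\ZoneMap\\Domains\\([^\\]+)(?:\\([^\\]+))?$", re.I)


@dataclass
class RegOp:
    op: str              # "add" (write) or "delete"
    key: str             # hive-normalised key path
    name: Optional[str]  # value name; None when the whole key is targeted
    data: Optional[str]  # data written; None for deletes


def tokenize(cmd: str) -> list:
    """Split a Windows command line: whitespace separates arguments, double quotes
    group them, and backslash-quote inside a quoted run is a literal quote (the
    form reg.exe shows for the Run value's data in the process list)."""
    tokens, cur, quoted, i = [], [], False, 0
    while i < len(cmd):
        c = cmd[i]
        if c == "\\" and i + 1 < len(cmd) and cmd[i + 1] == '"':
            cur.append('"')
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif c.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(c)
        i += 1
    if cur:
        tokens.append("".join(cur))
    return tokens


def normalize_key(key: str) -> str:
    """HKEY_LOCAL_MACHINE\\... and HKLM\\... compare equal after this."""
    hive, sep, rest = key.partition("\\")
    return HIVES.get(hive.upper(), hive.upper()) + sep + rest


def parse_reg_cmdline(cmd: str) -> Optional[RegOp]:
    """Turn `REG ADD|DELETE <key> [/v name] [/t type] [/d data] [/f]` into a RegOp."""
    t = tokenize(cmd)
    if len(t) < 3 or t[0].upper() != "REG" or t[1].upper() not in ("ADD", "DELETE"):
        return None
    name = data = None
    for i in range(3, len(t) - 1):
        if t[i].lower() == "/v":
            name = t[i + 1]
        elif t[i].lower() == "/d":
            data = t[i + 1]
    return RegOp(t[1].lower(), normalize_key(t[2]), name, data)


def from_modification_event(key: str, operation: str, name: str, value: str) -> RegOp:
    """Modification-event rows use 'write' or 'delete value' as the operation."""
    op = "delete" if operation.lower().startswith("delete") else "add"
    return RegOp(op, normalize_key(key), name or None, value or None)


def classify(op: RegOp) -> Optional[str]:
    """A finding for autorun or ZoneMap changes, None for anything else."""
    if RUN_KEY_RE.search(op.key):
        if op.op == "add":
            return f"persistence: autorun value {op.name!r} in {op.key} -> {op.data} (ATT&CK T1547.001)"
        return f"cleanup: autorun value {op.name!r} removed from {op.key}"
    m = ZONEMAP_RE.search(op.key)
    if m:
        host = ".".join(p for p in (m.group(2), m.group(1)) if p)
        if op.op == "add":
            zone = ZONES.get(op.data or "", "unknown zone")
            return f"browser trust: {op.name}://{host} placed in IE zone '{zone}' ({op.data})"
        return f"cleanup: IE zone entry for {host} removed"
    return None


# Constructed sample input, transcribed from this report: (PID, image, command line)
SAMPLE_PROCESSES = [
    (1556, "reg.exe", r'REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v "CloudwerxRegUpdater" /t REG_SZ /d "\"C:\Windows\System32\wscript.exe\" \"C:\Program Files\Cloudwerx\CloudwerxPlugin\CloudwerxRegUpdater.vbs\"" /f'),
    (1972, "reg.exe", r'REG DELETE "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cloudwerx.com" /f'),
    (2072, "reg.exe", r'REG DELETE "HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run" /v "CitrixSiteCompatibility" /f'),
    (2096, "reg.exe", r'REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Citrix\ICA Client\AutoUpdate\Commandline Policy" /v "Auto-Update-LTSR-Only" /t REG_SZ /d "false" /f'),
]
# Constructed sample input from the modification events: (PID, image, key, operation, name, data)
SAMPLE_EVENTS = [
    (3540, "wscript.exe", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\cloudwerx.com\citrix", "write", "https", "2"),
    (2592, "reg.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers", "write", r"C:\Program Files\Citrix\ICA Client\wfica32.exe", "~ HIGHDPIAWARE"),
]


def triage(processes=SAMPLE_PROCESSES, events=SAMPLE_EVENTS) -> list:
    """Findings as (pid, image, text). Command lines that are not REG ADD/DELETE,
    and changes outside the watched keys, produce nothing."""
    findings = []
    for pid, image, cmd in processes:
        op = parse_reg_cmdline(cmd)
        text = classify(op) if op else None
        if text:
            findings.append((pid, image, text))
    for pid, image, key, operation, name, value in events:
        text = classify(from_modification_event(key, operation, name, value))
        if text:
            findings.append((pid, image, text))
    return findings


if __name__ == "__main__":
    for pid, image, text in triage():
        print(f"{pid:>5} {image:<12} {text}")
```

Run as a script it prints four findings: the persistence write by PID 1556, the two cleanup deletes (PIDs 1972 and 2072), and the Trusted sites entry for https://citrix.cloudwerx.com from PID 3540; the Citrix AutoUpdate value and the AppCompat layer write are ignored. The tokenizer exists because the Run value's data contains escaped quotes inside a quoted argument, which a naive split on spaces mangles.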
Executable files: 6 | Suspicious files: 0 | Text files: 8 | Unknown types: 0

Dropped files

All dropped by PID 2292 (cloudwerx-setup.exe); filename (type):
C:\Users\admin\AppData\Local\Temp\nsx216E.tmp\ioB.ini (text)
C:\Users\admin\AppData\Local\Temp\nsx216E.tmp\UserInfo.dll (executable)
C:\Users\admin\AppData\Local\Temp\nsx216E.tmp\ioSpecial.ini (text)
C:\Users\admin\AppData\Local\Temp\nsx216E.tmp\modern-wizard.bmp (image)
C:\Users\admin\AppData\Local\Temp\nsx216E.tmp\InstallOptions.dll (executable)
C:\Program Files\Cloudwerx\CloudwerxPlugin\CertMgr.Exe (executable)
C:\Program Files\Cloudwerx\CloudwerxPlugin\CloudwerxRegUpdater.vbs (text)
C:\Program Files\Cloudwerx\CloudwerxPlugin\Digi-Root-CA.cer (text)
C:\Program Files\Cloudwerx\CloudwerxPlugin\HKLM_KB3140245.vbs (text)
C:\Program Files\Cloudwerx\CloudwerxPlugin\install.bat (text)

MD5 and SHA256 values for the dropped files are not included in this excerpt. The nsx216E.tmp entries (UserInfo.dll, InstallOptions.dll, ioSpecial.ini, modern-wizard.bmp) are standard NSIS plugin and Modern UI artifacts; the Program Files entries are the payload worth hashing and reading, in particular CloudwerxRegUpdater.vbs (the autorun target), HKLM_KB3140245.vbs, install.bat and the Digi-Root-CA.cer dropped next to CertMgr.Exe.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0 | TCP/UDP connections: 4 | DNS requests: 0 | Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Reputation (the Domain, ASN and CN columns were empty for every row)
4 | System | 192.168.100.255:137 | whitelisted
(not recorded) | (not recorded) | 224.0.0.252:5355 | unknown
4 | System | 192.168.100.255:138 | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | unknown

All four are Windows background traffic on the sandbox LAN: NetBIOS name and datagram broadcasts on UDP 137/138 from the System process and LLMNR multicast to 224.0.0.252:5355. None of it originates from the sample's own processes.

DNS requests

No data

Threats

No threats detected
No debug info