File name:

install-interception.exe

Full analysis: https://app.any.run/tasks/1789e46f-dae3-425a-bf9a-52dc7465d7ba
Verdict: Malicious activity
Analysis date: July 04, 2024, 15:39:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows
MD5:

0F0B50D92E030B8965CE669C8058FA6E

SHA1:

257B3F0402285A29F4618B32958C208B3E9D4C4D

SHA256:

E137863A79DA797F08E7A137280FF2A123809044A888FD75CE9C973198915ABE

SSDEEP:

6144:+sglhAWORQG8O1dMDmJPjQy4xZWLUKc2y:+s4LjGvMk74+B4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • install-interception.exe (PID: 3192)
      • install-interception.exe (PID: 1788)

    • Creates a writable file in the system directory

      • install-interception.exe (PID: 1788)

  • SUSPICIOUS

    • Reads the Internet Settings

      • powershell.exe (PID: 740)

    • Creates files in the driver directory

      • install-interception.exe (PID: 1788)

    • Drops a system driver (possible attempt to evade defenses)

      • install-interception.exe (PID: 1788)

    • Executable content was dropped or overwritten

      • install-interception.exe (PID: 1788)

    • Creates or modifies Windows services

      • install-interception.exe (PID: 1788)

  • INFO

    • Checks supported languages

      • wmpnscfg.exe (PID: 2980)
      • install-interception.exe (PID: 3192)
      • install-interception.exe (PID: 1788)

    • Reads the computer name

      • wmpnscfg.exe (PID: 2980)

    • Manual execution by a user

      • powershell.exe (PID: 740)
      • wmpnscfg.exe (PID: 2980)
      • explorer.exe (PID: 3096)

    • Checks current location (POWERSHELL)

      • powershell.exe (PID: 740)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:03:24 23:52:36+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 29696
InitializedDataSize: 441344
UninitializedDataSize: -
EntryPoint: 0x614c
OSVersion: 6.1
ImageVersion: 6.1
SubsystemVersion: 5.1
Subsystem: Windows command line
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Francisco Lopes
FileDescription: Interception command line installation tool
FileVersion: 1.00 built by: WinDDK
InternalName: install-interception.exe
LegalCopyright: Copyright (C) 2008-2018 Francisco Lopes da Silva
OriginalFileName: install-interception.exe
ProductName: Interception
ProductVersion: 1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
54
Monitored processes
9
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start install-interception.exe explorer.exe no specs powershell.exe no specs wmpnscfg.exe no specs install-interception.exe no specs install-interception.exe no specs install-interception.exe no specs install-interception.exe install-interception.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
740"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
1788"C:\Users\admin\AppData\Local\Temp\install-interception.exe" /installC:\Users\admin\AppData\Local\Temp\install-interception.exe
powershell.exe
User:
admin
Company:
Francisco Lopes
Integrity Level:
HIGH
Description:
Interception command line installation tool
Exit code:
0
Version:
1.00 built by: WinDDK
Modules
Images
c:\users\admin\appdata\local\temp\install-interception.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
2524"C:\Users\admin\AppData\Local\Temp\install-interception.exe" /installC:\Users\admin\AppData\Local\Temp\install-interception.exepowershell.exe
User:
admin
Company:
Francisco Lopes
Integrity Level:
MEDIUM
Description:
Interception command line installation tool
Exit code:
3221226540
Version:
1.00 built by: WinDDK
Modules
Images
c:\users\admin\appdata\local\temp\install-interception.exe
c:\windows\system32\ntdll.dll
2980"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
3084"C:\Users\admin\AppData\Local\Temp\INSTAL~1.EXE" "C:\Users\admin\AppData\Local\Temp\install-interception.exe" /installC:\Users\admin\AppData\Local\Temp\install-interception.exepowershell.exe
User:
admin
Company:
Francisco Lopes
Integrity Level:
MEDIUM
Description:
Interception command line installation tool
Exit code:
3221226540
Version:
1.00 built by: WinDDK
Modules
Images
c:\users\admin\appdata\local\temp\install-interception.exe
c:\windows\system32\ntdll.dll
3088"C:\Users\admin\AppData\Local\Temp\install-interception.exe" /installC:\Users\admin\AppData\Local\Temp\install-interception.exepowershell.exe
User:
admin
Company:
Francisco Lopes
Integrity Level:
MEDIUM
Description:
Interception command line installation tool
Exit code:
3221226540
Version:
1.00 built by: WinDDK
Modules
Images
c:\users\admin\appdata\local\temp\install-interception.exe
c:\windows\system32\ntdll.dll
3096"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3192"C:\Users\admin\AppData\Local\Temp\install-interception.exe" C:\Users\admin\AppData\Local\Temp\install-interception.exe
explorer.exe
User:
admin
Company:
Francisco Lopes
Integrity Level:
HIGH
Description:
Interception command line installation tool
Exit code:
1
Version:
1.00 built by: WinDDK
Modules
Images
c:\users\admin\appdata\local\temp\install-interception.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\apphelp.dll
c:\windows\apppatch\acgenral.dll
3700"C:\Users\admin\AppData\Local\Temp\install-interception.exe" C:\Users\admin\AppData\Local\Temp\install-interception.exeexplorer.exe
User:
admin
Company:
Francisco Lopes
Integrity Level:
MEDIUM
Description:
Interception command line installation tool
Exit code:
3221226540
Version:
1.00 built by: WinDDK
Modules
Images
c:\users\admin\appdata\local\temp\install-interception.exe
c:\windows\system32\ntdll.dll
Total events
4 654
Read events
4 584
Write events
70
Delete events
0

Modification events

(PID) Process:(740) powershell.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(740) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(740) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(740) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(740) powershell.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1788) install-interception.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\keyboard
Operation:writeName:DisplayName
Value:
Keyboard Upper Filter Driver
(PID) Process:(1788) install-interception.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\keyboard
Operation:writeName:Type
Value:
1
(PID) Process:(1788) install-interception.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\keyboard
Operation:writeName:ErrorControl
Value:
1
(PID) Process:(1788) install-interception.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\keyboard
Operation:writeName:Start
Value:
3
(PID) Process:(1788) install-interception.exeKey:HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\mouse
Operation:writeName:DisplayName
Value:
Mouse Upper Filter Driver
Executable files
2
Suspicious files
5
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
740powershell.exeC:\Users\admin\AppData\Local\Temp\htkucjtn.pq3.ps1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
1788install-interception.exeC:\Windows\system32\drivers\mouse.sysexecutable
MD5:63CD86F720B000CF7CC75BB78CECBDC3
SHA256:548C86A06FDACC093E7A3B9A5484FFAE6F66D9676A05B7B7E8D666DA52DEFDC6
1788install-interception.exeC:\Windows\system32\drivers\keyboard.sysexecutable
MD5:08D1211820889F97D8A8796584D38EB9
SHA256:979F790B75860FC713C159740F00ED4A11E7BC785E417B3442F765FFEC4DDC36
740powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:8F53FC52AD45A1893E74613827DE0052
SHA256:3674C90C63B00076DEB5318DB20EB927C9FB24F00B2C31171784DD0F9B2A9800
740powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\95KO9CQM1L2BTGLYRR1T.tempbinary
MD5:8F53FC52AD45A1893E74613827DE0052
SHA256:3674C90C63B00076DEB5318DB20EB927C9FB24F00B2C31171784DD0F9B2A9800
740powershell.exeC:\Users\admin\AppData\Local\Temp\tsgctmte.ahr.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
740powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF57fd6.TMPbinary
MD5:0268C3470C936E6FBAC2945B9E1C2099
SHA256:DF2AF58E8879B48826D8A418ED3B02CC8D484BCFC231C5B7A11BD153ED3998E9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
10
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1372
svchost.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?33775f6043c93e33
unknown
1372
svchost.exe
GET
200
23.53.40.176:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
1372
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
1060
svchost.exe
GET
304
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?60bcd71e49d094b3
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1060
svchost.exe
224.0.0.252:5355
unknown
1372
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
1372
svchost.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
1372
svchost.exe
23.53.40.176:80
crl.microsoft.com
Akamai International B.V.
DE
unknown
1372
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
1060
svchost.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted

DNS requests

Domain
IP
Reputation
dns.msftncsi.com
  • 131.107.255.255
unknown
settings-win.data.microsoft.com
  • 40.127.240.158
unknown
ctldl.windowsupdate.com
  • 93.184.221.240
unknown
crl.microsoft.com
  • 23.53.40.176
  • 23.53.40.178
unknown
www.microsoft.com
  • 23.35.229.160
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
install-interception.exe