Malware analysis SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.21445.28417 Malicious activity

Add for printing

File name:	SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.21445.28417
Full analysis:	https://app.any.run/tasks/e27841a4-3547-46f6-a1c8-4fdfabbd08cb
Verdict:	Malicious activity
Analysis date:	August 01, 2024, 17:51:08
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	installer
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5:	B7CFA25321334064893666ECC2BCF9DA
SHA1:	5829E85E9BB196A42D71B83206D777951DD7F90E
SHA256:	E6947908ECFA3F110FE380E07A2941E1B558E12F0481EA8B6075658B06661262
SSDEEP:	98304:vAyWw3S+ZxIIwKCPgB9YFHxqDom/wmUyD8wM2QrR+JobXjcVeI01Qi6eiEKLsM0N:7qYVTRY7DrwxZi/IMW09ve38

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 120 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Drops the executable file immediately after the start
  - SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.21445.28417.exe (PID: 6404)
  - EHPClientAgent.exe (PID: 6520)
- Changes the autorun value in the registry
  - EHPClientAgent.exe (PID: 6520)
SUSPICIOUS
- Executable content was dropped or overwritten
  - SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.21445.28417.exe (PID: 6404)
  - EHPClientAgent.exe (PID: 6520)
- Read disk information to detect sandboxing environments
  - EHPClientAgent.exe (PID: 6520)
- Reads the date of Windows installation
  - EHPClientAgent.exe (PID: 6520)
INFO
- Reads the computer name
  - SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.21445.28417.exe (PID: 6404)
  - EHPClientAgent.exe (PID: 6520)
- Checks supported languages
  - SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.21445.28417.exe (PID: 6404)
  - EHPClientAgent.exe (PID: 6520)
- Creates files or folders in the user directory
  - SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.21445.28417.exe (PID: 6404)
  - EHPClientAgent.exe (PID: 6520)
- Reads Environment values
  - SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.21445.28417.exe (PID: 6404)
  - EHPClientAgent.exe (PID: 6520)
- Create files in a temporary directory
  - SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.21445.28417.exe (PID: 6404)
  - EHPClientAgent.exe (PID: 6520)
- Reads CPU info
  - EHPClientAgent.exe (PID: 6520)
- Reads product name
  - EHPClientAgent.exe (PID: 6520)
- Reads security settings of Internet Explorer
  - splwow64.exe (PID: 6868)
- Reads the machine GUID from the registry
  - EHPClientAgent.exe (PID: 6520)
- Dropped object may contain TOR URL's
  - EHPClientAgent.exe (PID: 6520)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	NSIS - Nullsoft Scriptable Install System (94.8)
.exe	\|	Win32 Executable MS Visual C++ (generic) (3.4)
.dll	\|	Win32 Dynamic Link Library (generic) (0.7)
.exe	\|	Win32 Executable (generic) (0.5)
.exe	\|	Generic Win/DOS Executable (0.2)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2009:12:05 22:50:41+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	6
CodeSize:	23040
InitializedDataSize:	119808
UninitializedDataSize:	1024
EntryPoint:	0x30cb
OSVersion:	4
ImageVersion:	6
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	4.65.8.8
ProductVersionNumber:	4.65.8.8
FileFlagsMask:	0x0000
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	ASCII
Comments:	EHP
CompanyName:	EHP
FileDescription:	EHP
FileVersion:	4.65.8.8
LegalCopyright:	EHP
LegalTrademarks:	EHP
ProductName:	EHP Agent Installer

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

134

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

6352

"C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.21445.28417.exe"

C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.21445.28417.exe

—

explorer.exe

User:

admin

Company:

EHP

Integrity Level:

MEDIUM

Description:

EHP

Exit code:

3221226540

Version:

4.65.8.8

Modules

Images
c:\users\admin\appdata\local\temp\securiteinfo.com.heur.trojan.win32.agent.gen.21445.28417.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

6404

"C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.21445.28417.exe"

C:\Users\admin\AppData\Local\Temp\SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.21445.28417.exe

explorer.exe

User:

admin

Company:

EHP

Integrity Level:

HIGH

Description:

EHP

Exit code:

Version:

4.65.8.8

Modules

Images
c:\users\admin\appdata\local\temp\securiteinfo.com.heur.trojan.win32.agent.gen.21445.28417.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

6520

"C:\Users\admin\AppData\Roaming\EHPAgent\EHPClientAgent.exe"

C:\Users\admin\AppData\Roaming\EHPAgent\EHPClientAgent.exe

SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.21445.28417.exe

User:

admin

Integrity Level:

HIGH

Version:

4.66.11.8

Modules

Images
c:\users\admin\appdata\roaming\ehpagent\ehpclientagent.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\acgenral.dll

6868

C:\WINDOWS\splwow64.exe 12288

C:\Windows\splwow64.exe

—

EHPClientAgent.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Print driver host for applications

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\splwow64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

Add for printing

Total events

12 823

Read events

12 821

Write events

Delete events

Modification events


(PID) Process:	(6520) EHPClientAgent.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	EHPAgent
Value: C:\Users\admin\AppData\Roaming\EHPAgent\EHPClientAgent.exe
(PID) Process:	(6868) splwow64.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\splwow64.exe
Operation:	write	Name:	JScriptSetScriptStateStarted
Value: 18800E0000000000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6520	EHPClientAgent.exe	C:\Users\admin\AppData\Roaming\EHPAgent\libcurl.dll		executable
		MD5:1DDF9C18A892A7225045900C18A4C351	SHA256:BEC0BED6B3418DF6681D4607E223CD0833E99E4EBE5BC988FD8D8EA6097D8085
6520	EHPClientAgent.exe	C:\Users\admin\AppData\Roaming\EHPAgent\curl.exe		executable
		MD5:075212860CB6E69EB5C991044FE5E29C	SHA256:E484DD4374163B32EBEF913A769324649C2E663144B4673185FC7B3E0A903A62
6520	EHPClientAgent.exe	C:\Users\admin\AppData\Local\Temp\TBMS_HOSXP_CURL_ZIP.zip		compressed
		MD5:0A1FD9B962CD528CA62755DE06F125F5	SHA256:E2AF03E37E9270A2AECB9C9B729F71A181B7A8308E2767D3894D96C3FFFB786F
6404	SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.21445.28417.exe	C:\Users\admin\Desktop\EHPClientAgent.lnk		binary
		MD5:B6C5156DF0B9FC7854820AE034C472FB	SHA256:CD32CF882187E86D7EEFF2B82F661778BF3D2203276450CE4F3416D645134160
6404	SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.21445.28417.exe	C:\Users\admin\AppData\Local\Temp\nsf6176.tmp\Processes.dll		executable
		MD5:2CFBA79D485CF441C646DD40D82490FC	SHA256:86B302FA9C85DFA0C1C03BA000864A928365DAB571F3355347DBA02DA22949B7
6404	SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.21445.28417.exe	C:\Users\admin\AppData\Roaming\EHPAgent\EHPClientAgent.exe		executable
		MD5:A12C1A66F564BBFE82A3F0021E24523D	SHA256:339141CFB67D734009258B9B96BC41CDB1FA8BBB295E5697390B3720FB72D555
6404	SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.21445.28417.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\EHPClientAgent.lnk		binary
		MD5:2E9C2C4DA0B3C3F6AA679CCA9E463616	SHA256:38E72052453CAF801A56A55A8AA8AD6C5FCB19825F5DCDBCE3D6CEB4E7253F72

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5336	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
2272	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
7164	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
7100	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4708	svchost.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3888	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
2088	RUXIMICS.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2120	MoUsoCoreWorker.exe	4.231.128.59:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
6520	EHPClientAgent.exe	203.151.166.226:443	cloud3.hosxp.net	Internet Thailand Company Limited	TH	unknown
5336	SearchApp.exe	104.126.37.171:443	www.bing.com	Akamai International B.V.	DE	unknown
5336	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
2272	svchost.exe	40.126.31.67:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	4.231.128.59 20.73.194.208	whitelisted
google.com	142.250.185.78	whitelisted
cloud3.hosxp.net	203.151.166.226	whitelisted
www.bing.com	104.126.37.171 104.126.37.160 104.126.37.128 104.126.37.179 104.126.37.161 104.126.37.123 104.126.37.186 104.126.37.131 104.126.37.162	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	40.126.31.67 20.190.159.75 20.190.159.4 20.190.159.71 40.126.31.73 20.190.159.0 20.190.159.2 20.190.159.73	whitelisted
client.wns.windows.com	40.113.110.67	whitelisted
th.bing.com	104.126.37.162 104.126.37.171 104.126.37.160 104.126.37.128 104.126.37.179 104.126.37.161 104.126.37.123 104.126.37.186 104.126.37.131	whitelisted
fd.api.iris.microsoft.com	20.223.35.26	whitelisted
arc.msn.com	20.199.58.43	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

SecuriteInfo.com.HEUR.Trojan.Win32.Agent.gen.21445.28417

B7CFA25321334064893666ECC2BCF9DA

5829E85E9BB196A42D71B83206D777951DD7F90E

E6947908ECFA3F110FE380E07A2941E1B558E12F0481EA8B6075658B06661262

98304:vAyWw3S+ZxIIwKCPgB9YFHxqDom/wmUyD8wM2QrR+JobXjcVeI01Qi6eiEKLsM0N:7qYVTRY7DrwxZi/IMW09ve38

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Drops the executable file immediately after the start

Changes the autorun value in the registry

SUSPICIOUS

Executable content was dropped or overwritten

Read disk information to detect sandboxing environments

Reads the date of Windows installation

INFO

Reads the computer name

Checks supported languages

Creates files or folders in the user directory

Reads Environment values

Create files in a temporary directory

Reads CPU info

Reads product name

Reads security settings of Internet Explorer

Reads the machine GUID from the registry

Dropped object may contain TOR URL's

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings