File name: Core-Temp-setup.exe
Full analysis: https://app.any.run/tasks/79854206-3a2e-43d2-a23b-7b5347ac85b3
Verdict: Malicious activity
Analysis date: October 05, 2022, 00:06:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5: 77448F48D66FA4565CDD962324BFD5B8
SHA1: 6B0C74040AD0FCAB182C87C3B3C3DF152646BDD2
SHA256: E6EFC39C1F95D4E6286640A10459FE9A14AE1CB6FBC95CCEC95D063AC27F0978
SSDEEP: 24576:q86HODFbrDdsxg8MGMm8ZlfVI+z91BoQ9uZUR+zZdFr:4udDqAGaZDIcpV9u1X

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • Core-Temp-setup.exe (PID: 676)
      • Core-Temp-setup.exe (PID: 2104)
      • Core-Temp-setup.tmp (PID: 1408)
      • Core Temp.exe (PID: 536)
    • Application was dropped or rewritten from another process

      • Core Temp.exe (PID: 536)
    • Loads the Task Scheduler COM API

      • Core Temp.exe (PID: 536)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Core-Temp-setup.exe (PID: 676)
      • Core-Temp-setup.exe (PID: 2104)
      • Core Temp.exe (PID: 536)
      • Core-Temp-setup.tmp (PID: 1408)
    • Checks supported languages

      • Core-Temp-setup.exe (PID: 676)
      • Core-Temp-setup.tmp (PID: 2992)
      • Core-Temp-setup.exe (PID: 2104)
      • Core-Temp-setup.tmp (PID: 1408)
      • Core Temp.exe (PID: 536)
    • Drops a file with a compile date too recent

      • Core-Temp-setup.exe (PID: 676)
      • Core-Temp-setup.exe (PID: 2104)
      • Core-Temp-setup.tmp (PID: 1408)
      • Core Temp.exe (PID: 536)
    • Reads the computer name

      • Core-Temp-setup.tmp (PID: 2992)
      • Core-Temp-setup.tmp (PID: 1408)
      • Core Temp.exe (PID: 536)
    • Reads Windows owner or organization settings

      • Core-Temp-setup.tmp (PID: 1408)
    • Reads the Windows organization settings

      • Core-Temp-setup.tmp (PID: 1408)
    • Creates files in the program directory

      • Core Temp.exe (PID: 536)
    • Creates a directory in Program Files

      • Core-Temp-setup.tmp (PID: 1408)
  • INFO

    • Application was dropped or rewritten from another process

      • Core-Temp-setup.tmp (PID: 2992)
      • Core-Temp-setup.tmp (PID: 1408)
    • Creates a software uninstall entry

      • Core-Temp-setup.tmp (PID: 1408)
    • Creates files in the program directory

      • Core-Temp-setup.tmp (PID: 1408)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Delphi generic (45.2)
.dll | Win32 Dynamic Link Library (generic) (20.9)
.exe | Win32 Executable (generic) (14.3)
.exe | Win16/32 Executable Delphi generic (6.6)
.exe | Generic Win/DOS Executable (6.3)

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 2018-Jun-14 13:27:46
Detected languages:
  • Dutch - Netherlands
  • English - United States
Comments: This installation was built with Inno Setup.
CompanyName: ALCPU
FileDescription: Core Temp Setup
FileVersion: 1.17.1.0
LegalCopyright: -
ProductName: Core Temp
ProductVersion: 1.17.1

DOS Header

e_magic: MZ
e_cblp: 80
e_cp: 2
e_crlc: -
e_cparhdr: 4
e_minalloc: 15
e_maxalloc: 65535
e_ss: -
e_sp: 184
e_csum: -
e_ip: -
e_cs: -
e_ovno: 26
e_oemid: -
e_oeminfo: -
e_lfanew: 256

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
NumberofSections: 8
TimeDateStamp: 2018-Jun-14 13:27:46
PointerToSymbolTable: -
NumberOfSymbols: -
SizeOfOptionalHeader: 224
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_BYTES_REVERSED_HI
  • IMAGE_FILE_BYTES_REVERSED_LO
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 4096 | 62044 | 62464 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.37588
.itext | 69632 | 4004 | 4096 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.77877
.data | 73728 | 3212 | 3584 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 2.30283
.bss | 77824 | 22204 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | -
.idata | 102400 | 3588 | 4096 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.59781
.tls | 106496 | 8 | 0 | IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | -
.rdata | 110592 | 24 | 512 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 0.204488
.rsrc | 114688 | 45568 | 45568 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.14048

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 3.25755 | 296 | UNKNOWN | Dutch - Netherlands | RT_ICON
2 | 3.47151 | 1384 | UNKNOWN | Dutch - Netherlands | RT_ICON
3 | 3.91708 | 744 | UNKNOWN | Dutch - Netherlands | RT_ICON
4 | 3.91366 | 2216 | UNKNOWN | Dutch - Netherlands | RT_ICON
4091 | 2.56031 | 104 | UNKNOWN | UNKNOWN | RT_STRING
4092 | 3.25287 | 212 | UNKNOWN | UNKNOWN | RT_STRING
4093 | 3.26919 | 164 | UNKNOWN | UNKNOWN | RT_STRING
4094 | 3.33268 | 684 | UNKNOWN | UNKNOWN | RT_STRING
4095 | 3.34579 | 844 | UNKNOWN | UNKNOWN | RT_STRING
4096 | 3.28057 | 660 | UNKNOWN | UNKNOWN | RT_STRING

Imports

advapi32.dll
advapi32.dll (#2)
advapi32.dll (#3)
comctl32.dll
kernel32.dll
kernel32.dll (#2)
kernel32.dll (#3)
kernel32.dll (#4)
oleaut32.dll
user32.dll
No data.
All screenshots are available in the full report
Total processes: 41
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 2

Behavior graph

[Behavior graph: core-temp-setup.exe -> core-temp-setup.tmp (no specs) -> core-temp-setup.exe -> core-temp-setup.tmp -> core temp.exe; edges labelled "drop and start" and "start"]

Process information

PID: 676
CMD: "C:\Users\admin\AppData\Local\Temp\Core-Temp-setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Core-Temp-setup.exe
Parent process: Explorer.EXE
User: admin
Company: ALCPU
Integrity Level: MEDIUM
Description: Core Temp Setup
Exit code: 0
Version: 1.17.1.0
Modules (Images):
c:\users\admin\appdata\local\temp\core-temp-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\usp10.dll

PID: 2992
CMD: "C:\Users\admin\AppData\Local\Temp\is-QG7JQ.tmp\Core-Temp-setup.tmp" /SL5="$20138,851632,121344,C:\Users\admin\AppData\Local\Temp\Core-Temp-setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-QG7JQ.tmp\Core-Temp-setup.tmp
Parent process: Core-Temp-setup.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\is-qg7jq.tmp\core-temp-setup.tmp
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 2104
CMD: "C:\Users\admin\AppData\Local\Temp\Core-Temp-setup.exe" /SPAWNWND=$20130 /NOTIFYWND=$20138
Path: C:\Users\admin\AppData\Local\Temp\Core-Temp-setup.exe
Parent process: Core-Temp-setup.tmp
User: admin
Company: ALCPU
Integrity Level: HIGH
Description: Core Temp Setup
Exit code: 0
Version: 1.17.1.0
Modules (Images):
c:\users\admin\appdata\local\temp\core-temp-setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 1408
CMD: "C:\Users\admin\AppData\Local\Temp\is-QQ71F.tmp\Core-Temp-setup.tmp" /SL5="$2013A,851632,121344,C:\Users\admin\AppData\Local\Temp\Core-Temp-setup.exe" /SPAWNWND=$20130 /NOTIFYWND=$20138
Path: C:\Users\admin\AppData\Local\Temp\is-QQ71F.tmp\Core-Temp-setup.tmp
Parent process: Core-Temp-setup.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0
Modules (Images):
c:\users\admin\appdata\local\temp\is-qq71f.tmp\core-temp-setup.tmp
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

PID: 536
CMD: "C:\Program Files\Core Temp\Core Temp.exe"
Path: C:\Program Files\Core Temp\Core Temp.exe
Parent process: Core-Temp-setup.tmp
User: admin
Company: ALCPU
Integrity Level: HIGH
Description: CPU temperature and system information utility
Version: 1.17.1.0
Modules (Images):
c:\program files\core temp\core temp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 1 377
Read events: 1 341
Write events: 30
Delete events: 6

Modification events

(PID) Process: (1408) Core-Temp-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Owner
Value: 80050000C010145B4ED8D801

(PID) Process: (1408) Core-Temp-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: SessionHash
Value: E398C7CC76CE827A6BBD616B3D210F372CB2CC2F1006C36FBA611DCCB0BCBF1F

(PID) Process: (1408) Core-Temp-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: Sequence
Value: 1

(PID) Process: (1408) Core-Temp-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFiles0000
Value: C:\Program Files\Core Temp\Core Temp.exe

(PID) Process: (1408) Core-Temp-setup.tmp
Key: HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000
Operation: write
Name: RegFilesHash
Value: 39D0A9A9A4DC6267E4AD8464180D839B94B5536D7A720C3A88E9678690BB74F9

(PID) Process: (1408) Core-Temp-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1
Operation: write
Name: Inno Setup: Setup Version
Value: 5.6.1 (u)

(PID) Process: (1408) Core-Temp-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1
Operation: write
Name: Inno Setup: App Path
Value: C:\Program Files\Core Temp

(PID) Process: (1408) Core-Temp-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1
Operation: write
Name: InstallLocation
Value: C:\Program Files\Core Temp\

(PID) Process: (1408) Core-Temp-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1
Operation: write
Name: Inno Setup: Icon Group
Value: Core Temp

(PID) Process: (1408) Core-Temp-setup.tmp
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{086D343F-8E78-4AFC-81AC-D6D414AFD8AC}_is1
Operation: write
Name: Inno Setup: User
Value: admin
Executable files: 7
Suspicious files: 0
Text files: 66
Unknown types: 4

Dropped files

PID | Process | Filename | Type
1408 | Core-Temp-setup.tmp | C:\Program Files\Core Temp\is-OVCB7.tmp | text
MD5: DDA717AA555D59EC4BA2C67E4CFF1822
SHA256: 687D64106F829536A6C9C439FFBAE69F002BD0D69CA6F49A3F9CB9C64990A76B
1408 | Core-Temp-setup.tmp | C:\Program Files\Core Temp\Languages\da-DK.lng | xml
MD5: 26E7D3BA8A7383C4E5807E558E719B87
SHA256: AF2D49427309DA14E5764A239F1817E605B13E13552626AEE28E1C3B9A8D8EC5
676 | Core-Temp-setup.exe | C:\Users\admin\AppData\Local\Temp\is-QG7JQ.tmp\Core-Temp-setup.tmp | executable
MD5: 34ACC2BDB45A9C436181426828C4CB49
SHA256: 9C81817ACD4982632D8C7F1DF3898FCA1477577738184265D735F49FC5480F07
1408 | Core-Temp-setup.tmp | C:\Program Files\Core Temp\Changes.txt | text
MD5: DDA717AA555D59EC4BA2C67E4CFF1822
SHA256: 687D64106F829536A6C9C439FFBAE69F002BD0D69CA6F49A3F9CB9C64990A76B
1408 | Core-Temp-setup.tmp | C:\Program Files\Core Temp\Core Temp.exe | executable
MD5: 94246356857F0E72C917A4A8CE331A03
SHA256: AA4BDF0A6D21A59822B1000EFED64E9287CE30108FE3943C6AA0139D86B5E3E7
1408 | Core-Temp-setup.tmp | C:\Program Files\Core Temp\Languages\bg-BG.lng | xml
MD5: 9BF319216AF8DD8135CB9D909AC934B6
SHA256: 4DC3EEB1B0FA98908B08E84A9287A0CBD67E53288A5EE9CED70F111E3C78C271
1408 | Core-Temp-setup.tmp | C:\Program Files\Core Temp\Languages\ca.lng | xml
MD5: 300F2357316146584500E3DCE6AFA945
SHA256: 285557B98E899D2F7463CA4FA6CAB7A8E81C2EB18A2322EEED74D4B561B322A5
1408 | Core-Temp-setup.tmp | C:\Program Files\Core Temp\Languages\cs.lng | xml
MD5: C2CC5BF4BBDD2B58819502364BA2D22A
SHA256: 3401B529510FE02AAFFB803F91D7A6C883BB6537FD9BA09914E17DBF99C9DFDA
1408 | Core-Temp-setup.tmp | C:\Program Files\Core Temp\is-UPM5Q.tmp | executable
MD5: 94246356857F0E72C917A4A8CE331A03
SHA256: AA4BDF0A6D21A59822B1000EFED64E9287CE30108FE3943C6AA0139D86B5E3E7
1408 | Core-Temp-setup.tmp | C:\Program Files\Core Temp\Languages\is-5H114.tmp | xml
MD5: 26E7D3BA8A7383C4E5807E558E719B87
SHA256: AF2D49427309DA14E5764A239F1817E605B13E13552626AEE28E1C3B9A8D8EC5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
536 | Core Temp.exe | GET | 200 | 192.185.41.230:80 | http://www.alcpu.com/CoreTemp/coretempver.xml | US | xml | 1.22 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
536 | Core Temp.exe | 192.185.41.230:80 | www.alcpu.com | UNIFIEDLAYER-AS-1 | US | suspicious

DNS requests

Domain | IP | Reputation
www.alcpu.com | 192.185.41.230 | suspicious

Threats

No threats detected
No debug info