| File name: | siinst.exe |
| Full analysis: | https://app.any.run/tasks/d8b07ed8-a9e3-4b67-b55b-2a2504b38bef |
| Verdict: | Malicious activity |
| Analysis date: | November 03, 2023, 22:37:26 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 18BC238BF7CA4F9DAD610604B857180A |
| SHA1: | C4A46C5883762368C24D3E944F409AAD54C3BF31 |
| SHA256: | E7C2536EFB15B2137C4F4C07A94EBE37D396CEE2FFF0DFFE14BDBE4F8254E9DB |
| SSDEEP: | 98304:6Yh+e+XdXD7IJkTi6PP4At/bgc50dPV5qnY:6Yke+NvIkz9/brOdPVcY |
MALICIOUS
Drops the executable file immediately after the start
- siinst.exe (PID: 3128)
- siinst.exe (PID: 3512)
- siinst.tmp (PID: 3500)
Uses Task Scheduler to autorun other applications
- siinst.tmp (PID: 3500)
Actions looks like stealing of personal data
- softinfo.exe (PID: 3728)
SUSPICIOUS
Reads the Internet Settings
- softinfo.exe (PID: 3664)
- softinfo.exe (PID: 3728)
The process drops C-runtime libraries
- siinst.tmp (PID: 3500)
Searches for installed software
- softinfo.exe (PID: 3728)
Reads Microsoft Outlook installation path
- softinfo.exe (PID: 3728)
Reads Internet Explorer settings
- softinfo.exe (PID: 3728)
Reads security settings of Internet Explorer
- softinfo.exe (PID: 3728)
Reads settings of System Certificates
- softinfo.exe (PID: 3728)
Checks Windows Trust Settings
- softinfo.exe (PID: 3728)
Reads the Windows owner or organization settings
- siinst.tmp (PID: 3500)
Process drops legitimate windows executable
- siinst.tmp (PID: 3500)
INFO
Create files in a temporary directory
- siinst.exe (PID: 3512)
- siinst.exe (PID: 3128)
- softinfo.exe (PID: 3728)
- siinst.tmp (PID: 3500)
Checks supported languages
- siinst.exe (PID: 3512)
- wmpnscfg.exe (PID: 3612)
- siinst.exe (PID: 3128)
- siinst.tmp (PID: 3432)
- softinfo.exe (PID: 3728)
- softinfo.exe (PID: 3664)
- siinst.tmp (PID: 3500)
Reads the machine GUID from the registry
- wmpnscfg.exe (PID: 3612)
- softinfo.exe (PID: 3664)
- softinfo.exe (PID: 3728)
Reads the computer name
- siinst.tmp (PID: 3500)
- wmpnscfg.exe (PID: 3612)
- siinst.tmp (PID: 3432)
- softinfo.exe (PID: 3728)
- softinfo.exe (PID: 3664)
Manual execution by a user
- wmpnscfg.exe (PID: 3612)
Creates files in the program directory
- siinst.tmp (PID: 3500)
- softinfo.exe (PID: 3728)
Creates files or folders in the user directory
- siinst.tmp (PID: 3500)
- softinfo.exe (PID: 3728)
Checks proxy server information
- softinfo.exe (PID: 3664)
- softinfo.exe (PID: 3728)
Reads the time zone
- softinfo.exe (PID: 3664)
Reads CPU info
- softinfo.exe (PID: 3664)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable Delphi generic (45.2) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (20.9) |
| .exe | | | Win32 Executable (generic) (14.3) |
| .exe | | | Win16/32 Executable Delphi generic (6.6) |
| .exe | | | Generic Win/DOS Executable (6.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2016:01:15 09:22:50+01:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 65024 |
| InitializedDataSize: | 53248 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x113bc |
| OSVersion: | 5 |
| ImageVersion: | 6 |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | Informer Technologies, Inc. |
| FileDescription: | Software Informer Setup |
| FileVersion: | |
| LegalCopyright: | |
| ProductName: | Software Informer |
| ProductVersion: |
Total processes
48
Monitored processes
8
Malicious processes
5
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3128 | "C:\Users\admin\AppData\Local\Temp\siinst.exe" | C:\Users\admin\AppData\Local\Temp\siinst.exe | — | explorer.exe | |||||||||||
User: admin Company: Informer Technologies, Inc. Integrity Level: MEDIUM Description: Software Informer Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 3432 | "C:\Users\admin\AppData\Local\Temp\is-M58E2.tmp\siinst.tmp" /SL5="$50194,3521793,119296,C:\Users\admin\AppData\Local\Temp\siinst.exe" | C:\Users\admin\AppData\Local\Temp\is-M58E2.tmp\siinst.tmp | — | siinst.exe | |||||||||||
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 3500 | "C:\Users\admin\AppData\Local\Temp\is-2J7LK.tmp\siinst.tmp" /SL5="$601EA,3521793,119296,C:\Users\admin\AppData\Local\Temp\siinst.exe" /SPAWNWND=$60134 /NOTIFYWND=$50194 | C:\Users\admin\AppData\Local\Temp\is-2J7LK.tmp\siinst.tmp | siinst.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 3512 | "C:\Users\admin\AppData\Local\Temp\siinst.exe" /SPAWNWND=$60134 /NOTIFYWND=$50194 | C:\Users\admin\AppData\Local\Temp\siinst.exe | siinst.tmp | ||||||||||||
User: admin Company: Informer Technologies, Inc. Integrity Level: HIGH Description: Software Informer Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 3612 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3644 | "schtasks.exe" /create /sc onlogon /tn SoftwareInformerService /f /rl highest /tr "\"C:\Program Files\Software Informer\softinfo.exe\" -service" | C:\Windows\System32\schtasks.exe | — | siinst.tmp | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3664 | "C:\Program Files\Software Informer\softinfo.exe" -service | C:\Program Files\Software Informer\softinfo.exe | — | siinst.tmp | |||||||||||
User: admin Company: Informer Technologies, Inc. Integrity Level: HIGH Description: Software Informer Exit code: 0 Version: 1.5.1346.0 Modules
| |||||||||||||||
| 3728 | "C:\Program Files\Software Informer\softinfo.exe" | C:\Program Files\Software Informer\softinfo.exe | siinst.tmp | ||||||||||||
User: admin Company: Informer Technologies, Inc. Integrity Level: MEDIUM Description: Software Informer Exit code: 0 Version: 1.5.1346.0 Modules
| |||||||||||||||
Total events
10 949
Read events
10 902
Write events
42
Delete events
5
Modification events
| (PID) Process: | (3612) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{4631E252-DBBA-4872-A190-12DE1BDDC1D1}\{09656BC1-3A13-4512-9DF8-9378937BE973} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3612) wmpnscfg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{4631E252-DBBA-4872-A190-12DE1BDDC1D1} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3612) wmpnscfg.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health\{7AF6DC3E-CFA4-476A-8AB9-707507DA58CB} |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3728) softinfo.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (3728) softinfo.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (3728) softinfo.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (3728) softinfo.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 4600000059010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3728) softinfo.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 460000005A010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A8016B000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (3728) softinfo.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (3728) softinfo.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
Executable files
28
Suspicious files
53
Text files
404
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3128 | siinst.exe | C:\Users\admin\AppData\Local\Temp\is-M58E2.tmp\siinst.tmp | executable | |
MD5:2A478D6E4134BBA048226B1C055F70B2 | SHA256:9D11AB1BA6D95008CE302C1BA7AB6EBA6436760751F33A3E250E59CCD18486D2 | |||
| 3500 | siinst.tmp | C:\Users\admin\AppData\Local\Temp\is-IEFGE.tmp\InstallHelper.dll | executable | |
MD5:A2B2EF9F5BBB9697A3EBB01F08EF837E | SHA256:FA896DBFB2DABF64D203067B007CC8BDF379CFDA6E4BD62B5EF3B008DB598254 | |||
| 3500 | siinst.tmp | C:\Program Files\Software Informer\is-P18NL.tmp | executable | |
MD5:2A478D6E4134BBA048226B1C055F70B2 | SHA256:9D11AB1BA6D95008CE302C1BA7AB6EBA6436760751F33A3E250E59CCD18486D2 | |||
| 3512 | siinst.exe | C:\Users\admin\AppData\Local\Temp\is-2J7LK.tmp\siinst.tmp | executable | |
MD5:2A478D6E4134BBA048226B1C055F70B2 | SHA256:9D11AB1BA6D95008CE302C1BA7AB6EBA6436760751F33A3E250E59CCD18486D2 | |||
| 3500 | siinst.tmp | C:\Program Files\Software Informer\core.dll | executable | |
MD5:8AD0AE6B1737AB59E704A3377BB047E0 | SHA256:37C987E7845824C4CB73734AB3864DBA439599C4A37DF6A637E30CE50971A40F | |||
| 3500 | siinst.tmp | C:\Program Files\Software Informer\unins000.exe | executable | |
MD5:2A478D6E4134BBA048226B1C055F70B2 | SHA256:9D11AB1BA6D95008CE302C1BA7AB6EBA6436760751F33A3E250E59CCD18486D2 | |||
| 3500 | siinst.tmp | C:\Users\admin\AppData\Local\Temp\is-IEFGE.tmp\_isetup\_shfoldr.dll | executable | |
MD5:92DC6EF532FBB4A5C3201469A5B5EB63 | SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 | |||
| 3500 | siinst.tmp | C:\Program Files\Software Informer\is-6O7PU.tmp | executable | |
MD5:8AD0AE6B1737AB59E704A3377BB047E0 | SHA256:37C987E7845824C4CB73734AB3864DBA439599C4A37DF6A637E30CE50971A40F | |||
| 3500 | siinst.tmp | C:\Program Files\Software Informer\is-EEFSM.tmp | executable | |
MD5:1EE8D767059ED6A729AD941210D7A0CB | SHA256:3311E3BA5F6CCC3010FA925DB20D34651CACCA9F83BF15715047285515C4A9F7 | |||
| 3500 | siinst.tmp | C:\Program Files\Software Informer\sigkey.dat | binary | |
MD5:571353057FC3A44CE4B458D262A3F442 | SHA256:D63663F4253A244A553D64BDCB1B41EEB19BBCBE22681080C964C65D480DAC29 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
80
DNS requests
15
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3728 | softinfo.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6fd0ac82e946ddc5 | unknown | compressed | 4.66 Kb | unknown |
3728 | softinfo.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | unknown | binary | 1.42 Kb | unknown |
3728 | softinfo.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDCjDk6BcP0YRJkTzSsQwBD | unknown | binary | 472 b | unknown |
3728 | softinfo.exe | GET | 200 | 172.64.149.23:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | unknown | binary | 2.18 Kb | unknown |
3728 | softinfo.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4dbeffe5ca08308e | unknown | compressed | 4.66 Kb | unknown |
3728 | softinfo.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | binary | 1.41 Kb | unknown |
3728 | softinfo.exe | GET | 200 | 74.117.179.74:80 | http://si5-s0.infcdn.net/img/win_v3/background.png | unknown | image | 16.8 Kb | unknown |
3728 | softinfo.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | unknown | binary | 724 b | unknown |
3728 | softinfo.exe | GET | 200 | 74.117.179.74:80 | http://si5-s0.infcdn.net/img/win_v3/refresh_bg.png | unknown | image | 4.52 Kb | unknown |
3728 | softinfo.exe | GET | 200 | 74.117.179.74:80 | http://si5-s0.infcdn.net/img/win_v3/svg/discover.svg | unknown | binary | 9.74 Kb | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
3728 | softinfo.exe | 208.88.224.105:443 | si.informer.com | WZCOM | US | unknown |
3728 | softinfo.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
3728 | softinfo.exe | 104.18.38.233:80 | ocsp.comodoca.com | CLOUDFLARENET | — | shared |
3728 | softinfo.exe | 172.64.149.23:80 | ocsp.comodoca.com | CLOUDFLARENET | US | unknown |
3728 | softinfo.exe | 74.117.179.70:443 | img.informer.com | WZCOM | US | unknown |
3728 | softinfo.exe | 142.250.186.168:443 | ssl.google-analytics.com | GOOGLE | US | unknown |
3728 | softinfo.exe | 74.117.179.74:80 | si5-s0.infcdn.net | WZCOM | US | unknown |
3728 | softinfo.exe | 172.217.16.131:80 | ocsp.pki.goog | GOOGLE | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
si.informer.com |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.comodoca.com |
| whitelisted |
ocsp.usertrust.com |
| whitelisted |
ocsp.sectigo.com |
| whitelisted |
si5.informer.com |
| unknown |
img.informer.com |
| whitelisted |
ssl.google-analytics.com |
| whitelisted |
si5-s0.infcdn.net |
| unknown |
ocsp.pki.goog |
| whitelisted |