| File name: | obs-plugin-countdown-1.3.3-windows-x64-Installer.exe |
| Full analysis: | https://app.any.run/tasks/cbf5d49a-6c21-42d7-83f6-c21b716394e6 |
| Verdict: | Malicious activity |
| Analysis date: | June 06, 2024, 16:11:55 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 7A0A721EC7A47C97BC7D543F1BCBF9E0 |
| SHA1: | 021D70822BE4918D454D86980F904347C5BEF59B |
| SHA256: | E975556005ECBA20C3C66BF07A9E81B9EF3AD5C184687C7F115F69E71FE8F8BC |
| SSDEEP: | 98304:m+cD4dnhlw4KBFL8n8JHzhIkWnXFopLQ3iUrex4vkY7mZNmijVPiZQO:kWYA |
MALICIOUS
Drops the executable file immediately after the start
- obs-plugin-countdown-1.3.3-windows-x64-Installer.exe (PID: 3972)
- obs-plugin-countdown-1.3.3-windows-x64-Installer.exe (PID: 2204)
- obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp (PID: 2316)
SUSPICIOUS
Executable content was dropped or overwritten
- obs-plugin-countdown-1.3.3-windows-x64-Installer.exe (PID: 3972)
- obs-plugin-countdown-1.3.3-windows-x64-Installer.exe (PID: 2204)
- obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp (PID: 2316)
Reads the Windows owner or organization settings
- obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp (PID: 2316)
INFO
Reads the computer name
- obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp (PID: 3988)
- obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp (PID: 2316)
Checks supported languages
- obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp (PID: 3988)
- obs-plugin-countdown-1.3.3-windows-x64-Installer.exe (PID: 3972)
- obs-plugin-countdown-1.3.3-windows-x64-Installer.exe (PID: 2204)
- obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp (PID: 2316)
Create files in a temporary directory
- obs-plugin-countdown-1.3.3-windows-x64-Installer.exe (PID: 3972)
- obs-plugin-countdown-1.3.3-windows-x64-Installer.exe (PID: 2204)
- obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp (PID: 2316)
Creates files in the program directory
- obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp (PID: 2316)
Creates a software uninstall entry
- obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp (PID: 2316)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (53.5) |
|---|---|---|
| .exe | | | InstallShield setup (21) |
| .exe | | | Win32 EXE PECompact compressed (generic) (20.2) |
| .exe | | | Win32 Executable (generic) (2.1) |
| .exe | | | Win16/32 Executable Delphi generic (1) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2023:02:15 14:54:16+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 741888 |
| InitializedDataSize: | 89600 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xb5eec |
| OSVersion: | 6.1 |
| ImageVersion: | 6 |
| SubsystemVersion: | 6.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | Ashmanix |
| FileDescription: | obs-plugin-countdown Setup |
| FileVersion: | |
| LegalCopyright: | |
| OriginalFileName: | |
| ProductName: | obs-plugin-countdown |
| ProductVersion: | 1.3.3 |
Total processes
39
Monitored processes
4
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2204 | "C:\Users\admin\AppData\Local\Temp\obs-plugin-countdown-1.3.3-windows-x64-Installer.exe" /SPAWNWND=$20130 /NOTIFYWND=$20138 | C:\Users\admin\AppData\Local\Temp\obs-plugin-countdown-1.3.3-windows-x64-Installer.exe | obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | ||||||||||||
User: admin Company: Ashmanix Integrity Level: HIGH Description: obs-plugin-countdown Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 2316 | "C:\Users\admin\AppData\Local\Temp\is-RG3LF.tmp\obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp" /SL5="$2013A,1280888,832512,C:\Users\admin\AppData\Local\Temp\obs-plugin-countdown-1.3.3-windows-x64-Installer.exe" /SPAWNWND=$20130 /NOTIFYWND=$20138 | C:\Users\admin\AppData\Local\Temp\is-RG3LF.tmp\obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | obs-plugin-countdown-1.3.3-windows-x64-Installer.exe | ||||||||||||
User: admin Company: Ashmanix Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 3972 | "C:\Users\admin\AppData\Local\Temp\obs-plugin-countdown-1.3.3-windows-x64-Installer.exe" | C:\Users\admin\AppData\Local\Temp\obs-plugin-countdown-1.3.3-windows-x64-Installer.exe | explorer.exe | ||||||||||||
User: admin Company: Ashmanix Integrity Level: MEDIUM Description: obs-plugin-countdown Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 3988 | "C:\Users\admin\AppData\Local\Temp\is-9ST4E.tmp\obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp" /SL5="$20138,1280888,832512,C:\Users\admin\AppData\Local\Temp\obs-plugin-countdown-1.3.3-windows-x64-Installer.exe" | C:\Users\admin\AppData\Local\Temp\is-9ST4E.tmp\obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | — | obs-plugin-countdown-1.3.3-windows-x64-Installer.exe | |||||||||||
User: admin Company: Ashmanix Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
Total events
4 987
Read events
4 954
Write events
27
Delete events
6
Modification events
| (PID) Process: | (2316) obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Owner |
Value: 0C090000FA12C34C2CB8DA01 | |||
| (PID) Process: | (2316) obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | SessionHash |
Value: EA97653A085F85492F33C8361332134D494F062DEE7B909927FD3396554F22E7 | |||
| (PID) Process: | (2316) obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (2316) obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFiles0000 |
Value: C:\Users\admin\AppData\Local\Temp\{autopf}\obs-studio\obs-plugins\64bit\obs-plugin-countdown.dll | |||
| (PID) Process: | (2316) obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | RegFilesHash |
Value: 6E3DA36FE4384F354448ADBADB4F89E56C72C33917FB30DDB30A575B2EE3E9E7 | |||
| (PID) Process: | (2316) obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CD703FE5-1F2C-4837-BD3D-DD840D83C3E3}_is1 |
| Operation: | write | Name: | Inno Setup: Setup Version |
Value: 6.2.2 | |||
| (PID) Process: | (2316) obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CD703FE5-1F2C-4837-BD3D-DD840D83C3E3}_is1 |
| Operation: | write | Name: | Inno Setup: App Path |
Value: C:\Users\admin\AppData\Local\Temp\{autopf}\obs-studio | |||
| (PID) Process: | (2316) obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CD703FE5-1F2C-4837-BD3D-DD840D83C3E3}_is1 |
| Operation: | write | Name: | InstallLocation |
Value: C:\Users\admin\AppData\Local\Temp\{autopf}\obs-studio\ | |||
| (PID) Process: | (2316) obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CD703FE5-1F2C-4837-BD3D-DD840D83C3E3}_is1 |
| Operation: | write | Name: | Inno Setup: Icon Group |
Value: obs-plugin-countdown | |||
| (PID) Process: | (2316) obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CD703FE5-1F2C-4837-BD3D-DD840D83C3E3}_is1 |
| Operation: | write | Name: | Inno Setup: User |
Value: admin | |||
Executable files
6
Suspicious files
4
Text files
10
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2316 | obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | C:\Users\admin\AppData\Local\Temp\{autopf}\obs-studio\data\obs-plugins\obs-plugin-countdown\locale\da-DK.ini | text | |
MD5:781CF684B154E17476F5360D3D92DDA6 | SHA256:C8F802ABCC25CC266A96C48D98E8CFD3205A5A10762DCE04545B5F6A31BBD4EA | |||
| 2316 | obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | C:\Users\admin\AppData\Local\Temp\{autopf}\obs-studio\obs-plugins\64bit\obs-plugin-countdown.dll | executable | |
MD5:A33892ADA1AFA86D44ABE8320EE2507C | SHA256:90CCEF6FA5B47650984BFB1DB19BA7D72311DD49ADE2384BA7723C29B6BD8BD2 | |||
| 2316 | obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | C:\Users\admin\AppData\Local\Temp\is-BKLC8.tmp\LICENSE | text | |
MD5:779D39320AC30AD5F1BC12E6A99C6ECF | SHA256:892D0A23E7C96C84FC1445ED792CBA6687413861B6D16D6A9A2E0480EBB52092 | |||
| 2316 | obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | C:\Users\admin\AppData\Local\Temp\{autopf}\obs-studio\obs-plugins\64bit\is-SIE5Q.tmp | executable | |
MD5:A33892ADA1AFA86D44ABE8320EE2507C | SHA256:90CCEF6FA5B47650984BFB1DB19BA7D72311DD49ADE2384BA7723C29B6BD8BD2 | |||
| 2316 | obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | C:\Users\admin\AppData\Local\Temp\{autopf}\obs-studio\data\obs-plugins\obs-plugin-countdown\locale\en-GB.ini | text | |
MD5:CBC3448CF967E49B21761B6778E044DE | SHA256:DFF17F4C498582B505050DD7B443B8123AD91D0259B091DC26A9C9F0FDB336C9 | |||
| 2316 | obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | C:\Users\admin\AppData\Local\Temp\{autopf}\obs-studio\data\obs-plugins\obs-plugin-countdown\locale\is-SEMA7.tmp | text | |
MD5:CBC3448CF967E49B21761B6778E044DE | SHA256:DFF17F4C498582B505050DD7B443B8123AD91D0259B091DC26A9C9F0FDB336C9 | |||
| 2316 | obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | C:\Users\admin\AppData\Local\Temp\{autopf}\obs-studio\data\obs-plugins\obs-plugin-countdown\locale\en-US.ini | text | |
MD5:CBC3448CF967E49B21761B6778E044DE | SHA256:DFF17F4C498582B505050DD7B443B8123AD91D0259B091DC26A9C9F0FDB336C9 | |||
| 2316 | obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | C:\Users\admin\AppData\Local\Temp\{autopf}\obs-studio\data\obs-plugins\obs-plugin-countdown\locale\pt-BR.ini | text | |
MD5:D217CE6AC6A449E1C8232668C89AD5B2 | SHA256:055ACFF6A9EA0A6205E8B90C54B63806EEC22AFD5E5B3B11DEE9A4ED329F3840 | |||
| 2316 | obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | C:\Users\admin\AppData\Local\Temp\{autopf}\obs-studio\data\obs-plugins\obs-plugin-countdown\locale\is-51RFQ.tmp | text | |
MD5:D217CE6AC6A449E1C8232668C89AD5B2 | SHA256:055ACFF6A9EA0A6205E8B90C54B63806EEC22AFD5E5B3B11DEE9A4ED329F3840 | |||
| 2316 | obs-plugin-countdown-1.3.3-windows-x64-Installer.tmp | C:\Users\admin\AppData\Local\Temp\{autopf}\obs-studio\obs-plugins\64bit\is-7OQN2.tmp | binary | |
MD5:DAC130B8C5838BC9465CFA10C4A9C931 | SHA256:4F45B3C26F0583252E333B1301A79B6697BF2447BE63FAFDB9799067765F184D | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
3
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |