File name:

eecd9bb65cbcd06804d16c0cacc020ba5e321067dc670d2ed6661bbd1903ed4a

Full analysis: https://app.any.run/tasks/67c5cc92-bbff-48aa-b743-075bebfc598f
Verdict: Malicious activity
Analysis date: February 24, 2019, 15:12:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

A85A3C56B1B9BF5F16E2786B4A2ACF74

SHA1:

9F2B46F7C2429495576B1BD06352ACEF40AD470C

SHA256:

EECD9BB65CBCD06804D16C0CACC020BA5E321067DC670D2ED6661BBD1903ED4A

SSDEEP:

393216:sN6pidn58JyNJnbR4WyjHPzKHyth/eczN6KqXKIiv:scun5nhqWQP2HyDWcp6nK/v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • devsetup32.exe (PID: 2280)
      • driversetup.exe (PID: 3320)
      • RIconTool.exe (PID: 2612)
      • DCService.exe (PID: 504)
      • HWDeviceService.exe (PID: 3232)
      • AutoRunSetup.exe (PID: 2772)
      • HWDeviceService.exe (PID: 3668)
      • subinacl.exe (PID: 3136)
      • DCSHelper.exe (PID: 3344)
      • subinacl.exe (PID: 3620)
      • AddPbk.exe (PID: 2372)
      • NtSetP.exe (PID: 3864)
      • subinacl.exe (PID: 2500)
      • subinacl.exe (PID: 3644)
      • subinacl.exe (PID: 2392)
      • RunOuc.exe (PID: 2764)
      • ouc.exe (PID: 3748)
      • ouc.exe (PID: 3196)
      • nsE081.tmp (PID: 3552)
      • Setup.exe (PID: 3860)
      • Setup.exe (PID: 3260)
      • Photon 3G.exe (PID: 4092)
      • XStartScreen.exe (PID: 4060)
    • Loads dropped or rewritten executable

      • Setup.exe (PID: 3260)
      • DrvInst.exe (PID: 3604)
      • devsetup32.exe (PID: 2280)
      • AutoRunSetup.exe (PID: 2772)
      • driversetup.exe (PID: 3320)
      • subinacl.exe (PID: 3620)
      • subinacl.exe (PID: 3136)
      • subinacl.exe (PID: 3644)
      • subinacl.exe (PID: 2500)
      • subinacl.exe (PID: 2392)
      • RunOuc.exe (PID: 2764)
      • ouc.exe (PID: 3748)
      • ouc.exe (PID: 3196)
      • Photon 3G.exe (PID: 4092)
      • XStartScreen.exe (PID: 4060)
  • SUSPICIOUS

    • Creates a software uninstall entry

      • Setup.exe (PID: 3260)
    • Creates files in the Windows directory

      • Setup.exe (PID: 3260)
      • DrvInst.exe (PID: 2352)
      • DrvInst.exe (PID: 2252)
      • DrvInst.exe (PID: 2532)
      • DrvInst.exe (PID: 2564)
      • DrvInst.exe (PID: 2588)
      • DrvInst.exe (PID: 2568)
      • DrvInst.exe (PID: 3088)
      • DrvInst.exe (PID: 2684)
      • DrvInst.exe (PID: 3048)
      • DrvInst.exe (PID: 2924)
      • DrvInst.exe (PID: 2728)
      • DrvInst.exe (PID: 2624)
      • DrvInst.exe (PID: 3204)
      • DrvInst.exe (PID: 3292)
      • DrvInst.exe (PID: 3328)
      • devsetup32.exe (PID: 2280)
      • DrvInst.exe (PID: 3604)
    • Executable content was dropped or overwritten

      • devsetup32.exe (PID: 2280)
      • DrvInst.exe (PID: 2252)
      • DrvInst.exe (PID: 2564)
      • DrvInst.exe (PID: 2624)
      • DrvInst.exe (PID: 3048)
      • Setup.exe (PID: 3260)
      • DrvInst.exe (PID: 2924)
      • DrvInst.exe (PID: 3292)
      • AutoRunSetup.exe (PID: 2772)
      • ouc.exe (PID: 3748)
    • Creates files in the driver directory

      • DrvInst.exe (PID: 2352)
      • DrvInst.exe (PID: 2252)
      • DrvInst.exe (PID: 2532)
      • DrvInst.exe (PID: 2568)
      • DrvInst.exe (PID: 3088)
      • DrvInst.exe (PID: 2588)
      • DrvInst.exe (PID: 3048)
      • DrvInst.exe (PID: 2684)
      • DrvInst.exe (PID: 2624)
      • DrvInst.exe (PID: 2728)
      • DrvInst.exe (PID: 2924)
      • DrvInst.exe (PID: 3204)
      • DrvInst.exe (PID: 3292)
      • DrvInst.exe (PID: 2564)
      • devsetup32.exe (PID: 2280)
      • DrvInst.exe (PID: 3604)
      • DrvInst.exe (PID: 3328)
    • Removes files from Windows directory

      • DrvInst.exe (PID: 2532)
      • DrvInst.exe (PID: 2352)
      • DrvInst.exe (PID: 2564)
      • DrvInst.exe (PID: 2252)
      • DrvInst.exe (PID: 3088)
      • DrvInst.exe (PID: 2568)
      • DrvInst.exe (PID: 3048)
      • DrvInst.exe (PID: 2684)
      • DrvInst.exe (PID: 2728)
      • DrvInst.exe (PID: 2924)
      • DrvInst.exe (PID: 3292)
      • DrvInst.exe (PID: 2588)
      • DrvInst.exe (PID: 3204)
      • DrvInst.exe (PID: 2624)
      • DrvInst.exe (PID: 3328)
    • Creates files in the program directory

      • devsetup32.exe (PID: 2280)
      • AutoRunSetup.exe (PID: 2772)
      • DCService.exe (PID: 504)
      • DCSHelper.exe (PID: 3344)
      • HWDeviceService.exe (PID: 3668)
      • Setup.exe (PID: 3260)
      • AddPbk.exe (PID: 2372)
      • NtSetP.exe (PID: 3864)
      • HWDeviceService.exe (PID: 3232)
      • ouc.exe (PID: 3748)
      • ouc.exe (PID: 3196)
      • Photon 3G.exe (PID: 4092)
    • Creates or modifies windows services

      • devsetup32.exe (PID: 2280)
    • Starts application with an unusual extension

      • Setup.exe (PID: 3260)
    • Starts CMD.EXE for commands execution

      • NtSetP.exe (PID: 3864)
    • Starts itself from another location

      • ouc.exe (PID: 3748)
  • INFO

    • Dropped object may contain Bitcoin addresses

      • Setup.exe (PID: 3260)
    • Reads settings of System Certificates

      • devsetup32.exe (PID: 2280)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2013:07:01 09:10:14
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Photon 3G/
No data.
All screenshots are available in the full report
Total processes
84
Monitored processes
43
Malicious processes
24
Suspicious processes
6


Process information

PID
CMD
Path
Indicators
Parent process
PID: 312
CMD: cmd /c NtSetP.bat
Path: C:\Windows\system32\cmd.exe
Parent process: NtSetP.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 504
CMD: "C:\ProgramData\DatacardService\DCService.exe" -install
Path: C:\ProgramData\DatacardService\DCService.exe
Parent process: AutoRunSetup.exe
User:
admin
Integrity Level:
HIGH
Description:
RunDCSer 应用程序
Exit code:
0
Version:
2, 0, 0, 47
Modules
Images
c:\programdata\datacardservice\dcservice.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shell32.dll
c:\windows\system32\shlwapi.dll
PID: 1824
CMD: cacls "C:\Program Files\Photon 3G\Huawei\E177" /t /e /c /p Users:f
Path: C:\Windows\system32\cacls.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Control ACLs Program
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\cacls.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2252
CMD: DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{0f042c4b-7047-5128-727d-ca40b721381f}\ew_busfilter.inf" "0" "675f9f793" "00000574" "WinSta0\Default" "000005AC" "208" "C:\Program Files\Photon 3G\Huawei\E177\driver\Driver\X86"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 2280
CMD: /install /debug
Path: C:\Program Files\Photon 3G\Huawei\E177\driver\devsetup32.exe
Parent process: driversetup.exe
User:
admin
Integrity Level:
HIGH
Description:
Huawei(R) DevSetup Version 1.0.2.3 for Windows 2K, XP, Vista, Win7.
Exit code:
0
Version:
1.0.2.3
Modules
Images
c:\program files\photon 3g\huawei\e177\driver\devsetup32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 2308
CMD: cacls "C:\Program Files\Photon 3G\Huawei\E177" /t /e /c /p everyone:f
Path: C:\Windows\system32\cacls.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Control ACLs Program
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\cacls.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2352
CMD: DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{30d3049c-786e-6ce4-1809-e45bcf09e87c}\ew_hwusbdev.inf" "0" "6e5997267" "0000053C" "WinSta0\Default" "00000574" "208" "C:\Program Files\Photon 3G\Huawei\E177\driver\Driver\X86"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\drvinst.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\setupapi.dll
c:\windows\system32\cfgmgr32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID: 2372
CMD: "C:\Program Files\Photon 3G\Huawei\E177\AddPbk.exe"
Path: C:\Program Files\Photon 3G\Huawei\E177\AddPbk.exe
Parent process: Setup.exe
User:
admin
Integrity Level:
HIGH
Exit code:
3221225547
Modules
Images
c:\program files\photon 3g\huawei\e177\addpbk.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\shell32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 2392
CMD: "C:\Program Files\Photon 3G\Huawei\E177\subinacl.exe" /Subdirectories "C:\Program Files\Photon 3G\Huawei\E177\*.*" /GRANT=s-1-5-32-545=F
Path: C:\Program Files\Photon 3G\Huawei\E177\subinacl.exe
Parent process: Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
SubInAcl
Exit code:
0
Version:
5.2.3790.1180
Modules
Images
c:\program files\photon 3g\huawei\e177\subinacl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mfc42u.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2500
CMD: "C:\Program Files\Photon 3G\Huawei\E177\subinacl.exe" /Subdirectories "C:\Program Files\Photon 3G\Huawei\E177" /GRANT=s-1-5-32-545=F
Path: C:\Program Files\Photon 3G\Huawei\E177\subinacl.exe
Parent process: Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
SubInAcl
Exit code:
0
Version:
5.2.3790.1180
Modules
Images
c:\program files\photon 3g\huawei\e177\subinacl.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mfc42u.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
1 339
Read events
1 048
Write events
290
Delete events
1

Modification events

(PID) Process: (3300) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3300) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3300) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3300) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\eecd9bb65cbcd06804d16c0cacc020ba5e321067dc670d2ed6661bbd1903ed4a.zip

(PID) Process: (3300) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3300) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3300) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (3300) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (3260) Setup.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
Operation: write
Name: C:\Users\admin\Desktop\Photon 3G\Setup.exe
Value: 1

(PID) Process: (3260) Setup.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Huawei Photon 3G
Operation: write
Name: NSIS:Language
Value: 1033
Executable files
333
Suspicious files
195
Text files
1 158
Unknown types
146

Dropped files

PID
Process
Filename
Type
PID: 3300
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3300.21519\Photon 3G\data.bin
Type:
MD5:
SHA256:

PID: 3300
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRa3300.21519\Photon 3G\Setup.exe
Type:
MD5:
SHA256:

PID: 3260
Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\nsz2E47.tmp\lib7zEx.dll
Type: executable
MD5:
SHA256:

PID: 3260
Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\UTPS\common\plugins\Language\1031.ini
Type: text
MD5:
SHA256:

PID: 3260
Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\UTPS\SysConfig.dat
Type: text
MD5:
SHA256:

PID: 3260
Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\UTPS\common\plugins\Language\1043.ini
Type: text
MD5:
SHA256:

PID: 3260
Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\UTPS\common\plugins\Language\1038.ini
Type: text
MD5:
SHA256:

PID: 3260
Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\UTPS\common\plugins\Language\1030.ini
Type: text
MD5:
SHA256:

PID: 3260
Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\UTPS\common\plugins\Language\1037.ini
Type: text
MD5:
SHA256:

PID: 3260
Process: Setup.exe
Filename: C:\Users\admin\AppData\Local\Temp\UTPS\common\plugins\Language\1026.ini
Type: text
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
Process
Message
HWDeviceService.exe
InstallService Start
Photon 3G.exe
15:14:31:446: ..\..\src\mobilepartner\MobilePartner.cpp: MobilePartnerMain: app path = C:/Program Files/Photon 3G/Huawei/E177
Photon 3G.exe
15:14:31:446 : ..\..\src\sdk\UTPS_SDK.cpp : UTPS_SDK_INIT : Entered
Photon 3G.exe
..\..\src\sdk\UTPS_SDK.cpp: UTPS_SDK_INIT: loading proxy lib...
Photon 3G.exe
..\..\src\sdk\UTPS_SDK.cpp: UTPS_SDK_INIT: setting load hints...
Photon 3G.exe
..\..\src\sdk\UTPS_CALL.cpp: UTPS_CALL_INIT: enter
Photon 3G.exe
..\..\src\sdk\UTPS_CALL.cpp: UTPS_CALL_INIT: enter
Photon 3G.exe
..\..\src\sdk\UTPS_CALLLOG.cpp: UTPS_CALLLOG_INIT: enter
Photon 3G.exe
..\..\src\sdk\UTPS_COMMON.cpp: UTPS_COMMON_INIT: enter
Photon 3G.exe
..\..\src\sdk\UTPS_DEVICE.cpp: UTPS_DEVICE_INIT: enter