| File name: | Dc1.exe |
| Full analysis: | https://app.any.run/tasks/dd383e63-14d4-401f-b430-064011a23c74 |
| Verdict: | Malicious activity |
| Analysis date: | May 26, 2024, 08:45:46 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 61AC5FFF02B15BD483DE5A89D5847557 |
| SHA1: | 30A698802EAD82DB9ED6B15E89E4B15BE18D1232 |
| SHA256: | EFDAE18351FD7AF72E4050A3592A59C3B8AAA4B424431DBD4949CDC6F59D7DAF |
| SSDEEP: | 98304:7lxOVr7Qw9gHBOkxbD9myNII+EF5iHTiru5UENYm/q7sLMSekG7rJ3sRM/hJJ26I:pLjho |
MALICIOUS
Drops the executable file immediately after the start
- Dc1.exe (PID: 4088)
- irsetup.exe (PID: 1200)
SUSPICIOUS
Executable content was dropped or overwritten
- Dc1.exe (PID: 4088)
- irsetup.exe (PID: 1200)
Reads the Windows owner or organization settings
- irsetup.exe (PID: 1200)
INFO
Checks supported languages
- Dc1.exe (PID: 4088)
- irsetup.exe (PID: 1200)
Create files in a temporary directory
- Dc1.exe (PID: 4088)
Reads the computer name
- irsetup.exe (PID: 1200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (22.1) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (19.6) |
| .exe | | | UPX compressed Win32 Executable (19.2) |
| .exe | | | Win32 EXE Yoda's Crypter (18.8) |
| .scr | | | Windows screen saver (9.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2002:02:06 20:53:53+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 20480 |
| InitializedDataSize: | 53248 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x27e1 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 6.0.0.3 |
| ProductVersionNumber: | 6.0.0.3 |
| FileFlagsMask: | 0x003f |
| FileFlags: | Private build |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| Comments: | This setup code is the property of Indigo Rose Corporation |
| CompanyName: | Indigo Rose Corporation http://www.indigorose.com |
| FileDescription: | Setup Factory 6.0 Setup Launcher |
| FileVersion: | 6.0.0.3 |
| InternalName: | setup |
| LegalCopyright: | Copyright © 2001 Indigo Rose Corporation |
| LegalTrademarks: | Setup Factory is a trademark of Indigo Rose Corporation. |
| OriginalFileName: | setup.exe |
| PrivateBuild: | - |
| ProductName: | setup |
| ProductVersion: | 6.0.0.3 |
| SpecialBuild: | - |
Total processes
42
Monitored processes
5
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 660 | "C:\Program Files\Look@LAN\LookAtLan.exe" | C:\Program Files\Look@LAN\LookAtLan.exe | — | irsetup.exe | |||||||||||
User: admin Company: Carlo Medas Integrity Level: HIGH Description: Look@LAN Version: 2.5.0.0 | |||||||||||||||
| 728 | "C:\Program Files\Look@LAN\LookAtHost.exe" | C:\Program Files\Look@LAN\LookAtHost.exe | — | irsetup.exe | |||||||||||
User: admin Company: Carlo Medas Integrity Level: HIGH Description: Look@HOST Version: 1.0.1.0 | |||||||||||||||
| 1200 | "C:\Users\admin\AppData\Local\Temp\irsetup.exe" | C:\Users\admin\AppData\Local\Temp\irsetup.exe | Dc1.exe | ||||||||||||
User: admin Company: Indigo Rose Corporation Integrity Level: HIGH Description: SUF60Runtime Exit code: 0 Version: 6.0.0.3 Modules
| |||||||||||||||
| 3980 | "C:\Users\admin\AppData\Local\Temp\Dc1.exe" | C:\Users\admin\AppData\Local\Temp\Dc1.exe | — | explorer.exe | |||||||||||
User: admin Company: Indigo Rose Corporation http://www.indigorose.com Integrity Level: MEDIUM Description: Setup Factory 6.0 Setup Launcher Exit code: 3221226540 Version: 6.0.0.3 Modules
| |||||||||||||||
| 4088 | "C:\Users\admin\AppData\Local\Temp\Dc1.exe" | C:\Users\admin\AppData\Local\Temp\Dc1.exe | explorer.exe | ||||||||||||
User: admin Company: Indigo Rose Corporation http://www.indigorose.com Integrity Level: HIGH Description: Setup Factory 6.0 Setup Launcher Exit code: 0 Version: 6.0.0.3 Modules
| |||||||||||||||
Total events
811
Read events
809
Write events
2
Delete events
0
Modification events
| (PID) Process: | (1200) irsetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Look@LAN |
| Operation: | write | Name: | Company |
Value: hello | |||
| (PID) Process: | (1200) irsetup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Look@LAN |
| Operation: | write | Name: | Nome |
Value: admin | |||
Executable files
9
Suspicious files
26
Text files
22
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4088 | Dc1.exe | C:\Users\admin\AppData\Local\Temp\irsetup.exe | executable | |
MD5:65577EF62A45AA9A29639BEC2649FB72 | SHA256:FF0B872A6B7DCDAB47E13B3DC6CAD51934D1923F0E70A84E595FB7DCF300DC7A | |||
| 4088 | Dc1.exe | C:\Users\admin\AppData\Local\Temp\suf6lng.16 | text | |
MD5:0A7E05BC7E538015D7B55399E8AFF230 | SHA256:4FAA52BA8416881E266994495BD728F5FC740F32CA3C31EDB3E5670AAB9B28E5 | |||
| 4088 | Dc1.exe | C:\Users\admin\AppData\Local\Temp\IRIMG1.BMP | binary | |
MD5:FF439D8A48231281A5B95D703C168FE7 | SHA256:403B2C886BF9895534A5EBE14894D64F80EC1F10D01C04480BA68A4B10870067 | |||
| 4088 | Dc1.exe | C:\Users\admin\AppData\Local\Temp\IRIMG4.BMP | binary | |
MD5:EF0F83B8F590EEF4CDA9809B9D5873F6 | SHA256:3CEF434F2584FD81120E4C48B2442C0E649F340C29E42D4C8C68569091576036 | |||
| 4088 | Dc1.exe | C:\Users\admin\AppData\Local\Temp\suf6lng.9 | text | |
MD5:65A07854A4AC46C7FCDFAFCE978A032D | SHA256:DE4BAA540B128B303C3BD6F33E1F7EE7B840143FBDAA3F931519A36D6E9063BC | |||
| 1200 | irsetup.exe | C:\Windows\Look@LAN Setup Log.txt | text | |
MD5:BEC34E417B6298EFCFB9C1EC0E6C0DDC | SHA256:A460ED0E5B0ACD216665B61E54D382F80AE7DDA753177D2DDFE017E151A1938C | |||
| 4088 | Dc1.exe | C:\Users\admin\AppData\Local\Temp\IRIMG3.BMP | binary | |
MD5:95145F4CEAD2C4BD2EC219BC87D83F1D | SHA256:0542CB1D3E6B50F78DC63EA1ABEC6C518CFD4EA203649DF3EF3834309EA66CAD | |||
| 4088 | Dc1.exe | C:\Users\admin\AppData\Local\Temp\IRIMG5.BMP | binary | |
MD5:E29A24E189E95681BB41F73C16747FD8 | SHA256:3973D354045BE781EABF9114772FE2E5E96D1E557793DE10C914D901B16E8C09 | |||
| 4088 | Dc1.exe | C:\Users\admin\AppData\Local\Temp\irsetup.ini | text | |
MD5:FC3F8B43908DDD87E075DFA78FB318E2 | SHA256:04D7FC4B362DB4BF9886EE4556BEB8414B956EC6C8CB5B364AA5A6384F21E148 | |||
| 4088 | Dc1.exe | C:\Users\admin\AppData\Local\Temp\irsetup.dat | binary | |
MD5:B273FCC4665F1F33C64788CCD0901C10 | SHA256:6E1A69B96D9171075863E475AC5BB4D348297E2EF0EBF0BB8982D37ACDD819F3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
9
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
4.0.41.198.in-addr.arpa |
| unknown |
www.lookatlan.com |
| unknown |