ContaCam-9.9.9-Setup.exe

Full analysis: https://app.any.run/tasks/c46fb877-f2c5-4b6a-bb41-031d9f867f0f
Verdict: Malicious activity
Analysis date: May 29, 2020, 22:33:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 5585110AD4F6B35B8C7A2856C0CBF7DC
SHA1: E84D52B752FA826B4E82EB20299E7FCD7DE66BA4
SHA256: F113DA51F6E6CC391186BD0CFE97BAF8D220718D378CE0876B737F8F6CE43D6E
SSDEEP: 393216:ZaPqfg+D+/ldNRNfvniGCok7koZFasx/qXiLXJ0pozC:Z7fhUR6ok7BF7QXQZLC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • ContaCam-9.9.9-Setup.exe (PID: 1848)
      • ContaCam-9.9.9-Setup.exe (PID: 524)
      • vcredist_x86.exe (PID: 3388)
      • mapache.exe (PID: 1952)
      • mapache.exe (PID: 3340)
    • Application was dropped or rewritten from another process

      • nsD95F.tmp (PID: 2716)
      • vcredist_x86.exe (PID: 3388)
      • vcredist_x86.exe (PID: 2724)
      • ns5816.tmp (PID: 2136)
      • ContaCamService.exe (PID: 3072)
      • ContaCam.exe (PID: 2692)
      • mapache.exe (PID: 1952)
      • mapache.exe (PID: 3340)
    • Changes the autorun value in the registry

      • vcredist_x86.exe (PID: 2724)
      • ContaCam.exe (PID: 2692)
    • Changes settings of System certificates

      • vcredist_x86.exe (PID: 2724)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • ContaCam-9.9.9-Setup.exe (PID: 1848)
      • ContaCam-9.9.9-Setup.exe (PID: 524)
      • vcredist_x86.exe (PID: 3388)
      • vcredist_x86.exe (PID: 2724)
      • msiexec.exe (PID: 3828)
    • Application launched itself

      • ContaCam-9.9.9-Setup.exe (PID: 1848)
      • mapache.exe (PID: 1952)
    • Starts application with an unusual extension

      • ContaCam-9.9.9-Setup.exe (PID: 524)
    • Searches for installed software

      • vcredist_x86.exe (PID: 3388)
      • vcredist_x86.exe (PID: 2724)
    • Executed as Windows Service

      • vssvc.exe (PID: 2832)
    • Creates files in the program directory

      • ContaCam-9.9.9-Setup.exe (PID: 524)
      • vcredist_x86.exe (PID: 2724)
    • Creates a software uninstall entry

      • vcredist_x86.exe (PID: 2724)
      • ContaCam-9.9.9-Setup.exe (PID: 524)
    • Modifies the open verb of a shell class

      • ContaCam-9.9.9-Setup.exe (PID: 524)
    • Creates files in the user directory

      • ContaCam-9.9.9-Setup.exe (PID: 524)
      • ContaCam.exe (PID: 2692)
      • mapache.exe (PID: 1952)
    • Creates files in the Windows directory

      • msiexec.exe (PID: 3828)
    • Reads Internet Cache Settings

      • ContaCam.exe (PID: 2692)
    • Adds / modifies Windows certificates

      • vcredist_x86.exe (PID: 2724)
  • INFO

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 2832)
    • Reads settings of System Certificates

      • vcredist_x86.exe (PID: 2724)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3828)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductVersion: 9.9.9.0
ProductName: ContaCam Application
LegalTrademarks: -
LegalCopyright: Contaware.com
FileVersion: 9.9.9.0
FileDescription: Installation Routine of ContaCam
CompanyName: Contaware.com
Comments: Surveillance Application
CharacterSet: Windows, Latin1
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 9.9.9.0
FileVersionNumber: 9.9.9.0
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x350d
UninitializedDataSize: 2048
InitializedDataSize: 141824
CodeSize: 26112
LinkerVersion: 6
PEType: PE32
TimeStamp: 2019:12:16 01:50:53+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 16-Dec-2019 00:50:53
Detected languages:
  • English - United States
Comments: Surveillance Application
CompanyName: Contaware.com
FileDescription: Installation Routine of ContaCam
FileVersion: 9.9.9.0
LegalCopyright: Contaware.com
LegalTrademarks: -
ProductName: ContaCam Application
ProductVersion: 9.9.9.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000C8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 16-Dec-2019 00:50:53
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0000647B | 0x00006600 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.42652
.rdata | 0x00008000 | 0x00001384 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.13635
.data | 0x0000A000 | 0x00020358 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.00585
.ndata | 0x0002B000 | 0x00034000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x0005F000 | 0x00005040 | 0x00005200 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.69731

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.28666 | 1249 | UNKNOWN | English - United States | RT_MANIFEST
2 | 5.9993 | 3752 | UNKNOWN | English - United States | RT_ICON
3 | 6.24459 | 2216 | UNKNOWN | English - United States | RT_ICON
4 | 5.01502 | 1384 | UNKNOWN | English - United States | RT_ICON
5 | 6.16057 | 1128 | UNKNOWN | English - United States | RT_ICON
6 | 3.34146 | 744 | UNKNOWN | English - United States | RT_ICON
7 | 3.04232 | 296 | UNKNOWN | English - United States | RT_ICON
102 | 2.71813 | 180 | UNKNOWN | English - United States | RT_DIALOG
103 | 2.6691 | 104 | UNKNOWN | English - United States | RT_GROUP_ICON
104 | 2.70411 | 344 | UNKNOWN | English - United States | RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
Total processes: 53
Monitored processes: 12
Malicious processes: 7
Suspicious processes: 0

Behavior graph

[Interactive process graph, not reproduced here. Nodes shown: contacam-9.9.9-setup.exe, contacam-9.9.9-setup.exe, nsd95f.tmp (no specs), vcredist_x86.exe, vcredist_x86.exe, vssvc.exe (no specs), msiexec.exe, ns5816.tmp (no specs), contacamservice.exe (no specs), contacam.exe, mapache.exe (no specs), mapache.exe (no specs). Edge labels: start, drop and start.]

Process information

PID: 1848
CMD: "C:\Users\admin\AppData\Local\Temp\ContaCam-9.9.9-Setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\ContaCam-9.9.9-Setup.exe
Parent process: explorer.exe
User: admin
Company: Contaware.com
Integrity Level: MEDIUM
Description: Installation Routine of ContaCam
Exit code: 0
Version: 9.9.9.0

PID: 524
CMD: "C:\Users\admin\AppData\Local\Temp\ContaCam-9.9.9-Setup.exe" /UAC:2012C /NCRC
Path: C:\Users\admin\AppData\Local\Temp\ContaCam-9.9.9-Setup.exe
Parent process: ContaCam-9.9.9-Setup.exe
User: admin
Company: Contaware.com
Integrity Level: HIGH
Description: Installation Routine of ContaCam
Exit code: 0
Version: 9.9.9.0

PID: 2716
CMD: "C:\Users\admin\AppData\Local\Temp\nsvBCED.tmp\nsD95F.tmp" "C:\Program Files\ContaCam\ContaCamService.exe" -k
Path: C:\Users\admin\AppData\Local\Temp\nsvBCED.tmp\nsD95F.tmp
Parent process: ContaCam-9.9.9-Setup.exe
User: admin
Integrity Level: HIGH
Exit code: 3221225501

PID: 2724
CMD: "C:\Program Files\ContaCam\vcredist_x86.exe" /passive /norestart
Path: C:\Program Files\ContaCam\vcredist_x86.exe
Parent process: ContaCam-9.9.9-Setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
Exit code: 0
Version: 11.0.61030.0

PID: 3388
CMD: "C:\Program Files\ContaCam\vcredist_x86.exe" /passive /norestart -burn.unelevated BurnPipe.{4312A082-D4C7-46DE-AFC9-29B2A86E7C42} {296D140A-08B0-480A-B73D-07511F0822A6} 2724
Path: C:\Program Files\ContaCam\vcredist_x86.exe
Parent process: vcredist_x86.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030
Exit code: 0
Version: 11.0.61030.0

PID: 2832
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\system32\vssvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3828
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\system32\msiexec.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows® installer
Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID: 2136
CMD: "C:\Users\admin\AppData\Local\Temp\nsvBCED.tmp\ns5816.tmp" "C:\Program Files\ContaCam\ContaCamService.exe" -r
Path: C:\Users\admin\AppData\Local\Temp\nsvBCED.tmp\ns5816.tmp
Parent process: ContaCam-9.9.9-Setup.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 3072
CMD: "C:\Program Files\ContaCam\ContaCamService.exe" -r
Path: C:\Program Files\ContaCam\ContaCamService.exe
Parent process: ns5816.tmp
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 2692
CMD: "C:\Program Files\ContaCam\ContaCam.exe"
Path: C:\Program Files\ContaCam\ContaCam.exe
Parent process: ContaCam-9.9.9-Setup.exe
User: admin
Integrity Level: MEDIUM
Description: ContaCam
Version: 9.9.9.0
Total events: 3 267
Read events: 1 472
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 66
Suspicious files: 18
Text files: 83
Unknown types: 8

Dropped files

PID | Process | Filename | Type
524 | ContaCam-9.9.9-Setup.exe | C:\Program Files\ContaCam\ContaCamDump.bat | text
MD5: CD190956342A7EBA29A52581800FE5B8
SHA256: B38D05334E6BDCEB2BC11037A03BD5A67E2D354433C7CF4A5365648994935613
524 | ContaCam-9.9.9-Setup.exe | C:\Program Files\ContaCam\MasterConfig.ini | text
MD5: E970456A23D9E81A31657BB449734A4A
SHA256: 7274D336B83931B0A1AE405297AD1BECE025629248AEFAF1E72E72A82DBB8F1B
524 | ContaCam-9.9.9-Setup.exe | C:\Program Files\ContaCam\https.key | text
MD5: 0262E2180AEFEC2ED362D5D7D45544A9
SHA256: 6CFBC2B84E3E2A22E9B584689EECDD2967114D1B8A60C7359DD2CD67CF1D8686
524 | ContaCam-9.9.9-Setup.exe | C:\Program Files\ContaCam\ContaCamService.exe | executable
MD5: FC113B4896FF0BA58D6C8DF5ED010D46
SHA256: 9EFE4F5EA8986D46FDEB2EA2220670604FD938E588CF69A9DFF5A2637CD2D270
524 | ContaCam-9.9.9-Setup.exe | C:\Users\admin\AppData\Local\Temp\nsvBCED.tmp\nsD95F.tmp | executable
MD5: 8109E69435DCE8797C25F3AA46BA70C9
SHA256: A679C863230E3BD51D2C553C735F63063C65520CED8A68FF64B96C163582DE37
524 | ContaCam-9.9.9-Setup.exe | C:\Program Files\ContaCam\ContaCam.exe | executable
MD5: 1ADD89449000CAE5543994AF8E652B27
SHA256: AB40E84047E9FB077089215B984A98599466B047F6646B4282431B02FA57419E
524 | ContaCam-9.9.9-Setup.exe | C:\Users\admin\AppData\Local\Temp\nsvBCED.tmp\SysCompImg.dll | executable
MD5: 2CDBDDDD9C89472F1C7134F133FB55B2
SHA256: E1775D36745B9973B7E495D64F4CA4B0C63CD10606960F888FD731A60FBA1408
524 | ContaCam-9.9.9-Setup.exe | C:\Program Files\ContaCam\License.txt | text
MD5: 660D035CC23225C953F7C86BA7FC9718
SHA256: DDAE9C7BE94624C7B62BBF74759D3DE5A0608DA07D386C2D6F2FF84FE4A724FC
524 | ContaCam-9.9.9-Setup.exe | C:\Program Files\ContaCam\microapache\htpasswd.exe | executable
MD5: C35D08B148C8F163A0A984F5CC02EF96
SHA256: 0C6A5E60B28A8ACD6E2FD092F2BAF81DAA2F5AB6606D58269F146E9FED08B2D2
524 | ContaCam-9.9.9-Setup.exe | C:\Users\admin\AppData\Local\Temp\nsvBCED.tmp\modern-wizard.bmp | image
MD5: CBE40FD2B1EC96DAEDC65DA172D90022
SHA256: 3AD2DC318056D0A2024AF1804EA741146CFC18CC404649A44610CBF8B2056CF2
HTTP(S) requests: 5
TCP/UDP connections: 4
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2724 | vcredist_x86.exe | GET | 200 | 2.16.186.120:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | unknown | der | 781 b | whitelisted
2692 | ContaCam.exe | GET | 200 | 2.16.186.11:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted
2692 | ContaCam.exe | GET | 200 | 2.16.186.27:80 | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgRxiDT1BDnRVwtcoC%2BpASOhGg%3D%3D | unknown | der | 527 b | whitelisted
2724 | vcredist_x86.exe | GET | 200 | 2.16.186.120:80 | http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | unknown | der | 550 b | whitelisted
2724 | vcredist_x86.exe | GET | 200 | 2.16.186.120:80 | http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | unknown | der | 555 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2692 | ContaCam.exe | 185.101.158.25:443 | www.contaware.com | hosttech GmbH | CH | unknown
- | - | 2.16.186.11:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | - | whitelisted
2724 | vcredist_x86.exe | 2.16.186.120:80 | crl.microsoft.com | Akamai International B.V. | - | whitelisted
- | - | 2.16.186.27:80 | ocsp.int-x3.letsencrypt.org | Akamai International B.V. | - | whitelisted

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 2.16.186.120, 2.16.186.74 | whitelisted
www.contaware.com | 185.101.158.25 | unknown
isrg.trustid.ocsp.identrust.com | 2.16.186.11, 2.16.186.35 | whitelisted
ocsp.int-x3.letsencrypt.org | 2.16.186.27, 2.16.186.11 | whitelisted

Threats

No threats detected
No debug info