analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://dl.tenorshare.net/iCareFonetrial_ts_en.exe

Full analysis: https://app.any.run/tasks/1d4aef77-935c-4735-84d3-770779d5138d
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: February 28, 2019, 04:00:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
evasion
adware
Indicators:
MD5:

6BDAD3459B1114B40AD4FF1B13167C8F

SHA1:

757BD12F059CA14C7E1208AFFF3E1A8A69314E0A

SHA256:

F11CDA6840D5479E46560DE00F90F84272F2D90038F3140848EC90F9337D804F

SSDEEP:

3:N1KaJaxLLznEXGTR6uL4A:CaJwL7BLN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • iCareFonetrial_ts_en[1].tmp (PID: 2964)
    • Application was dropped or rewritten from another process

      • Tenorshare iCareFone.exe (PID: 2924)
      • 7z.exe (PID: 1856)
      • NetFrameCheck.exe (PID: 3816)
      • mDNSResponder.exe (PID: 3840)
      • SoftwareUpdate.exe (PID: 3960)
      • AppleMobileDeviceService.exe (PID: 2268)
      • iPodService.exe (PID: 2448)
      • iTunesHelper.exe (PID: 352)
    • Loads dropped or rewritten executable

      • Tenorshare iCareFone.exe (PID: 2924)
      • 7z.exe (PID: 1856)
      • AppleMobileDeviceService.exe (PID: 2268)
      • MsiExec.exe (PID: 2312)
      • MsiExec.exe (PID: 4056)
      • SoftwareUpdate.exe (PID: 3960)
      • MsiExec.exe (PID: 2800)
      • DllHost.exe (PID: 884)
      • svchost.exe (PID: 688)
      • iTunesHelper.exe (PID: 352)
    • Loads the Task Scheduler COM API

      • DllHost.exe (PID: 884)
      • MsiExec.exe (PID: 3020)
  • SUSPICIOUS

    • Starts Internet Explorer

      • iCareFonetrial_ts_en[1].tmp (PID: 2964)
    • Reads the Windows organization settings

      • iCareFonetrial_ts_en[1].tmp (PID: 2964)
    • Checks for external IP

      • iCareFonetrial_ts_en[1].tmp (PID: 2964)
    • Adds / modifies Windows certificates

      • iCareFonetrial_ts_en[1].tmp (PID: 2964)
    • Creates files in the user directory

      • iCareFonetrial_ts_en[1].tmp (PID: 2964)
    • Executable content was dropped or overwritten

      • iCareFonetrial_ts_en[1].exe (PID: 3776)
      • iCareFonetrial_ts_en[1].tmp (PID: 2964)
      • 7z.exe (PID: 1856)
      • MsiExec.exe (PID: 3172)
      • msiexec.exe (PID: 592)
    • Creates files in the program directory

      • NetFrameCheck.exe (PID: 3816)
      • Tenorshare iCareFone.exe (PID: 2924)
    • Reads Windows owner or organization settings

      • iCareFonetrial_ts_en[1].tmp (PID: 2964)
    • Searches for installed software

      • Tenorshare iCareFone.exe (PID: 2924)
    • Creates a software uninstall entry

      • Tenorshare iCareFone.exe (PID: 2924)
    • Removes files from Windows directory

      • msiexec.exe (PID: 592)
      • DrvInst.exe (PID: 3904)
      • DrvInst.exe (PID: 2488)
    • Creates files in the Windows directory

      • msiexec.exe (PID: 592)
      • DrvInst.exe (PID: 3904)
      • DrvInst.exe (PID: 2488)
    • Creates files in the driver directory

      • DrvInst.exe (PID: 3904)
      • DrvInst.exe (PID: 2488)
    • Creates COM task schedule object

      • msiexec.exe (PID: 592)
      • MsiExec.exe (PID: 2800)
    • Changes the autorun value in the registry

      • msiexec.exe (PID: 592)
    • Modifies the open verb of a shell class

      • msiexec.exe (PID: 592)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2956)
      • msiexec.exe (PID: 592)
    • Creates a software uninstall entry

      • iCareFonetrial_ts_en[1].tmp (PID: 2964)
      • msiexec.exe (PID: 592)
    • Application was dropped or rewritten from another process

      • iCareFonetrial_ts_en[1].tmp (PID: 2964)
    • Changes internet zones settings

      • iexplore.exe (PID: 2956)
      • iexplore.exe (PID: 2832)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2956)
      • iexplore.exe (PID: 3204)
      • iexplore.exe (PID: 1712)
    • Loads dropped or rewritten executable

      • iCareFonetrial_ts_en[1].tmp (PID: 2964)
      • MsiExec.exe (PID: 2148)
      • MsiExec.exe (PID: 3172)
    • Creates files in the program directory

      • iCareFonetrial_ts_en[1].tmp (PID: 2964)
      • msiexec.exe (PID: 592)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1712)
    • Creates files in the user directory

      • iexplore.exe (PID: 1712)
    • Changes settings of System certificates

      • iexplore.exe (PID: 1712)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1712)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
73
Monitored processes
33
Malicious processes
11
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start drop and start iexplore.exe iexplore.exe icarefonetrial_ts_en[1].exe no specs icarefonetrial_ts_en[1].exe icarefonetrial_ts_en[1].tmp netframecheck.exe no specs iexplore.exe tenorshare icarefone.exe iexplore.exe 7z.exe msiexec.exe msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe drvinst.exe no specs drvinst.exe no specs applemobiledeviceservice.exe msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs softwareupdate.exe no specs AppleSoftwareUpdateAdmin no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs msiexec.exe no specs mdnsresponder.exe msiexec.exe no specs svchost.exe no specs msiexec.exe no specs ipodservice.exe no specs ituneshelper.exe

Process information

PID
CMD
Path
Indicators
Parent process
2956"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3204"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2956 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2772"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\iCareFonetrial_ts_en[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\iCareFonetrial_ts_en[1].exeiexplore.exe
User:
admin
Company:
Tenorshare, Inc.
Integrity Level:
MEDIUM
Description:
Tenorshare iCareFone Setup
Exit code:
3221226540
Version:
3776"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\iCareFonetrial_ts_en[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\iCareFonetrial_ts_en[1].exe
iexplore.exe
User:
admin
Company:
Tenorshare, Inc.
Integrity Level:
HIGH
Description:
Tenorshare iCareFone Setup
Exit code:
0
Version:
2964"C:\Users\admin\AppData\Local\Temp\is-0PGFG.tmp\iCareFonetrial_ts_en[1].tmp" /SL5="$5018C,85535845,289280,C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\iCareFonetrial_ts_en[1].exe" C:\Users\admin\AppData\Local\Temp\is-0PGFG.tmp\iCareFonetrial_ts_en[1].tmp
iCareFonetrial_ts_en[1].exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
3816"C:\Program Files\Tenorshare iCareFone\NetFrameCheck.exe"C:\Program Files\Tenorshare iCareFone\NetFrameCheck.exeiCareFonetrial_ts_en[1].tmp
User:
admin
Company:
Tenorshare Co.Ltd
Integrity Level:
HIGH
Description:
Tenorshare iCarefone
Exit code:
0
Version:
2.0.0.0
2832"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
iCareFonetrial_ts_en[1].tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2924"C:\Program Files\Tenorshare iCareFone\Tenorshare iCareFone.exe" C:\Program Files\Tenorshare iCareFone\Tenorshare iCareFone.exe
NetFrameCheck.exe
User:
admin
Company:
Tenorshare
Integrity Level:
HIGH
Description:
iCareFone
Version:
5.3.2.8
1712"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2832 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1856"C:\Program Files\Tenorshare iCareFone\7z\7z.exe" x "C:\Users\admin\AppData\Local\Temp\iTunes.exe" -y -o"C:\Users\admin\AppData\Local\Temp\iTunes"C:\Program Files\Tenorshare iCareFone\7z\7z.exe
Tenorshare iCareFone.exe
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7-Zip Console
Exit code:
0
Version:
18.05
Total events
12 426
Read events
2 089
Write events
0
Delete events
0

Modification events

No data
Executable files
612
Suspicious files
696
Text files
5 024
Unknown types
74

Dropped files

PID
Process
Filename
Type
2956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico
MD5:
SHA256:
2956iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2956iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFD27972D57E9BD8B3.TMP
MD5:
SHA256:
3204iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\iCareFonetrial_ts_en[1].exe
MD5:
SHA256:
2956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\iCareFonetrial_ts_en[1].exe
MD5:
SHA256:
2956iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF4E4CFAA4699CD2D3.TMP
MD5:
SHA256:
2956iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{7AAF589D-3B0D-11E9-BEEC-5254004A04AF}.dat
MD5:
SHA256:
2964iCareFonetrial_ts_en[1].tmpC:\Program Files\Tenorshare iCareFone\is-7U396.tmp
MD5:
SHA256:
2964iCareFonetrial_ts_en[1].tmpC:\Program Files\Tenorshare iCareFone\is-M3E1M.tmp
MD5:
SHA256:
2964iCareFonetrial_ts_en[1].tmpC:\Program Files\Tenorshare iCareFone\is-4TMJB.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
4
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3204
iexplore.exe
GET
2.16.186.51:80
http://dl.tenorshare.net/iCareFonetrial_ts_en.exe
unknown
whitelisted
2956
iexplore.exe
GET
200
13.107.21.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2956
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3204
iexplore.exe
2.16.186.81:80
dl.tenorshare.net
Akamai International B.V.
whitelisted
3204
iexplore.exe
2.16.186.51:80
dl.tenorshare.net
Akamai International B.V.
whitelisted
2956
iexplore.exe
13.107.21.200:80
www.bing.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
dl.tenorshare.net
  • 2.16.186.81
  • 2.16.186.51
whitelisted

Threats

PID
Process
Class
Message
3204
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
2964
iCareFonetrial_ts_en[1].tmp
Potential Corporate Privacy Violation
ET POLICY Unsupported/Fake Windows NT Version 5.0
2964
iCareFonetrial_ts_en[1].tmp
Potential Corporate Privacy Violation
ET POLICY Unsupported/Fake Windows NT Version 5.0
2964
iCareFonetrial_ts_en[1].tmp
Potential Corporate Privacy Violation
ET POLICY External IP Lookup ip-api.com
2964
iCareFonetrial_ts_en[1].tmp
Misc activity
ADWARE [PTsecurity] Adware.AdAnti
2924
Tenorshare iCareFone.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
2924
Tenorshare iCareFone.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
4 ETPRO signatures available at the full report
Process
Message
Tenorshare iCareFone.exe
2019-2-28 4:2:23 Tenorshare iCareFone<3116>:: MainViewModel : iTunes Component Check. Unerected
Tenorshare iCareFone.exe
2019-2-28 4:2:23 Tenorshare iCareFone<3632>:: TSPackageManagerImpl::OnHandle : Download File = C:\Users\admin\AppData\Local\Temp\iTunes.exe
Tenorshare iCareFone.exe
2019-2-28 4:2:23 Tenorshare iCareFone<3632>:: iTunesService : Dwonload Started.
Tenorshare iCareFone.exe
2019-2-28 4:2:39 Tenorshare iCareFone<3632>:: TSPackageManagerImpl::OnHandle Download C:\Users\admin\AppData\Local\Temp\iTunes.exe Result = 0
Tenorshare iCareFone.exe
2019-2-28 4:2:39 Tenorshare iCareFone<3632>:: iTunesService : Dwonload Completed. Package = C:\Users\admin\AppData\Local\Temp\iTunes.exe
Tenorshare iCareFone.exe
2019-2-28 4:2:39 Tenorshare iCareFone<3632>:: iTunesService : Dwonload Ended.
Tenorshare iCareFone.exe
2019-2-28 4:2:39 Tenorshare iCareFone<2624>:: TSPackageManagerImpl::Install Command = "C:\Program Files\Tenorshare iCareFone\7z\7z.exe" x "C:\Users\admin\AppData\Local\Temp\iTunes.exe" -y -o"C:\Users\admin\AppData\Local\Temp\iTunes"
Tenorshare iCareFone.exe
2019-2-28 4:2:42 Tenorshare iCareFone<2624>:: iTunesService : Install Started.
Tenorshare iCareFone.exe
2019-2-28 4:2:42 Tenorshare iCareFone<2624>:: TSPackageManagerImpl::Install ExtractDir = C:\Users\admin\AppData\Local\Temp\iTunes
Tenorshare iCareFone.exe
2019-2-28 4:3:7 Tenorshare iCareFone<2624>:: iTunesService : Install Completed. Index = 0, Package = C:\Users\admin\AppData\Local\Temp\iTunes\AppleApplicationSupport.msi