| URL: | http://dl.tenorshare.net/iCareFonetrial_ts_en.exe |
| Full analysis: | https://app.any.run/tasks/1d4aef77-935c-4735-84d3-770779d5138d |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | February 28, 2019, 04:00:54 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | 6BDAD3459B1114B40AD4FF1B13167C8F |
| SHA1: | 757BD12F059CA14C7E1208AFFF3E1A8A69314E0A |
| SHA256: | F11CDA6840D5479E46560DE00F90F84272F2D90038F3140848EC90F9337D804F |
| SSDEEP: | 3:N1KaJaxLLznEXGTR6uL4A:CaJwL7BLN |

| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 352 | "C:\Program Files\iTunes\iTunesHelper.exe" | C:\Program Files\iTunes\iTunesHelper.exe | | msiexec.exe | User: admin; Company: Apple Inc.; Integrity Level: HIGH; Description: iTunesHelper; Exit code: 0; Version: 12.9.3.3 |
| 592 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
| 688 | C:\Windows\system32\svchost.exe -k RPCSS | C:\Windows\System32\svchost.exe | — | services.exe | User: NETWORK SERVICE; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Host Process for Windows Services; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 884 | C:\Windows\system32\DllHost.exe /Processid:{16D99191-6280-4B33-A2F5-04805A0FC582} | C:\Windows\system32\DllHost.exe | — | svchost.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: COM Surrogate; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1624 | C:\Windows\system32\MsiExec.exe -Embedding A142F0A0C1AA2B7DC27AC08EA8A3575F | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
| 1712 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2832 CREDAT:79873 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Internet Explorer; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
| 1856 | "C:\Program Files\Tenorshare iCareFone\7z\7z.exe" x "C:\Users\admin\AppData\Local\Temp\iTunes.exe" -y -o"C:\Users\admin\AppData\Local\Temp\iTunes" | C:\Program Files\Tenorshare iCareFone\7z\7z.exe | | Tenorshare iCareFone.exe | User: admin; Company: Igor Pavlov; Integrity Level: HIGH; Description: 7-Zip Console; Exit code: 0; Version: 18.05 |
| 2148 | C:\Windows\system32\MsiExec.exe -Embedding 52FC274D3C945149712481912EE18976 | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |
| 2268 | "C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe" | C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe | | services.exe | User: SYSTEM; Company: Apple Inc.; Integrity Level: SYSTEM; Description: MobileDeviceService; Exit code: 0; Version: 423.208.1.8 |
| 2312 | "C:\Windows\system32\MsiExec.exe" /Y "C:\Program Files\Apple Software Update\ScriptingObjectModel.dll" | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | User: admin; Company: Microsoft Corporation; Integrity Level: HIGH; Description: Windows® installer; Exit code: 0; Version: 5.0.7600.16385 (win7_rtm.090713-1255) |

| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 2956 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0 |
| 2956 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 0 |
| 2956 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 1 |
| 2956 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | SecuritySafe | 1 |
| 2956 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | 0 |
| 2956 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | |
| 2956 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active | {7AAF589D-3B0D-11E9-BEEC-5254004A04AF} | 0 |
| 2956 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Type | 4 |
| 2956 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Count | 3 |
| 2956 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | Time | E307020004001C00040001000A003E02 |

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 2956 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico | — | — | — |
| 2956 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | — |
| 2956 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFD27972D57E9BD8B3.TMP | — | — | — |
| 3204 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\iCareFonetrial_ts_en[1].exe | — | — | — |
| 2956 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\iCareFonetrial_ts_en[1].exe | — | — | — |
| 2956 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF4E4CFAA4699CD2D3.TMP | — | — | — |
| 2956 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{7AAF589D-3B0D-11E9-BEEC-5254004A04AF}.dat | — | — | — |
| 2964 | iCareFonetrial_ts_en[1].tmp | C:\Program Files\Tenorshare iCareFone\is-7U396.tmp | — | — | — |
| 2964 | iCareFonetrial_ts_en[1].tmp | C:\Program Files\Tenorshare iCareFone\is-M3E1M.tmp | — | — | — |
| 2964 | iCareFonetrial_ts_en[1].tmp | C:\Program Files\Tenorshare iCareFone\is-4TMJB.tmp | — | — | — |

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3204 | iexplore.exe | GET | — | 2.16.186.51:80 | http://dl.tenorshare.net/iCareFonetrial_ts_en.exe | unknown | — | — | whitelisted |
| 2956 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2956 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
| 3204 | iexplore.exe | 2.16.186.81:80 | dl.tenorshare.net | Akamai International B.V. | — | whitelisted |
| 2956 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
| 3204 | iexplore.exe | 2.16.186.51:80 | dl.tenorshare.net | Akamai International B.V. | — | whitelisted |

| Domain | IP | Reputation |
|---|---|---|
| www.bing.com | | whitelisted |
| dl.tenorshare.net | | whitelisted |

| PID | Process | Class | Message |
|---|---|---|---|
| 3204 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
| 2964 | iCareFonetrial_ts_en[1].tmp | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 5.0 |
| 2964 | iCareFonetrial_ts_en[1].tmp | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 5.0 |
| 2964 | iCareFonetrial_ts_en[1].tmp | Potential Corporate Privacy Violation | ET POLICY External IP Lookup ip-api.com |
| 2964 | iCareFonetrial_ts_en[1].tmp | Misc activity | ADWARE [PTsecurity] Adware.AdAnti |
| 2924 | Tenorshare iCareFone.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
| 2924 | Tenorshare iCareFone.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |

| Process | Message |
|---|---|
| Tenorshare iCareFone.exe | 2019-2-28 4:2:23 Tenorshare iCareFone<3116>:: MainViewModel : iTunes Component Check. Unerected |
| Tenorshare iCareFone.exe | 2019-2-28 4:2:23 Tenorshare iCareFone<3632>:: TSPackageManagerImpl::OnHandle : Download File = C:\Users\admin\AppData\Local\Temp\iTunes.exe |
| Tenorshare iCareFone.exe | 2019-2-28 4:2:23 Tenorshare iCareFone<3632>:: iTunesService : Dwonload Started. |
| Tenorshare iCareFone.exe | 2019-2-28 4:2:39 Tenorshare iCareFone<3632>:: TSPackageManagerImpl::OnHandle Download C:\Users\admin\AppData\Local\Temp\iTunes.exe Result = 0 |
| Tenorshare iCareFone.exe | 2019-2-28 4:2:39 Tenorshare iCareFone<3632>:: iTunesService : Dwonload Completed. Package = C:\Users\admin\AppData\Local\Temp\iTunes.exe |
| Tenorshare iCareFone.exe | 2019-2-28 4:2:39 Tenorshare iCareFone<3632>:: iTunesService : Dwonload Ended. |
| Tenorshare iCareFone.exe | 2019-2-28 4:2:39 Tenorshare iCareFone<2624>:: TSPackageManagerImpl::Install Command = "C:\Program Files\Tenorshare iCareFone\7z\7z.exe" x "C:\Users\admin\AppData\Local\Temp\iTunes.exe" -y -o"C:\Users\admin\AppData\Local\Temp\iTunes" |
| Tenorshare iCareFone.exe | 2019-2-28 4:2:42 Tenorshare iCareFone<2624>:: iTunesService : Install Started. |
| Tenorshare iCareFone.exe | 2019-2-28 4:2:42 Tenorshare iCareFone<2624>:: TSPackageManagerImpl::Install ExtractDir = C:\Users\admin\AppData\Local\Temp\iTunes |
| Tenorshare iCareFone.exe | 2019-2-28 4:3:7 Tenorshare iCareFone<2624>:: iTunesService : Install Completed. Index = 0, Package = C:\Users\admin\AppData\Local\Temp\iTunes\AppleApplicationSupport.msi |