| File name: | S1ESP-Install [-n].exe |
| Full analysis: | https://app.any.run/tasks/f59fcc92-eed2-4f58-bdeb-a8707680241d |
| Verdict: | Malicious activity |
| Analysis date: | May 13, 2024, 00:49:05 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 54F9B2CFC0D5A7BC60C4E3C86A918F57 |
| SHA1: | F05218A60DB23966B98AF86B5CC13A8DD55F43F9 |
| SHA256: | F6A0A94E06F5ADCA32CA26E54373E8662DB9B57E0582BA9ACE31C5B1044B657E |
| SSDEEP: | 98304:0XnM2QmCsYOCCCTPodyw9bLoDtb1UQ6egssvh2Rq4bZjgcNwNS9UvvNfP81C5AZ3:yD6Fx03g/2Q8ewu |
MALICIOUS
Drops the executable file immediately after the start
- S1ESP-Install [-n].exe (PID: 2072)
- S1ESPInstall.exe (PID: 820)
Creates a writable file in the system directory
- S1ESP.exe (PID: 2512)
SUSPICIOUS
The process drops C-runtime libraries
- S1ESP-Install [-n].exe (PID: 2072)
- S1ESPInstall.exe (PID: 820)
Process drops legitimate windows executable
- S1ESP-Install [-n].exe (PID: 2072)
- S1ESPInstall.exe (PID: 820)
Reads security settings of Internet Explorer
- S1ESP-Install [-n].exe (PID: 2072)
- S1ESPInstall.exe (PID: 820)
Reads the Internet Settings
- S1ESP-Install [-n].exe (PID: 2072)
- S1ESPInstall.exe (PID: 820)
Executable content was dropped or overwritten
- S1ESP-Install [-n].exe (PID: 2072)
- S1ESPInstall.exe (PID: 820)
Drops a system driver (possible attempt to evade defenses)
- S1ESPInstall.exe (PID: 820)
Starts SC.EXE for service management
- S1ESPInstall.exe (PID: 820)
Process drops SQLite DLL files
- S1ESPInstall.exe (PID: 820)
Searches for installed software
- S1ESPSvc.exe (PID: 1548)
- S1ESPUp.exe (PID: 2272)
- S1ESP.exe (PID: 2512)
- S1ESPSub.exe (PID: 992)
Creates a software uninstall entry
- S1ESPInstall.exe (PID: 820)
- S1ESP.exe (PID: 2512)
Executes as Windows Service
- S1ESPSvc.exe (PID: 1548)
INFO
Checks supported languages
- S1ESP-Install [-n].exe (PID: 2072)
- S1ESPInstall.exe (PID: 820)
- wmpnscfg.exe (PID: 328)
- S1ESPSvc.exe (PID: 1764)
- S1ESPSvc.exe (PID: 1548)
- S1ESPUp.exe (PID: 2272)
- S1ESP.exe (PID: 2512)
- S1ESPSub.exe (PID: 992)
Creates files in the program directory
- S1ESP-Install [-n].exe (PID: 2072)
- S1ESPInstall.exe (PID: 820)
- S1ESPSvc.exe (PID: 1764)
- S1ESPUp.exe (PID: 2272)
- S1ESP.exe (PID: 2512)
Reads the computer name
- S1ESP-Install [-n].exe (PID: 2072)
- S1ESPInstall.exe (PID: 820)
- wmpnscfg.exe (PID: 328)
- S1ESPSvc.exe (PID: 1764)
- S1ESPSvc.exe (PID: 1548)
- S1ESP.exe (PID: 2512)
- S1ESPUp.exe (PID: 2272)
Manual execution by a user
- wmpnscfg.exe (PID: 328)
Reads the machine GUID from the registry
- S1ESPInstall.exe (PID: 820)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (16.3) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (14.5) |
| .dll | | | Win32 Dynamic Link Library (generic) (3.4) |
| .exe | | | Win32 Executable (generic) (2.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2020:04:16 01:26:28+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14 |
| CodeSize: | 1542144 |
| InitializedDataSize: | 7712768 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x14e062 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.9.0.0 |
| ProductVersionNumber: | 1.0.0.1 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | JiranSoft., ltd. |
| FileDescription: | S1ESP_Release |
| FileVersion: | 0.9.0.0 |
| InternalName: | S1ESPReleaser.exe |
| LegalCopyright: | Copyright (c) JiranSoft. All rights reserved. |
| OriginalFileName: | S1ESPReleaser.exe |
| ProductName: | S-1 ESP |
| ProductVersion: | S-1 ESP |
Total processes
57
Monitored processes
16
Malicious processes
2
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 284 | "C:\Windows\System32\schtasks.exe" /create /tn "s1espchk_onstart" /tr \""C:\Program Files\S1ESP\S1ESPChk.exe"\" /sc onstart /ru System | C:\Windows\System32\schtasks.exe | — | S1ESPInstall.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 308 | "C:\Windows\System32\schtasks.exe" /f /delete /tn s1espchk_onstart | C:\Windows\System32\schtasks.exe | — | S1ESPInstall.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 328 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 728 | "C:\Windows\System32\schtasks.exe" /f /delete /tn s1espchk_minute | C:\Windows\System32\schtasks.exe | — | S1ESPInstall.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 820 | "C:\ProgramData\jirancom\InstallerPackage\32bit\S1ESPInstall.exe" -n | C:\ProgramData\jirancom\InstallerPackage\32bit\S1ESPInstall.exe | S1ESP-Install [-n].exe | ||||||||||||
User: admin Company: JiranSoft., ltd. Integrity Level: HIGH Description: S1ESP_Installer Exit code: 0 Version: 0.9.0.0 Modules
| |||||||||||||||
| 992 | "C:\Program Files\S1ESP\S1ESPSub.exe" | C:\Program Files\S1ESP\S1ESPSub.exe | — | S1ESPSvc.exe | |||||||||||
User: SYSTEM Company: JiranSoft., ltd. Integrity Level: SYSTEM Description: s1sespsub Version: 1.0.0.1 Modules
| |||||||||||||||
| 1060 | schtasks.exe | C:\Windows\System32\schtasks.exe | — | S1ESPInstall.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1292 | "C:\Windows\system32\sc.exe" config PcaSvc start= disabled | C:\Windows\System32\sc.exe | — | S1ESPInstall.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1424 | "C:\Windows\System32\schtasks.exe" /create /tn "s1espchk_minute" /tr \""C:\Program Files\S1ESP\S1ESPChk.exe"\" /sc minute /mo 20 /ru System | C:\Windows\System32\schtasks.exe | — | S1ESPInstall.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1548 | "C:\Program Files\S1ESP\S1ESPSvc.exe" | C:\Program Files\S1ESP\S1ESPSvc.exe | services.exe | ||||||||||||
User: SYSTEM Company: JiranSoft., ltd. Integrity Level: SYSTEM Description: S1SESP_Service Version: 0.9.0.0 Modules
| |||||||||||||||
Total events
3 275
Read events
3 242
Write events
32
Delete events
1
Modification events
| (PID) Process: | (2072) S1ESP-Install [-n].exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2072) S1ESP-Install [-n].exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2072) S1ESP-Install [-n].exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2072) S1ESP-Install [-n].exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (820) S1ESPInstall.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (820) S1ESPInstall.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (820) S1ESPInstall.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (820) S1ESPInstall.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (1764) S1ESPSvc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{804114DB-BB8E-4200-B911-548669A9B371} |
| Operation: | write | Name: | ServiceName |
Value: S1ESPSvc | |||
| (PID) Process: | (1764) S1ESPSvc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{804114DB-BB8E-4200-B911-548669A9B371} |
| Operation: | delete value | Name: | LocalService |
Value: | |||
Executable files
48
Suspicious files
2
Text files
5
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2072 | S1ESP-Install [-n].exe | C:\ProgramData\jirancom\InstallerPackage.pkg | — | |
MD5:— | SHA256:— | |||
| 820 | S1ESPInstall.exe | C:\ProgramData\jirancom\S1ESP\tmpdownloadfiles\ESPAgent32.pkg | — | |
MD5:— | SHA256:— | |||
| 2072 | S1ESP-Install [-n].exe | C:\ProgramData\jirancom\InstallerPackage\64bit\pthreadVC2.dll | executable | |
MD5:C685D4A8D45D4E471476BE7CF05B6E91 | SHA256:128F873DE381D50DCBE4B59B0B92F7EE28C50B42DD2A0ED780B9748B28F8C2C5 | |||
| 2072 | S1ESP-Install [-n].exe | C:\ProgramData\jirancom\InstallerPackage\32bit\msvcr100.dll | executable | |
MD5:0E37FBFA79D349D672456923EC5FBBE3 | SHA256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18 | |||
| 2072 | S1ESP-Install [-n].exe | C:\ProgramData\jirancom\InstallerPackage\32bit\pthreadVC2.dll | executable | |
MD5:7874284CD831CFAE81A0C8084E4054BC | SHA256:4CD3AB8D4C3EF8253956232AFC15CAC9B55A4F3FAA516E219F98409E76E029F1 | |||
| 820 | S1ESPInstall.exe | C:\ProgramData\jirancom\S1ESP\tmpdownloadfiles\32bit\common\mosquitto.dll | executable | |
MD5:0699936119341BB2DDE128646FF0C422 | SHA256:7DD6535415161DDF4A52E4E4D0924D194693C6BF784F7E3BF3A485C46F8D9414 | |||
| 820 | S1ESPInstall.exe | C:\ProgramData\jirancom\S1ESP\tmpdownloadfiles\32bit\common\esphookdriver32.sys | executable | |
MD5:81C7AAAA44DB540A7C82DA12EA9C5182 | SHA256:069E08C033EA5ACAC84DB3DC64BB8742070F302F5B20C304CE5662A15CD7E881 | |||
| 2072 | S1ESP-Install [-n].exe | C:\ProgramData\jirancom\InstallerPackage\64bit\mosquitto.dll | executable | |
MD5:1F43CF2C5E7C9DFBA56FE80721465CE3 | SHA256:92BF717BB1FAE60CE4B164A0EE4ECC7577448B3E9D1EEA2FBD8796B68DA54884 | |||
| 2072 | S1ESP-Install [-n].exe | C:\ProgramData\jirancom\InstallerPackage\64bit\msvcr100.dll | executable | |
MD5:366FD6F3A451351B5DF2D7C4ECF4C73A | SHA256:AE3CB6C6AFBA9A4AA5C85F66023C35338CA579B30326DD02918F9D55259503D5 | |||
| 820 | S1ESPInstall.exe | C:\ProgramData\jirancom\S1ESP\tmpdownloadfiles\32bit\common\msvcr100.dll | executable | |
MD5:0E37FBFA79D349D672456923EC5FBBE3 | SHA256:8793353461826FBD48F25EA8B835BE204B758CE7510DB2AF631B28850355BD18 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
5
DNS requests
2
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
820 | S1ESPInstall.exe | GET | 200 | 110.10.125.110:80 | http://api.s1esp.com/v1/utm/agent/update/S1ESP/InstallFiles/Release/ESPAgent32.pkg?20240513014931 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
820 | S1ESPInstall.exe | 110.10.125.110:80 | api.s1esp.com | SK Broadband Co Ltd | KR | unknown |
2512 | S1ESP.exe | 110.10.125.110:80 | api.s1esp.com | SK Broadband Co Ltd | KR | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
api.s1esp.com |
| unknown |
Threats
Process | Message |
|---|---|
S1ESP-Install [-n].exe | [S1PlatformAgent] Releaser : Find FileName - -n |
S1ESPInstall.exe | [OfficeKeeper] RESBOX : Load String Resource Fail [ID: 346] |
S1ESPInstall.exe | [OfficeKeeper] RESBOX : Load String Resource Fail [ID: 334] |
S1ESPInstall.exe | [OfficeKeeper] RESBOX : Load String Resource Fail [ID: 352] |
S1ESPInstall.exe | [OfficeKeeper] RESBOX : Load String Resource Fail [ID: 345] |
S1ESPInstall.exe | [OfficeKeeper] RESBOX : Load String Resource Fail [ID: 332] |
S1ESPInstall.exe | [OfficeKeeper] RESBOX : Load String Resource Fail [ID: 338] |
S1ESPInstall.exe | [OfficeKeeper] RESBOX : Load String Resource Fail [ID: 353] |
S1ESPInstall.exe | [OfficeKeeper] RESBOX : Load String Resource Fail [ID: 331] |
S1ESPInstall.exe | [OfficeKeeper] RESBOX : Load String Resource Fail [ID: 351] |