| File name: | S1ESP-Install [-n].exe |
| Full analysis: | https://app.any.run/tasks/f59fcc92-eed2-4f58-bdeb-a8707680241d |
| Verdict: | Malicious activity |
| Analysis date: | May 13, 2024, 00:49:05 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 54F9B2CFC0D5A7BC60C4E3C86A918F57 |
| SHA1: | F05218A60DB23966B98AF86B5CC13A8DD55F43F9 |
| SHA256: | F6A0A94E06F5ADCA32CA26E54373E8662DB9B57E0582BA9ACE31C5B1044B657E |
| SSDEEP: | 98304:0XnM2QmCsYOCCCTPodyw9bLoDtb1UQ6egssvh2Rq4bZjgcNwNS9UvvNfP81C5AZ3:yD6Fx03g/2Q8ewu |
MALICIOUS
Drops the executable file immediately after the start
- S1ESP-Install [-n].exe (PID: 2072)
- S1ESPInstall.exe (PID: 820)
Creates a writable file in the system directory
- S1ESP.exe (PID: 2512)
SUSPICIOUS
Process drops legitimate windows executable
- S1ESP-Install [-n].exe (PID: 2072)
- S1ESPInstall.exe (PID: 820)
Reads security settings of Internet Explorer
- S1ESP-Install [-n].exe (PID: 2072)
- S1ESPInstall.exe (PID: 820)
The process drops C-runtime libraries
- S1ESP-Install [-n].exe (PID: 2072)
- S1ESPInstall.exe (PID: 820)
Reads the Internet Settings
- S1ESP-Install [-n].exe (PID: 2072)
- S1ESPInstall.exe (PID: 820)
Executable content was dropped or overwritten
- S1ESP-Install [-n].exe (PID: 2072)
- S1ESPInstall.exe (PID: 820)
Starts SC.EXE for service management
- S1ESPInstall.exe (PID: 820)
Process drops SQLite DLL files
- S1ESPInstall.exe (PID: 820)
Executes as Windows Service
- S1ESPSvc.exe (PID: 1548)
Creates a software uninstall entry
- S1ESPInstall.exe (PID: 820)
- S1ESP.exe (PID: 2512)
Searches for installed software
- S1ESPSvc.exe (PID: 1548)
- S1ESPUp.exe (PID: 2272)
- S1ESP.exe (PID: 2512)
- S1ESPSub.exe (PID: 992)
Drops a system driver (possible attempt to evade defenses)
- S1ESPInstall.exe (PID: 820)
INFO
Checks supported languages
- S1ESP-Install [-n].exe (PID: 2072)
- S1ESPInstall.exe (PID: 820)
- S1ESPSvc.exe (PID: 1764)
- S1ESPSvc.exe (PID: 1548)
- S1ESPUp.exe (PID: 2272)
- S1ESP.exe (PID: 2512)
- S1ESPSub.exe (PID: 992)
- wmpnscfg.exe (PID: 328)
Creates files in the program directory
- S1ESP-Install [-n].exe (PID: 2072)
- S1ESPSvc.exe (PID: 1764)
- S1ESPUp.exe (PID: 2272)
- S1ESP.exe (PID: 2512)
- S1ESPInstall.exe (PID: 820)
Reads the computer name
- S1ESP-Install [-n].exe (PID: 2072)
- S1ESPSvc.exe (PID: 1764)
- S1ESPSvc.exe (PID: 1548)
- S1ESPUp.exe (PID: 2272)
- S1ESP.exe (PID: 2512)
- wmpnscfg.exe (PID: 328)
- S1ESPInstall.exe (PID: 820)
Manual execution by a user
- wmpnscfg.exe (PID: 328)
Reads the machine GUID from the registry
- S1ESPInstall.exe (PID: 820)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (16.3) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (14.5) |
| .dll | | | Win32 Dynamic Link Library (generic) (3.4) |
| .exe | | | Win32 Executable (generic) (2.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2020:04:16 01:26:28+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 14 |
| CodeSize: | 1542144 |
| InitializedDataSize: | 7712768 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x14e062 |
| OSVersion: | 5.1 |
| ImageVersion: | - |
| SubsystemVersion: | 5.1 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.9.0.0 |
| ProductVersionNumber: | 1.0.0.1 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | JiranSoft., ltd. |
| FileDescription: | S1ESP_Release |
| FileVersion: | 0.9.0.0 |
| InternalName: | S1ESPReleaser.exe |
| LegalCopyright: | Copyright (c) JiranSoft. All rights reserved. |
| OriginalFileName: | S1ESPReleaser.exe |
| ProductName: | S-1 ESP |
| ProductVersion: | S-1 ESP |
Total processes
57
Monitored processes
16
Malicious processes
2
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 284 | "C:\Windows\System32\schtasks.exe" /create /tn "s1espchk_onstart" /tr \""C:\Program Files\S1ESP\S1ESPChk.exe"\" /sc onstart /ru System | C:\Windows\System32\schtasks.exe | — | S1ESPInstall.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 308 | "C:\Windows\System32\schtasks.exe" /f /delete /tn s1espchk_onstart | C:\Windows\System32\schtasks.exe | — | S1ESPInstall.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 328 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 728 | "C:\Windows\System32\schtasks.exe" /f /delete /tn s1espchk_minute | C:\Windows\System32\schtasks.exe | — | S1ESPInstall.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 820 | "C:\ProgramData\jirancom\InstallerPackage\32bit\S1ESPInstall.exe" -n | C:\ProgramData\jirancom\InstallerPackage\32bit\S1ESPInstall.exe | S1ESP-Install [-n].exe | ||||||||||||
User: admin Company: JiranSoft., ltd. Integrity Level: HIGH Description: S1ESP_Installer Exit code: 0 Version: 0.9.0.0 Modules
| |||||||||||||||
| 992 | "C:\Program Files\S1ESP\S1ESPSub.exe" | C:\Program Files\S1ESP\S1ESPSub.exe | — | S1ESPSvc.exe | |||||||||||
User: SYSTEM Company: JiranSoft., ltd. Integrity Level: SYSTEM Description: s1sespsub Version: 1.0.0.1 Modules
| |||||||||||||||
| 1060 | schtasks.exe | C:\Windows\System32\schtasks.exe | — | S1ESPInstall.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1292 | "C:\Windows\system32\sc.exe" config PcaSvc start= disabled | C:\Windows\System32\sc.exe | — | S1ESPInstall.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1424 | "C:\Windows\System32\schtasks.exe" /create /tn "s1espchk_minute" /tr \""C:\Program Files\S1ESP\S1ESPChk.exe"\" /sc minute /mo 20 /ru System | C:\Windows\System32\schtasks.exe | — | S1ESPInstall.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1548 | "C:\Program Files\S1ESP\S1ESPSvc.exe" | C:\Program Files\S1ESP\S1ESPSvc.exe | services.exe | ||||||||||||
User: SYSTEM Company: JiranSoft., ltd. Integrity Level: SYSTEM Description: S1SESP_Service Version: 0.9.0.0 Modules
| |||||||||||||||
Total events
3 275
Read events
3 242
Write events
32
Delete events
1
Modification events
| (PID) Process: | (2072) S1ESP-Install [-n].exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (2072) S1ESP-Install [-n].exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (2072) S1ESP-Install [-n].exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (2072) S1ESP-Install [-n].exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (820) S1ESPInstall.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
| (PID) Process: | (820) S1ESPInstall.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | IntranetName |
Value: 1 | |||
| (PID) Process: | (820) S1ESPInstall.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 1 | |||
| (PID) Process: | (820) S1ESPInstall.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 0 | |||
| (PID) Process: | (1764) S1ESPSvc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{804114DB-BB8E-4200-B911-548669A9B371} |
| Operation: | write | Name: | ServiceName |
Value: S1ESPSvc | |||
| (PID) Process: | (1764) S1ESPSvc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\{804114DB-BB8E-4200-B911-548669A9B371} |
| Operation: | delete value | Name: | LocalService |
Value: | |||
Executable files
48
Suspicious files
2
Text files
5
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2072 | S1ESP-Install [-n].exe | C:\ProgramData\jirancom\InstallerPackage.pkg | — | |
MD5:— | SHA256:— | |||
| 820 | S1ESPInstall.exe | C:\ProgramData\jirancom\S1ESP\tmpdownloadfiles\ESPAgent32.pkg | — | |
MD5:— | SHA256:— | |||
| 2072 | S1ESP-Install [-n].exe | C:\ProgramData\jirancom\InstallerPackage\32bit\mosquitto.dll | executable | |
MD5:A2370A61AA5B5D6E3FA861A9A231A68F | SHA256:40BE91FBA78BD0A3520E3A68D836413729353130DA8D3C5F66F4405C1D1177CA | |||
| 820 | S1ESPInstall.exe | C:\ProgramData\jirancom\S1ESP\tmpdownloadfiles\32bit\common\esphookdriver32.sys | executable | |
MD5:81C7AAAA44DB540A7C82DA12EA9C5182 | SHA256:069E08C033EA5ACAC84DB3DC64BB8742070F302F5B20C304CE5662A15CD7E881 | |||
| 820 | S1ESPInstall.exe | C:\ProgramData\jirancom\S1ESP\tmpdownloadfiles\32bit\common\pthreadVC2.dll | executable | |
MD5:E361CAC515F5FC9578B306F6C6A72DF7 | SHA256:01D6294F8453FE205D6ACDF0D184EA32CABDB7696D69FECD28343E29B4FBD79C | |||
| 2072 | S1ESP-Install [-n].exe | C:\ProgramData\jirancom\InstallerPackage\64bit\mosquitto.dll | executable | |
MD5:1F43CF2C5E7C9DFBA56FE80721465CE3 | SHA256:92BF717BB1FAE60CE4B164A0EE4ECC7577448B3E9D1EEA2FBD8796B68DA54884 | |||
| 2072 | S1ESP-Install [-n].exe | C:\ProgramData\jirancom\InstallerPackage\64bit\S1ESPLib.dll | executable | |
MD5:B67EA52F7DDF46C077FEA9B5874DCFB9 | SHA256:4451145700647D634F86D7E9BD803E749E6A7B16ED21AA910E3BF0974C0AFD07 | |||
| 820 | S1ESPInstall.exe | C:\ProgramData\jirancom\S1ESP\tmpdownloadfiles\32bit\common\S1ESPAuth_x86.dll | executable | |
MD5:D8F5B2B7161EBE8A5CB02867F00BC16A | SHA256:3994C9A94DBD77B53FCF4501A162B96ED3EEFB89407193130BE43B8F3AF4848E | |||
| 2072 | S1ESP-Install [-n].exe | C:\ProgramData\jirancom\InstallerPackage\32bit\S1ESPLib.dll | executable | |
MD5:7D909D30EC7E9AEC99B961902738907F | SHA256:2E9649F101F335BFBBC754D0784208BE6544ACD46C63A95819E5F9CD415D6571 | |||
| 820 | S1ESPInstall.exe | C:\ProgramData\jirancom\S1ESP\tmpdownloadfiles\32bit\common\mosquittopp_x86.dll | executable | |
MD5:39A35E605516902D45B4E7ECAD6FFEA8 | SHA256:F79F4580A558BB9C9B0D9189A2001383CD63E3C4E0D81D35BC1625C808FDD496 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
5
DNS requests
2
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
820 | S1ESPInstall.exe | GET | 200 | 110.10.125.110:80 | http://api.s1esp.com/v1/utm/agent/update/S1ESP/InstallFiles/Release/ESPAgent32.pkg?20240513014931 | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
820 | S1ESPInstall.exe | 110.10.125.110:80 | api.s1esp.com | SK Broadband Co Ltd | KR | unknown |
2512 | S1ESP.exe | 110.10.125.110:80 | api.s1esp.com | SK Broadband Co Ltd | KR | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
api.s1esp.com |
| unknown |
Threats
Process | Message |
|---|---|
S1ESP-Install [-n].exe | [S1PlatformAgent] Releaser : Find FileName - -n |
S1ESPInstall.exe | [OfficeKeeper] RESBOX : Load String Resource Fail [ID: 346] |
S1ESPInstall.exe | [OfficeKeeper] RESBOX : Load String Resource Fail [ID: 334] |
S1ESPInstall.exe | [OfficeKeeper] RESBOX : Load String Resource Fail [ID: 352] |
S1ESPInstall.exe | [OfficeKeeper] RESBOX : Load String Resource Fail [ID: 345] |
S1ESPInstall.exe | [OfficeKeeper] RESBOX : Load String Resource Fail [ID: 332] |
S1ESPInstall.exe | [OfficeKeeper] RESBOX : Load String Resource Fail [ID: 338] |
S1ESPInstall.exe | [OfficeKeeper] RESBOX : Load String Resource Fail [ID: 353] |
S1ESPInstall.exe | [OfficeKeeper] RESBOX : Load String Resource Fail [ID: 331] |
S1ESPInstall.exe | [OfficeKeeper] RESBOX : Load String Resource Fail [ID: 351] |