analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | setup.exe |
| Full analysis: | https://app.any.run/tasks/c23dba30-919f-4709-a4fe-7958ecdf4874 |
| Verdict: | Malicious activity |
| Analysis date: | November 23, 2023, 17:00:05 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | EA58C12B25C48FEA01EEE390ED06C84A |
| SHA1: | DF28A8077121C74EFE33A0617F8CC030C654F3C6 |
| SHA256: | FA757528FDF828A3C372A2C12A4BACA687CED0D1F7E4C5F7A69183ADDC575A46 |
| SSDEEP: | 98304:QJyEM7ncqFIG7xn8Oy2uyCNxIHCrrHk+4kq65I+G6fs8IN1DGfma5E7vVpKYFNMV:VYv3eg |
MALICIOUS
Drops the executable file immediately after the start
- setup.exe (PID: 3508)
- setup.tmp (PID: 3524)
- unins000.exe (PID: 3624)
- _iu14D2N.tmp (PID: 3632)
SUSPICIOUS
Process drops legitimate windows executable
- setup.tmp (PID: 3524)
- _iu14D2N.tmp (PID: 3632)
Reads the Windows owner or organization settings
- setup.tmp (PID: 3524)
- _iu14D2N.tmp (PID: 3632)
Starts itself from another location
- unins000.exe (PID: 3624)
Starts application with an unusual extension
- unins000.exe (PID: 3624)
INFO
Checks supported languages
- setup.tmp (PID: 3524)
- setup.exe (PID: 3508)
- unins000.exe (PID: 3624)
- _iu14D2N.tmp (PID: 3632)
Create files in a temporary directory
- setup.exe (PID: 3508)
- setup.tmp (PID: 3524)
- unins000.exe (PID: 3624)
- _iu14D2N.tmp (PID: 3632)
Reads the computer name
- setup.tmp (PID: 3524)
Creates files in the program directory
- setup.tmp (PID: 3524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (81.5) |
|---|---|---|
| .exe | | | Win32 Executable Delphi generic (10.5) |
| .exe | | | Win32 Executable (generic) (3.3) |
| .exe | | | Win16/32 Executable Delphi generic (1.5) |
| .exe | | | Generic Win/DOS Executable (1.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2012:10:02 07:04:04+02:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 86016 |
| InitializedDataSize: | 158208 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x16478 |
| OSVersion: | 5 |
| ImageVersion: | 6 |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.5 |
| ProductVersionNumber: | 1.0.0.5 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | torrent-igruha.org |
| FileDescription: | Half-Life 2 Complete Edition Setup |
| FileVersion: | 1.0.0.5 |
| LegalCopyright: | |
| ProductName: | Half-Life 2 Complete Edition |
| ProductVersion: | 1.0.0.5 |
Total processes
42
Monitored processes
5
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3128 | "C:\Users\admin\AppData\Local\Temp\setup.exe" | C:\Users\admin\AppData\Local\Temp\setup.exe | — | explorer.exe | |||||||||||
User: admin Company: torrent-igruha.org Integrity Level: MEDIUM Description: Half-Life 2 Complete Edition Setup Exit code: 3221226540 Version: 1.0.0.5 Modules
| |||||||||||||||
| 3508 | "C:\Users\admin\AppData\Local\Temp\setup.exe" | C:\Users\admin\AppData\Local\Temp\setup.exe | explorer.exe | ||||||||||||
User: admin Company: torrent-igruha.org Integrity Level: HIGH Description: Half-Life 2 Complete Edition Setup Version: 1.0.0.5 Modules
| |||||||||||||||
| 3524 | "C:\Users\admin\AppData\Local\Temp\is-D6JCC.tmp\setup.tmp" /SL5="$70134,1698870,245248,C:\Users\admin\AppData\Local\Temp\setup.exe" | C:\Users\admin\AppData\Local\Temp\is-D6JCC.tmp\setup.tmp | — | setup.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Version: 51.1052.0.0 Modules
| |||||||||||||||
| 3624 | "C:\Program Files\Half-Life 2 Complete Edition\unins000.exe" /VERYSILENT | C:\Program Files\Half-Life 2 Complete Edition\unins000.exe | — | setup.tmp | |||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 3632 | "C:\Users\admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files\Half-Life 2 Complete Edition\unins000.exe" /FIRSTPHASEWND=$501A0 /VERYSILENT | C:\Users\admin\AppData\Local\Temp\_iu14D2N.tmp | — | unins000.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
Total events
771
Read events
764
Write events
0
Delete events
7
Modification events
| (PID) Process: | (3632) _iu14D2N.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Half-Life 2 Complete Edition_is1 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3632) _iu14D2N.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| Operation: | delete value | Name: | C:\Program Files\Half-Life 2 Complete Edition\Half-Life 2 Episode Two.exe |
Value: RUNASADMIN | |||
| (PID) Process: | (3632) _iu14D2N.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| Operation: | delete value | Name: | C:\Program Files\Half-Life 2 Complete Edition\Half-Life 2 Episode One.exe |
Value: RUNASADMIN | |||
| (PID) Process: | (3632) _iu14D2N.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| Operation: | delete value | Name: | C:\Program Files\Half-Life 2 Complete Edition\Half-Life 2 Lost Coast.exe |
Value: RUNASADMIN | |||
| (PID) Process: | (3632) _iu14D2N.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| Operation: | delete value | Name: | C:\Program Files\Half-Life 2 Complete Edition\Half-Life Source.exe |
Value: RUNASADMIN | |||
| (PID) Process: | (3632) _iu14D2N.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| Operation: | delete value | Name: | C:\Program Files\Half-Life 2 Complete Edition\hl2.exe |
Value: RUNASADMIN | |||
| (PID) Process: | (3632) _iu14D2N.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
16
Suspicious files
2
Text files
7
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\cls.ini | — | |
MD5:— | SHA256:— | |||
| 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\botva2.dll | executable | |
MD5:67965A5957A61867D661F05AE1F4773E | SHA256:450B9B0BA25BF068AFBC2B23D252585A19E282939BF38326384EA9112DFD0105 | |||
| 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\ISDone.dll | executable | |
MD5:4FEAFA8B5E8CDB349125C8AF0AC43974 | SHA256:BB8A0245DCC5C10A1C7181BAD509B65959855009A8105863EF14F2BB5B38AC71 | |||
| 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\b2p.dll | executable | |
MD5:AB35386487B343E3E82DBD2671FF9DAB | SHA256:C3729545522FCFF70DB61046C0EFD962DF047D40E3B5CCD2272866540FC872B2 | |||
| 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\WinTB.dll | executable | |
MD5:A2EEE508E6A51C6335650532E05AC550 | SHA256:75FB2984E1B06F4278FB7B3C77E9FEC84E02A3B4BF82D35120F8CBE7BDBC76BF | |||
| 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\English.ini | text | |
MD5:B031BEE9106D82782B43BDF5D4AD79B0 | SHA256:E1B6F4DC9BA12E110B33D370E8F06F176228059C42754BE5DA7B92AB939FF38E | |||
| 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\arc.ini | text | |
MD5:377AED8F1AD08D80DCBD1A631A128EEB | SHA256:0AB838CA04CDF7052CA730F8375B46A8C1785FA8F9383F04A7024C40C4CA8DD6 | |||
| 3524 | setup.tmp | C:\Users\admin\Documents\TI\is-3MPQP.tmp | text | |
MD5:629E551E2783B532ABBDBFC0789D51C5 | SHA256:3761A0B75C68BCA3C1D8717A41F01094C5DA6999C945B35A852D4A844076E42D | |||
| 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\CallbackCtrl.dll | executable | |
MD5:F07E819BA2E46A897CFABF816D7557B2 | SHA256:68F42A7823ED7EE88A5C59020AC52D4BBCADF1036611E96E470D986C8FAA172D | |||
| 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\cls-lolz_x86.exe | executable | |
MD5:7CBE7DB7FC9258B6A43551140C343BB3 | SHA256:6EA07AA4F5565AC289402ADE3B2E52BF8089AD6185E0ECF0E1F36CEA39C091A9 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | unknown |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | unknown |