| File name: | setup.exe |
| Full analysis: | https://app.any.run/tasks/c23dba30-919f-4709-a4fe-7958ecdf4874 |
| Verdict: | Malicious activity |
| Analysis date: | November 23, 2023, 17:00:05 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | EA58C12B25C48FEA01EEE390ED06C84A |
| SHA1: | DF28A8077121C74EFE33A0617F8CC030C654F3C6 |
| SHA256: | FA757528FDF828A3C372A2C12A4BACA687CED0D1F7E4C5F7A69183ADDC575A46 |
| SSDEEP: | 98304:QJyEM7ncqFIG7xn8Oy2uyCNxIHCrrHk+4kq65I+G6fs8IN1DGfma5E7vVpKYFNMV:VYv3eg |
MALICIOUS
Drops the executable file immediately after the start
- setup.exe (PID: 3508)
- unins000.exe (PID: 3624)
- _iu14D2N.tmp (PID: 3632)
- setup.tmp (PID: 3524)
SUSPICIOUS
Process drops legitimate windows executable
- setup.tmp (PID: 3524)
- _iu14D2N.tmp (PID: 3632)
Reads the Windows owner or organization settings
- setup.tmp (PID: 3524)
- _iu14D2N.tmp (PID: 3632)
Starts application with an unusual extension
- unins000.exe (PID: 3624)
Starts itself from another location
- unins000.exe (PID: 3624)
INFO
Checks supported languages
- setup.tmp (PID: 3524)
- setup.exe (PID: 3508)
- _iu14D2N.tmp (PID: 3632)
- unins000.exe (PID: 3624)
Reads the computer name
- setup.tmp (PID: 3524)
Create files in a temporary directory
- setup.exe (PID: 3508)
- setup.tmp (PID: 3524)
- unins000.exe (PID: 3624)
- _iu14D2N.tmp (PID: 3632)
Creates files in the program directory
- setup.tmp (PID: 3524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Inno Setup installer (81.5) |
|---|---|---|
| .exe | | | Win32 Executable Delphi generic (10.5) |
| .exe | | | Win32 Executable (generic) (3.3) |
| .exe | | | Win16/32 Executable Delphi generic (1.5) |
| .exe | | | Generic Win/DOS Executable (1.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2012:10:02 07:04:04+02:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 86016 |
| InitializedDataSize: | 158208 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x16478 |
| OSVersion: | 5 |
| ImageVersion: | 6 |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.0.0.5 |
| ProductVersionNumber: | 1.0.0.5 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | This installation was built with Inno Setup. |
| CompanyName: | torrent-igruha.org |
| FileDescription: | Half-Life 2 Complete Edition Setup |
| FileVersion: | 1.0.0.5 |
| LegalCopyright: | |
| ProductName: | Half-Life 2 Complete Edition |
| ProductVersion: | 1.0.0.5 |
Total processes
42
Monitored processes
5
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3128 | "C:\Users\admin\AppData\Local\Temp\setup.exe" | C:\Users\admin\AppData\Local\Temp\setup.exe | — | explorer.exe | |||||||||||
User: admin Company: torrent-igruha.org Integrity Level: MEDIUM Description: Half-Life 2 Complete Edition Setup Exit code: 3221226540 Version: 1.0.0.5 Modules
| |||||||||||||||
| 3508 | "C:\Users\admin\AppData\Local\Temp\setup.exe" | C:\Users\admin\AppData\Local\Temp\setup.exe | explorer.exe | ||||||||||||
User: admin Company: torrent-igruha.org Integrity Level: HIGH Description: Half-Life 2 Complete Edition Setup Exit code: 0 Version: 1.0.0.5 Modules
| |||||||||||||||
| 3524 | "C:\Users\admin\AppData\Local\Temp\is-D6JCC.tmp\setup.tmp" /SL5="$70134,1698870,245248,C:\Users\admin\AppData\Local\Temp\setup.exe" | C:\Users\admin\AppData\Local\Temp\is-D6JCC.tmp\setup.tmp | — | setup.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 3624 | "C:\Program Files\Half-Life 2 Complete Edition\unins000.exe" /VERYSILENT | C:\Program Files\Half-Life 2 Complete Edition\unins000.exe | — | setup.tmp | |||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
| 3632 | "C:\Users\admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Program Files\Half-Life 2 Complete Edition\unins000.exe" /FIRSTPHASEWND=$501A0 /VERYSILENT | C:\Users\admin\AppData\Local\Temp\_iu14D2N.tmp | — | unins000.exe | |||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 Modules
| |||||||||||||||
Total events
771
Read events
764
Write events
0
Delete events
7
Modification events
| (PID) Process: | (3632) _iu14D2N.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Half-Life 2 Complete Edition_is1 |
| Operation: | delete key | Name: | (default) |
Value: | |||
| (PID) Process: | (3632) _iu14D2N.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| Operation: | delete value | Name: | C:\Program Files\Half-Life 2 Complete Edition\Half-Life 2 Episode Two.exe |
Value: RUNASADMIN | |||
| (PID) Process: | (3632) _iu14D2N.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| Operation: | delete value | Name: | C:\Program Files\Half-Life 2 Complete Edition\Half-Life 2 Episode One.exe |
Value: RUNASADMIN | |||
| (PID) Process: | (3632) _iu14D2N.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| Operation: | delete value | Name: | C:\Program Files\Half-Life 2 Complete Edition\Half-Life 2 Lost Coast.exe |
Value: RUNASADMIN | |||
| (PID) Process: | (3632) _iu14D2N.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| Operation: | delete value | Name: | C:\Program Files\Half-Life 2 Complete Edition\Half-Life Source.exe |
Value: RUNASADMIN | |||
| (PID) Process: | (3632) _iu14D2N.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| Operation: | delete value | Name: | C:\Program Files\Half-Life 2 Complete Edition\hl2.exe |
Value: RUNASADMIN | |||
| (PID) Process: | (3632) _iu14D2N.tmp | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers |
| Operation: | delete key | Name: | (default) |
Value: | |||
Executable files
16
Suspicious files
2
Text files
7
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\cls.ini | — | |
MD5:— | SHA256:— | |||
| 3508 | setup.exe | C:\Users\admin\AppData\Local\Temp\is-D6JCC.tmp\setup.tmp | executable | |
MD5:A3DA0CC6F148DD70E8E8443E5C1BCF00 | SHA256:3991D7614A9EBFBE4FDF8A94F6B73AC0EEF0BA5FFA3F5071CFDEE4728BD07271 | |||
| 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\_isetup\_shfoldr.dll | executable | |
MD5:92DC6EF532FBB4A5C3201469A5B5EB63 | SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 | |||
| 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\b2p.dll | executable | |
MD5:AB35386487B343E3E82DBD2671FF9DAB | SHA256:C3729545522FCFF70DB61046C0EFD962DF047D40E3B5CCD2272866540FC872B2 | |||
| 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\ISDone.dll | executable | |
MD5:4FEAFA8B5E8CDB349125C8AF0AC43974 | SHA256:BB8A0245DCC5C10A1C7181BAD509B65959855009A8105863EF14F2BB5B38AC71 | |||
| 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\CallbackCtrl.dll | executable | |
MD5:F07E819BA2E46A897CFABF816D7557B2 | SHA256:68F42A7823ED7EE88A5C59020AC52D4BBCADF1036611E96E470D986C8FAA172D | |||
| 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\CLS-srep.dll | executable | |
MD5:E68C32297A0B144D13C0B5870CA8C8D8 | SHA256:6954112104BA041D18760DE5EB7E6825CC14CEC98FF49939A587CC6B27908BD2 | |||
| 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\cls-lolz_x64.exe | executable | |
MD5:7234C4334A7523B1AC6F51C072497071 | SHA256:D92F7C60256509F74E36D9B5AAB041FE44999B1A3910D70AA83C9D01F062EA29 | |||
| 3524 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-NLBOJ.tmp\cls-lolz_x86.exe | executable | |
MD5:7CBE7DB7FC9258B6A43551140C343BB3 | SHA256:6EA07AA4F5565AC289402ADE3B2E52BF8089AD6185E0ECF0E1F36CEA39C091A9 | |||
| 3524 | setup.tmp | C:\Users\admin\Documents\TI\is-M7L3T.tmp | image | |
MD5:516B46D8BA74C15AF629E09E05E02CDD | SHA256:EB495744A32B3D773CDC6AAD2C1570C991923CD4EB4C8A21DB8F722F37F96156 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
2588 | svchost.exe | 239.255.255.250:1900 | — | — | — | whitelisted |