| File name: | Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe |
|---|---|
| Full analysis: | https://app.any.run/tasks/1c1fd002-c559-4590-ac6f-93117c399f27 |
| Verdict: | Malicious activity |
| Analysis date: | February 26, 2024, 13:32:23 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 961795E6F576C203ACF26756248B1061 |
| SHA1: | 2A1EBF419DE2B5B5E4B7F34BFB9C4FBEB2A060F2 |
| SHA256: | FB7D9A5CF6AE1B52786827AB9357062EC5A7A9B49D1FAAAAEBC4B2E2B1C5F182 |
| SSDEEP: | 196608:BozgrggXBBj7QlBWIf+qivj62uKjMaaEusDCB3djS/YP0IAHIWyfuEZLNjdT1c/N:KgkgMMyXivjCKbavsDM3qqFAoW6uEZJ2 |
| .exe | NSIS - Nullsoft Scriptable Install System (61.2) |
|---|---|
| .ax | DirectShow filter (14.5) |
| .exe | Win32 EXE PECompact compressed (v2.x) (4.2) |
| .exe | InstallShield setup (3.1) |
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2020:12:14 15:13:03+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, 32-bit |
| PEType: | PE32 |
| LinkerVersion: | 9 |
| CodeSize: | 158720 |
| InitializedDataSize: | 219136 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x105b2 |
| OSVersion: | 5 |
| ImageVersion: | - |
| SubsystemVersion: | 5 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.58.9.6924 |
| ProductVersionNumber: | 1.5.8.3 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | Splashtop Inc. |
| FileDescription: | Splashtop® Wired XDisplay Agent |
| FileVersion: | 1.58.9.6924 |
| LegalCopyright: | Copyright © Splashtop Inc. All Rights Reserved. |
| ProductName: | Splashtop® Wired XDisplay - Extend & Mirror |
| ProductVersion: | 1.5.8.3 |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 712 | C:\Windows\system32\cmd.exe /c ver | C:\Windows\System32\cmd.exe | — | cmd.exe | SYSTEM | Microsoft Corporation | SYSTEM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
| 864 | C:\Windows\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | SYSTEM | Microsoft Corporation | SYSTEM | Microsoft® Volume Shadow Copy Service | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1492 | PreVerCheck.exe | C:\Users\admin\AppData\Local\Temp\unpack\PreVerCheck.exe | — | cmd.exe | admin | Splashtop Inc. | HIGH | Splashtop® Wired XDisplay Agent Installer | 0 | 1.58.9.6924 |
| 1624 | sc query ddmgr | C:\Windows\System32\sc.exe | — | cmd.exe | SYSTEM | Microsoft Corporation | SYSTEM | A tool to aid in developing services for WindowsNT | 1060 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 1776 | "C:\Users\admin\Downloads\Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe" | C:\Users\admin\Downloads\Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe | — | explorer.exe | admin | Splashtop Inc. | HIGH | Splashtop® Wired XDisplay Agent | 0 | 1.58.9.6924 |
| 1792 | timeout /t 2 /nobreak | C:\Windows\System32\timeout.exe | — | cmd.exe | SYSTEM | Microsoft Corporation | SYSTEM | timeout - pauses command processing | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2040 | sc query lci_proxywddm | C:\Windows\System32\sc.exe | — | cmd.exe | SYSTEM | Microsoft Corporation | SYSTEM | A tool to aid in developing services for WindowsNT | 1060 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2108 | rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{58cc549c-53ad-3f10-7fd5-d41420f46522} Global\{683bd266-2fd3-7c2f-f857-01617df66074} C:\Windows\System32\DriverStore\Temp\{2c78f9d4-a7c1-249e-ff27-6f0ec26e2a76}\lci_proxywddm.inf C:\Windows\System32\DriverStore\Temp\{2c78f9d4-a7c1-249e-ff27-6f0ec26e2a76}\lci_proxywddm.cat | C:\Windows\System32\rundll32.exe | — | drvinst.exe | SYSTEM | Microsoft Corporation | SYSTEM | Windows host process (Rundll32) | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2480 | DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{2af46000-235d-7e4a-8e8d-71476c814d1d}\lci_proxywddm.inf" "0" "6a8a251e7" "000005C8" "WinSta0\Default" "000005E8" "208" "c:\program files\splashtop\splashtop wired xdisplay\agent\driver\win7" | C:\Windows\System32\drvinst.exe | — | svchost.exe | SYSTEM | Microsoft Corporation | SYSTEM | Driver Installation Module | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| 2560 | rundll32 x86\my_setup.dll do_install_lci_proxywddm | C:\Windows\System32\rundll32.exe | — | cmd.exe | SYSTEM | Microsoft Corporation | SYSTEM | Windows host process (Rundll32) | 0 | 6.1.7600.16385 (win7_rtm.090713-1255) |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 1776 | Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1 |
| 1776 | Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1 |
| 1776 | Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1 |
| 1776 | Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0 |
| 864 | VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\ASR Writer | IDENTIFY (Enter) | 40000000000000001A14C942B868DA01600300008C0C0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
| 864 | VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | IDENTIFY (Enter) | 40000000000000001A14C942B868DA0160030000140A0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
| 864 | VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Shadow Copy Optimization Writer | IDENTIFY (Enter) | 40000000000000001A14C942B868DA0160030000DC0F0000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
| 864 | VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | IDENTIFY (Enter) | 40000000000000001A14C942B868DA0160030000B8080000E8030000010000000100000000000000000000000000000000000000000000000000000000000000 |
| 864 | VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\COM+ REGDB Writer | IDENTIFY (Leave) | 40000000000000007476CB42B868DA0160030000140A0000E8030000000000000100000000000000000000000000000000000000000000000000000000000000 |
| 864 | VSSVC.exe | write | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\Registry Writer | IDENTIFY (Leave) | 4000000000000000CED8CD42B868DA0160030000B8080000E8030000000000000100000000000000000000000000000000000000000000000000000000000000 |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1776 | Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe | C:\Users\admin\AppData\Local\Temp\unpack\setup.msi | — | — | — |
| 1776 | Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe | C:\Users\admin\AppData\Local\Temp\unpack.log | text | A331B342BF68264606A3C9311AFAF1D0 | 0520A0BA4C2B1FA590B4235F8384AD2B8C751E8A7ABF87D2266A8BA735375026 |
| 2560 | rundll32.exe | C:\Windows\INF\setupapi.dev.log | text | FC9B7ADC17A5DE079DC60F886F2AE00D | CFDFD4D5B35F8FBEEE836A6C6467C2B06DF96ED37D53999EC2C77ADE23DA6EFD |
| 2560 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\{2af46000-235d-7e4a-8e8d-71476c814d1d}\x86\lci_proxyumd.dll | executable | F67D8A541D407C6886D6358248014B8E | 919ACBEDDCBFE27D12EE44ECD38044D880A68622D7BC412FF81B089746C79E5F |
| 2888 | SSUService.exe | C:\Windows\TEMP\{F35480C2-1F17-4147-8CE8-8D347A07C76C} | text | 698BD9FFE5EDF9B4F2DA7E9A44A80D72 | DA8CA6C9DA73A63803804D3303022E55EEFBD5BA42C39F01B5752776CDAA8B9B |
| 2560 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\{2af46000-235d-7e4a-8e8d-71476c814d1d}\x86\SET537A.tmp | executable | F67D8A541D407C6886D6358248014B8E | 919ACBEDDCBFE27D12EE44ECD38044D880A68622D7BC412FF81B089746C79E5F |
| 2560 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\{2af46000-235d-7e4a-8e8d-71476c814d1d}\x86\SET538B.tmp | executable | B36B39A2AA5C15D0167A7D8454AE71A6 | 01871A132386F81DFD4894E9DAEB9433C4BE2A99EBE8FEC954E5182A43E96AF0 |
| 1776 | Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe | C:\Users\admin\AppData\Local\Temp\unpack\run.bat | text | 56884732C1B8ABCBA0A31746DF533D97 | A6212DAAA9A377B202A9436D80AB97BC9B0050DC7E174FCD35F255B34500CFAB |
| 2560 | rundll32.exe | C:\Users\admin\AppData\Local\Temp\{2af46000-235d-7e4a-8e8d-71476c814d1d}\lci_proxywddm.cat | cat | 186504237027590F25BEA0EC539256C8 | 4CBD88D04F9C3B3DE3625B25049EA6B7C1614FFEA8730667BFF01DD210415ED1 |
| 2480 | drvinst.exe | C:\System Volume Information\SPP\metadata-2 | — | — | — |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2888 | SSUService.exe | GET | — | 44.212.145.221:80 | http://sn.splashtop.com/file_system/apt_repository/dists/ProtoSSU01/released/binary-i386/Packages.gz | unknown | — | — | unknown |
| 2888 | SSUService.exe | GET | 301 | 3.234.56.11:80 | http://sn.splashtop.com/file_system/apt_repository/dists/ProtoSSU01/released/binary-i386/Packages.gz | unknown | html | 134 b | unknown |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 2888 | SSUService.exe | 44.212.145.221:80 | sn.splashtop.com | AMAZON-AES | US | unknown |
| 2888 | SSUService.exe | 3.234.56.11:80 | sn.splashtop.com | AMAZON-AES | US | unknown |
| 2888 | SSUService.exe | 3.234.56.11:443 | sn.splashtop.com | AMAZON-AES | US | unknown |
| 2888 | SSUService.exe | 107.22.247.100:80 | ds1.devicevm.com | AMAZON-AES | US | unknown |
| Domain | IP | Reputation |
|---|---|---|
| sn.splashtop.com | | unknown |
| ds1.devicevm.com | | unknown |
| dns.msftncsi.com | | shared |
| PID | Process | Class | Message |
|---|---|---|---|
| 1080 | svchost.exe | Misc activity | ET INFO Splashtop Domain in DNS Lookup (splashtop .com) |
| 1080 | svchost.exe | Misc activity | ET INFO Splashtop Domain in DNS Lookup (splashtop .com) |
| 2888 | SSUService.exe | Misc activity | ET INFO Splashtop Domain (splashtop .com) in TLS SNI |
| Process | Message |
|---|---|
| Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe | [1776]2024-02-26 13:32:35 [CUtility::OSInfo] OS 6.1(7601) Service Pack 1 x64:0 Err:0 |
| Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe | [1776]2024-02-26 13:32:35 [CUnPack::FindHeader] Name:C:\Users\admin\Downloads\Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe Err:0 |
| Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe | [1776]2024-02-26 13:32:35 [CUnPack::FindHeader] Sign Size:6096 Err:0 |
| Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe | [1776]2024-02-26 13:32:35 [CUnPack::FindHeader] Header offset:378880 Err:183 |
| Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe | [1776]2024-02-26 13:32:35 [CUnPack::UnPackFiles] FreeSpace:232989528064 FileSize:11297280 Err:0 |
| Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe | [1776]2024-02-26 13:32:35 [CUnPack::UnPackFiles] (1/4)UnPack file name:C:\Users\admin\AppData\Local\Temp\unpack\setup.msi (11297280) Err:2 |
| Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe | [1776]2024-02-26 13:32:36 [CUnPack::UnPackFiles] FreeSpace:232978227200 FileSize:259 Err:183 |
| Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe | [1776]2024-02-26 13:32:36 [CUnPack::UnPackFiles] (3/4)UnPack file name:C:\Users\admin\AppData\Local\Temp\unpack\setup.ini (259) Err:122 |
| Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe | [1776]2024-02-26 13:32:36 [CUnPack::UnPackFiles] UnPack count:3 len:259 File:(null) Err:0 |
| Splashtop_Wired_XDisplay_Agent_v1.5.8.3.exe | [1776]2024-02-26 13:32:36 [CUnPack::UnPackFiles] FreeSpace:232978227200 FileSize:309200 Err:183 |