| File name: | SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE |
| Full analysis: | https://app.any.run/tasks/01a7d2c2-d2fa-4f3d-bf38-e2c917a6689b |
| Verdict: | Malicious activity |
| Analysis date: | November 20, 2024, 12:54:32 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 11 sections |
| MD5: | 081E657C619BAFF7A269659E3A67FD9B |
| SHA1: | C9B36D971F728EE631F161515442ADA0C8043424 |
| SHA256: | FF6AEA9E95DDA092DBE389D30547920DF1D7D8D4405F63CEC8C0668AB3AF5314 |
| SSDEEP: | 98304:PKuJ+SXPzYM01So99RlX5QaAwfQq66KWNFaXBi9VX3pSY/GbacIVP1BIM7nEb3ky:5TMt79QJWDS4u |
MALICIOUS
No malicious indicators.SUSPICIOUS
Reads security settings of Internet Explorer
- SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe (PID: 4528)
Reads Microsoft Outlook installation path
- SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe (PID: 4528)
Reads Internet Explorer settings
- SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe (PID: 4528)
Executable content was dropped or overwritten
- SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe (PID: 4528)
- miniunz.exe (PID: 4060)
Reads the date of Windows installation
- SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe (PID: 4528)
INFO
Creates files in the program directory
- SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe (PID: 4528)
- DELL_SKhynix_BC511_11004101.exe (PID: 5868)
- miniunz.exe (PID: 4060)
Checks supported languages
- SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe (PID: 4528)
- miniunz.exe (PID: 4060)
- DELL_SKhynix_BC511_11004101.exe (PID: 5868)
Reads the computer name
- DELL_SKhynix_BC511_11004101.exe (PID: 5868)
- SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe (PID: 4528)
Checks proxy server information
- SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe (PID: 4528)
Creates files or folders in the user directory
- SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe (PID: 4528)
The process uses the downloaded file
- SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe (PID: 4528)
Process checks computer location settings
- SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe (PID: 4528)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable (generic) (52.9) |
|---|---|---|
| .exe | | | Generic Win/DOS Executable (23.5) |
| .exe | | | DOS Executable Generic (23.5) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2023:12:29 07:54:21+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.34 |
| CodeSize: | 7109632 |
| InitializedDataSize: | 5448192 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xce28 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 5.1.0.13 |
| ProductVersionNumber: | 5.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| CompanyName: | Dell Inc. |
| FileDescription: | Dell Update Package: SK Hynix BC511 Solid-State Drive Firmware Update, 1100.4101, A00 |
| FileVersion: | 005.000.000.000 |
| InternalName: | DUPFramework.exe |
| LegalCopyright: | Copyright (C) 2009 - 2023 Dell Inc.or its subsidiaries. All rights reserved. |
| OriginalFileName: | DUPFramework.exe |
| ProductName: | SK Hynix BC511 Solid-State Drive Firmware Update, 1100.4101, A00 |
| ProductVersion: | 1100.4101 |
Total processes
114
Monitored processes
5
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2956 | "C:\Users\admin\Desktop\SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe" | C:\Users\admin\Desktop\SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe | — | explorer.exe | |||||||||||
User: admin Company: Dell Inc. Integrity Level: MEDIUM Description: Dell Update Package: SK Hynix BC511 Solid-State Drive Firmware Update, 1100.4101, A00 Exit code: 3221226540 Version: 005.000.000.000 Modules
| |||||||||||||||
| 4060 | -x C:\Users\admin\Desktop\SK-HYN~1.EXE -o -d c:\PROGRA~3\dell\drivers\010171~1 | C:\ProgramData\Dell\drivers\01017133-73f8-44af-a493-7dfe93a4a985\miniunz.exe | SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 4528 | "C:\Users\admin\Desktop\SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe" | C:\Users\admin\Desktop\SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe | explorer.exe | ||||||||||||
User: admin Company: Dell Inc. Integrity Level: HIGH Description: Dell Update Package: SK Hynix BC511 Solid-State Drive Firmware Update, 1100.4101, A00 Version: 005.000.000.000 Modules
| |||||||||||||||
| 5868 | "C:\ProgramData\Dell\drivers\01017133-73f8-44af-a493-7dfe93a4a985\DELL_SKhynix_BC511_11004101.exe" /log=C:\ProgramData\dell\drivers\01017133-73f8-44af-a493-7dfe93a4a985\DUP5892.tmp | C:\ProgramData\Dell\drivers\01017133-73f8-44af-a493-7dfe93a4a985\DELL_SKhynix_BC511_11004101.exe | — | SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe | |||||||||||
User: admin Company: TODO: <Company name> Integrity Level: HIGH Description: NVMeToolbox Version: 1.0.0.1 Modules
| |||||||||||||||
| 6120 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | miniunz.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
956
Read events
953
Write events
3
Delete events
0
Modification events
| (PID) Process: | (4528) SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (4528) SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (4528) SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
Executable files
3
Suspicious files
1
Text files
4
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4060 | miniunz.exe | C:\ProgramData\Dell\drivers\01017133-73f8-44af-a493-7dfe93a4a985\DELL_SKhynix_BC511_11004101.exe | executable | |
MD5:0F53D02B992D78E5B0231C130297A563 | SHA256:BF173D32F791346C04318B3FDEDA6054B05E90FD823EEDDEB0781B7B40937B91 | |||
| 4060 | miniunz.exe | C:\ProgramData\Dell\drivers\01017133-73f8-44af-a493-7dfe93a4a985\package.xml | binary | |
MD5:2D0BD31FB404C0750D63CBAEF9766122 | SHA256:55C8BC9BF8F466C9F406E3D281C21A54025ED7BCBA42C5637C49F7EC227C4D7A | |||
| 4528 | SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe | C:\ProgramData\Dell\drivers\01017133-73f8-44af-a493-7dfe93a4a985\AppPackageInstaller.ps1 | text | |
MD5:7C9D32D69C3D9F86B2FE9C9C68B16642 | SHA256:4D653E9AECEEE9EC68F5224C6556B729E612062891A9F105A8B35ACDFB7B4FA2 | |||
| 5868 | DELL_SKhynix_BC511_11004101.exe | C:\ProgramData\Dell\drivers\01017133-73f8-44af-a493-7dfe93a4a985\SNT.INI | text | |
MD5:B56186AD8B5005D281CF6712E05329E1 | SHA256:A32E51BF94530F56DD9DB3C8B509C607D89232CC2450055899B4D1EAAB75BC33 | |||
| 4060 | miniunz.exe | C:\ProgramData\Dell\drivers\01017133-73f8-44af-a493-7dfe93a4a985\MUP.xml | xml | |
MD5:AD09C5C404132BE4C769160EBFB8A9DF | SHA256:8CBEE5E061AB535D850B23692C317736F5B7EEC0B94D121F01F781AE5711176A | |||
| 4528 | SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe | C:\ProgramData\Dell\drivers\01017133-73f8-44af-a493-7dfe93a4a985\zlibwapi.dll | executable | |
MD5:9B77ED3E55BAB3BEDD8CD53972309F20 | SHA256:8A2EA21948EB8229AF42081DB8B643152ABE51DDBBAE1DF32234CCD389965420 | |||
| 4528 | SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe | C:\ProgramData\Dell\drivers\01017133-73f8-44af-a493-7dfe93a4a985\miniunz.exe | executable | |
MD5:A947E8405EE7CCDF01AE0AD71349D3C5 | SHA256:740EE3B6AE85C801E0AD6F32A398CD4F9456DC4DC7F0DA3341EA8AFCB67BDB9D | |||
| 4528 | SK-Hynix-BC511-Solid-State-Drive-Firmware-Update_467K0_WIN64_1100.4101_A00_01.EXE.exe | C:\ProgramData\Dell\drivers\01017133-73f8-44af-a493-7dfe93a4a985\AppPackageRollBack.ps1 | text | |
MD5:01D6C0329E7A9FDD2579D1C33D241C78 | SHA256:4795F3FAB970C05993DC4DB7CBD4CAEA1041F74CA647A593CA37C2E150E94A3B | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
23
DNS requests
6
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4932 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
4712 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
4932 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 4.231.128.59:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 104.126.37.171:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4932 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
— | — | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
4932 | svchost.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
— | — | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
4712 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.bing.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |