Mon, 03/27/2017 - 03:00

Installer.Win32.InnoSetup.2_d2678975ff

not-a-virus:HEUR:AdWare.Win32.DealPly.gen (Kaspersky), Installer.Win32.InnoSetup.2.FD, Trojan.Win32.Sasfis.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)

Behaviour: Trojan, Installer, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: d2678975ff9d74ef2e9f796e78e05f41

SHA1: 5451574d52a54e8a6f47a2b79bd35e63d161792a

SHA256: 0a81792cbc08a853a03bb882f77204c10f549d10a6b2f61c1d44abf680564beb

SSDeep: 24576:fiJCap9rx4sXIQpuZ7 lO6BBohvwrjU/5ygRs7:fwCAr2aIKTvKv U/V

Size: 985088 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: BorlandDelphi30, UPolyXv05_v6

Company: Kola

Created at: 1992-06-20 01:22:17 (this is the fixed link timestamp that Borland Delphi writes into every PE it produces, consistent with the PEID result above; it says nothing about when the sample was actually built)

Analyzed on: Windows7 SP1 32-bit

Summary: Installer. An installation package.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Installer creates the following process(es): No processes have been created. The Installer injects its code into the following process(es):

%original file name%.exe:3676

The only process listed is the sample's own (PID 3676); no child process and no injection into a foreign process was observed, so all of the file, registry and network activity below is attributed to that single process.

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process %original file name%.exe:3676 makes changes in the file system.

The Installer creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\ProgressBar.png (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Icon_Generic.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in2A6C8B5A\61799240_stp.EXE (21070 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\BG.png (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\locale\PL.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Resume_Button.png (718 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\ie6_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0013F1AE.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Progress.png (104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0013F2A7.log (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in2A6C8B5A\61799240_stp.EXE.part (909 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Pause_Button.png (577 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Grey_Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Color_Button.png (863 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Close.png (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Quick_Specs.png (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in2A6C8B5A\5EAABCDD_stp.CIS.part (819 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\bootstrap_25231.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Color_Button_Hover.png (846 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\default_tb.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Close_Hover.png (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\main.css (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in2A6C8B5A\5EAABCDD_stp\asgnd.json (6341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\Grey_Button.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in2A6C8B5A\5EAABCDD_stp.CIS (980 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\images\default_wi.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\css\sdk-ui\checkbox.css (190 bytes)

The Installer deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0013F1AE.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\0013F2A7.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH130705455742\bootstrap_25231.html (0 bytes)

Registry activity

The process %original file name%.exe:3676 makes changes in the system registry.

The Installer creates and/or sets the following values in system registry. All of them are side effects of the user-mode APIs the process called rather than configuration it chose to persist: the Tracing\<process name>_RASAPI32 and _RASMANCS keys are created by the Windows RAS tracing facility for any process that loads rasapi32.dll (WinINet does this when it checks connection settings; the process name here is the sample running under its MD5 as file name), the Internet Settings\ZoneMap, Connections and Proxy values are rewritten by WinINet, and DirectDraw\MostRecentApplication is set when DirectDraw is initialised. No autostart, service or other persistence entry is written:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\d2678975ff9d74ef2e9f796e78e05f41_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\d2678975ff9d74ef2e9f796e78e05f41_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\d2678975ff9d74ef2e9f796e78e05f41_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\d2678975ff9d74ef2e9f796e78e05f41_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\d2678975ff9d74ef2e9f796e78e05f41_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\d2678975ff9d74ef2e9f796e78e05f41_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableFileTracing" = "0"
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"
"Name" = "%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\d2678975ff9d74ef2e9f796e78e05f41_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Installer deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

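A sandbox registry diff like the one above is mostly API noise, and the useful question is what is left once that noise is removed and whether anything landed in an autostart location. The Python below is an added example, not part of the report: it parses entries in the report's own `[key]` / `"name" = "data"` layout (the embedded block is an abridged copy of the entries above), classifies the RAS tracing, Internet Settings and DirectDraw keys as API side effects, flags common autostart locations, and leaves anything else for manual review. The noise and autostart patterns are my own and not exhaustive; the `Run` key entry is a constructed example of what a real finding would look like and is not something this sample wrote.

```python
import re
from dataclasses import dataclass

# Registry diff in the report's own format (abridged copy of the entries above)
REPORT_REGISTRY = r'''
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\d2678975ff9d74ef2e9f796e78e05f41_RASMANCS]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\d2678975ff9d74ef2e9f796e78e05f41_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"
"Name" = "%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
'''

# Constructed entry that is NOT in the report; shows what an autostart hit looks like
CONSTRUCTED_PERSISTENCE = r'''
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater" = "C:\Users\victim\AppData\Local\Temp\in2A6C8B5A\61799240_stp.EXE"
'''

# Keys that user-mode networking/graphics APIs touch on their own (my classification, not exhaustive)
NOISE_PATTERNS = [
    re.compile(r"\\Microsoft\\Tracing\\[^\\]+_(RASAPI32|RASMANCS)$", re.I),
    re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Internet Settings(\\ZoneMap|\\Connections)?$", re.I),
    re.compile(r"\\Microsoft\\DirectDraw\\MostRecentApplication$", re.I),
]

# Autostart locations worth checking explicitly in any sandbox registry diff (not exhaustive)
AUTOSTART_PATTERNS = [
    re.compile(r"\\CurrentVersion\\(Run|RunOnce|RunServices)$", re.I),
    re.compile(r"\\CurrentVersion\\Winlogon$", re.I),
    re.compile(r"\\CurrentVersion\\Policies\\Explorer\\Run$", re.I),
    re.compile(r"\\CurrentControlSet\\Services\\", re.I),
]

LINE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*"(?P<data>.*)"$')


@dataclass
class RegEntry:
    key: str
    name: str
    data: str


def parse_registry_diff(text: str) -> list:
    """Turn [key] / "name" = "data" blocks into RegEntry objects."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = LINE_RE.match(line)
        if m and key:
            entries.append(RegEntry(key, m["name"], m["data"]))
    return entries


def triage(entries: list) -> dict:
    """Split entries into API noise, autostart hits and anything else needing a manual look."""
    result = {"noise": [], "autostart": [], "review": []}
    for e in entries:
        if any(p.search(e.key) for p in AUTOSTART_PATTERNS):
            result["autostart"].append(e)
        elif any(p.search(e.key) for p in NOISE_PATTERNS):
            result["noise"].append(e)
        else:
            result["review"].append(e)
    return result


if __name__ == "__main__":
    for label, text in (("report", REPORT_REGISTRY),
                        ("report + constructed Run key", REPORT_REGISTRY + CONSTRUCTED_PERSISTENCE)):
        t = triage(parse_registry_diff(text))
        print(f"{label}: noise={len(t['noise'])} autostart={len(t['autostart'])} review={len(t['review'])}")
        for e in t["autostart"]:
            print("  AUTOSTART", e.key, e.name, "=", e.data)
```

For this sample every entry falls into the noise bucket, which is the point: the registry section records that the process went online and touched DirectDraw, not that it installed anything.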
Dropped PE files

MD5                               File path
49bbedf6727936f028bb9082d5145581  c:\Users\"%CurrentUserName%"\AppData\Local\Temp\in2A6C8B5A\61799240_stp.EXE

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click here to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Installer file.
  3. Delete or disinfect the files created/modified by the Installer. The full list, with sizes, is given under File activity above. Apart from two .log files written directly to %TEMP%, every entry lives under %TEMP%\inH130705455742 (the installer's HTML/CSS/PNG user interface) or %TEMP%\in2A6C8B5A (the dropped 61799240_stp.EXE, its .part download stub, and the 5EAABCDD_stp.CIS and asgnd.json files fetched at run time), so removing those two directories covers them.
  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Kola
Product Name: Seroh
Product Version: 4.3.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description: Seroh Setup
Comments: This installation was built with Inno Setup.
Language: English (United States)


PE Sections

Name     Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
CODE     4096             37732         37888     4.63126  62cbd0a17889d3c0e8b06defac0922a5
DATA     45056            588           1024      1.8986   d5ea23d4ecf110fd2591314cbaa84278
BSS      49152            3720          0         0        d41d8cd98f00b204e9800998ecf8427e
.idata   53248            2384          2560      3.07115  bb5485bf968b970e5ea81292af2acdba
.tls     57344            8             0         0        d41d8cd98f00b204e9800998ecf8427e
.rdata   61440            24            512       0.14174  9ba824905bf9c7922b6fc87a38b74366
.reloc   65536            2228          0         0        d41d8cd98f00b204e9800998ecf8427e
.rsrc    69632            407284        409600    4.35134  60100ca421829f675ac01e8ab2b22467
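The section table is the usual first read on a sample. The CODE/DATA/BSS names are what the Borland linker emits, matching the PEID hit; BSS, .tls and .reloc carry no raw data, which is why their MD5 is the hash of the empty string; every section starts on a 4096-byte boundary and every raw size is a multiple of 512. The raw sizes sum to 451,584 bytes against a 985,088-byte file, so more than half of the file is overlay appended after the last section, which is where an Inno Setup installer keeps its compressed setup data. The Python below is an added example, not part of the report: it checks those invariants on the rows above and includes the Shannon entropy routine behind the per-section figures, exercised on constructed byte strings because the sample itself is not on the page. The 512-byte file alignment, 4096-byte section alignment and 1024-byte header size are assumed values, not read from the report.

```python
import hashlib
import math
from collections import Counter

FILE_ALIGNMENT = 512      # assumption: the usual PE FileAlignment for a Delphi-linked binary
SECTION_ALIGNMENT = 4096  # assumption: the usual SectionAlignment (one page)
HEADER_SIZE = 1024        # assumption: DOS/PE/section headers, used only for the overlay estimate
FILE_SIZE = 985088        # from the report's Summary
EMPTY_MD5 = hashlib.md5(b"").hexdigest()

# (name, virtual address, virtual size, raw size, entropy, md5) from the report's PE Sections table
SECTIONS = [
    ("CODE",    4096,  37732,  37888, 4.63126, "62cbd0a17889d3c0e8b06defac0922a5"),
    ("DATA",   45056,    588,   1024, 1.8986,  "d5ea23d4ecf110fd2591314cbaa84278"),
    ("BSS",    49152,   3720,      0, 0.0,     "d41d8cd98f00b204e9800998ecf8427e"),
    (".idata", 53248,   2384,   2560, 3.07115, "bb5485bf968b970e5ea81292af2acdba"),
    (".tls",   57344,      8,      0, 0.0,     "d41d8cd98f00b204e9800998ecf8427e"),
    (".rdata", 61440,     24,    512, 0.14174, "9ba824905bf9c7922b6fc87a38b74366"),
    (".reloc", 65536,   2228,      0, 0.0,     "d41d8cd98f00b204e9800998ecf8427e"),
    (".rsrc",  69632, 407284, 409600, 4.35134, "60100ca421829f675ac01e8ab2b22467"),
]


def align_up(value: int, alignment: int) -> int:
    """Round value up to the next multiple of alignment."""
    return (value + alignment - 1) // alignment * alignment


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def check_sections(sections: list) -> list:
    """Return human-readable inconsistencies; an empty list means the table is self-consistent."""
    problems = []
    for i, (name, va, vsize, raw, _entropy, md5) in enumerate(sections):
        if va % SECTION_ALIGNMENT:
            problems.append(f"{name}: VA {va} is not section-aligned")
        if raw % FILE_ALIGNMENT:
            problems.append(f"{name}: raw size {raw} is not a multiple of {FILE_ALIGNMENT}")
        if raw == 0 and md5 != EMPTY_MD5:
            problems.append(f"{name}: no raw data but MD5 is not the empty-string hash")
        if i + 1 < len(sections):
            # each section's VA should follow the previous one rounded up to the page size
            expected_next = va + align_up(vsize, SECTION_ALIGNMENT)
            if sections[i + 1][1] != expected_next:
                problems.append(f"{name}: next VA {sections[i + 1][1]} != expected {expected_next}")
    return problems


def overlay_estimate(sections: list, file_size: int = FILE_SIZE, header_size: int = HEADER_SIZE) -> int:
    """Bytes left over after headers and all section raw data: the appended installer payload."""
    return file_size - header_size - sum(s[3] for s in sections)


if __name__ == "__main__":
    print("problems:", check_sections(SECTIONS) or "none")
    print("raw data total:", sum(s[3] for s in SECTIONS))
    print("overlay bytes (approx):", overlay_estimate(SECTIONS))
    print("entropy of 4096 zero bytes:", shannon_entropy(b"\0" * 4096))
    print("entropy of all 256 byte values:", shannon_entropy(bytes(range(256)) * 16))
```

A section table that fails the VA chain or alignment checks is a sign of a hand-edited or packer-rebuilt header; this one passes, and the large overlay rather than a high-entropy code section is what the "Entropy: Packed" verdict is really reacting to in an installer of this kind.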

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL  IP
hxxp://rp.komputerswiatplcdn.com/?v=2.0&subver=6.21&pcrc=1195742462  52.214.247.42
hxxp://info.komputerswiatplcdn.com/?v=1.03&c=05960c55&at=1094620407&cntr=0  176.34.130.130
hxxp://rp.komputerswiatplcdn.com/?v=2.0&subver=6.21&pcrc=2097639573  52.214.247.42
hxxp://os.komputerswiatplcdn.com/komputerswiat.pl/?v=6.0&c=1421784318&t=1308146  52.213.148.235
hxxp://cdneu.komputerswiatplcdn.com/ofr/Solululadul/asgnd.cis  85.159.237.103
hxxp://files-download.poradnikdogry.pl/SterownikiIPoprawki/Drukarki/HP/HPSupportSolutions/HPSupportSolutionsFramework.exe  37.26.165.67
hxxp://cdnus.komputerswiatplcdn.com/ofr/Solululadul/asgnd.cis  199.58.87.155
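The table pairs each request with the IP it resolved to; `hxxp` is the report's defanging. The two `asgnd.cis` fetches from `cdneu`/`cdnus.komputerswiatplcdn.com` correspond to the `5EAABCDD_stp.CIS` and `asgnd.json` files written under `%TEMP%\in2A6C8B5A`, i.e. content the installer pulls from its CDN at run time, and the `rp`/`info` requests carry version and identifier fields (`v`, `subver`, `pcrc`, `c`, `at`) in the query string. The Python below is an added example, not part of the report: it refangs a subset of the URLs above, splits them into host, path and query parameters so those beacon fields are visible, derives a host/domain/IP indicator set, and runs it over a few constructed proxy log lines to show how the same indicators are matched in telemetry. The log lines are made up for the example; the URL/IP pairs are copied from the table.

```python
import re
from urllib.parse import parse_qs, urlsplit

# URL / IP pairs copied from the report's Network Activity table (defanged as in the report)
REPORT_URLS = [
    ("hxxp://rp.komputerswiatplcdn.com/?v=2.0&subver=6.21&pcrc=1195742462", "52.214.247.42"),
    ("hxxp://cdneu.komputerswiatplcdn.com/ofr/Solululadul/asgnd.cis", "85.159.237.103"),
    ("hxxp://cdnus.komputerswiatplcdn.com/ofr/Solululadul/asgnd.cis", "199.58.87.155"),
    ("hxxp://files-download.poradnikdogry.pl/SterownikiIPoprawki/Drukarki/HP/"
     "HPSupportSolutions/HPSupportSolutionsFramework.exe", "37.26.165.67"),
]

# Constructed proxy log lines (timestamp client host:port method url); not real telemetry
SAMPLE_LOG = """\
1490583600.001 10.0.0.7 rp.komputerswiatplcdn.com:80 GET http://rp.komputerswiatplcdn.com/?v=2.0&subver=6.21&pcrc=1195742462
1490583601.120 10.0.0.7 www.example.org:443 CONNECT www.example.org:443
1490583602.400 10.0.0.9 cdnus.komputerswiatplcdn.com:80 GET http://cdnus.komputerswiatplcdn.com/ofr/Solululadul/asgnd.cis
1490583603.010 10.0.0.7 52.214.247.42:80 GET http://52.214.247.42/?v=2.0&subver=6.21&pcrc=2097639573
1490583604.220 10.0.0.12 static.komputerswiatplcdn.com:80 GET http://static.komputerswiatplcdn.com/x.js
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<dest>\S+?):\d+\s+\S+\s+(?P<url>\S+)$")


def refang(url: str) -> str:
    """Undo the hxxp:// defanging used in the report."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def decompose(url: str) -> dict:
    """Split a beacon URL into host, path and single-valued query parameters."""
    parts = urlsplit(refang(url))
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"host": parts.hostname, "path": parts.path, "params": params}


def indicators(pairs: list) -> dict:
    """Hosts, parent domains (last two labels; good enough for these names) and IPs for hunting."""
    hosts = {decompose(u)["host"] for u, _ in pairs}
    domains = {".".join(h.split(".")[-2:]) for h in hosts}
    ips = {ip for _, ip in pairs}
    return {"hosts": hosts, "domains": domains, "ips": ips}


def match_log(log_text: str, ioc: dict) -> list:
    """Return (client, destination, reason) for every line whose destination hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        dest = m["dest"].lower()
        if dest in ioc["ips"]:
            hits.append((m["client"], dest, "ip"))
        elif dest in ioc["hosts"]:
            hits.append((m["client"], dest, "host"))
        elif any(dest == d or dest.endswith("." + d) for d in ioc["domains"]):
            hits.append((m["client"], dest, "domain"))  # sibling host on a known domain
    return hits


if __name__ == "__main__":
    for url, ip in REPORT_URLS:
        d = decompose(url)
        print(f"{d['host']:40} {ip:16} {d['path']} {d['params']}")
    for hit in match_log(SAMPLE_LOG, indicators(REPORT_URLS)):
        print("HIT", hit)
```

Matching on the parent domain as well as the exact hosts is deliberate: the report shows three different `komputerswiatplcdn.com` subdomains in one run, so a hunt keyed only on the exact hostnames would miss the next one.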

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Installer connects to the servers at the following location(s):

Strings from Dumps