Strange file

  • Thread starter ForgottenSeer 69673
  • Start date
F

ForgottenSeer 69673

Thread author
I was trying to install an intel user file. V T says it is clean but when trying to install the file Voodoo says 16 engines say a spawned exe is bad along with malwarebytes.
 

Attachments

  • huh.txt
    110 bytes · Views: 244
  • ScreenHunter_146 Oct. 01 15.33.jpg
    ScreenHunter_146 Oct. 01 15.33.jpg
    43.2 KB · Views: 210
  • Like
Reactions: Venustus, [correlate], Dave Russo and 1 other person
bjm_

bjm_

Level 14
Verified
Top Poster
Well-known
May 17, 2015
668
ticklemefeet said:
I was trying to install an intel user file. V T says it is clean [...]
Click to expand...
VirusTotal makes use of the
mceclip0.png
checkmark symbol to indicate that the given file was not detected in any way by the antivirus under consideration. We do not use the word "clean" or "innocuous" because antivirus solutions do not tell you whether a file is goodware, they just flag maliciousness.
-
https://support.virustotal.com/hc/en-us/articles/115002093769-The-antivirus-result-displays-a-green-circle-with-a-white-tick-mark-what-does-this-mean-
-
FWIW ~
Um, is this your Intel file?

Intel Common User Interface for Windows 10 (64-bit) - Legion Y740-15ICHg, Legion Y740-17ICHg - Lenovo Support US

support.lenovo.com support.lenovo.com
Hybrid-Analysis
https://www.hybrid-analysis.com/sample/d1e0ed64ae16358390389070cec88e493afea7faa86dff884366b6efb86b1b28
-
VoodooShield dialog points to driver package installer?
 
Last edited:
  • Like
  • +Reputation
Reactions: roger_m, Venustus, [correlate] and 3 others
bjm_

bjm_

Level 14
Verified
Top Poster
Well-known
May 17, 2015
668
Well, nmly01af09en.exe < #4 > has Signers.
IDK re driver package installer.
-
FWIW ~
Edit: here's dpinst.exe
png_1690.png

Hybrid-Analysis
https://www.hybrid-analysis.com/sample/b6323db4d3829487b5fd72807652848dc083fcb34e922ef6d0523b68e5192227
 
Last edited:
  • Like
Reactions: roger_m, Venustus and [correlate]
9

93803123

Thread author
ticklemefeet said:
I was trying to install an intel user file. V T says it is clean but when trying to install the file Voodoo says 16 engines say a spawned exe is bad along with malwarebytes.
Click to expand...

huh.txt provides a link to a file other than the one blocked, which is dpinst.exe.

darko999 said:
You could use Hybrid-Analysis to check if file does some dangerous stuff.
Click to expand...

oldschool said:
Have you run it in the Cuckoo Sandbox?
Click to expand...

They're essentially the same and the user won't be able to interpret the results anyway.

bjm_ said:
VirusTotal makes use of the
mceclip0.png
checkmark symbol to indicate that the given file was not detected in any way by the antivirus under consideration. We do not use the word "clean" or "innocuous" because antivirus solutions do not tell you whether a file is goodware, they just flag maliciousness.
-
https://support.virustotal.com/hc/en-us/articles/115002093769-The-antivirus-result-displays-a-green-circle-with-a-white-tick-mark-what-does-this-mean-
-
FWIW ~
Um, is this your Intel file?

Intel Common User Interface for Windows 10 (64-bit) - Legion Y740-15ICHg, Legion Y740-17ICHg - Lenovo Support US

support.lenovo.com support.lenovo.com
Hybrid-Analysis
https://www.hybrid-analysis.com/sample/d1e0ed64ae16358390389070cec88e493afea7faa86dff884366b6efb86b1b28
-
VoodooShield dialog points to driver package installer?
Click to expand...

oldschool said:
Big companies like M$, etc. are famous for employing un-signed files and Lenovo probably isn't an exception.
Click to expand...

dpinst.exe is digitally signed by Intel and ships with Intel Extreme Tuning Utility.
 
  • Like
Reactions: roger_m
F

ForgottenSeer 69673

Thread author
bjm_ said:
Well, nmly01af09en.exe < #4 > has Signers.
IDK re driver package installer.
-
FWIW ~
Edit: here's dpinst.exe
View attachment 226277
Hybrid-Analysis
https://www.hybrid-analysis.com/sample/b6323db4d3829487b5fd72807652848dc083fcb34e922ef6d0523b68e5192227
Click to expand...

Yes that is correct. VT does not say nmly01af09en.exe is bad nor does hybrid analysis but the spawned file from the install dpinst.exe is found bad.
 
  • Like
Reactions: harlan4096
bjm_

bjm_

Level 14
Verified
Top Poster
Well-known
May 17, 2015
668
zhuzhangspankspank said:
huh.txt provides a link to a file other than the one blocked, which is dpinst.exe.

dpinst.exe is digitally signed by Intel and ships with Intel Extreme Tuning Utility.
Click to expand...
FWIW ~
Yes, the VirusTotal link in "huh.txt" points to nmly01af09en.exe
d1e0ed64ae16358390389070cec88e493afea7faa86dff884366b6efb86b1b28
nmly01af09en.exe
Click to expand...
With the VirusTotal info. I made post #4 n' #6.
dpinst.exe Properties did not show Digital Signatures.
 
Last edited:

Similar threads

Sandbox Breaker
    • Like
Malware Analysis Possible Supply Chain on Ooma
Replies
5
Views
759
Malware Analysis
Sandbox Breaker
Sandbox Breaker
K
    • Like
Malicious or safe .dll
Replies
10
Views
1,179
Malware Analysis
Kathandra
K
L
  • Locked
Waiting for reply I have my first virus
Replies
1
Views
151
Windows Malware Removal Help & Support
nasdaq
nasdaq

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top