PUA_INSTALLIQ.GA
Gen:Application.Bundler.InstallIQ.1 (BITDEFENDER), PUA/InstallIQ.Gen5 (ANTIVIR), a variant of Win32/InstallIQ potentially unwanted application (NOD32)
Windows
Threat Type: Potentially Unwanted Application
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Dropped by other malware
This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It may create registry entries under a certain registry key.
TECHNICAL DETAILS
File size: 1,607,248 bytes
File type: EXE
23 Feb 2018
Connects to URLs/IPs, Drops files
Arrival Details
This Potentially Unwanted Application arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Other System Modifications
This Potentially Unwanted Application may create registry entries under the following registry key:
HKEY_LOCAL_MACHINE\Software\InstallIQ
{no value} = {no data}
Dropping Routine
This Potentially Unwanted Application drops the following files:
- %AppDataLocalLow%\cookieman.exe
- %User Temp%\pkg_{random string}\stub.log
- %User Temp%\pkg_{random string}\wrapper.xml
- %User Temp%\pkg_{random string}\autorun.txt
- %User Temp%\pkg_{random string}\{PUA file name}.log
- %User Temp%\pkg_{random string}\timings.txt
- %User Temp%\pkg_{random string}\detectionrules.dat
(Note: %AppDataLocalLow% is the Internet Explorer Protected Mode folder, usually C:\Users\{user name}\AppData\LocalLow on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012. %User Temp% is the user's temporary folder, usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit), and C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)
Other Details
This Potentially Unwanted Application connects to the following possibly malicious URLs:
- http://{BLOCKED}.{BLOCKED}liq.com/api/detectionrequest.aspx?keyid=1&shortname=finalmediaplayer&langid=0x0409
- http://{BLOCKED}.{BLOCKED}liq.com/?sub1=18ef2af0-1dcb-11e8-8ce3-6044c2017a25
- http://{BLOCKED}.{BLOCKED}liq.com/postback/V1/landing.aspx
- http://{BLOCKED}-{BLOCKED}.com/