cmmdwriter.exe

The application cmmdwriter.exe has been detected as a potentially unwanted program by 3 anti-malware scanners. The program is a setup application that uses the NSIS (Nullsoft Scriptable Install System) installer, however the file is not signed with an authenticode signature from a trusted source. The file has been seen being downloaded from d2fpsq9kg43yka.cloudfront.net. While running, it connects to the Internet address a1plpkivs-v01.any.prod.ash1.secureserver.net on port 80 using the HTTP protocol.
MD5:
f19b6443edcc9fe84629a6ccab870d74

SHA-1:
0e2fd7c42ec34ff581efc63b089448515eb76bd4

SHA-256:
d9a754aab629c6c9afa24e30728d034b77057be20d04fb5b4dd23c24caa15836

Scanner detections:
3 / 68

Status:
Potentially unwanted

Analysis date:
12/27/2024 7:31:50 PM UTC  (today)

Scan engine
Detection
Engine version

Dr.Web
Adware.ClickMeIn.3875
9.0.1.0333

Kaspersky
UDS:DangerousObject.Multi.Generic
14.0.0.1221

Reason Heuristics
Adware.CMI (M)
16.2.19.17

File size:
43.9 KB (44,937 bytes)

File type:
Executable application (Win32 EXE)

Installer:
NSIS (Nullsoft Scriptable Install System)

Common path:
C:\users\{user}\appdata\local\microsoft\windows\inetcache\ie\{random}\cmmdwriter.exe

File PE Metadata
Compilation timestamp:
12/5/2009 3:50:41 PM

OS version:
4.0

OS bitness:
Win32

Subsystem:
Windows GUI

Linker version:
6.0

CTPH (ssdeep):
768:94wO7XBz+5Qm3W0tYdrQZHV4EWuWEUOg4jjfS3XJonxSF/Cepaq+5LxOlAT:+LXB65939tY6HBg4sXJonEqSa+AT

Entry address:
0x30CB

Entry point:
81, EC, 80, 01, 00, 00, 53, 55, 56, 33, DB, 57, 89, 5C, 24, 18, C7, 44, 24, 10, 60, 91, 40, 00, 33, F6, C6, 44, 24, 14, 20, FF, 15, 30, 70, 40, 00, 68, 01, 80, 00, 00, FF, 15, B0, 70, 40, 00, 53, FF, 15, 7C, 72, 40, 00, 6A, 08, A3, 38, 3F, 42, 00, E8, F1, 2B, 00, 00, A3, 84, 3E, 42, 00, 53, 8D, 44, 24, 34, 68, 60, 01, 00, 00, 50, 53, 68, 30, F4, 41, 00, FF, 15, 58, 71, 40, 00, 68, 54, 91, 40, 00, 68, 80, 36, 42, 00, E8, A4, 28, 00, 00, FF, 15, AC, 70, 40, 00, BF, 00, 90, 42, 00, 50, 57, E8, 92, 28, 00, 00...
 
[+]

Entropy:
6.9765

Packer / compiler:
Nullsoft install system v2.x

Code size:
22.5 KB (23,040 bytes)

The file cmmdwriter.exe has been seen being distributed by the following URL.

The executing file has been seen to make the following network communications in live environments.

TCP (HTTP SSL):
Connects to ec2-52-21-83-56.compute-1.amazonaws.com  (52.21.83.56:443)

TCP (HTTP):
Connects to a72-247-10-35.deploy.akamaitechnologies.com  (72.247.10.35:80)

TCP (HTTP):
Connects to a1plpkivs-v03.any.prod.ash1.secureserver.net  (72.167.239.239:80)

TCP (HTTP):
Connects to a1plpkivs-v01.any.prod.ash1.secureserver.net  (72.167.239.237:80)

Remove cmmdwriter.exe - Powered by Reason Core Security