analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://www.openlca.org/wp-content/uploads/2020/01/openLCA_win64_1.10.2_2020-01-10.exe

Full analysis: https://app.any.run/tasks/fb4ca9ae-bff6-4cf5-b9bb-b04ebcb4df6e
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 31, 2020, 11:22:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
opendir
loader
Indicators:
MD5:

EBEAFE10360210DED27CD0004C091DA7

SHA1:

00C1ACCCF38D6F738DC9BC591B5D236ACB88701F

SHA256:

00F404C1083654589238C3281ADB89584837FBD4DC8B04C7965C48F7E47A1383

SSDEEP:

3:N1KJS4TgXBGEAQyX/uI+s6nhX6ti+IUVkAn:Cc4T6AZPuI+9qtzIMJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 3432)
      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 3700)
      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 3228)
      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 2248)
      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 2308)
      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 1684)
    • Loads dropped or rewritten executable

      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 3700)
      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 1684)
      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 2308)
    • Downloads executable files from the Internet

      • chrome.exe (PID: 1692)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 3796)
      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 3700)
      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 1684)
      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 2308)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 3796)
    • Creates files in the user directory

      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 3700)
    • Creates a software uninstall entry

      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 3700)
      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 2308)
  • INFO

    • Reads the hosts file

      • chrome.exe (PID: 1692)
      • chrome.exe (PID: 3796)
    • Reads Internet Cache Settings

      • chrome.exe (PID: 3796)
    • Application launched itself

      • chrome.exe (PID: 3796)
    • Manual execution by user

      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 3228)
      • explorer.exe (PID: 4060)
      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 2248)
      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 1684)
      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 2308)
    • Dropped object may contain Bitcoin addresses

      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 3700)
      • openLCA_win64_1.10.2_2020-01-10.exe (PID: 2308)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
83
Monitored processes
33
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start drop and start start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs openlca_win64_1.10.2_2020-01-10.exe no specs openlca_win64_1.10.2_2020-01-10.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs explorer.exe no specs openlca_win64_1.10.2_2020-01-10.exe no specs openlca_win64_1.10.2_2020-01-10.exe openlca_win64_1.10.2_2020-01-10.exe no specs openlca_win64_1.10.2_2020-01-10.exe

Process information

PID
CMD
Path
Indicators
Parent process
3796"C:\Program Files\Google\Chrome\Application\chrome.exe" "http://www.openlca.org/wp-content/uploads/2020/01/openLCA_win64_1.10.2_2020-01-10.exe"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2664"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6fa8a9d0,0x6fa8a9e0,0x6fa8a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3972"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3992 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3352"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1048,7846954965260069972,6969556614202953616,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=16984781656243911603 --mojo-platform-channel-handle=1068 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
1692"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1048,7846954965260069972,6969556614202953616,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=11868711983005322230 --mojo-platform-channel-handle=1648 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3540"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,7846954965260069972,6969556614202953616,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15584279289363062586 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2284 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
1488"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,7846954965260069972,6969556614202953616,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=11001944161572642531 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
3408"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1048,7846954965260069972,6969556614202953616,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10229828791331079307 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2504 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2152"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1048,7846954965260069972,6969556614202953616,131072 --enable-features=PasswordImport --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=7535339322310674560 --mojo-platform-channel-handle=3528 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3000"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1048,7846954965260069972,6969556614202953616,131072 --enable-features=PasswordImport --lang=en-US --no-sandbox --service-request-channel-token=13218664937072846686 --mojo-platform-channel-handle=2500 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
2 091
Read events
1 965
Write events
0
Delete events
0

Modification events

No data
Executable files
370
Suspicious files
186
Text files
845
Unknown types
2 212

Dropped files

PID
Process
Filename
Type
3796chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5E832813-ED4.pma
MD5:
SHA256:
3796chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\27319f97-85f0-4ceb-8602-874ca89a2de5.tmp
MD5:
SHA256:
3796chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000028.dbtmp
MD5:
SHA256:
3796chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.oldtext
MD5:33B05E8AC9C178C58ED3321F496588C0
SHA256:2CDF6A09638A0B563EA2672D6926210771902E0A9203FE15D2857FC4EB954CDE
3796chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.oldtext
MD5:AC43135B8C9FED46A92448C4E711F45C
SHA256:D840BA7CEBACF86DDBAD75BFB61A53449AA7AE3DE6B8ADC97FE45624626A6F09
3796chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG.old
MD5:
SHA256:
3796chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RFa66c8d.TMPtext
MD5:33B05E8AC9C178C58ED3321F496588C0
SHA256:2CDF6A09638A0B563EA2672D6926210771902E0A9203FE15D2857FC4EB954CDE
3796chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:DA692BE42E4EF2668AE7499A7D5DA720
SHA256:EB865CAF59002C092F5FDBE22D01935866BC1277108B29E897052CB2439630ED
3796chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RFa66c3f.TMPtext
MD5:DA692BE42E4EF2668AE7499A7D5DA720
SHA256:EB865CAF59002C092F5FDBE22D01935866BC1277108B29E897052CB2439630ED
3796chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Last Tabsbinary
MD5:702AEC53DCDCFEA33C4BE3D2F888473E
SHA256:D16286D6EE0EB33E7907EE4FCB8FDB6B5A54E5A56BFAF99A9C2451D239BC9765
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
19
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1692
chrome.exe
GET
200
51.89.19.145:80
http://www.openlca.org/wp-content/uploads/2020/01/openLCA_win64_1.10.2_2020-01-10.exe
GB
executable
195 Mb
malicious
1692
chrome.exe
GET
302
216.58.208.46:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
519 b
whitelisted
1692
chrome.exe
GET
302
216.58.208.46:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
524 b
whitelisted
1692
chrome.exe
GET
200
173.194.129.231:80
http://r2---sn-q0c7rn76.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=QJ&mip=81.17.242.238&mm=28&mn=sn-q0c7rn76&ms=nvh&mt=1585653609&mv=u&mvi=1&pl=20&shardbypass=yes
US
crx
293 Kb
whitelisted
1692
chrome.exe
GET
200
74.125.168.8:80
http://r3---sn-q0cedn7s.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mh=bs&mip=81.17.242.238&mm=28&mn=sn-q0cedn7s&ms=nvh&mt=1585653609&mv=u&mvi=2&pl=20&shardbypass=yes
US
crx
862 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1692
chrome.exe
172.217.22.99:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
1692
chrome.exe
51.89.19.145:80
www.openlca.org
GB
malicious
1692
chrome.exe
172.217.23.142:443
clients1.google.com
Google Inc.
US
whitelisted
1692
chrome.exe
172.217.16.195:443
www.gstatic.com
Google Inc.
US
whitelisted
1692
chrome.exe
172.217.21.205:443
accounts.google.com
Google Inc.
US
whitelisted
1692
chrome.exe
216.58.208.46:80
redirector.gvt1.com
Google Inc.
US
whitelisted
1692
chrome.exe
172.217.23.174:443
clients2.google.com
Google Inc.
US
whitelisted
1692
chrome.exe
216.58.208.35:443
ssl.gstatic.com
Google Inc.
US
whitelisted
1692
chrome.exe
216.58.208.36:443
www.google.com
Google Inc.
US
whitelisted
1692
chrome.exe
172.217.23.106:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.openlca.org
  • 51.89.19.145
malicious
clientservices.googleapis.com
  • 172.217.22.99
whitelisted
accounts.google.com
  • 172.217.21.205
shared
www.google.com
  • 216.58.208.36
whitelisted
ssl.gstatic.com
  • 216.58.208.35
whitelisted
www.gstatic.com
  • 172.217.16.195
whitelisted
clients1.google.com
  • 172.217.23.142
whitelisted
safebrowsing.googleapis.com
  • 172.217.23.106
whitelisted
sb-ssl.google.com
  • 172.217.21.206
whitelisted
clients2.google.com
  • 172.217.23.174
whitelisted

Threats

PID
Process
Class
Message
1692
chrome.exe
A Network Trojan was detected
ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
1692
chrome.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info