analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

Adobe%20Photoshop_24_242.exe

Full analysis: https://app.any.run/tasks/6137e2d6-eff1-4c29-a3c2-a6e4b7c2c1db
Verdict: Malicious activity
Analysis date: June 12, 2019, 08:50:21
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

D8F704B2F289171737A56C50357CFB52

SHA1:

CC5627C8A1223E58A04363A5D14E5DF2A1364F7E

SHA256:

0B0F2C452ED06229E6F9DDB58D5F72230D140F3DB348CBB83CE85A8DDB292C23

SSDEEP:

98304:sODn6E6vnzaUbRnW4aeQ7bWWkhdVbmt4QI5zEKKJA7/fYMnkOBPde:sQn6EGzaGW7eQ7Mbbm2zEKp7dkOBQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • beb44565-3a80-4eee-b396-e6985e7e4287.exe (PID: 3604)
  • SUSPICIOUS

    • Adds / modifies Windows certificates

      • beb44565-3a80-4eee-b396-e6985e7e4287.exe (PID: 3604)
    • Reads internet explorer settings

      • beb44565-3a80-4eee-b396-e6985e7e4287.exe (PID: 3604)
    • Creates files in the user directory

      • beb44565-3a80-4eee-b396-e6985e7e4287.exe (PID: 3604)
  • INFO

    • Reads settings of System Certificates

      • beb44565-3a80-4eee-b396-e6985e7e4287.exe (PID: 3604)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (54.3)
.exe | Win64 Executable (generic) (34.8)
.exe | Win32 Executable (generic) (5.6)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

EXIF

EXE

ProductVersion: 1
ProductName: downer for windows
OriginalFileName: downloader.exe
LegalCopyright: Copyright ? 2018 - 2019 xiao T
InternalName: downloader.exe
FileVersion: 1
FileDescription: downer for windows
Comments: downer for windows
CharacterSet: Windows, Chinese (Simplified)
LanguageCode: Chinese (Simplified)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.2
FileVersionNumber: 1.0.0.2
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x153174
UninitializedDataSize: -
InitializedDataSize: 4364800
CodeSize: 1655808
LinkerVersion: 9
PEType: PE32
TimeStamp: 2019:05:30 03:46:35+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 30-May-2019 01:46:35
Detected languages:
  • Chinese - PRC
  • English - United States
Debug artifacts:
  • d:\work\yxbox\trunk\bin\Win32\Release\Patch\downloader2\RAR压缩_24_197.pdb
Comments: downer for windows
FileDescription: downer for windows
FileVersion: 1.0
InternalName: downloader.exe
LegalCopyright: Copyright ? 2018 - 2019 xiao T
OriginalFilename: downloader.exe
ProductName: downer for windows
ProductVersion: 1.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 30-May-2019 01:46:35
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0019421F
0x00194400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.38163
.rdata
0x00196000
0x00044FA6
0x00045000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.8927
.data
0x001DB000
0x00012080
0x0000B000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.14927
.rsrc
0x001EE000
0x003C217C
0x003C2200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.8767
.reloc
0x005B1000
0x0001761C
0x00017800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
4.69443

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.01229
633
Latin 1 / Western European
English - United States
RT_MANIFEST
2
3.24731
296
Latin 1 / Western European
Chinese - PRC
RT_ICON
3
3.27183
3752
Latin 1 / Western European
Chinese - PRC
RT_ICON
4
3.91452
2216
Latin 1 / Western European
Chinese - PRC
RT_ICON
5
3.47417
1384
Latin 1 / Western European
Chinese - PRC
RT_ICON
6
3.02843
9640
Latin 1 / Western European
Chinese - PRC
RT_ICON
7
2.22721
72
Latin 1 / Western European
Chinese - PRC
RT_STRING
8
2.44525
1128
Latin 1 / Western European
Chinese - PRC
RT_ICON
9
3.02695
308
Latin 1 / Western European
Chinese - PRC
RT_CURSOR
10
2.74274
180
Latin 1 / Western European
Chinese - PRC
RT_CURSOR

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
IPHLPAPI.DLL
KERNEL32.dll
NETAPI32.dll
OLEACC.dll (delay-loaded)
OLEAUT32.dll
PSAPI.DLL
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
2
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start beb44565-3a80-4eee-b396-e6985e7e4287.exe no specs beb44565-3a80-4eee-b396-e6985e7e4287.exe

Process information

PID
CMD
Path
Indicators
Parent process
3204"C:\Users\admin\AppData\Local\Temp\beb44565-3a80-4eee-b396-e6985e7e4287.exe" C:\Users\admin\AppData\Local\Temp\beb44565-3a80-4eee-b396-e6985e7e4287.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
downer for windows
Exit code:
3221226540
Version:
1.0
Modules
Images
c:\users\admin\appdata\local\temp\beb44565-3a80-4eee-b396-e6985e7e4287.exe
c:\systemroot\system32\ntdll.dll
3604"C:\Users\admin\AppData\Local\Temp\beb44565-3a80-4eee-b396-e6985e7e4287.exe" C:\Users\admin\AppData\Local\Temp\beb44565-3a80-4eee-b396-e6985e7e4287.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
downer for windows
Version:
1.0
Modules
Images
c:\users\admin\appdata\local\temp\beb44565-3a80-4eee-b396-e6985e7e4287.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
Total events
139
Read events
106
Write events
33
Delete events
0

Modification events

(PID) Process:(3604) beb44565-3a80-4eee-b396-e6985e7e4287.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3604) beb44565-3a80-4eee-b396-e6985e7e4287.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3604) beb44565-3a80-4eee-b396-e6985e7e4287.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3604) beb44565-3a80-4eee-b396-e6985e7e4287.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3604) beb44565-3a80-4eee-b396-e6985e7e4287.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3604) beb44565-3a80-4eee-b396-e6985e7e4287.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3604) beb44565-3a80-4eee-b396-e6985e7e4287.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3604) beb44565-3a80-4eee-b396-e6985e7e4287.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3604) beb44565-3a80-4eee-b396-e6985e7e4287.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3604) beb44565-3a80-4eee-b396-e6985e7e4287.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\beb44565-3a80-4eee-b396-e6985e7e4287_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
0
Suspicious files
5
Text files
85
Unknown types
0

Dropped files

PID
Process
Filename
Type
3604beb44565-3a80-4eee-b396-e6985e7e4287.exeC:\Users\admin\AppData\Roaming\youxunbox\main.7z
MD5:
SHA256:
3604beb44565-3a80-4eee-b396-e6985e7e4287.exeC:\Users\admin\AppData\Roaming\youxunbox\baidu.icoimage
MD5:861F227D99793BAF229A5ADF29A2E7DD
SHA256:1441505511BFFF6EF63584A3D3B6CE7086E427A16503818F1CA536617C856D9A
3604beb44565-3a80-4eee-b396-e6985e7e4287.exeC:\Users\admin\AppData\Roaming\youxunbox\aitb.icoimage
MD5:0B495875ABCF45ABF90385AD888CFC5C
SHA256:7C92CD859E4DEB5880418767277302F2AD9012D66008BF7A764A4CA5D1874BEB
3604beb44565-3a80-4eee-b396-e6985e7e4287.exeC:\Users\admin\AppData\Roaming\youxunbox\lsqy_tb.icoimage
MD5:2A03E678288929731A710D4A19D3FD1B
SHA256:8973F18F0D4678F96049FA3E4C3D31BCEDC4736DCA127E471F97ADB578CDFC5C
3604beb44565-3a80-4eee-b396-e6985e7e4287.exeC:\Users\admin\AppData\Roaming\youxunbox\cqsf.icoimage
MD5:436FCDAC987DD49BD5E664C5C283A209
SHA256:2A85783774E2F7CFA6F480D4C3F437D934876D20FB46B42482297E000296E46D
3604beb44565-3a80-4eee-b396-e6985e7e4287.exeC:\Users\admin\AppData\Roaming\youxunbox\新建文件夹\2.7zcompressed
MD5:0D5DD5003E01C58CC9B46B9CEE7998FB
SHA256:FCC0A8543C3EA878110FC71E97C627CFFA2DC217603C56D464C385579693627D
3604beb44565-3a80-4eee-b396-e6985e7e4287.exeC:\Users\admin\AppData\Roaming\youxunbox\tmmarket.icoimage
MD5:5F8B47DC7A085E0A0D379A505310E23B
SHA256:B0D150D2C69A8F09B060CE9EAF19EC8C94D2FD5703A5F11CDE6E48EA11CB9E27
3604beb44565-3a80-4eee-b396-e6985e7e4287.exeC:\Users\admin\AppData\Roaming\youxunbox\shipin.icoimage
MD5:56DB8FC68B28DCDC5E37FDE17957AC13
SHA256:CE1725220A36DD26D78B7CD582A31AA65F0273D741A46E3D4D88C00196463769
3604beb44565-3a80-4eee-b396-e6985e7e4287.exeC:\Users\admin\AppData\Roaming\youxunbox\新建文件夹\down.zipcompressed
MD5:B107AE30ECBAF944DDAB4540667D90E9
SHA256:A2AF856323F94AD48B5308CC3A46D0C4DD87BB1299EFA8E82D7D0817A2266A28
3604beb44565-3a80-4eee-b396-e6985e7e4287.exeC:\Users\admin\AppData\Roaming\youxunbox\jhs.icoimage
MD5:4234A87AA111281F8AF2C28F9DFBD468
SHA256:499603368C57CBB188A3510B1E92344D02B54992B86A4906AE7E7CF061362684
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
36
TCP/UDP connections
14
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
GET
200
182.118.46.58:80
http://poik.dgygpx.com/yxh/navico/hhts3.png
CN
image
952 b
malicious
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
GET
200
182.118.46.58:80
http://poik.dgygpx.com/yxh/navico/baidu.png
CN
image
3.04 Kb
malicious
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
GET
200
163.171.128.148:80
http://api.pcsoft.jshhdian.com/cgi/PCSoftInfo.ashx/pcsoft/getentity?id=
US
text
61 b
malicious
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
GET
200
163.171.128.148:80
http://ggstats.yb.jshhdian.com/pinforesults.do?sc=%3DFUQmS3ck6XanBUNgSXZwync4AHaA13cza3ZnRXZwync4AHaA13czanKxFUQ16XewOnKnGXM1BUMiSUMxBUM1VUMzVUQkGXcnFUQlm3d
US
text
35.9 Kb
whitelisted
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
GET
200
182.118.46.58:80
http://poik.dgygpx.com/yxh/navico/jd.ico
CN
image
1.12 Kb
malicious
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
GET
200
182.118.46.58:80
http://poik.dgygpx.com/yxh/navico/hhts3.ico
CN
image
1.12 Kb
malicious
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
GET
200
182.118.46.58:80
http://poik.dgygpx.com/yxh/navico/cqfd3.png
CN
image
645 b
malicious
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
GET
200
182.118.46.58:80
http://poik.dgygpx.com/yxh/navico/cqfd3.ico
CN
image
1.12 Kb
malicious
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
GET
200
163.171.128.148:80
http://api.yb.jshhdian.com/open/rili/ip.json?ip=10.116.0.1
US
text
38 b
malicious
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
GET
200
182.118.46.58:80
http://poik.dgygpx.com/yxh/navico/wangzdh.png
CN
image
1.49 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
182.118.46.58:80
poik.dgygpx.com
CHINA UNICOM China169 Backbone
CN
malicious
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
222.85.26.209:443
s13.cnzz.com
No.31,Jin-rong Street
CN
unknown
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
119.28.47.147:80
api.pcsoft.70gj.cn
Tencent Cloud Computing (Beijing) Co., Ltd
CN
unknown
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
163.171.132.119:80
dw.jshhdian.com
US
malicious
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
163.171.128.148:80
api.pcsoft.jshhdian.com
US
malicious
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
171.11.231.37:80
poik.dgygpx.com
No.31,Jin-rong Street
CN
malicious
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
171.11.231.39:80
poik.dgygpx.com
No.31,Jin-rong Street
CN
malicious
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
203.119.206.93:443
z7.cnzz.com
CN
malicious
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
222.85.26.208:443
s13.cnzz.com
No.31,Jin-rong Street
CN
unknown
3604
beb44565-3a80-4eee-b396-e6985e7e4287.exe
198.11.136.24:443
cnzz.mmstat.com
Alibaba (China) Technology Co., Ltd.
US
suspicious

DNS requests

Domain
IP
Reputation
api.pcsoft.jshhdian.com
  • 163.171.128.148
malicious
ggstats.yb.jshhdian.com
  • 163.171.128.148
whitelisted
www.baidu.com
  • 104.193.88.123
  • 104.193.88.77
whitelisted
api.yb.jshhdian.com
  • 163.171.128.148
malicious
poik.dgygpx.com
  • 182.118.46.58
  • 171.11.231.37
  • 171.11.231.39
malicious
ymte.sgdebao.com
  • 171.11.231.37
  • 171.11.231.39
  • 182.118.46.58
malicious
eoud.dgygpx.com
  • 171.11.231.39
  • 182.118.46.58
  • 171.11.231.37
malicious
dw.jshhdian.com
  • 163.171.132.119
malicious
api.pcsoft.70gj.cn
  • 119.28.47.147
malicious
s13.cnzz.com
  • 222.85.26.209
  • 222.85.26.208
suspicious

Threats

No threats detected
No debug info