analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Adobe Photoshop_24_242.exe

Full analysis: https://app.any.run/tasks/f24dab6d-5686-4623-9744-e65de677e533
Verdict: Malicious activity
Analysis date: June 12, 2019, 08:53:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
installer
adware
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows
MD5:

D8F704B2F289171737A56C50357CFB52

SHA1:

CC5627C8A1223E58A04363A5D14E5DF2A1364F7E

SHA256:

0B0F2C452ED06229E6F9DDB58D5F72230D140F3DB348CBB83CE85A8DDB292C23

SSDEEP:

98304:sODn6E6vnzaUbRnW4aeQ7bWWkhdVbmt4QI5zEKKJA7/fYMnkOBPde:sQn6EGzaGW7eQ7Mbbm2zEKp7dkOBQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • Adobe Photoshop_24_242.exe (PID: 3180)
      • MiniThunderPlatform.exe (PID: 1040)
    • Application was dropped or rewritten from another process

      • MiniThunderPlatform.exe (PID: 1040)
    • Connects to CnC server

      • MiniThunderPlatform.exe (PID: 1040)
      • Adobe Photoshop_24_242.exe (PID: 3180)
    • Changes settings of System certificates

      • Adobe Photoshop_24_242.exe (PID: 3180)
  • SUSPICIOUS

    • Reads internet explorer settings

      • Adobe Photoshop_24_242.exe (PID: 3180)
    • Executable content was dropped or overwritten

      • Adobe Photoshop_24_242.exe (PID: 3180)
    • Creates files in the program directory

      • MiniThunderPlatform.exe (PID: 1040)
    • Executed via COM

      • explorer.exe (PID: 3672)
    • Low-level read access rights to disk partition

      • MiniThunderPlatform.exe (PID: 1040)
    • Adds / modifies Windows certificates

      • Adobe Photoshop_24_242.exe (PID: 3180)
    • Creates files in the user directory

      • Adobe Photoshop_24_242.exe (PID: 3180)
  • INFO

    • Reads settings of System Certificates

      • Adobe Photoshop_24_242.exe (PID: 3180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (54.3)
.exe | Win64 Executable (generic) (34.8)
.exe | Win32 Executable (generic) (5.6)
.exe | Generic Win/DOS Executable (2.5)
.exe | DOS Executable Generic (2.5)

EXIF

EXE

ProductVersion: 1
ProductName: downer for windows
OriginalFileName: downloader.exe
LegalCopyright: Copyright ? 2018 - 2019 xiao T
InternalName: downloader.exe
FileVersion: 1
FileDescription: downer for windows
Comments: downer for windows
CharacterSet: Windows, Chinese (Simplified)
LanguageCode: Chinese (Simplified)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.2
FileVersionNumber: 1.0.0.2
Subsystem: Windows GUI
SubsystemVersion: 5
ImageVersion: -
OSVersion: 5
EntryPoint: 0x153174
UninitializedDataSize: -
InitializedDataSize: 4364800
CodeSize: 1655808
LinkerVersion: 9
PEType: PE32
TimeStamp: 2019:05:30 03:46:35+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 30-May-2019 01:46:35
Detected languages:
  • Chinese - PRC
  • English - United States
Debug artifacts:
  • d:\work\yxbox\trunk\bin\Win32\Release\Patch\downloader2\RAR压缩_24_197.pdb
Comments: downer for windows
FileDescription: downer for windows
FileVersion: 1.0
InternalName: downloader.exe
LegalCopyright: Copyright ? 2018 - 2019 xiao T
OriginalFilename: downloader.exe
ProductName: downer for windows
ProductVersion: 1.0

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 30-May-2019 01:46:35
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
.text
0x00001000
0x0019421F
0x00194400
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
6.38163
.rdata
0x00196000
0x00044FA6
0x00045000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
4.8927
.data
0x001DB000
0x00012080
0x0000B000
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
5.14927
.rsrc
0x001EE000
0x003C217C
0x003C2200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
7.8767
.reloc
0x005B1000
0x0001761C
0x00017800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
4.69443

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.01229
633
Latin 1 / Western European
English - United States
RT_MANIFEST
2
3.24731
296
Latin 1 / Western European
Chinese - PRC
RT_ICON
3
3.27183
3752
Latin 1 / Western European
Chinese - PRC
RT_ICON
4
3.91452
2216
Latin 1 / Western European
Chinese - PRC
RT_ICON
5
3.47417
1384
Latin 1 / Western European
Chinese - PRC
RT_ICON
6
3.02843
9640
Latin 1 / Western European
Chinese - PRC
RT_ICON
7
2.22721
72
Latin 1 / Western European
Chinese - PRC
RT_STRING
8
2.44525
1128
Latin 1 / Western European
Chinese - PRC
RT_ICON
9
3.02695
308
Latin 1 / Western European
Chinese - PRC
RT_CURSOR
10
2.74274
180
Latin 1 / Western European
Chinese - PRC
RT_CURSOR

Imports

ADVAPI32.dll
COMCTL32.dll
COMDLG32.dll
GDI32.dll
IPHLPAPI.DLL
KERNEL32.dll
NETAPI32.dll
OLEACC.dll (delay-loaded)
OLEAUT32.dll
PSAPI.DLL
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start adobe photoshop_24_242.exe no specs adobe photoshop_24_242.exe minithunderplatform.exe explorer.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2856"C:\Users\admin\AppData\Local\Temp\Adobe Photoshop_24_242.exe" C:\Users\admin\AppData\Local\Temp\Adobe Photoshop_24_242.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
downer for windows
Exit code:
3221226540
Version:
1.0
3180"C:\Users\admin\AppData\Local\Temp\Adobe Photoshop_24_242.exe" C:\Users\admin\AppData\Local\Temp\Adobe Photoshop_24_242.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Description:
downer for windows
Version:
1.0
1040"C:\Users\admin\AppData\Local\Temp\yxMiniTp\EyZ3w\download\MiniThunderPlatform.exe" -StartTPC:\Users\admin\AppData\Local\Temp\yxMiniTp\EyZ3w\download\MiniThunderPlatform.exe
Adobe Photoshop_24_242.exe
User:
admin
Company:
深圳市迅雷网络技术有限公司
Integrity Level:
HIGH
Description:
迅雷云加速开放平台
Exit code:
0
Version:
3.2.1.20
3572"C:\Windows\explorer.exe" /select, C:\Users\admin\AppData\Local\Temp\.txtC:\Windows\explorer.exeAdobe Photoshop_24_242.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3672C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -EmbeddingC:\Windows\explorer.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
837
Read events
755
Write events
0
Delete events
0

Modification events

No data
Executable files
11
Suspicious files
7
Text files
36
Unknown types
0

Dropped files

PID
Process
Filename
Type
3180Adobe Photoshop_24_242.exeC:\Users\admin\AppData\Roaming\youxunbox\main.7z
MD5:
SHA256:
3180Adobe Photoshop_24_242.exeC:\Users\admin\AppData\Roaming\youxunbox\aitb.icoimage
MD5:0B495875ABCF45ABF90385AD888CFC5C
SHA256:7C92CD859E4DEB5880418767277302F2AD9012D66008BF7A764A4CA5D1874BEB
3180Adobe Photoshop_24_242.exeC:\Users\admin\AppData\Roaming\youxunbox\cqsf.icoimage
MD5:436FCDAC987DD49BD5E664C5C283A209
SHA256:2A85783774E2F7CFA6F480D4C3F437D934876D20FB46B42482297E000296E46D
3180Adobe Photoshop_24_242.exeC:\Users\admin\AppData\Roaming\youxunbox\lsqy_tb.icoimage
MD5:2A03E678288929731A710D4A19D3FD1B
SHA256:8973F18F0D4678F96049FA3E4C3D31BCEDC4736DCA127E471F97ADB578CDFC5C
3180Adobe Photoshop_24_242.exeC:\Users\admin\AppData\Roaming\youxunbox\新建文件夹\down.zipcompressed
MD5:B107AE30ECBAF944DDAB4540667D90E9
SHA256:A2AF856323F94AD48B5308CC3A46D0C4DD87BB1299EFA8E82D7D0817A2266A28
3180Adobe Photoshop_24_242.exeC:\Users\admin\AppData\Roaming\youxunbox\caipiao.icoimage
MD5:A3B545261150433E5673F571EB5319EB
SHA256:29A7E0BE47F90497C44624591AEA444EEA5411595899543C2659AC2C76F58DE0
3180Adobe Photoshop_24_242.exeC:\Users\admin\AppData\Roaming\youxunbox\wangzdh.icoimage
MD5:D88C1D43FC223677A1E6019998A531B3
SHA256:CB843CA33DC0FC3F6503E0C270487DFC7F9CC61B91983A1D736F47EE81BA5B9A
3180Adobe Photoshop_24_242.exeC:\Users\admin\AppData\Roaming\youxunbox\tmmarket.icoimage
MD5:5F8B47DC7A085E0A0D379A505310E23B
SHA256:B0D150D2C69A8F09B060CE9EAF19EC8C94D2FD5703A5F11CDE6E48EA11CB9E27
3180Adobe Photoshop_24_242.exeC:\Users\admin\AppData\Roaming\youxunbox\baidu.icoimage
MD5:861F227D99793BAF229A5ADF29A2E7DD
SHA256:1441505511BFFF6EF63584A3D3B6CE7086E427A16503818F1CA536617C856D9A
3180Adobe Photoshop_24_242.exeC:\Users\admin\AppData\Roaming\youxunbox\temai.icoimage
MD5:6ED6686C133BA3159D89AAD6B6A4EE10
SHA256:63403102BA0C06B6CB9918D66DD8A888BF2716AC4DA49E1F84A4655B28A8E2F6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
20
DNS requests
27
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3180
Adobe Photoshop_24_242.exe
GET
163.171.128.148:80
http://ggstats.yb.jshhdian.com/pinforesults.do?sc=%3DFUQmS3ck6XanRkNgSXZwync4AHaA13cza3ZnRXZwync4AHaA13czanKxFUQ16XewOnKnGXM1BUMiSUMxBUM1VUMzVUQkGXcnFUQlm3d
US
whitelisted
3180
Adobe Photoshop_24_242.exe
GET
200
163.171.128.148:80
http://api.pcsoft.jshhdian.com/cgi/PCSoftInfo.ashx/pcsoft/getentity?id=242
US
text
1.01 Kb
malicious
3180
Adobe Photoshop_24_242.exe
GET
200
163.171.132.119:80
http://dw.jshhdian.com/post/index_az_22.html
US
html
566 b
malicious
3180
Adobe Photoshop_24_242.exe
GET
200
163.171.132.119:80
http://dw.jshhdian.com/xiazaiqi/box_520x240.html
US
html
528 b
malicious
3180
Adobe Photoshop_24_242.exe
GET
200
119.28.47.147:80
http://api.pcsoft.70gj.cn/cgi/PCSoftInfo.ashx/pcsoft/countdo?sc=5lkO6J0NxZUOy1UaumHenRkNgSXZwync4AHaARXbuAndnajN1JUQlmnKAl2WaSYVF2FeGelU1GFSOSYVV6FeKSmUA53d
CN
text
79 b
malicious
1040
MiniThunderPlatform.exe
GET
122.143.23.180:80
http://down10.zol.com.cn/it/Adobe0PhotoshopCS6.zip
CN
malicious
3180
Adobe Photoshop_24_242.exe
GET
200
163.171.128.148:80
http://ggstats.yb.jshhdian.com/pinforesults.do?sc=%3D%3DRNAVHawOncmajfiOnfg63ewSHf62UcwKoakaTauG3a5mYQuAndnaDNy1EevW4ckajai2DOx1TZ11DNx1DO21jN210Zi2nK1FUQlm3d
US
text
24.5 Kb
whitelisted
3180
Adobe Photoshop_24_242.exe
GET
200
182.118.46.58:80
http://sdmv.wxyxch.cn/Install/0105-4.gif
CN
image
139 Kb
malicious
3180
Adobe Photoshop_24_242.exe
GET
200
163.171.128.148:80
http://ggstats.yb.jshhdian.com/noencrypt_count.do?from=download&cfrom=download_24&type_show=&type_selected=&type_down_succ=&type_install_succ=&sn=52-54-00-4a-04-af&&time=1560329711
US
text
152 b
whitelisted
1040
MiniThunderPlatform.exe
POST
200
121.9.209.165:80
http://121.9.209.165:80/
CN
binary
28 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3180
Adobe Photoshop_24_242.exe
163.171.128.148:80
api.pcsoft.jshhdian.com
US
malicious
1040
MiniThunderPlatform.exe
119.188.108.12:8000
hub5pnc.hz.sandai.net
CHINA UNICOM China169 Backbone
CN
malicious
3180
Adobe Photoshop_24_242.exe
163.171.132.119:80
dw.jshhdian.com
US
malicious
119.28.47.147:80
api.pcsoft.70gj.cn
Tencent Cloud Computing (Beijing) Co., Ltd
CN
unknown
1040
MiniThunderPlatform.exe
112.80.23.156:80
pmap.hz.sandai.net
CHINA UNICOM China169 Backbone
CN
malicious
3180
Adobe Photoshop_24_242.exe
182.118.46.58:80
sdmv.wxyxch.cn
CHINA UNICOM China169 Backbone
CN
malicious
1040
MiniThunderPlatform.exe
153.37.209.8:80
hub5c.hz.sandai.net
CHINA UNICOM China169 Backbone
CN
malicious
3180
Adobe Photoshop_24_242.exe
203.119.206.97:443
z7.cnzz.com
CN
unknown
1040
MiniThunderPlatform.exe
47.92.195.246:80
hub5pr.hz.sandai.net
Hangzhou Alibaba Advertising Co.,Ltd.
CN
malicious
3180
Adobe Photoshop_24_242.exe
222.85.26.209:443
s13.cnzz.com
No.31,Jin-rong Street
CN
unknown

DNS requests

Domain
IP
Reputation
api.pcsoft.jshhdian.com
  • 163.171.128.148
malicious
ggstats.yb.jshhdian.com
  • 163.171.128.148
whitelisted
dw.jshhdian.com
  • 163.171.132.119
malicious
api.pcsoft.70gj.cn
  • 119.28.47.147
malicious
sdmv.wxyxch.cn
  • 182.118.46.58
  • 171.11.231.39
  • 171.11.231.37
malicious
hub5pn.hz.sandai.net
  • 157.255.225.53
  • 118.212.146.20
  • 211.91.242.38
  • 157.255.225.49
  • 61.135.179.35
  • 211.91.242.37
  • 61.135.179.34
  • 58.144.251.1
  • 153.3.232.174
  • 118.212.146.21
  • 58.144.251.2
  • 153.3.232.175
unknown
hub5pnc.hz.sandai.net
  • 119.188.108.12
  • 119.188.108.56
malicious
hub5u.hz.sandai.net
  • 47.92.34.184
  • 47.92.75.245
unknown
relay.phub.hz.sandai.net
  • 121.9.209.192
whitelisted
s13.cnzz.com
  • 222.85.26.209
  • 222.85.26.208
suspicious

Threats

PID
Process
Class
Message
1040
MiniThunderPlatform.exe
Misc activity
ADWARE [PTsecurity] Win32.Downloader (Sogou/Chindo)
1040
MiniThunderPlatform.exe
Generic Protocol Command Decode
SURICATA STREAM CLOSEWAIT FIN out of window
3180
Adobe Photoshop_24_242.exe
Generic Protocol Command Decode
SURICATA STREAM CLOSEWAIT FIN out of window
1040
MiniThunderPlatform.exe
Misc activity
ADWARE [PTsecurity] Win32.Downloader (Sogou/Chindo)
1040
MiniThunderPlatform.exe
Misc activity
ADWARE [PTsecurity] Win32.Downloader (Sogou/Chindo)
1040
MiniThunderPlatform.exe
Misc activity
ADWARE [PTsecurity] Win32.Downloader (Sogou/Chindo)
1040
MiniThunderPlatform.exe
Generic Protocol Command Decode
SURICATA STREAM CLOSEWAIT FIN out of window
1040
MiniThunderPlatform.exe
Generic Protocol Command Decode
SURICATA STREAM CLOSEWAIT FIN out of window
1040
MiniThunderPlatform.exe
Generic Protocol Command Decode
SURICATA STREAM CLOSEWAIT FIN out of window
1040
MiniThunderPlatform.exe
Generic Protocol Command Decode
SURICATA STREAM CLOSEWAIT FIN out of window
1 ETPRO signatures available at the full report
No debug info