| URL: | http://rais.gov.br/sitio/rais_ftp/GDRAIS2020-1.2-Setup.exe |
| Full analysis: | https://app.any.run/tasks/03e0f95a-204a-4355-bb71-b5d5d7181b36 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | April 17, 2021, 18:01:28 |
| OS: | Windows 10 Professional (build: 16299, 64 bit) |
| Tags: | |
| Indicators: | |
| MD5: | D30B5D54A991068C9B90701EE90A819A |
| SHA1: | 51A127239E604653BD6092EA9B208E59698C614A |
| SHA256: | 1A79F398B7EB1F38CFB5370E4575C41D21E560B1C02CC33A4A33B3D3380B775E |
| SSDEEP: | 3:N1KMKJTKMxV5h8NI20lA:CMKj1h8NLQA |
MALICIOUS
Application was dropped or rewritten from another process
- GDRAIS2020-1.2-Setup.exe (PID: 4668)
- GDRAIS2020-1.2-Setup.exe (PID: 2744)
SUSPICIOUS
Check for Java to be installed
- GDRAIS2020-1.2-Setup.exe (PID: 2744)
- javaw.exe (PID: 2120)
Executes JAVA applets
- GDRAIS2020-1.2-Setup.exe (PID: 2744)
- javaw.exe (PID: 444)
Starts CMD.EXE for commands execution
- javaw.exe (PID: 444)
Drops a file with too old compile date
- javaw.exe (PID: 444)
Executable content was dropped or overwritten
- javaw.exe (PID: 444)
Creates files in the program directory
- javaw.exe (PID: 444)
Drops a file with a compile date too recent
- IEXPLORE.EXE (PID: 4588)
INFO
Modifies the phishing filter of IE
- iexplore.exe (PID: 2512)
Changes internet zones settings
- iexplore.exe (PID: 2512)
Checks supported languages
- iexplore.exe (PID: 2512)
Manual execution by user
- cmd.exe (PID: 4896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
106
Monitored processes
16
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 224 | cmd.exe /C set | C:\WINDOWS\SYSTEM32\cmd.exe | — | javaw.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 424 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\WINDOWS\system32\conhost.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 444 | "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLQBH2R9\GDRAIS2020-1.2-Setup.exe" | C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe | GDRAIS2020-1.2-Setup.exe | ||||||||||||
User: admin Company: Oracle Corporation Integrity Level: HIGH Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 Modules
| |||||||||||||||
| 1404 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\WINDOWS\system32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2084 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\WINDOWS\system32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2120 | javaw -Duser.language=pt -Duser.region=BR -DsuppressSwingDropSupport=true -Djavax.net.ssl.trustStore=./cert/gdrais-client-producao.keystore -Xmx768m -cp .;./gdrais-gui2020-1.2-prod.jar;./lib/* br.gov.serpro.gdrais.gui.gui.GuiLancador | C:\ProgramData\Oracle\Java\javapath\javaw.exe | — | cmd.exe | |||||||||||
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 Modules
| |||||||||||||||
| 2512 | "C:\Program Files\internet explorer\iexplore.exe" "http://rais.gov.br/sitio/rais_ftp/GDRAIS2020-1.2-Setup.exe" | C:\Program Files\internet explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2744 | "C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLQBH2R9\GDRAIS2020-1.2-Setup.exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLQBH2R9\GDRAIS2020-1.2-Setup.exe | iexplore.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2764 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\WINDOWS\system32\conhost.exe | — | java.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.16299.15 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3816 | "C:\Program Files\Java\jre1.8.0_92\bin\java.exe" | C:\Program Files\Java\jre1.8.0_92\bin\java.exe | — | javaw.exe | |||||||||||
User: admin Company: Oracle Corporation Integrity Level: HIGH Description: Java(TM) Platform SE binary Exit code: 1 Version: 8.0.920.14 Modules
| |||||||||||||||
Total events
2 650
Read events
2 536
Write events
113
Delete events
1
Modification events
| (PID) Process: | (2512) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock |
| Operation: | write | Name: | L1WatermarkLowPart |
Value: 0 | |||
| (PID) Process: | (2512) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock |
| Operation: | write | Name: | L1WatermarkHighPart |
Value: 0 | |||
| (PID) Process: | (2512) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock |
| Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: 0 | |||
| (PID) Process: | (2512) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock |
| Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 0 | |||
| (PID) Process: | (2512) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock |
| Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: 3432928509 | |||
| (PID) Process: | (2512) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlock |
| Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 30880691 | |||
| (PID) Process: | (2512) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (2512) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (2512) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (2512) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
Executable files
32
Suspicious files
74
Text files
20
Unknown types
5
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2512 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver987B.tmp | — | |
MD5:— | SHA256:— | |||
| 2512 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\UrlBlock\URL982C.tmp | — | |
MD5:— | SHA256:— | |||
| 4588 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\LD57I5PR\GDRAIS2020-1.2-Setup[1].exe | — | |
MD5:— | SHA256:— | |||
| 4588 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLQBH2R9\GDRAIS2020-1.2-Setup.exe.gwoioe8.partial | — | |
MD5:— | SHA256:— | |||
| 2512 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF9DC380846860BA88.TMP | — | |
MD5:— | SHA256:— | |||
| 2512 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLQBH2R9\GDRAIS2020-1.2-Setup.exe.gwoioe8.partial:Zone.Identifier | — | |
MD5:— | SHA256:— | |||
| 2512 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLQBH2R9\GDRAIS2020-1.2-Setup.exe | — | |
MD5:— | SHA256:— | |||
| 2512 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\WLJYL64M\l1[1].dat | binary | |
MD5:— | SHA256:— | |||
| 2512 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\UrlBlock\urlblock_637542768532527437.bin | binary | |
MD5:— | SHA256:— | |||
| 2512 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\IECompatData\iecompatdata.xml | xml | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
8
DNS requests
9
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4588 | IEXPLORE.EXE | GET | 200 | 161.148.172.147:80 | http://rais.gov.br/sitio/rais_ftp/GDRAIS2020-1.2-Setup.exe | BR | executable | 52.2 Mb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4588 | IEXPLORE.EXE | 161.148.172.147:80 | rais.gov.br | SERVICO FEDERAL DE PROCESSAMENTO DE DADOS - SERPRO | BR | suspicious |
2512 | iexplore.exe | 51.144.113.175:443 | urs.microsoft.com | Microsoft Corporation | NL | suspicious |
2512 | iexplore.exe | 52.178.182.73:443 | t.urs.microsoft.com | Microsoft Corporation | IE | suspicious |
2512 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2512 | iexplore.exe | 52.164.226.245:443 | c.urs.microsoft.com | Microsoft Corporation | IE | suspicious |
2512 | iexplore.exe | 23.97.153.169:443 | apprep.smartscreen.microsoft.com | Microsoft Corporation | NL | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
rais.gov.br |
| whitelisted |
urs.microsoft.com |
| whitelisted |
t.urs.microsoft.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
c.urs.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
ieonline.microsoft.com |
| whitelisted |
apprep.smartscreen.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
Process | Message |
|---|---|
conhost.exe | InitSideBySide failed create an activation context. Error: 1814 |