analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

video_36953.bz

Full analysis: https://app.any.run/tasks/2f301ccf-e54f-4a63-8cf7-b9b43cee2799
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: April 20, 2019, 13:56:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
autoit
loader
xmrig
miner
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.4
MD5:

3D214C792C869444EC289BFE0B6B6599

SHA1:

458AF991FFE4D2B85D5D7D69DD23F7E2F9013AA7

SHA256:

365167731ED69D11C2DB17310E5015FC07B9D44325BF797779CFF36563D9F84C

SSDEEP:

12288:ea2ml+l5myFnsQB2WyKWN5WWKZ9MWBXzxp0qz:/G5my5B2mWNOZ9MmX9mqz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • play_23438900.mp4.com (PID: 3152)
      • 7za.exe (PID: 3652)
      • play_23438900.mp4.com (PID: 2736)

    • Connects to CnC server

      • play_23438900.mp4.com (PID: 3152)

    • UAC/LUA settings modification

      • play_23438900.mp4.com (PID: 3152)

    • Changes the autorun value in the registry

      • chrome.exe (PID: 2748)
      • play_23438900.mp4.com (PID: 3152)

    • Downloads executable files from the Internet

      • play_23438900.mp4.com (PID: 3152)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2936)
      • play_23438900.mp4.com (PID: 3152)
      • 7za.exe (PID: 3652)

    • Reads Internet Cache Settings

      • rundll32.exe (PID: 2536)
      • rundll32.exe (PID: 3840)

    • Starts application with an unusual extension

      • WinRAR.exe (PID: 2936)

    • Creates files in the user directory

      • rundll32.exe (PID: 3840)
      • play_23438900.mp4.com (PID: 3152)
      • 7za.exe (PID: 3652)

    • Uses RUNDLL32.EXE to load library

      • play_23438900.mp4.com (PID: 3152)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2748)

  • INFO

    • Drop XMRig executable file

      • 7za.exe (PID: 3652)

    • Application launched itself

      • chrome.exe (PID: 2748)

    • Adds / modifies Windows certificates

      • chrome.exe (PID: 2748)

    • Changes settings of System certificates

      • chrome.exe (PID: 2748)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (v0.4) (57.1)
.7z | 7-Zip compressed archive (gen) (42.8)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
61
Monitored processes
26
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start winrar.exe play_23438900.mp4.com no specs play_23438900.mp4.com rundll32.exe no specs rundll32.exe no specs 7za.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs taskmgr.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2936"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\video_36953.bz.7z"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2736"C:\Users\admin\AppData\Local\Temp\Rar$DIa2936.12787\play_23438900.mp4.com" C:\Users\admin\AppData\Local\Temp\Rar$DIa2936.12787\play_23438900.mp4.comWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
3152"C:\Users\admin\AppData\Local\Temp\Rar$DIa2936.12787\play_23438900.mp4.com" C:\Users\admin\AppData\Local\Temp\Rar$DIa2936.12787\play_23438900.mp4.com
WinRAR.exe
User:
admin
Integrity Level:
HIGH
3840"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1 C:\Windows\system32\rundll32.exeplay_23438900.mp4.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2536"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\WININET.dll",DispatchAPICall 1 C:\Windows\system32\rundll32.exeplay_23438900.mp4.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3652C:\Users\admin\AppData\Roaming\admin\7za.exe e files.7z -aoa -pKEQZmgbrmDnTpa2b4DHVMXC:\Users\admin\AppData\Roaming\admin\7za.exe
play_23438900.mp4.com
User:
admin
Company:
Igor Pavlov
Integrity Level:
HIGH
Description:
7-Zip Standalone Console
Exit code:
0
Version:
18.05
2748"C:\Program Files\Google\Chrome\Application\chrome.exe" --enable-automation --restore-last-session --disable-infobars --load-extension=C:\Users\admin\AppData\Roaming\adminC:\Program Files\Google\Chrome\Application\chrome.exe
play_23438900.mp4.com
User:
admin
Company:
Google Inc.
Integrity Level:
HIGH
Description:
Google Chrome
Version:
73.0.3683.75
3612"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6d7c0f18,0x6d7c0f28,0x6d7c0f34C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
HIGH
Description:
Google Chrome
Version:
73.0.3683.75
4012"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2752 --on-initialized-event-handle=300 --parent-handle=304 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
HIGH
Description:
Google Chrome
Version:
73.0.3683.75
3028"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=964,10202016266461333583,16626570766222255197,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=15171918285324450438 --mojo-platform-channel-handle=952 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Version:
73.0.3683.75
Total events
943
Read events
782
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
44
Text files
139
Unknown types
9

Dropped files

PID
Process
Filename
Type
3152play_23438900.mp4.comC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@susu[1].txttext
MD5:48BD6B19A5F836FE3C3E771D4BE7A548
SHA256:141765093F22C24CACE2053FCFB70548C20CA7DC4425547C1FA8E8E9D0F87245
3152play_23438900.mp4.comC:\Users\admin\AppData\Roaming\admin\files.7zcompressed
MD5:07ACF94F8CFD81A666A9EE9B8EF90867
SHA256:5321F7B102B93E3434FF2643C9093D8F1B31A0F4CF06F79490CB8F950410FA15
2936WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIa2936.12787\play_23438900.mp4.comexecutable
MD5:9ED093EB4BB48F1020B318A9100A4071
SHA256:8B68940459C9D22EE049E77C8ED5DB77EF799AB3DEDD0E7B6F75E93C49E8EED1
36527za.exeC:\Users\admin\AppData\Roaming\admin\config.jsontext
MD5:F2984CE645BB50566101B47501A6FE31
SHA256:97A1DF07B539B17763D0E67FBDFD7730E0F5DEE5C4C2169E01DDD00FCAF85634
36527za.exeC:\Users\admin\AppData\Roaming\admin\update-x64.exeexecutable
MD5:FFC62F389808581C65053EC05073FF3D
SHA256:672FEAC7A3C5B0410E9889ED07420ECA89F0E33F200563C7CE209618EB0D1C69
36527za.exeC:\Users\admin\AppData\Roaming\admin\update-x86.exeexecutable
MD5:E275383EE09EA45A27C61CC8DB60F87C
SHA256:A0C6A35297988ECE4B83C2D46AF8C2F94DAE2EFD929D94AABDCE67FFB3936388
3840rundll32.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7BEKFNQO\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
36527za.exeC:\Users\admin\AppData\Roaming\admin\background.jstext
MD5:2B439B4641B9A68A38BADED10BA8276D
SHA256:9691C7B1DCA39AD276520E2DD43A0E4621D76CFE675EA5057A0C62FC38D9D010
36527za.exeC:\Users\admin\AppData\Roaming\admin\manifest.jsontext
MD5:6957984543C2E8CD0F72E377634359C0
SHA256:29232F95509C7CF773A8ECA1619A6220EBC19D15AD02E4590FCCAB803F57A7E7
3840rundll32.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:B1776004852C424408263880CA6967FD
SHA256:39EF9BC19764A4AB9AAD8D80DF45EEB7AAFDC91AA0C442B8B4CAFBDDE17C08BE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
25
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3152
play_23438900.mp4.com
HEAD
200
104.18.45.49:80
http://susu.icu/app/login.php
US
malicious
2748
chrome.exe
GET
200
104.24.127.230:80
http://luru.icu/js/filters.php
US
text
357 b
malicious
2748
chrome.exe
GET
200
104.24.127.230:80
http://luru.icu/bgxvrjfk
US
text
1.94 Kb
malicious
2748
chrome.exe
GET
200
104.24.127.230:80
http://luru.icu/check
US
text
103 b
malicious
3152
play_23438900.mp4.com
GET
200
104.18.45.49:80
http://susu.icu/app/files.7z?id=4353
US
compressed
1.08 Mb
malicious
2748
chrome.exe
GET
302
172.217.16.142:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
506 b
whitelisted
2748
chrome.exe
GET
200
104.24.127.230:80
http://luru.icu/config
US
text
343 b
malicious
2748
chrome.exe
GET
200
84.15.64.237:80
http://r2---sn-cpux-8ovl.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=85.206.166.82&mm=28&mn=sn-cpux-8ovl&ms=nvh&mt=1555767754&mv=u&pl=23&shardbypass=yes
LT
crx
842 Kb
whitelisted
2748
chrome.exe
GET
200
104.24.127.230:80
http://luru.icu/settings.png
US
image
313 b
malicious
3152
play_23438900.mp4.com
GET
200
104.18.45.49:80
http://susu.icu/app/7za.exe?id=8308
US
executable
716 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2748
chrome.exe
172.217.23.141:443
accounts.google.com
Google Inc.
US
whitelisted
2748
chrome.exe
172.217.21.234:443
www.googleapis.com
Google Inc.
US
whitelisted
2748
chrome.exe
172.217.16.195:443
ssl.gstatic.com
Google Inc.
US
whitelisted
2748
chrome.exe
172.217.23.174:443
apis.google.com
Google Inc.
US
whitelisted
2748
chrome.exe
31.13.90.36:443
www.facebook.com
Facebook, Inc.
IE
whitelisted
3152
play_23438900.mp4.com
104.18.45.49:80
susu.icu
Cloudflare Inc
US
shared
2748
chrome.exe
216.58.205.238:443
clients1.google.com
Google Inc.
US
whitelisted
2748
chrome.exe
172.217.21.206:443
www.google-analytics.com
Google Inc.
US
whitelisted
2748
chrome.exe
172.217.21.202:443
fonts.googleapis.com
Google Inc.
US
whitelisted
104.18.45.49:80
susu.icu
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
www.google.com
  • 172.217.18.100
  • 172.217.22.100
whitelisted
susu.icu
  • 104.18.45.49
  • 104.18.44.49
malicious
clientservices.googleapis.com
  • 216.58.207.35
whitelisted
www.googleapis.com
  • 172.217.21.234
  • 172.217.22.10
  • 172.217.18.10
  • 172.217.18.170
  • 172.217.23.138
  • 216.58.206.10
  • 216.58.207.42
  • 216.58.207.74
  • 172.217.16.170
  • 216.58.208.42
  • 172.217.16.138
  • 172.217.22.42
  • 172.217.22.74
  • 172.217.22.106
  • 216.58.210.10
  • 172.217.16.202
whitelisted
accounts.google.com
  • 172.217.23.141
shared
www.google.com.ua
  • 172.217.18.99
whitelisted
luru.icu
  • 104.24.127.230
  • 104.24.126.230
malicious
clients1.google.com
  • 216.58.205.238
whitelisted
ssl.gstatic.com
  • 172.217.16.195
whitelisted
www.google-analytics.com
  • 172.217.21.206
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .icu Domain
3152
play_23438900.mp4.com
Generic Protocol Command Decode
SURICATA HTTP response header invalid
3152
play_23438900.mp4.com
Potential Corporate Privacy Violation
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
3152
play_23438900.mp4.com
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3152
play_23438900.mp4.com
Misc activity
ET INFO Possible EXE Download From Suspicious TLD
3152
play_23438900.mp4.com
Potential Corporate Privacy Violation
ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile
2748
chrome.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
video_36953.bz