File name: | Malware_3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe |
Full analysis: | https://app.any.run/tasks/30d8235a-0973-478e-858d-f7f337f183e1 |
Verdict: | Malicious activity |
Analysis date: | October 05, 2022, 07:04:47 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | application/x-dosexec |
File info: | PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed |
MD5: | 56AC9E72644A8DAE8C1968D63A26E58A |
SHA1: | D0349D04F33400541898426438D9E036D21DECC5 |
SHA256: | 3DB0E385EB53A32D61A5A35908A99317868B571E4CF7079DB67FD68604DA662C |
SSDEEP: | 24576:mq5TfcdHj4fmbi2q+0MmV0VMXeyrtoT1GokHTQoCwsC+Y:mUTsamOx9RoBVoCwT |
Extension | Type match (probability, %)
---|---
.exe | Win64 Executable (generic) (30.7)
.exe | UPX compressed Win32 Executable (30.1)
.exe | Win32 EXE Yoda's Crypter (29.5)
.exe | Win32 Executable (generic) (5)
.exe | Generic Win/DOS Executable (2.2)
Architecture: | IMAGE_FILE_MACHINE_I386 |
---|---|
Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
Compilation Date: | 2015-Jul-22 13:51:55 |
Detected languages: | |
FileVersion: | 1.0.7.4 |
Comments: | CHIP Secured Installer |
FileDescription: | CHIP Secured Installer |
ProductVersion: | 1.0.7.4 |
LegalCopyright: | Copyright © 2015 Chip Digital GmbH |
e_magic: | MZ |
---|---|
e_cblp: | 144 |
e_cp: | 3 |
e_crlc: | - |
e_cparhdr: | 4 |
e_minalloc: | - |
e_maxalloc: | 65535 |
e_ss: | - |
e_sp: | 184 |
e_csum: | - |
e_ip: | - |
e_cs: | - |
e_ovno: | - |
e_oemid: | - |
e_oeminfo: | - |
e_lfanew: | 264 |
Signature: | PE |
---|---|
Machine: | IMAGE_FILE_MACHINE_I386 |
NumberofSections: | 3 |
TimeDateStamp: | 2015-Jul-22 13:51:55 |
PointerToSymbolTable: | - |
NumberOfSymbols: | - |
SizeOfOptionalHeader: | 224 |
Characteristics: | |
Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy |
---|---|---|---|---|---|
UPX0 | 4096 | 1380352 | 0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | |
UPX1 | 1384448 | 344064 | 343040 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 7.93591 |
.rsrc | 1728512 | 851968 | 850944 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 6.34589 |
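The section table is where the "UPX compressed" verdict comes from: UPX0 has a virtual size of 1380352 bytes but occupies 0 bytes on disk and is mapped read/write/execute (the region the stub unpacks into), UPX1 carries the compressed payload at 7.94 bits per byte of entropy, and only .rsrc is left uncompressed so that the icon, version block and menu stay readable to the shell and to AV scanners. The Python below is an added example (editor's code, not from the report and not from CHIP Digital GmbH): it re-applies those heuristics to the values transcribed from the table and, since the binary itself is not on this page, uses constructed byte strings to show the entropy gap between plain and compressed data. The thresholds (7.0 bits per byte, 64 KiB) are common analyst rules of thumb and are assumed here, not taken from the report.

```python
"""Packer heuristics over a PE section table (added example, not part of the
sandbox report). SECTIONS is transcribed from the report; the byte strings in
entropy_demo() are constructed here to illustrate the entropy scale."""
import math
import random
import zlib
from collections import Counter
from typing import List, Optional, Set, Tuple

# (name, virtual_size, raw_size, characteristics, entropy) as printed in the report.
SECTIONS: List[Tuple[str, int, int, Set[str], Optional[float]]] = [
    ("UPX0", 1380352, 0,
     {"IMAGE_SCN_CNT_UNINITIALIZED_DATA", "IMAGE_SCN_MEM_EXECUTE",
      "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE"}, None),
    ("UPX1", 344064, 343040,
     {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_EXECUTE",
      "IMAGE_SCN_MEM_READ", "IMAGE_SCN_MEM_WRITE"}, 7.93591),
    (".rsrc", 851968, 850944,
     {"IMAGE_SCN_CNT_INITIALIZED_DATA", "IMAGE_SCN_MEM_READ",
      "IMAGE_SCN_MEM_WRITE"}, 6.34589),
]

# Assumed analyst thresholds (not from the report).
ENTROPY_THRESHOLD = 7.0
MIN_UNPACK_REGION = 64 * 1024


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def packer_indicators(sections) -> List[str]:
    """Return one line per reason the section layout looks packed."""
    findings = []
    for name, vsize, rsize, flags, entropy in sections:
        writable_exec = {"IMAGE_SCN_MEM_EXECUTE", "IMAGE_SCN_MEM_WRITE"} <= flags
        if name.upper().startswith("UPX"):
            findings.append(f"{name}: UPX section name")
        # Large RWX region with nothing on disk: the unpacker's destination.
        if rsize == 0 and vsize >= MIN_UNPACK_REGION and writable_exec:
            findings.append(f"{name}: {vsize} bytes RWX but 0 bytes raw (unpack target)")
        # Executable section that is nearly incompressible: compressed or encrypted code.
        if entropy is not None and entropy > ENTROPY_THRESHOLD and "IMAGE_SCN_MEM_EXECUTE" in flags:
            findings.append(f"{name}: executable section entropy {entropy:.2f} > {ENTROPY_THRESHOLD}")
    return findings


def entropy_demo() -> dict:
    """Constructed data: the same text before and after DEFLATE, to show why
    ~7.9 bits per byte reads as packed."""
    rng = random.Random(20221005)  # fixed seed so the demo is reproducible
    words = [b"chip", b"secured", b"installer", b"dmr", b"setup", b"download", b"de", b"ocs"]
    plain = b" ".join(rng.choice(words) for _ in range(8000))
    packed = zlib.compress(plain, 9)
    return {"plain": round(shannon_entropy(plain), 2),
            "packed": round(shannon_entropy(packed), 2)}


if __name__ == "__main__":
    for line in packer_indicators(SECTIONS):
        print(line)
    print(entropy_demo())
```

The table values alone already give three of the four hits (section names, the empty RWX UPX0 region, the 7.94-bit UPX1 section); the check on raw size versus virtual size is the one that survives when a packer renames its sections, which is why it is worth keeping separate from the name match.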
Title | Entropy | Size | Codepage | Language | Type |
---|---|---|---|---|---|
1 | 3.34174 | 588 | Latin 1 / Western European | German - Germany | RT_VERSION |
4 | 3.75291 | 9640 | Latin 1 / Western European | English - United Kingdom | RT_ICON |
7 | 3.34702 | 1428 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
8 | 3.2817 | 1674 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
9 | 3.28849 | 1168 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
10 | 3.28373 | 1532 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
11 | 3.26322 | 1628 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
12 | 3.25812 | 1126 | Latin 1 / Western European | English - United Kingdom | RT_STRING |
99 | 2.0815 | 20 | Latin 1 / Western European | English - United Kingdom | RT_GROUP_ICON |
166 | 2.68292 | 80 | Latin 1 / Western European | English - United Kingdom | RT_MENU |
ADVAPI32.dll |
COMCTL32.dll |
COMDLG32.dll |
GDI32.dll |
IPHLPAPI.DLL |
KERNEL32.DLL |
MPR.dll |
OLEAUT32.dll |
PSAPI.DLL |
SHELL32.dll |
PID | CMD | Path | Indicators | Parent process
---|---|---|---|---
2272 | "C:\Users\admin\AppData\Local\Temp\Malware_3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe" | C:\Users\admin\AppData\Local\Temp\Malware_3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | — | Explorer.EXE
User: admin; Integrity Level: MEDIUM; Description: CHIP Secured Installer; Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED); Version: 1.0.7.4
3652 | "C:\Users\admin\AppData\Local\Temp\Malware_3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe" | C:\Users\admin\AppData\Local\Temp\Malware_3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | | Explorer.EXE
User: admin; Integrity Level: HIGH; Description: CHIP Secured Installer; Exit code: 0; Version: 1.0.7.4
3148 | "C:\Users\admin\AppData\Local\Temp\DMR\dmr_72.exe" -install -72189998 -chipde -e37278fe332e42d1af33e4480ad52248 - -BLUB2 -sliyoffjkooorudw -3652 | C:\Users\admin\AppData\Local\Temp\DMR\dmr_72.exe | | Malware_3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe
User: admin; Company: Chip Digital GmbH; Integrity Level: HIGH; Description: DMR; Exit code: 0; Version: 1.0.7.4
2240 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | — | Explorer.EXE
User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 83.0
2076 | "C:\Program Files\Mozilla Firefox\firefox.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe
User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Version: 83.0
300 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.0.945350448\315375849" -parentBuildID 20201112153044 -prefsHandle 988 -prefMapHandle 1008 -prefsLen 1 -prefMapSize 238726 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 1192 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe
User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Version: 83.0
1180 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.6.759711757\2064147820" -childID 1 -isForBrowser -prefsHandle 2960 -prefMapHandle 2956 -prefsLen 245 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 2972 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe
User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Version: 83.0
3776 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.13.1031020715\454178639" -childID 2 -isForBrowser -prefsHandle 3148 -prefMapHandle 1816 -prefsLen 6644 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 3160 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe
User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Version: 83.0
2568 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.20.1468574424\822854906" -childID 3 -isForBrowser -prefsHandle 3488 -prefMapHandle 3484 -prefsLen 7399 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 3508 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe
User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Version: 83.0
2208 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2076.21.976449032\869481600" -childID 4 -isForBrowser -prefsHandle 3248 -prefMapHandle 3512 -prefsLen 7399 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 2076 "\\.\pipe\gecko-crash-server-pipe.2076" 3560 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe
User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Exit code: 0; Version: 83.0
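The two instances of the sample are the interesting part of this tree. PID 2272 starts at MEDIUM integrity and exits with 3221226540, which is 0xC000042C, STATUS_ELEVATION_REQUIRED: the image asked for elevation and could not get it from a plain CreateProcess. PID 3652 is the same image, same parent, now at HIGH integrity, exit code 0, so the sandbox's UAC auto-approve relaunched it elevated. Everything it spawns inherits that level, which is why dmr_72.exe (PID 3148) also runs HIGH; its command line carries the parent's PID (-3652) and the token sliyoffjkooorudw that names the .dat file 3652 writes under %TEMP%\DMR. The Python below is an added example (editor's code, not from the report): the rows are transcribed from the table with the Firefox children omitted, and the rule treats row order as launch order, which the report does not state explicitly.

```python
"""Recognising the UAC elevation re-launch in a sandbox process list.

Added example, not part of the sandbox report. ROWS is transcribed from the
report (Firefox content processes omitted); row order is assumed to be launch
order because the report prints no start times."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# NTSTATUS values behind the report's decimal exit codes.
STATUS_SUCCESS = 0x00000000
STATUS_ELEVATION_REQUIRED = 0xC000042C   # 3221226540 in decimal
NTSTATUS_NAMES = {
    STATUS_SUCCESS: "STATUS_SUCCESS",
    STATUS_ELEVATION_REQUIRED: "STATUS_ELEVATION_REQUIRED",
}

MALWARE = "Malware_3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent: str            # the report names the parent by image, not by PID
    integrity: str         # MEDIUM / HIGH / LOW as printed in the report
    exit_code: Optional[int]


ROWS: List[Proc] = [
    Proc(2272, MALWARE, "Explorer.EXE", "MEDIUM", 3221226540),
    Proc(3652, MALWARE, "Explorer.EXE", "HIGH", 0),
    Proc(3148, "dmr_72.exe", MALWARE, "HIGH", 0),
    Proc(2240, "firefox.exe", "Explorer.EXE", "MEDIUM", 0),
    Proc(2076, "firefox.exe", "firefox.exe", "MEDIUM", None),
]


def ntstatus_name(exit_code: int) -> str:
    """Render a decimal exit code the way an analyst reads it."""
    code = exit_code & 0xFFFFFFFF
    return NTSTATUS_NAMES.get(code, f"0x{code:08X}")


def elevation_relaunches(rows: List[Proc]) -> List[Tuple[int, int]]:
    """(failed_pid, elevated_pid) pairs: an image that died with
    STATUS_ELEVATION_REQUIRED below HIGH integrity and then shows up again,
    same image and same parent, at HIGH integrity."""
    pairs = []
    for i, failed in enumerate(rows):
        if failed.exit_code != STATUS_ELEVATION_REQUIRED or failed.integrity == "HIGH":
            continue
        for later in rows[i + 1:]:
            if (later.image == failed.image and later.parent == failed.parent
                    and later.integrity == "HIGH"):
                pairs.append((failed.pid, later.pid))
                break
    return pairs


def elevated_descendants(rows: List[Proc], pairs: List[Tuple[int, int]]) -> List[int]:
    """PIDs running at HIGH integrity under an image that obtained elevation
    through one of the relaunch pairs; these inherited the admin token."""
    by_pid = {p.pid: p for p in rows}
    elevated_images = {by_pid[pid].image for _, pid in pairs}
    return [p.pid for p in rows
            if p.parent in elevated_images and p.integrity == "HIGH"]


if __name__ == "__main__":
    pairs = elevation_relaunches(ROWS)
    for failed, elevated in pairs:
        by_pid = {p.pid: p for p in ROWS}
        print(f"PID {failed} exited {ntstatus_name(by_pid[failed].exit_code)}, "
              f"relaunched as PID {elevated} at HIGH")
    print("inherited HIGH integrity:", elevated_descendants(ROWS, pairs))
```

On a real endpoint the same pattern shows up as a Sysmon event 1 for the MEDIUM instance, an event 5 with that exit status, and a second event 1 for the same image at HIGH; the point of keying on STATUS_ELEVATION_REQUIRED rather than on the integrity level alone is that it separates a manifest-driven prompt from a process that was simply started by an already elevated parent.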
PID | Process | Key | Name | Operation | Value
---|---|---|---|---|---
3652 | Malware_3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1
3652 | Malware_3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1
3652 | Malware_3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1
3652 | Malware_3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0
3148 | dmr_72.exe | HKEY_CURRENT_USER\Software\OCS | CID | write | 081ec1bf-e0e4-40cf-96e4-0dd7d3b5eb94
3148 | dmr_72.exe | HKEY_CURRENT_USER\Software\OCS | PID | write | chipde
3148 | dmr_72.exe | HKEY_CURRENT_USER\Software\OCS | lastPID | write | chipde
3148 | dmr_72.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dmr_72_RASAPI32 | EnableFileTracing | write | 0
3148 | dmr_72.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dmr_72_RASAPI32 | EnableConsoleTracing | write | 0
3148 | dmr_72.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\dmr_72_RASAPI32 | FileTracingMask | write |
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2076 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | — | —
2076 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite | — | — | —
2076 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal | binary | EE67A41E68FAB6BE33BB87100E1250A7 | E4D361364B2F533AB608B4AF7CD2842650F64624311CF5221D4952A7A8E8191D
2076 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm | binary | B7C14EC6110FA820CA6B65F5AEC85911 | FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2076 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary | 994A33896BB41A278A315D0D796422B6 | 54EC50A20FFF8CC016710E49437CF6A11D3FE5EE7B28C185E4A9AAFEE2908B63
2076 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp | jsonlz4 | B17F8D93B0C43D6B72DC03752C20A2D9 | ADA0F70D374223FB63C2F19471FAB45D986A681E2485692E63F00F5071F19D76
2076 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | binary | B7C14EC6110FA820CA6B65F5AEC85911 | FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
2076 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | binary | B7C14EC6110FA820CA6B65F5AEC85911 | FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
3652 | Malware_3db0e385eb53a32d61a5a35908a99317868b571e4cf7079db67fd68604da662c.exe | C:\Users\admin\AppData\Local\Temp\DMR\sliyoffjkooorudw.dat | text | 8C934B48A05955C6CC934925F4C01E7D | 51BE55DD44A7D2C782EF432971878A64040AEC99C5EC0B53AC92D72BB2645992
2076 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js | text | 299A2B747C11E4BDA194E563FEA4A699 | 94EE461F62E8B4A0A65471A41E10C8C56722B73C0A019D76ACA7F5BAF109813E
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2076 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2076 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3148 | dmr_72.exe | GET | 200 | 116.203.169.158:80 | http://api.chip-secured-download.de/geoip/geoip.php?ip=322e3234342e3130302e323535 | IN | text | 2 b | unknown |
— | — | POST | 200 | 172.217.17.99:80 | http://ocsp.pki.goog/gts1c3 | US | der | 471 b | whitelisted |
3148 | dmr_72.exe | GET | 200 | 116.203.169.158:80 | http://api.chip-secured-download.de/dotnet/com | IN | text | 22 b | unknown |
2076 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt | US | text | 8 b | whitelisted |
3148 | dmr_72.exe | GET | 200 | 116.203.169.158:80 | http://api.chip-secured-download.de/dotnet/com | IN | text | 22 b | unknown |
2076 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | US | text | 8 b | whitelisted |
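Only the three requests from dmr_72.exe (PID 3148) belong to the sample; the firefox.exe rows and the OCSP lookups are the sandbox's own browser and certificate checks. The geoip call is worth a second look: its ip parameter is hex-encoded, and 322e3234342e3130302e323535 decodes to the ASCII string 2.244.100.255, so the installer is sending an IPv4 address (most plausibly the analysis machine's public address, though the report does not say so) to api.chip-secured-download.de. The Python below is an added example (editor's code, not from the report): it filters the request table down to the sample's PID, drops whitelisted destinations, and decodes the parameter with validation so that a value that is not hex or not an IPv4 address is reported as such instead of being trusted.

```python
"""Filtering a sandbox HTTP-request table to the sample's own traffic and decoding
the hex-encoded ip parameter (added example, not part of the sandbox report).
REQUESTS is transcribed from the report; only the columns used here are kept."""
import ipaddress
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlparse

Request = Tuple[int, str, str, str, str]   # (pid, process, method, url, reputation)

REQUESTS: List[Request] = [
    (2076, "firefox.exe", "POST", "http://ocsp.digicert.com/", "whitelisted"),
    (3148, "dmr_72.exe", "GET",
     "http://api.chip-secured-download.de/geoip/geoip.php?ip=322e3234342e3130302e323535",
     "unknown"),
    (3148, "dmr_72.exe", "GET", "http://api.chip-secured-download.de/dotnet/com", "unknown"),
    (2076, "firefox.exe", "GET", "http://detectportal.firefox.com/success.txt", "whitelisted"),
    (3148, "dmr_72.exe", "GET", "http://api.chip-secured-download.de/dotnet/com", "unknown"),
]


def sample_requests(rows: List[Request], pids: Set[int]) -> List[Request]:
    """Requests made by the given PIDs to destinations the sandbox did not whitelist."""
    return [r for r in rows if r[0] in pids and r[4] != "whitelisted"]


def hosts(rows: List[Request]) -> Set[str]:
    """Distinct hostnames contacted, the part of the table that becomes an IOC list."""
    return {urlparse(r[3]).hostname for r in rows}


def decode_hex_ip(value: str) -> Optional[str]:
    """Decode a hex-encoded ASCII IPv4 string; None if it is not hex or not an address.

    ipaddress.IPv4Address raises AddressValueError (a ValueError) on anything that is
    not a dotted quad, so a decoded string such as 'hello' is rejected here."""
    try:
        text = bytes.fromhex(value).decode("ascii")
        return str(ipaddress.IPv4Address(text))
    except (ValueError, UnicodeDecodeError):
        return None


def geoip_lookups(rows: List[Request]) -> Dict[str, Optional[str]]:
    """Map each geoip request URL to the address it reports (None if undecodable)."""
    out: Dict[str, Optional[str]] = {}
    for _, _, _, url, _ in rows:
        parsed = urlparse(url)
        if parsed.path.endswith("/geoip/geoip.php"):
            for value in parse_qs(parsed.query).get("ip", []):
                out[url] = decode_hex_ip(value)
    return out


if __name__ == "__main__":
    own = sample_requests(REQUESTS, {3148})
    print("sample contacted:", sorted(hosts(own)))
    for url, addr in geoip_lookups(own).items():
        print(f"{url}\n  -> reports {addr}")
```

Hex-encoding the client address does not hide anything from a proxy log, but it does defeat a naive regex for dotted quads in URLs; a detection that extracts query parameters and tries a hex decode before the IP match catches this variant and its plain-text siblings alike.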
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2076 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted |
2076 | firefox.exe | 35.163.138.146:443 | location.services.mozilla.com | AMAZON-02 | US | unknown |
2076 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted |
2076 | firefox.exe | 172.217.169.170:443 | safebrowsing.googleapis.com | GOOGLE | US | whitelisted |
2076 | firefox.exe | 52.222.236.89:443 | firefox-settings-attachments.cdn.mozilla.net | AMAZON-02 | US | suspicious |
2076 | firefox.exe | 13.32.121.85:443 | snippets.cdn.mozilla.net | AMAZON-02 | US | suspicious |
2076 | firefox.exe | 18.66.147.5:443 | content-signature-2.cdn.mozilla.net | AMAZON-02 | US | unknown |
3148 | dmr_72.exe | 116.203.169.158:80 | api.chip-secured-download.de | Hetzner Online GmbH | DE | unknown |
3148 | dmr_72.exe | 116.203.169.152:80 | ocs1.chdi-server.de | Hetzner Online GmbH | DE | unknown |
— | — | 34.107.221.82:80 | detectportal.firefox.com | GOOGLE | US | whitelisted |
Domain | IP | Reputation
---|---|---
api.chip-secured-download.de | | unknown
ocs1.chdi-server.de | | unknown
detectportal.firefox.com | | whitelisted
prod.detectportal.prod.cloudops.mozgcp.net | | whitelisted
firefox.settings.services.mozilla.com | | whitelisted
location.services.mozilla.com | | whitelisted
locprod2-elb-us-west-2.prod.mozaws.net | | whitelisted
ocsp.digicert.com | | whitelisted
example.org | | whitelisted
ipv4only.arpa | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
2076 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
2076 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |