Malware analysis http://download.drp.su/17-online/DriverPack-17-Online_41382478.1550477446.exe Malicious activity

analyze malware

Huge database of samples and IOCs
Custom VM setup
Unlimited submissions
Interactive approach

Add for printing

URL:	http://download.drp.su/17-online/DriverPack-17-Online_41382478.1550477446.exe
Full analysis:	https://app.any.run/tasks/127ca77e-3f7c-47b0-9b83-f6dceacfeabd
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	February 19, 2019, 10:28:16
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	adware trojan opendir loader
Indicators:
MD5:	C04A77DD2747130921AD153A4E8E6283
SHA1:	FCEFECA4383ADF489C732E3A1A189DE6EFDF42FD
SHA256:	4382F634F704C26645E18AC793402D0F5C205EC9FFC50F75B4C52B2E194E8605
SSDEEP:	3:N1KaKElHPSIWQbURSs0iBAC:Ca5vSH6uN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - DriverPack-17-Online_41382478.1550477446[1].exe (PID: 2668)
  - DriverPack-17-Online_41382478.1550477446[1].exe (PID: 3692)
  - aria2c.exe (PID: 688)
  - aria2c.exe (PID: 3680)
  - aria2c.exe (PID: 2716)
  - aria2c.exe (PID: 3492)
  - aria2c.exe (PID: 3972)
  - aria2c.exe (PID: 2712)
  - aria2c.exe (PID: 3548)
  - driverpack-7za.exe (PID: 3620)
  - devcon.exe (PID: 3532)
  - driverpack-7za.exe (PID: 3836)
  - AvastAntivirusWorldwideA.exe (PID: 2572)
  - instup.exe (PID: 3528)
  - avast_free_antivirus_setup_online.exe (PID: 3804)
  - instup.exe (PID: 3500)
  - sbr.exe (PID: 3740)
  - AvEmUpdate.exe (PID: 2796)
  - AvEmUpdate.exe (PID: 2260)
- Executes PowerShell scripts
  - cmd.exe (PID: 2620)
- Downloads executable files from the Internet
  - wscript.exe (PID: 2456)
  - aria2c.exe (PID: 2712)
  - aria2c.exe (PID: 3548)
  - aria2c.exe (PID: 3972)
  - AvastAntivirusWorldwideA.exe (PID: 2572)
- Changes internet zones settings
  - mshta.exe (PID: 3368)
- Loads dropped or rewritten executable
  - instup.exe (PID: 3528)
  - instup.exe (PID: 3500)
  - engsup.exe (PID: 2216)
  - AvEmUpdate.exe (PID: 2260)
  - AvEmUpdate.exe (PID: 2796)
- Changes the autorun value in the registry
  - instup.exe (PID: 3500)
- Loads the Task Scheduler COM API
  - AvEmUpdate.exe (PID: 2796)
  - AvEmUpdate.exe (PID: 2260)
SUSPICIOUS
- Executable content was dropped or overwritten
  - iexplore.exe (PID: 2988)
  - iexplore.exe (PID: 3284)
  - wscript.exe (PID: 2456)
  - aria2c.exe (PID: 3548)
  - aria2c.exe (PID: 2712)
  - aria2c.exe (PID: 3972)
  - driverpack-7za.exe (PID: 3620)
  - DrvInst.exe (PID: 1932)
  - devcon.exe (PID: 3532)
  - AvastAntivirusWorldwideA.exe (PID: 2572)
  - avast_free_antivirus_setup_online.exe (PID: 3804)
  - instup.exe (PID: 3528)
  - AvEmUpdate.exe (PID: 2260)
  - instup.exe (PID: 3500)
- Uses REG.EXE to modify Windows registry
  - DriverPack-17-Online_41382478.1550477446[1].exe (PID: 3692)
- Starts MSHTA.EXE for opening HTA or HTMLS files
  - DriverPack-17-Online_41382478.1550477446[1].exe (PID: 3692)
- Executes scripts
  - mshta.exe (PID: 3368)
- Creates files in the user directory
  - cmd.exe (PID: 3516)
  - powershell.exe (PID: 3428)
  - cmd.exe (PID: 2620)
  - mshta.exe (PID: 3368)
  - wscript.exe (PID: 3604)
  - cmd.exe (PID: 3320)
  - wscript.exe (PID: 2460)
  - wscript.exe (PID: 3056)
  - wscript.exe (PID: 1204)
  - cmd.exe (PID: 3020)
  - cmd.exe (PID: 3500)
  - cmd.exe (PID: 3384)
  - aria2c.exe (PID: 3972)
  - aria2c.exe (PID: 2716)
  - aria2c.exe (PID: 3492)
  - cmd.exe (PID: 4084)
  - aria2c.exe (PID: 3680)
  - aria2c.exe (PID: 2712)
  - cmd.exe (PID: 3280)
  - cmd.exe (PID: 2056)
  - cmd.exe (PID: 2220)
  - aria2c.exe (PID: 3548)
  - cmd.exe (PID: 3956)
  - cmd.exe (PID: 2856)
  - cmd.exe (PID: 4088)
  - cmd.exe (PID: 3444)
  - cmd.exe (PID: 2896)
  - cmd.exe (PID: 792)
  - cmd.exe (PID: 1848)
- Uses NETSH.EXE for network configuration
  - cmd.exe (PID: 3516)
  - cmd.exe (PID: 3320)
  - cmd.exe (PID: 3020)
- Starts CMD.EXE for commands execution
  - mshta.exe (PID: 3368)
  - cmd.exe (PID: 792)
- Reads Internet Cache Settings
  - mshta.exe (PID: 3368)
- Starts SC.EXE for service management
  - cmd.exe (PID: 3500)
- Uses RUNDLL32.EXE to load library
  - mshta.exe (PID: 3368)
  - DrvInst.exe (PID: 1932)
- Starts application with an unusual extension
  - cmd.exe (PID: 3020)
  - cmd.exe (PID: 792)
- Searches for installed software
  - DllHost.exe (PID: 3792)
- Creates files in the driver directory
  - DrvInst.exe (PID: 1932)
  - instup.exe (PID: 3500)
  - AvEmUpdate.exe (PID: 2260)
- Removes files from Windows directory
  - DrvInst.exe (PID: 1932)
  - instup.exe (PID: 3528)
  - instup.exe (PID: 3500)
  - AvEmUpdate.exe (PID: 2260)
- Uses TASKLIST.EXE to query information about running processes
  - cmd.exe (PID: 792)
- Creates files in the Windows directory
  - DrvInst.exe (PID: 1868)
  - AvastAntivirusWorldwideA.exe (PID: 2572)
  - DrvInst.exe (PID: 1932)
  - avast_free_antivirus_setup_online.exe (PID: 3804)
  - instup.exe (PID: 3528)
  - AvEmUpdate.exe (PID: 2260)
  - instup.exe (PID: 3500)
- Low-level read access rights to disk partition
  - AvastAntivirusWorldwideA.exe (PID: 2572)
  - instup.exe (PID: 3528)
  - avast_free_antivirus_setup_online.exe (PID: 3804)
  - instup.exe (PID: 3500)
  - AvEmUpdate.exe (PID: 2260)
- Application launched itself
  - cmd.exe (PID: 792)
- Creates files in the program directory
  - avast_free_antivirus_setup_online.exe (PID: 3804)
  - instup.exe (PID: 3528)
  - engsup.exe (PID: 2216)
  - AvEmUpdate.exe (PID: 2260)
  - instup.exe (PID: 3500)
- Starts itself from another location
  - instup.exe (PID: 3528)
- Creates or modifies windows services
  - instup.exe (PID: 3500)
- Creates COM task schedule object
  - instup.exe (PID: 3500)
- Modifies the open verb of a shell class
  - instup.exe (PID: 3500)
- Creates a software uninstall entry
  - instup.exe (PID: 3500)
INFO
- Application launched itself
  - iexplore.exe (PID: 2988)
- Creates files in the user directory
  - iexplore.exe (PID: 3284)
  - iexplore.exe (PID: 2988)
- Changes internet zones settings
  - iexplore.exe (PID: 2988)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 3284)
- Reads internet explorer settings
  - mshta.exe (PID: 3368)
- Reads settings of System Certificates
  - mshta.exe (PID: 3368)
- Low-level read access rights to disk partition
  - vssvc.exe (PID: 2164)
- Dropped object may contain Bitcoin addresses
  - instup.exe (PID: 3500)
  - AvEmUpdate.exe (PID: 2260)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

136

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2988	"C:\Program Files\Internet Explorer\iexplore.exe" -nohome	C:\Program Files\Internet Explorer\iexplore.exe		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3284	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2988 CREDAT:71937	C:\Program Files\Internet Explorer\iexplore.exe		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255)
2668	"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\DriverPack-17-Online_41382478.1550477446[1].exe"	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\DriverPack-17-Online_41382478.1550477446[1].exe	—	iexplore.exe
User: admin Company: DriverPack Solution Integrity Level: MEDIUM Description: DriverPack Exit code: 3221226540 Version: 17.10.0
3692	"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\DriverPack-17-Online_41382478.1550477446[1].exe"	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\DriverPack-17-Online_41382478.1550477446[1].exe		iexplore.exe
User: admin Company: DriverPack Solution Integrity Level: HIGH Description: DriverPack Version: 17.10.0
2516	"C:\Windows\System32\reg.exe" import "C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\Tools\patch.reg"	C:\Windows\System32\reg.exe	—	DriverPack-17-Online_41382478.1550477446[1].exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255)
3368	"C:\Windows\System32\mshta.exe" "C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\run.hta" --sfx "DriverPack-17-Online_41382478.1550477446[1].exe"	C:\Windows\System32\mshta.exe		DriverPack-17-Online_41382478.1550477446[1].exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft (R) HTML Application host Version: 8.00.7600.16385 (win7_rtm.090713-1255)
1204	"C:\Windows\System32\wscript.exe" //B prepare.js localdiagnostics	C:\Windows\System32\wscript.exe	—	mshta.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385
2460	"C:\Windows\System32\wscript.exe" //B prepare.js drivers	C:\Windows\System32\wscript.exe	—	mshta.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385
3056	"C:\Windows\System32\wscript.exe" //B prepare.js newsoft	C:\Windows\System32\wscript.exe	—	mshta.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385
3604	"C:\Windows\System32\wscript.exe" //B prepare.js hardware	C:\Windows\System32\wscript.exe	—	mshta.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385

Add for printing

Total events

7 226

Read events

2 554

Write events

4 654

Delete events

Modification events


(PID) Process:	(2988) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:	write	Name:	CompatibilityFlags
Value: 0
(PID) Process:	(2988) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(2988) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(2988) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:	write	Name:	SecuritySafe
Value: 1
(PID) Process:	(2988) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(2988) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:	(2988) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:	write	Name:	{1AC91681-3431-11E9-AA93-5254004A04AF}
Value: 0
(PID) Process:	(2988) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:	write	Name:	Type
Value: 4
(PID) Process:	(2988) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:	write	Name:	Count
Value: 3
(PID) Process:	(2988) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:	write	Name:	Time
Value: E3070200020013000A001C002100BE00

Add for printing

Executable files

265

Suspicious files

Text files

666

Unknown types

262

Dropped files

PID	Process	Filename		Type
2988	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico		—
		MD5:—	SHA256:—
2988	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		—
		MD5:—	SHA256:—
2988	iexplore.exe	C:\Users\admin\AppData\Local\Temp\~DF6460F6A60FC1C89F.TMP		—
		MD5:—	SHA256:—
3284	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019021920190220\index.dat		dat
		MD5:737B9B75562C4DDE1E2B4134F13E1D65	SHA256:981A6C58D89AFDAFA21DE8CF19F9E248D5ED0F055D98530EC6756A6C862F66ED
2988	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\DriverPack-17-Online_41382478.1550477446[1].exe		executable
		MD5:322FB8FEFBA52747081B718DD9CE97CD	SHA256:D0C972191CC20E3B9747138318C74E8BCDE21DCF226590B95AD8566E3FCB6373
2988	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019021920190220\index.dat		dat
		MD5:F5FDA9F71D027F40036A3601EB7944AF	SHA256:3A50169A73A923DFBF4D95906FDADB21E58B86E8A24635FABF164241DF4A097B
3284	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\DriverPack-17-Online_41382478.1550477446[1].exe		executable
		MD5:322FB8FEFBA52747081B718DD9CE97CD	SHA256:D0C972191CC20E3B9747138318C74E8BCDE21DCF226590B95AD8566E3FCB6373
2988	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{1AC91682-3431-11E9-AA93-5254004A04AF}.dat		binary
		MD5:0D5BD7DBA6FFF419B880170E20A81B0C	SHA256:A3BCA98B191B63B35AF673B2BC9740C3C50B189CD1F6480818A6CF75E4F96FF9
2988	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\DriverPack-17-Online_41382478.1550477446[1].exe:Zone.Identifier		text
		MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B	SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
3692	DriverPack-17-Online_41382478.1550477446[1].exe	C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\img\programs\start_arrow.png		image
		MD5:E1A705761DA081FD6D6C8DAD4D991DA9	SHA256:30E7A27E1389697263579B7C2A0AE2CE026EEBFD91BC69F764D38CC0FBA37135

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

325

TCP/UDP connections

205

DNS requests

102

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3284	iexplore.exe	GET	—	87.117.239.150:80	http://download.drp.su/17-online/DriverPack-17-Online_41382478.1550477446.exe	GB	—	—	whitelisted
3368	mshta.exe	GET	200	82.145.55.124:80	http://update.drp.su/beetle/17.10.0/css/style.css	GB	text	3.97 Kb	malicious
3368	mshta.exe	GET	200	82.145.55.124:80	http://update.drp.su/v2/	GB	text	58.6 Kb	malicious
3368	mshta.exe	GET	200	82.145.55.124:80	http://update.drp.su/beetle/17.10.0/css/icons-checkbox.css	GB	text	193 b	malicious
3368	mshta.exe	GET	200	82.145.55.124:80	http://update.drp.su/beetle/17.10.0/css/icons.css	GB	text	217 b	malicious
3368	mshta.exe	GET	200	82.145.55.124:80	http://update.drp.su/beetle/17.10.0/drp.css	GB	text	25.8 Kb	malicious
3368	mshta.exe	GET	200	82.145.55.124:80	http://update.drp.su/beetle/17.10.0/css/lte-ie9.css	GB	text	2.40 Kb	malicious
3368	mshta.exe	GET	200	82.145.55.124:80	http://update.drp.su/beetle/17.10.0/drp.js	GB	binary	536 Kb	malicious
3368	mshta.exe	GET	200	82.145.55.124:80	http://update.drp.su/beetle/17.10.0/config.js	GB	text	1005 b	malicious
3368	mshta.exe	GET	200	82.145.55.124:80	http://update.drp.su/beetle/17.10.0/DriverPackSolution.html	GB	html	1.65 Kb	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3368	mshta.exe	82.145.55.124:80	update.drp.su	iomart Cloud Services Limited.	GB	unknown
3368	mshta.exe	172.217.23.174:80	www.google-analytics.com	Google Inc.	US	whitelisted
2988	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
3368	mshta.exe	77.88.21.119:443	mc.yandex.ru	YANDEX LLC	RU	whitelisted
2456	wscript.exe	87.117.239.150:80	download.drp.su	iomart Cloud Services Limited.	GB	malicious
3368	mshta.exe	178.162.204.5:80	auth.drp.su	Leaseweb Deutschland GmbH	DE	suspicious
3368	mshta.exe	104.24.123.67:80	allfont.ru	Cloudflare Inc	US	shared
3284	iexplore.exe	87.117.239.150:80	download.drp.su	iomart Cloud Services Limited.	GB	malicious
3368	mshta.exe	87.117.239.150:80	download.drp.su	iomart Cloud Services Limited.	GB	malicious
2456	wscript.exe	81.94.192.167:80	download.drp.su	iomart Cloud Services Limited.	GB	malicious

DNS requests

Domain	IP	Reputation
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
download.drp.su	87.117.239.150 81.94.192.167 87.117.239.151 88.150.137.207 81.94.205.66 87.117.231.157 87.117.239.148 95.154.237.19	whitelisted
update.drp.su	82.145.55.124 87.117.235.116	malicious
allfont.ru	104.24.123.67 104.24.122.67	whitelisted
auth.drp.su	178.162.204.5	suspicious
mc.yandex.ru	77.88.21.119 87.250.251.119 87.250.250.119 93.158.134.119	whitelisted
www.google-analytics.com	172.217.23.174	whitelisted
www.msftncsi.com	2.16.186.26 2.16.186.17	whitelisted
bt2.driverpacks.net	178.162.204.29	suspicious
v7event.stats.avast.com	77.234.45.53 5.62.40.204 5.62.40.203	whitelisted

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET DNS Query for .su TLD (Soviet Union) Often Malware Related
3284	iexplore.exe	A Network Trojan was detected	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
3284	iexplore.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
—	—	Potentially Bad Traffic	ET DNS Query for .su TLD (Soviet Union) Often Malware Related
3368	mshta.exe	A Network Trojan was detected	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
3368	mshta.exe	A Network Trojan was detected	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
3368	mshta.exe	A Network Trojan was detected	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
3368	mshta.exe	A Network Trojan was detected	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
3368	mshta.exe	A Network Trojan was detected	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
3368	mshta.exe	A Network Trojan was detected	ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related

2 ETPRO signatures available at the full report

Add for printing

Process	Message
csc.exe	* HR originated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe	* HR originated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe	* HR originated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe	* HR originated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe	* HR originated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe	* HR originated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe	* HR propagated: -2147024774 * Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144

General Info

http://download.drp.su/17-online/DriverPack-17-Online_41382478.1550477446.exe

C04A77DD2747130921AD153A4E8E6283

FCEFECA4383ADF489C732E3A1A189DE6EFDF42FD

4382F634F704C26645E18AC793402D0F5C205EC9FFC50F75B4C52B2E194E8605

3:N1KaKElHPSIWQbURSs0iBAC:Ca5vSH6uN

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Executes PowerShell scripts

Downloads executable files from the Internet

Changes internet zones settings

Loads dropped or rewritten executable

Changes the autorun value in the registry

Loads the Task Scheduler COM API

SUSPICIOUS

Executable content was dropped or overwritten

Uses REG.EXE to modify Windows registry

Starts MSHTA.EXE for opening HTA or HTMLS files

Executes scripts

Creates files in the user directory

Uses NETSH.EXE for network configuration

Starts CMD.EXE for commands execution

Reads Internet Cache Settings

Starts SC.EXE for service management

Uses RUNDLL32.EXE to load library

Starts application with an unusual extension

Searches for installed software

Creates files in the driver directory

Removes files from Windows directory

Uses TASKLIST.EXE to query information about running processes

Creates files in the Windows directory

Low-level read access rights to disk partition

Application launched itself

Creates files in the program directory

Starts itself from another location

Creates or modifies windows services

Creates COM task schedule object

Modifies the open verb of a shell class

Creates a software uninstall entry

INFO

Application launched itself

Creates files in the user directory

Changes internet zones settings

Reads Internet Cache Settings

Reads internet explorer settings

Reads settings of System Certificates

Low-level read access rights to disk partition

Dropped object may contain Bitcoin addresses

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings