URL: | http://getapp.deepteep.com/up/dl/1513072204351284/pupdate.exe?e=BFEBFBFF000506E3%20%20%20%20%20%20%20%20%20%20%20%20W772NMLN1866DA021942&a=1513072204351284&bn=deepteep&s=MEME_VIDEO_LTD_SIGNATURE |
Full analysis: | https://app.any.run/tasks/8ef60a50-c4bb-4ec0-a2b4-b7a13521aa1a |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | January 17, 2020, 17:39:25 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | A0B0338160C41D7BC27A699A8923C9D7 |
SHA1: | EA67F59E954E7CD3D7710EEF1334E46F8F7B7C29 |
SHA256: | 45AB9949149F24F7ABAD65F20EB233487F9A989C927ACE847A4BD01EE941D97B |
SSDEEP: | 3:N1KZARjwRqGZEUBSkFRXUDKVAyRRAKuxcViXPmUcx34XFRXUDDlA2LAL2tQ:C+SRlZEaSkNR22iGIXklAVCa |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2240 | "C:\Program Files\Mozilla Firefox\firefox.exe" "http://getapp.deepteep.com/up/dl/1513072204351284/pupdate.exe?e=BFEBFBFF000506E3%20%20%20%20%20%20%20%20%20%20%20%20W772NMLN1866DA021942&a=1513072204351284&bn=deepteep&s=MEME_VIDEO_LTD_SIGNATURE" | C:\Program Files\Mozilla Firefox\firefox.exe | — | explorer.exe |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 68.0.1 | ||||
2428 | "C:\Program Files\Mozilla Firefox\firefox.exe" http://getapp.deepteep.com/up/dl/1513072204351284/pupdate.exe?e=BFEBFBFF000506E3%20%20%20%20%20%20%20%20%20%20%20%20W772NMLN1866DA021942&a=1513072204351284&bn=deepteep&s=MEME_VIDEO_LTD_SIGNATURE | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 68.0.1 | ||||
1188 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.0.1348532725\1417389431" -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 1184 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 68.0.1 | ||||
2064 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.3.607649938\1905336218" -childID 1 -isForBrowser -prefsHandle 1336 -prefMapHandle 1348 -prefsLen 1 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 1676 tab | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 68.0.1 | ||||
3604 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.13.281601877\606206909" -childID 2 -isForBrowser -prefsHandle 2708 -prefMapHandle 2712 -prefsLen 5996 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 2724 tab | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 68.0.1 | ||||
1216 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2428.20.422665339\869913683" -childID 3 -isForBrowser -prefsHandle 4068 -prefMapHandle 4072 -prefsLen 7195 -prefMapSize 191824 -parentBuildID 20190717172542 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2428 "\\.\pipe\gecko-crash-server-pipe.2428" 4084 tab | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 68.0.1 | ||||
1776 | "C:\Users\admin\Downloads\pupdate.exe" | C:\Users\admin\Downloads\pupdate.exe | | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Win32 Cabinet Self-Extractor Exit code: 0 Version: 11.00.17763.1 (WinBuild.160101.0800) | ||||
2676 | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\ZUpdater.exe | C:\Users\admin\AppData\Local\Temp\IXP000.TMP\ZUpdater.exe | | pupdate.exe |
User: admin Integrity Level: MEDIUM Description: ZUpdater Exit code: 0 Version: 1.0.0.0 | ||||
2528 | "schtasks.exe" /create /SC DAILY /TN ZUpdater /TR "\"C:\Users\admin\AppData\Roaming\ZUpdater\ZUpdater.exe\" do://zupdater | C:\Windows\system32\schtasks.exe | — | ZUpdater.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2240) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Launcher |
Value: 40E97F0D03000000 | |||
(PID) Process: | (2428) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Browser |
Value: 3ABF830D03000000 | |||
(PID) Process: | (2428) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry |
Value: 1 | |||
(PID) Process: | (2428) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (2428) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: | |||
(PID) Process: | (2428) firefox.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2428) firefox.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E |
Operation: | write | Name: | @%SystemRoot%\system32\p2pcollab.dll,-8042 |
Value: Peer to Peer Trust | |||
(PID) Process: | (2428) firefox.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E |
Operation: | write | Name: | @%SystemRoot%\system32\qagentrt.dll,-10 |
Value: System Health Authentication | |||
(PID) Process: | (2428) firefox.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E |
Operation: | write | Name: | @%SystemRoot%\system32\dnsapi.dll,-103 |
Value: Domain Name System (DNS) Server Trust | |||
(PID) Process: | (2428) firefox.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E |
Operation: | write | Name: | @%SystemRoot%\System32\fveui.dll,-843 |
Value: BitLocker Drive Encryption |
PID | Process | Filename | Type | |
---|---|---|---|---|
2428 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | |
MD5:— | SHA256:— | |||
2428 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | — | |
MD5:— | SHA256:— | |||
2428 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | — | |
MD5:— | SHA256:— | |||
2428 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp | — | |
MD5:— | SHA256:— | |||
2428 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary | |
MD5:DE9496ACA551ADE408EF6466A11833A1 | SHA256:8F9C7FDB3E0BC01024E43A8E242468FC4DD4F74C725E32A883571635203DC10A | |||
2428 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-track-digest256.sbstore | binary | |
MD5:4A1220FC03E11726F09E9981834345DB | SHA256:6AE7FC0FDBE217104F4034BF6A580A461106B50309ABCCFF6E309124DCA5EF39 | |||
2428 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js | text | |
MD5:354459382F30B8994109C88659DFA1F3 | SHA256:E3E8E2B7E7EECA231620D83C70FA5A926E8B9CE74C51F595F71191DC0B50527E | |||
2428 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flashsubdoc-digest256.sbstore | binary | |
MD5:04824A1F92353F43EBB9E7F74B7476FD | SHA256:B48E58EBAB82E4C376F16150A3FFF850C1111FF1F5985D68819CFD6F0DB159D2 | |||
2428 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4 | jsonlz4 | |
MD5:6D378E0D40B6EACA22C8BCE899A1C5C1 | SHA256:ADA2467B2477ACEFF837AC7820C435AD1EBBE844B2DA31C7AB9AE8D010C7A639 | |||
2428 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-child-current.bin | binary | |
MD5:5027177F513CDAE07DB2330E1DED5934 | SHA256:0C53F16051E738287A4612F68E296238087627E594CFD6DDFA1FECC2E998328B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2428 | firefox.exe | GET | 200 | 62.76.74.244:80 | http://getapp.deepteep.com/up/dl/1513072204351284/pupdate.exe?e=BFEBFBFF000506E3%20%20%20%20%20%20%20%20%20%20%20%20W772NMLN1866DA021942&a=1513072204351284&bn=deepteep&s=MEME_VIDEO_LTD_SIGNATURE | RU | executable | 331 Kb | malicious |
2428 | firefox.exe | GET | 200 | 2.16.186.112:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted |
2428 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2428 | firefox.exe | POST | 200 | 216.58.210.3:80 | http://ocsp.pki.goog/gts1o1 | US | der | 471 b | whitelisted |
2676 | ZUpdater.exe | POST | 200 | 62.76.74.244:80 | http://inf.bonnapatit.com/api/report? | RU | — | — | malicious |
2428 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2428 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2428 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2428 | firefox.exe | POST | 200 | 216.58.210.3:80 | http://ocsp.pki.goog/gts1o1 | US | der | 471 b | whitelisted |
2428 | firefox.exe | GET | 200 | 2.16.186.112:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2428 | firefox.exe | 2.16.186.112:80 | detectportal.firefox.com | Akamai International B.V. | — | whitelisted |
2428 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2428 | firefox.exe | 35.164.109.147:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2428 | firefox.exe | 62.76.74.244:80 | getapp.deepteep.com | OOO Sirius-Project | RU | malicious |
2428 | firefox.exe | 52.34.188.51:443 | push.services.mozilla.com | Amazon.com, Inc. | US | malicious |
2428 | firefox.exe | 13.35.253.14:443 | snippets.cdn.mozilla.net | — | US | unknown |
2428 | firefox.exe | 216.58.207.74:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
2428 | firefox.exe | 52.33.18.205:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2428 | firefox.exe | 216.58.210.3:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
2428 | firefox.exe | 13.35.253.55:443 | content-signature-2.cdn.mozilla.net | — | US | malicious |
Domain | IP | Reputation |
---|---|---|
getapp.deepteep.com | | malicious |
detectportal.firefox.com | | whitelisted |
a1089.dscd.akamai.net | | whitelisted |
alpha-one.giantlaser.net | | malicious |
search.services.mozilla.com | | whitelisted |
search.r53-2.services.mozilla.com | | whitelisted |
push.services.mozilla.com | | whitelisted |
autopush.prod.mozaws.net | | whitelisted |
snippets.cdn.mozilla.net | | whitelisted |
d228z91au11ukj.cloudfront.net | | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2428 | firefox.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .cloud TLD |
2676 | ZUpdater.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan.Win32.Tasker.fqzeya (zupdater base64 xor key takton) |