| File name: | PANDAFREEAV.exe.7z |
| Full analysis: | https://app.any.run/tasks/2a52a337-4164-474a-ae42-ad898cb3b923 |
| Verdict: | Malicious activity |
| Analysis date: | January 14, 2022, 20:59:45 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-7z-compressed |
| File info: | 7-zip archive data, version 0.4 |
| MD5: | EE2D971CECF7C7C5B94B1DB04F324007 |
| SHA1: | 7BA348194261A903938E15265B0F73C579123E0D |
| SHA256: | 4CFBFC663343D9B814D3F34142D9732B70508FDF82C1AE15D927A13840EF0AD1 |
| SSDEEP: | 49152:bsNAb4fijC72sqTRBFrshjHk1gb/sCTB4ouI/YEeifx6Ekm1:qfi2SFTRBFIhOC14e/6tEt |
MALICIOUS
Application was dropped or rewritten from another process
- PANDAFREEAV.exe (PID: 460)
- PANDAFREEAV.exe (PID: 1324)
- Stub.exe (PID: 3652)
- {E6381693-C0F2-419C-80D1-DE353CB06F20}.exe (PID: 3076)
- Setup.exe (PID: 2368)
- SetupUtility.exe (PID: 832)
- SetupUtility.exe (PID: 2324)
Loads dropped or rewritten executable
- Stub.exe (PID: 3652)
- Setup.exe (PID: 2368)
Drops executable file immediately after starts
- PANDAFREEAV.exe (PID: 460)
- {E6381693-C0F2-419C-80D1-DE353CB06F20}.exe (PID: 3076)
Actions looks like stealing of personal data
- {E6381693-C0F2-419C-80D1-DE353CB06F20}.exe (PID: 3076)
Changes settings of System certificates
- Setup.exe (PID: 2368)
SUSPICIOUS
Checks supported languages
- PANDAFREEAV.exe (PID: 460)
- WinRAR.exe (PID: 2732)
- Stub.exe (PID: 3652)
- {E6381693-C0F2-419C-80D1-DE353CB06F20}.exe (PID: 3076)
- Setup.exe (PID: 2368)
- SetupUtility.exe (PID: 832)
- SetupUtility.exe (PID: 2324)
- TMP766B.tmp.exe (PID: 2684)
Reads the computer name
- WinRAR.exe (PID: 2732)
- Stub.exe (PID: 3652)
- {E6381693-C0F2-419C-80D1-DE353CB06F20}.exe (PID: 3076)
- Setup.exe (PID: 2368)
- SetupUtility.exe (PID: 832)
- TMP766B.tmp.exe (PID: 2684)
- SetupUtility.exe (PID: 2324)
Reads Environment values
- PANDAFREEAV.exe (PID: 460)
- Setup.exe (PID: 2368)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 2732)
- PANDAFREEAV.exe (PID: 460)
- Stub.exe (PID: 3652)
- {E6381693-C0F2-419C-80D1-DE353CB06F20}.exe (PID: 3076)
- TMP766B.tmp.exe (PID: 2684)
- Setup.exe (PID: 2368)
Drops a file that was compiled in debug mode
- PANDAFREEAV.exe (PID: 460)
- Stub.exe (PID: 3652)
- {E6381693-C0F2-419C-80D1-DE353CB06F20}.exe (PID: 3076)
Creates files in the program directory
- Stub.exe (PID: 3652)
Reads CPU info
- Setup.exe (PID: 2368)
INFO
Reads settings of System Certificates
- Stub.exe (PID: 3652)
- Setup.exe (PID: 2368)
Manual execution by user
- PANDAFREEAV.exe (PID: 1324)
- PANDAFREEAV.exe (PID: 460)
Checks Windows Trust Settings
- Stub.exe (PID: 3652)
- Setup.exe (PID: 2368)
Dropped object may contain Bitcoin addresses
- SetupUtility.exe (PID: 832)
- Setup.exe (PID: 2368)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .7z | | | 7-Zip compressed archive (v0.4) (57.1) |
| .7z | | | 7-Zip compressed archive (gen) (42.8) |
Total processes
50
Monitored processes
9
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2732 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\PANDAFREEAV.exe.7z" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 1324 | "C:\Users\admin\Desktop\PANDAFREEAV.exe" | C:\Users\admin\Desktop\PANDAFREEAV.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Panda Security, S.L. Integrity Level: MEDIUM Description: Panda Security SFX Exit code: 3221226540 Version: 15.14.5.0 Modules
| |||||||||||||||
| 460 | "C:\Users\admin\Desktop\PANDAFREEAV.exe" | C:\Users\admin\Desktop\PANDAFREEAV.exe | Explorer.EXE | ||||||||||||
User: admin Company: Panda Security, S.L. Integrity Level: HIGH Description: Panda Security SFX Version: 15.14.5.0 Modules
| |||||||||||||||
| 3652 | ".\Stub.exe" /c "181176" /u "http://acs.pandasoftware.com/Panda/FREEAV/181176/FREEAV.exe" /a "AFPZP1016" /p "4252" | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\Stub.exe | PANDAFREEAV.exe | ||||||||||||
User: admin Company: Panda Security, S.L. Integrity Level: HIGH Version: 5.0.38.3 Modules
| |||||||||||||||
| 3076 | "C:\Users\admin\AppData\Local\Temp\{E6381693-C0F2-419C-80D1-DE353CB06F20}.exe" | C:\Users\admin\AppData\Local\Temp\{E6381693-C0F2-419C-80D1-DE353CB06F20}.exe | Stub.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Framework 4.6 Setup Version: 4.6.00081.00 Modules
| |||||||||||||||
| 2368 | C:\39adf1b9158926f1f694\\Setup.exe /x86 /x64 /web | C:\39adf1b9158926f1f694\Setup.exe | {E6381693-C0F2-419C-80D1-DE353CB06F20}.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Setup Installer Version: 14.0.0081.0 built by: NETFXREL2 Modules
| |||||||||||||||
| 832 | SetupUtility.exe /aupause | C:\39adf1b9158926f1f694\SetupUtility.exe | — | Setup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Framework 4.5 Setup Exit code: 0 Version: 14.0.0081.0 built by: NETFXREL2 Modules
| |||||||||||||||
| 2324 | SetupUtility.exe /screboot | C:\39adf1b9158926f1f694\SetupUtility.exe | — | Setup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Framework 4.5 Setup Exit code: 0 Version: 14.0.0081.0 built by: NETFXREL2 Modules
| |||||||||||||||
| 2684 | TMP766B.tmp.exe /Q /X:C:\39adf1b9158926f1f694\TMP766B.tmp.exe.tmp | C:\39adf1b9158926f1f694\TMP766B.tmp.exe | Setup.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft .NET Framework 4.6 Setup Exit code: 0 Version: 4.6.00081.00 Modules
| |||||||||||||||
Total events
11 425
Read events
11 360
Write events
65
Delete events
0
Modification events
| (PID) Process: | (2732) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (2732) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (2732) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (2732) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip | |||
| (PID) Process: | (2732) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip | |||
| (PID) Process: | (2732) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\PANDAFREEAV.exe.7z | |||
| (PID) Process: | (2732) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (2732) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (2732) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (2732) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
Executable files
41
Suspicious files
8
Text files
114
Unknown types
8
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\recorte_cloud.png | image | |
MD5:F037258F333D7967D5CB7672AE0DD4CA | SHA256:226928BD446DBF9542DBDE8D38367194DCCA65C18A552F4F26DAF30520E41822 | |||
| 2732 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2732.15823\PANDAFREEAV.exe | executable | |
MD5:459AD089E2FE8FB886DCD22F641B75EA | SHA256:7B24813FEA6F9B2CFB91A5AEB8F400B397E769D82BF577A9EEFBDD6E794EA4CF | |||
| 460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\atras.png | image | |
MD5:6F14ADB92D1AA42AD923182993281A21 | SHA256:53F1830AE5664ABA50EDB70017519DB778953A269E4178566328A5328F422CEA | |||
| 460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\ico_ven_cancel.png | image | |
MD5:D3D94C8ACB4CE42424526DA2DCF5DF39 | SHA256:4E67660226A201929A6CF6D75CBA7681FA278D30541D412458768FF785EA886B | |||
| 460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\avDetect.dat | gpg | |
MD5:9A17B5AC44705CC4BC3608C6232E1F16 | SHA256:4AD849F737B18084B060828C7CCA48BCF512CC2ADA2A937F5CFBAB79F1B29677 | |||
| 460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\cancel.png | image | |
MD5:DC86C6898184A6335C26F7830A67B6B0 | SHA256:BB138DA55A6362AFC4851C30C23BE279B08B1FFA2B4D3170A715C7571C46E5C1 | |||
| 460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\img_product1.png | image | |
MD5:1714652A08968AAB7E4CCC1801E0050F | SHA256:EF693F45D5CFBE30A3F4F0081DAED414390B412DE0946CD45C14B9B218868390 | |||
| 460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\img_product2.png | image | |
MD5:FD92546FC781EFEF844196C15E45F570 | SHA256:99466F827368EF2FE2783E0112B683FDB29973055BEA1D88B30462918D776993 | |||
| 460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\opera_bul.png | image | |
MD5:6BE345E9B3C61C4ABAFEEAEE15BB6DC6 | SHA256:5E6E8C18F239E740A842A167289C48D5DD8A72CBFB0519C83FA5AF7FBD61FC7D | |||
| 460 | PANDAFREEAV.exe | C:\Users\admin\AppData\Local\Temp\7zSCC1ECA71\res\opera_chi_sim.png | image | |
MD5:C7B6F609A1474B0CB8CF0FAF50A2285E | SHA256:1641E037E4E7C91270E4DC6359CE1D00E8A2B6BB31D143D764E221BDE5D02168 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
21
TCP/UDP connections
15
DNS requests
17
Threats
2
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3652 | Stub.exe | GET | 200 | 2.16.107.106:80 | http://acs.pandasoftware.com/Panda/FREEAV/Promo_pd/FREEAV_INST.txt | unknown | text | 175 b | whitelisted |
3652 | Stub.exe | GET | 200 | 2.16.107.106:80 | http://acs.pandasoftware.com/Panda/FREEAV/Promo_pd/FREEAV_INST.txt | unknown | text | 175 b | whitelisted |
3652 | Stub.exe | GET | 200 | 40.69.210.172:80 | http://eventtrack.pandasecurity.com/track/install/details.html?ProductID=4252&Stub_Event=Start&_ei=FD8174B1-CD36-4718-9BE0-AF16DE8B9B4D&_es=1&_et=Stub&_lt=20220114210010 | IE | — | — | suspicious |
3652 | Stub.exe | GET | 200 | 40.69.210.172:80 | http://eventtrack.pandasecurity.com/track/install/details.html?Installation_Code=1034&Installation_End=ERROR&Stub_Event=End&_ei=DE61434F-0189-4DAB-9CC7-9DBAB4B1F3C3&_es=1&_et=Stub&_lt=20220114210010 | IE | — | — | suspicious |
3652 | Stub.exe | GET | 200 | 40.69.210.172:80 | http://eventtrack.pandasecurity.com/track/install/details.html?Installation_Code=1035&Installation_End=ERROR&Stub_Event=End&_ei=CEC550F8-8E3D-4207-A21F-DB2F6AC746DB&_es=1&_et=Stub&_lt=20220114210010 | IE | — | — | suspicious |
3652 | Stub.exe | GET | 301 | 104.111.243.23:80 | http://www.pandasecurity.com/Vg5sw34C5j | NL | text | 105 b | unknown |
3652 | Stub.exe | GET | 302 | 92.122.255.148:80 | http://download.microsoft.com/download/1/4/A/14A6C422-0D3C-4811-A31F-5EF91A83C368/NDP46-KB3045560-Web.exe | unknown | — | — | whitelisted |
3652 | Stub.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.68 Kb | shared |
3652 | Stub.exe | GET | 200 | 41.63.96.0:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?b77572da0326f97c | ZA | compressed | 4.70 Kb | whitelisted |
2368 | Setup.exe | GET | 200 | 92.123.194.163:80 | http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | unknown | der | 519 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3652 | Stub.exe | 104.111.243.23:80 | www.pandasecurity.com | Akamai International B.V. | NL | unknown |
3652 | Stub.exe | 92.122.255.148:443 | download.microsoft.com | GTT Communications Inc. | — | malicious |
3652 | Stub.exe | 40.69.210.172:80 | eventtrack.pandasecurity.com | Microsoft Corporation | IE | suspicious |
3652 | Stub.exe | 92.122.255.148:80 | download.microsoft.com | GTT Communications Inc. | — | malicious |
3652 | Stub.exe | 2.16.107.106:80 | acs.pandasoftware.com | Akamai International B.V. | — | suspicious |
3652 | Stub.exe | 41.63.96.0:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | ZA | suspicious |
— | — | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
860 | svchost.exe | 104.89.38.104:80 | go.microsoft.com | Akamai Technologies, Inc. | NL | malicious |
860 | svchost.exe | 104.102.28.147:443 | download.microsoft.com | Akamai Technologies, Inc. | US | suspicious |
3652 | Stub.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
acs.pandasoftware.com |
| whitelisted |
eventtrack.pandasecurity.com |
| unknown |
www.pandasecurity.com |
| unknown |
download.microsoft.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| shared |
crl3.digicert.com |
| shared |
crl.microsoft.com |
| whitelisted |
go.microsoft.com |
| whitelisted |
download.visualstudio.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3652 | Stub.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
3652 | Stub.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |