File name: loas-crystal-h-208912983.zip

Full analysis: https://app.any.run/tasks/2b84b6fb-0448-43db-b023-35c232d801f2
Verdict: Malicious activity
Analysis date: November 30, 2020, 06:10:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
adware
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 400DAAEB60473307ACA47D65A7515D91
SHA1: B566AE9062D659C1A29A656D04C857F0E04123EB
SHA256: 57B0E949DA44E7A74753E66A1A65A51C9FA061BE919C4CDFA9499A8A8EEA4A3B
SSDEEP: 393216:ZSREC0bltFJP7pLNmkNu+5ujrg1pWRaUWEJYrSJq6ict:Yv0xtFxzu+5K29UtOqq6X

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • loas-crystal-h-208912983.exe (PID: 2980)
      • loas-crystal-h-208912983.exe (PID: 2704)
      • wmfdist.exe (PID: 184)
      • VirtualDVW.exe (PID: 2892)
      • CaretVisible.exe (PID: 4012)
      • CaretVisible.exe (PID: 2736)
      • inst.exe (PID: 2556)
      • PcSetup.exe (PID: 4008)
      • loas-crystal-h-208912983.exe (PID: 4040)
      • loas-crystal-h-208912983.exe (PID: 2784)
      • Inspector.exe (PID: 2444)
      • loas-crystal-h-208912983.exe (PID: 2304)
      • loas-crystal-h-208912983.exe (PID: 3568)
      • wmfdist.exe (PID: 2124)
      • VirtualDVW.exe (PID: 3536)
    • Drops executable file immediately after starts

      • loas-crystal-h-208912983.exe (PID: 2980)
      • loas-crystal-h-208912983.exe (PID: 2704)
      • loas-crystal-h-208912983.tmp (PID: 3024)
      • CaretVisible.exe (PID: 4012)
      • CaretVisible.exe (PID: 2736)
      • DrvInst.exe (PID: 292)
      • loas-crystal-h-208912983.exe (PID: 2784)
      • loas-crystal-h-208912983.exe (PID: 4040)
      • loas-crystal-h-208912983.tmp (PID: 988)
      • loas-crystal-h-208912983.exe (PID: 2304)
      • loas-crystal-h-208912983.tmp (PID: 1828)
      • loas-crystal-h-208912983.exe (PID: 3568)
    • Loads dropped or rewritten executable

      • VirtualDVW.exe (PID: 2892)
      • WerFault.exe (PID: 2088)
      • VirtualDVW.exe (PID: 3536)
    • Changes settings of System certificates

      • inst.exe (PID: 2556)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2696)
      • loas-crystal-h-208912983.exe (PID: 2980)
      • loas-crystal-h-208912983.exe (PID: 2704)
      • loas-crystal-h-208912983.tmp (PID: 3024)
      • CaretVisible.exe (PID: 4012)
      • CaretVisible.exe (PID: 2736)
      • CaretVisible.tmp (PID: 3384)
      • PcSetup.exe (PID: 4008)
      • DrvInst.exe (PID: 292)
      • inst.exe (PID: 2556)
      • loas-crystal-h-208912983.exe (PID: 4040)
      • loas-crystal-h-208912983.exe (PID: 2784)
      • loas-crystal-h-208912983.tmp (PID: 988)
      • DrvInst.exe (PID: 3244)
      • loas-crystal-h-208912983.exe (PID: 2304)
      • loas-crystal-h-208912983.tmp (PID: 1828)
      • loas-crystal-h-208912983.exe (PID: 3568)
    • Drops a file with too old compile date

      • WinRAR.exe (PID: 2696)
      • loas-crystal-h-208912983.exe (PID: 2980)
      • loas-crystal-h-208912983.exe (PID: 2704)
      • loas-crystal-h-208912983.tmp (PID: 3024)
      • CaretVisible.tmp (PID: 3384)
      • PcSetup.exe (PID: 4008)
      • inst.exe (PID: 2556)
      • DrvInst.exe (PID: 292)
      • loas-crystal-h-208912983.exe (PID: 2784)
      • loas-crystal-h-208912983.exe (PID: 4040)
      • loas-crystal-h-208912983.tmp (PID: 988)
      • DrvInst.exe (PID: 3244)
      • loas-crystal-h-208912983.exe (PID: 2304)
      • loas-crystal-h-208912983.tmp (PID: 1828)
      • loas-crystal-h-208912983.exe (PID: 3568)
    • Drops a file with a compile date too recent

      • loas-crystal-h-208912983.tmp (PID: 3024)
      • inst.exe (PID: 2556)
      • loas-crystal-h-208912983.tmp (PID: 988)
      • DrvInst.exe (PID: 292)
      • DrvInst.exe (PID: 3244)
      • loas-crystal-h-208912983.tmp (PID: 1828)
    • Drops a file that was compiled in debug mode

      • loas-crystal-h-208912983.tmp (PID: 3024)
      • CaretVisible.tmp (PID: 3384)
      • PcSetup.exe (PID: 4008)
      • inst.exe (PID: 2556)
      • DrvInst.exe (PID: 292)
      • loas-crystal-h-208912983.tmp (PID: 988)
      • DrvInst.exe (PID: 3244)
      • loas-crystal-h-208912983.tmp (PID: 1828)
    • Creates a directory in Program Files

      • loas-crystal-h-208912983.tmp (PID: 3024)
      • CaretVisible.tmp (PID: 3384)
    • Reads the Windows organization settings

      • CaretVisible.tmp (PID: 3384)
    • Reads Windows owner or organization settings

      • CaretVisible.tmp (PID: 3384)
    • Creates files in the user directory

      • CaretVisible.tmp (PID: 3384)
      • PcSetup.exe (PID: 4008)
      • Inspector.exe (PID: 2444)
      • inst.exe (PID: 2556)
    • Adds / modifies Windows certificates

      • inst.exe (PID: 2556)
    • Creates files in the Windows directory

      • DrvInst.exe (PID: 292)
      • DrvInst.exe (PID: 3244)
    • Executed via COM

      • DrvInst.exe (PID: 292)
      • DrvInst.exe (PID: 3244)
    • Removes files from Windows directory

      • DrvInst.exe (PID: 292)
      • DrvInst.exe (PID: 3244)
    • Creates files in the driver directory

      • DrvInst.exe (PID: 292)
      • DrvInst.exe (PID: 3244)
    • Uses RUNDLL32.EXE to load library

      • DrvInst.exe (PID: 292)
    • Executed as Windows Service

      • vssvc.exe (PID: 3616)
    • Reads Environment values

      • Inspector.exe (PID: 2444)
    • Creates files in the program directory

      • WerFault.exe (PID: 2088)
  • INFO

    • Manual execution by user

      • loas-crystal-h-208912983.exe (PID: 2980)
      • CaretVisible.exe (PID: 4012)
      • loas-crystal-h-208912983.exe (PID: 2784)
      • loas-crystal-h-208912983.exe (PID: 2304)
    • Application was dropped or rewritten from another process

      • loas-crystal-h-208912983.tmp (PID: 3024)
      • loas-crystal-h-208912983.tmp (PID: 780)
      • CaretVisible.tmp (PID: 1848)
      • CaretVisible.tmp (PID: 3384)
      • loas-crystal-h-208912983.tmp (PID: 3976)
      • loas-crystal-h-208912983.tmp (PID: 988)
      • loas-crystal-h-208912983.tmp (PID: 3776)
      • loas-crystal-h-208912983.tmp (PID: 1828)
    • Creates files in the program directory

      • loas-crystal-h-208912983.tmp (PID: 3024)
      • CaretVisible.tmp (PID: 3384)
      • loas-crystal-h-208912983.tmp (PID: 988)
      • loas-crystal-h-208912983.tmp (PID: 1828)
    • Creates a software uninstall entry

      • loas-crystal-h-208912983.tmp (PID: 3024)
      • CaretVisible.tmp (PID: 3384)
      • loas-crystal-h-208912983.tmp (PID: 1828)
    • Loads dropped or rewritten executable

      • loas-crystal-h-208912983.tmp (PID: 3024)
      • CaretVisible.tmp (PID: 3384)
      • loas-crystal-h-208912983.tmp (PID: 988)
      • loas-crystal-h-208912983.tmp (PID: 1828)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3616)
    • Searches for installed software

      • DrvInst.exe (PID: 292)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:10:21 21:24:14
ZipCRC: 0x09f882c6
ZipCompressedSize: 2916667
ZipUncompressedSize: 3000008
ZipFileName: CaretVisible.exe
No data.
Total processes: 79
Monitored processes: 29
Malicious processes: 20
Suspicious processes: 0

Behavior graph

(Interactive process graph not reproduced. The chain shown runs from winrar.exe through the loas-crystal-h-208912983.exe / loas-crystal-h-208912983.tmp installer stages to wmfdist.exe, virtualdvw.exe, caretvisible.exe / caretvisible.tmp, pcsetup.exe, inst.exe, drvinst.exe, rundll32.exe, vssvc.exe, werfault.exe and inspector.exe; the "start" and "drop and start" edge labels mark which processes were launched directly and which were dropped first.)

Process information

(Columns in the original table: PID, CMD, Path, Indicators, Parent process. Indicator icons are not reproduced.)

PID: 2696
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\loas-crystal-h-208912983.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2980
CMD: "C:\Users\admin\Desktop\loas-crystal-h-208912983.exe"
Path: C:\Users\admin\Desktop\loas-crystal-h-208912983.exe
Parent process: explorer.exe
User: admin
Company: pasoft
Integrity Level: MEDIUM
Description: http://www.yburn.com
Exit code: 0
Version: 1.1.0.0

PID: 780
CMD: "C:\Users\admin\AppData\Local\Temp\is-23TSU.tmp\loas-crystal-h-208912983.tmp" /SL5="$2015A,11846826,50688,C:\Users\admin\Desktop\loas-crystal-h-208912983.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-23TSU.tmp\loas-crystal-h-208912983.tmp
Parent process: loas-crystal-h-208912983.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0

PID: 2704
CMD: "C:\Users\admin\Desktop\loas-crystal-h-208912983.exe" /SPAWNWND=$30156 /NOTIFYWND=$2015A
Path: C:\Users\admin\Desktop\loas-crystal-h-208912983.exe
Parent process: loas-crystal-h-208912983.tmp
User: admin
Company: pasoft
Integrity Level: HIGH
Description: http://www.yburn.com
Exit code: 0
Version: 1.1.0.0

PID: 3024
CMD: "C:\Users\admin\AppData\Local\Temp\is-CH7NN.tmp\loas-crystal-h-208912983.tmp" /SL5="$40128,11846826,50688,C:\Users\admin\Desktop\loas-crystal-h-208912983.exe" /SPAWNWND=$30156 /NOTIFYWND=$2015A
Path: C:\Users\admin\AppData\Local\Temp\is-CH7NN.tmp\loas-crystal-h-208912983.tmp
Parent process: loas-crystal-h-208912983.exe
User: admin
Integrity Level: HIGH
Description: Setup/Uninstall
Exit code: 0
Version: 51.52.0.0

PID: 184
CMD: "C:\Program Files\IrtualDVW\wmfdist.exe" /Q:A /R:N
Path: C:\Program Files\IrtualDVW\wmfdist.exe
Parent process: loas-crystal-h-208912983.tmp
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Media Component Setup Application
Exit code: 0
Version: 9.00.00.2926

PID: 2892
CMD: "C:\Program Files\IrtualDVW\VirtualDVW.exe" loas-crystal-h-208912983.exe
Path: C:\Program Files\IrtualDVW\VirtualDVW.exe
Parent process: loas-crystal-h-208912983.tmp
User: admin
Company: Ower Software Ltd
Integrity Level: HIGH
Description: AnyBurn
Exit code: 3221225477
Version: 8, 1, 0, 3

PID: 4012
CMD: "C:\Users\admin\Desktop\CaretVisible.exe"
Path: C:\Users\admin\Desktop\CaretVisible.exe
Parent process: explorer.exe
User: admin
Company: VSO-Software SARL
Integrity Level: MEDIUM
Description: VSO Inspector Setup
Exit code: 0
Version:

PID: 1848
CMD: "C:\Users\admin\AppData\Local\Temp\is-LUBC9.tmp\CaretVisible.tmp" /SL5="$70138,2571070,140800,C:\Users\admin\Desktop\CaretVisible.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-LUBC9.tmp\CaretVisible.tmp
Parent process: CaretVisible.exe
User: admin
Integrity Level: MEDIUM
Description: Setup/Uninstall
Exit code: 0
Version: 51.1052.0.0

PID: 2736
CMD: "C:\Users\admin\Desktop\CaretVisible.exe" /SPAWNWND=$1018E /NOTIFYWND=$70138
Path: C:\Users\admin\Desktop\CaretVisible.exe
Parent process: CaretVisible.tmp
User: admin
Company: VSO-Software SARL
Integrity Level: HIGH
Description: VSO Inspector Setup
Exit code: 0
Version:
Total events: 1 876
Read events: 1 528
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 53
Suspicious files: 15
Text files: 221
Unknown types: 20

Dropped files

(Columns in the original table: PID, Process, Filename, Type, MD5, SHA256. Type and hash values are not included in this summary; all listed files were dropped by loas-crystal-h-208912983.tmp, PID 3024.)

  • C:\Program Files\IrtualDVW\is-K8QOU.tmp
  • C:\Program Files\IrtualDVW\is-TL0I2.tmp
  • C:\Program Files\IrtualDVW\is-MQSE2.tmp
  • C:\Program Files\IrtualDVW\is-9BAH7.tmp
  • C:\Program Files\IrtualDVW\is-QS6LA.tmp
  • C:\Program Files\IrtualDVW\is-967F1.tmp
  • C:\Program Files\IrtualDVW\is-FHO9Q.tmp
  • C:\Program Files\IrtualDVW\is-KCKIU.tmp
  • C:\Program Files\IrtualDVW\is-54IGR.tmp
  • C:\Program Files\IrtualDVW\LibSSL\is-OC2NM.tmp
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 1
Threats: 0

HTTP requests

(Columns in the original table: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation. HTTP Code, Type and Size are not included in this summary.)

  • PID 3536, VirtualDVW.exe: POST to http://opengolad.com/v2/events (104.27.183.150:80, CN: US), reputation: malicious
  • PID 2892, VirtualDVW.exe: POST to http://opengolad.com/v2/events (104.27.183.150:80, CN: US), reputation: malicious

Connections

(Columns in the original table: PID, Process, IP, Domain, ASN, CN, Reputation.)

  • PID 2892, VirtualDVW.exe: 104.27.183.150:80, opengolad.com, ASN: Cloudflare Inc, CN: US, reputation: malicious
  • PID 3536, VirtualDVW.exe: 104.27.183.150:80, opengolad.com, ASN: Cloudflare Inc, CN: US, reputation: malicious

DNS requests

(Columns in the original table: Domain, IP, Reputation.)

  • opengolad.com resolved to 104.27.183.150, 104.27.182.150 and 172.67.188.36; reputation: unknown

Threats

(Columns in the original table: PID, Process, Class, Message.)

  • PID 2892, VirtualDVW.exe, A Network Trojan was detected: ET MALWARE DownloadAssistant Activity
  • PID 2892, VirtualDVW.exe, Misc activity: ADWARE [PTsecurity] Possible DownloadAssistant
  • PID 2892, VirtualDVW.exe, Misc activity: ADWARE [PTsecurity] DownloadAssistant
  • PID 3536, VirtualDVW.exe, A Network Trojan was detected: ET MALWARE DownloadAssistant Activity
  • PID 3536, VirtualDVW.exe, Misc activity: ADWARE [PTsecurity] Possible DownloadAssistant
  • PID 3536, VirtualDVW.exe, Misc activity: ADWARE [PTsecurity] DownloadAssistant
No debug info