analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://oldwww.asc.edu/download/CiscoVPN/Windows/

Full analysis: https://app.any.run/tasks/4cbadd7e-ee4d-40e7-9de7-aabc3d7e3028
Verdict: Malicious activity
Analysis date: November 08, 2019, 14:58:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

2EEBD561B6D46D374B898661ECCB8A06

SHA1:

1F34F6CD64DA0E0E07673BD0EFD662C2DF1E7C49

SHA256:

6098645587D90E5A918AE17497B8742B201CFE7AC3D773912DC9A4D035C83C1B

SSDEEP:

3:N8AkdOLAjzk7BoeDN:2AkwL4YBo4N

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • svchost.exe (PID: 864)
      • SearchProtocolHost.exe (PID: 3372)
      • dne2000.exe (PID: 1400)

    • Application was dropped or rewritten from another process

      • WiseCustomCalla41.exe (PID: 4048)
      • WiseCustomCalla50.exe (PID: 2232)
      • dne2000.exe (PID: 1400)
      • dneinst.exe (PID: 2232)

    • Writes to a start menu file

      • msiexec.exe (PID: 332)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 3976)
      • chrome.exe (PID: 2576)
      • WinRAR.exe (PID: 3484)
      • msiexec.exe (PID: 1976)
      • MsiExec.exe (PID: 3844)
      • MsiExec.exe (PID: 3908)
      • msiexec.exe (PID: 332)
      • dne2000.exe (PID: 1400)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2576)

    • Executed as Windows Service

      • vssvc.exe (PID: 640)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 1976)

    • Creates files in the Windows directory

      • MsiExec.exe (PID: 3908)
      • msiexec.exe (PID: 332)
      • dneinst.exe (PID: 2232)
      • DrvInst.exe (PID: 3364)
      • dne2000.exe (PID: 1400)
      • DrvInst.exe (PID: 2176)

    • Creates files in the driver directory

      • msiexec.exe (PID: 332)
      • DrvInst.exe (PID: 3364)
      • dne2000.exe (PID: 1400)
      • DrvInst.exe (PID: 2176)

    • Executed via COM

      • DrvInst.exe (PID: 3364)
      • DrvInst.exe (PID: 2176)

    • Removes files from Windows directory

      • DrvInst.exe (PID: 3364)
      • dne2000.exe (PID: 1400)
      • DrvInst.exe (PID: 2176)

    • Creates COM task schedule object

      • dne2000.exe (PID: 1400)

  • INFO

    • Reads the hosts file

      • chrome.exe (PID: 2576)
      • chrome.exe (PID: 3976)

    • Manual execution by user

      • explorer.exe (PID: 3952)
      • msiexec.exe (PID: 1976)
      • WinRAR.exe (PID: 3484)

    • Application launched itself

      • chrome.exe (PID: 2576)
      • msiexec.exe (PID: 332)

    • Reads Internet Cache Settings

      • chrome.exe (PID: 2576)

    • Searches for installed software

      • msiexec.exe (PID: 332)

    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 3844)
      • MsiExec.exe (PID: 3908)

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 640)

    • Creates files in the program directory

      • msiexec.exe (PID: 332)
      • MsiExec.exe (PID: 3096)

    • Starts application with an unusual extension

      • msiexec.exe (PID: 332)

    • Creates or modifies windows services

      • msiexec.exe (PID: 332)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 332)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
83
Monitored processes
43
Malicious processes
7
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs explorer.exe no specs chrome.exe no specs winrar.exe msiexec.exe msiexec.exe msiexec.exe wisecustomcalla41.exe no specs msi341d.tmp no specs svchost.exe searchprotocolhost.exe no specs vssvc.exe no specs msiexec.exe wisecustomcalla50.exe no specs msiexec.exe msiede9.tmp no specs msiee19.tmp no specs dneinst.exe dne2000.exe drvinst.exe no specs drvinst.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2576"C:\Program Files\Google\Chrome\Application\chrome.exe" "https://oldwww.asc.edu/download/CiscoVPN/Windows/"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
75.0.3770.100
2132"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6d90a9d0,0x6d90a9e0,0x6d90a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2548"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=436 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3444"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1016,2688865722745345868,11237240407269661448,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=13256439839336932303 --mojo-platform-channel-handle=1024 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3976"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1016,2688865722745345868,11237240407269661448,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=10916854817064614616 --mojo-platform-channel-handle=1620 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3752"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,2688865722745345868,11237240407269661448,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3443399593512727643 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2216 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
1648"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,2688865722745345868,11237240407269661448,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2402729060848663898 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2236 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2684"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,2688865722745345868,11237240407269661448,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=12330916889184521802 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2384 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3800"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1016,2688865722745345868,11237240407269661448,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=17391584240408245852 --mojo-platform-channel-handle=2992 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
4000"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1016,2688865722745345868,11237240407269661448,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=9924040694271771388 --mojo-platform-channel-handle=3556 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
2 381
Read events
1 583
Write events
0
Delete events
0

Modification events

No data
Executable files
77
Suspicious files
51
Text files
454
Unknown types
41

Dropped files

PID
Process
Filename
Type
2576chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old
MD5:
SHA256:
2576chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old
MD5:
SHA256:
2576chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF39a841.TMP
MD5:
SHA256:
2576chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\d5851756-1fce-4a0d-b822-42612c5b2948.tmp
MD5:
SHA256:
2576chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp
MD5:
SHA256:
2576chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF39a831.TMPtext
MD5:DC32343F45B01764B6267AD36548102A
SHA256:A250F5AD57D4BD58AAE92810D50278E3BE2DBF869F126A3A3519691BCDFC2075
864svchost.exeC:\Windows\appcompat\programs\RecentFileCache.bcftxt
MD5:74DC25C12CA59FB0F9AF8FC1CA3A1318
SHA256:3FCC863F670408EA1D3D7A80421994FF39F92FBC25FF1586523ECB2B4DE05206
2576chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old
MD5:
SHA256:
2576chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:DC32343F45B01764B6267AD36548102A
SHA256:A250F5AD57D4BD58AAE92810D50278E3BE2DBF869F126A3A3519691BCDFC2075
2576chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RF39a86f.TMPtext
MD5:A519780ED0A2F4336DB4F5651D79C369
SHA256:DA5B71BD0075B55757BF757BF5F4D4A1DCBCF0762CDA5B31B28680963E068C75
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
22
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3976
chrome.exe
GET
302
172.217.16.206:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
513 b
whitelisted
3976
chrome.exe
GET
302
172.217.16.206:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
508 b
whitelisted
3976
chrome.exe
GET
200
173.194.183.103:80
http://r2---sn-aigl6nek.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=185.92.25.20&mm=28&mn=sn-aigl6nek&ms=nvh&mt=1573225103&mv=m&mvi=1&pl=24&shardbypass=yes
US
crx
293 Kb
whitelisted
3976
chrome.exe
GET
200
173.194.183.169:80
http://r4---sn-aigl6ney.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=185.92.25.20&mm=28&mn=sn-aigl6ney&ms=nvh&mt=1573225043&mv=m&mvi=3&pl=24&shardbypass=yes
US
crx
862 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3976
chrome.exe
172.217.21.195:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3976
chrome.exe
172.217.18.14:443
clients2.google.com
Google Inc.
US
whitelisted
3976
chrome.exe
172.217.16.164:443
www.google.com
Google Inc.
US
whitelisted
3976
chrome.exe
129.66.13.111:443
oldwww.asc.edu
Alabama Supercomputer Network
US
unknown
3976
chrome.exe
216.58.206.13:443
accounts.google.com
Google Inc.
US
whitelisted
3976
chrome.exe
173.194.183.103:80
r2---sn-aigl6nek.gvt1.com
Google Inc.
US
whitelisted
3976
chrome.exe
172.217.18.99:443
ssl.gstatic.com
Google Inc.
US
whitelisted
3976
chrome.exe
172.217.21.193:443
clients2.googleusercontent.com
Google Inc.
US
whitelisted
3976
chrome.exe
172.217.16.206:80
redirector.gvt1.com
Google Inc.
US
whitelisted
3976
chrome.exe
173.194.183.169:80
r4---sn-aigl6ney.gvt1.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
oldwww.asc.edu
  • 129.66.13.111
unknown
clientservices.googleapis.com
  • 172.217.21.195
whitelisted
accounts.google.com
  • 216.58.206.13
shared
www.google.com
  • 172.217.16.164
whitelisted
clients2.google.com
  • 172.217.18.14
whitelisted
redirector.gvt1.com
  • 172.217.16.206
whitelisted
r2---sn-aigl6nek.gvt1.com
  • 173.194.183.103
whitelisted
ssl.gstatic.com
  • 172.217.18.99
whitelisted
clients2.googleusercontent.com
  • 172.217.21.193
whitelisted
r4---sn-aigl6ney.gvt1.com
  • 173.194.183.169
whitelisted

Threats

No threats detected
Process
Message
MsiExec.exe
UpgradeCheck: Begin...
MsiExec.exe
UpgradeCheck: ...End
MsiExec.exe
LOG:
MsiExec.exe
DnecaLogInit starting (dneca, 1.3.2.17951)
MsiExec.exe
LOG:
MsiExec.exe
DnLogInit, logfile fqn = 'C:\Windows\temp\dneca.log'
MsiExec.exe
LOG:
MsiExec.exe
MakeDirectory, looking for C:\Windows\temp
MsiExec.exe
LOG:
MsiExec.exe
MakeDirectory, directory exists already
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://oldwww.asc.edu/download/CiscoVPN/Windows/