| URL: | https://download.eu-west-3.fromsmash.co/transfer/KzVzPR_o7E-c0 |
| Full analysis: | https://app.any.run/tasks/f9277095-fc95-471d-b070-e8e47e24c131 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | July 11, 2019, 15:56:01 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | 134B115CD08C4F5C5F4D8B064BC7D0EE |
| SHA1: | B6AED6A8B92009A9427E8093CF28097D9F9F8B87 |
| SHA256: | 64B5F4E3290A88ED884B8A7B299F4EFA3F9F566DCE3DC717183252E33BF48C4F |
| SSDEEP: | 3:N8SElR9f3PEK0RXJQbfYJgR:2SKR9PPEK0xIYuR |
MALICIOUS
Downloads executable files from IP
- chrome.exe (PID: 2936)
Downloads executable files from the Internet
- chrome.exe (PID: 2936)
Application was dropped or rewritten from another process
- dbreader.exe (PID: 3660)
- taskdl.exe (PID: 2856)
- @WanaDecryptor@.exe (PID: 3312)
- @WanaDecryptor@.exe (PID: 3512)
- @WanaDecryptor@.exe (PID: 3708)
- taskdl.exe (PID: 916)
- taskdl.exe (PID: 2712)
- taskhsvc.exe (PID: 3968)
- @WanaDecryptor@.exe (PID: 1292)
Dropped file may contain instructions of ransomware
- dbreader.exe (PID: 3660)
Writes file to Word startup folder
- dbreader.exe (PID: 3660)
Modifies files in Chrome extension folder
- dbreader.exe (PID: 3660)
WannaCry Ransomware was detected
- cmd.exe (PID: 1512)
- dbreader.exe (PID: 3660)
Loads dropped or rewritten executable
- taskhsvc.exe (PID: 3968)
- SearchProtocolHost.exe (PID: 2416)
Starts BCDEDIT.EXE to disable recovery
- cmd.exe (PID: 3904)
Actions looks like stealing of personal data
- dbreader.exe (PID: 3660)
Loads the Task Scheduler COM API
- wbengine.exe (PID: 216)
Changes the autorun value in the registry
- reg.exe (PID: 3584)
Deletes shadow copies
- cmd.exe (PID: 3904)
SUSPICIOUS
Executable content was dropped or overwritten
- chrome.exe (PID: 2600)
- chrome.exe (PID: 2936)
- dbreader.exe (PID: 3660)
- @WanaDecryptor@.exe (PID: 3312)
Modifies files in Chrome extension folder
- chrome.exe (PID: 2600)
Starts CMD.EXE for commands execution
- dbreader.exe (PID: 3660)
- @WanaDecryptor@.exe (PID: 3512)
Uses ICACLS.EXE to modify access control list
- dbreader.exe (PID: 3660)
Uses ATTRIB.EXE to modify file attributes
- dbreader.exe (PID: 3660)
Creates files in the program directory
- dbreader.exe (PID: 3660)
Executes scripts
- cmd.exe (PID: 3388)
Creates files in the user directory
- taskhsvc.exe (PID: 3968)
- dbreader.exe (PID: 3660)
Creates files like Ransomware instruction
- dbreader.exe (PID: 3660)
Executed as Windows Service
- vssvc.exe (PID: 1000)
- wbengine.exe (PID: 216)
- vds.exe (PID: 2904)
Executed via COM
- vdsldr.exe (PID: 3036)
Creates files in the Windows directory
- wbadmin.exe (PID: 3756)
Low-level read access rights to disk partition
- wbengine.exe (PID: 216)
- vds.exe (PID: 2904)
Uses REG.EXE to modify Windows registry
- cmd.exe (PID: 3140)
INFO
Application launched itself
- chrome.exe (PID: 2600)
Reads settings of System Certificates
- chrome.exe (PID: 2936)
Manual execution by user
- dbreader.exe (PID: 3660)
Dropped object may contain Bitcoin addresses
- dbreader.exe (PID: 3660)
- taskhsvc.exe (PID: 3968)
Reads Internet Cache Settings
- chrome.exe (PID: 2600)
Dropped object may contain URL to Tor Browser
- dbreader.exe (PID: 3660)
Dropped object may contain TOR URL's
- dbreader.exe (PID: 3660)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
99
Monitored processes
51
Malicious processes
6
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 216 | "C:\Windows\system32\wbengine.exe" | C:\Windows\system32\wbengine.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Block Level Backup Engine Service EXE Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 916 | taskdl.exe | C:\Users\admin\Downloads\taskdl.exe | — | dbreader.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: SQL Client Configuration Utility EXE Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 988 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1016,12447029348776758227,13007625632979093248,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=15478404990385235815 --mojo-platform-channel-handle=2984 --ignored=" --type=renderer " /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 Modules
| |||||||||||||||
| 1000 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1292 | @WanaDecryptor@.exe | C:\Users\admin\Downloads\@WanaDecryptor@.exe | — | dbreader.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Load PerfMon Counters Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1512 | cmd.exe /c start /b @WanaDecryptor@.exe vs | C:\Windows\system32\cmd.exe | dbreader.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 1828 | vssadmin delete shadows /all /quiet | C:\Windows\system32\vssadmin.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Command Line Interface for Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2132 | bcdedit /set {default} recoveryenabled no | C:\Windows\system32\bcdedit.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Boot Configuration Data Editor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2168 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,12447029348776758227,13007625632979093248,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10769089010940865754 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2240 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 Modules
| |||||||||||||||
| 2256 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1016,12447029348776758227,13007625632979093248,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5136101781615893477 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4016 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 Modules
| |||||||||||||||
Total events
1 933
Read events
1 822
Write events
107
Delete events
4
Modification events
| (PID) Process: | (2600) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (2600) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (2600) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty |
| Operation: | write | Name: | StatusCodes |
Value: | |||
| (PID) Process: | (2600) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\ThirdParty |
| Operation: | write | Name: | StatusCodes |
Value: 01000000 | |||
| (PID) Process: | (3188) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes |
| Operation: | write | Name: | 2600-13207334177145875 |
Value: 259 | |||
| (PID) Process: | (2600) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (2600) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Update\ClientState\{8A69D345-D564-463c-AFF1-A69D9E530F96} |
| Operation: | write | Name: | dr |
Value: 1 | |||
| (PID) Process: | (2600) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome |
| Operation: | write | Name: | UsageStatsInSample |
Value: 0 | |||
| (PID) Process: | (2600) chrome.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96} |
| Operation: | write | Name: | usagestats |
Value: 0 | |||
| (PID) Process: | (2600) chrome.exe | Key: | HKEY_CURRENT_USER\Software\Google\Chrome\BrowserExitCodes |
| Operation: | delete value | Name: | 1512-13197841398593750 |
Value: 0 | |||
Executable files
22
Suspicious files
542
Text files
436
Unknown types
15
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2600 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\920f5a8a-4eff-4026-8e7b-1620ebbaa2e5.tmp | — | |
MD5:— | SHA256:— | |||
| 2600 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000020.dbtmp | — | |
MD5:— | SHA256:— | |||
| 2600 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RFcdc6b.TMP | text | |
MD5:— | SHA256:— | |||
| 2600 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old | text | |
MD5:— | SHA256:— | |||
| 2600 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 2600 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RFcdcb9.TMP | text | |
MD5:— | SHA256:— | |||
| 2600 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RFcdc5b.TMP | text | |
MD5:— | SHA256:— | |||
| 2600 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1 | — | |
MD5:— | SHA256:— | |||
| 2600 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old | text | |
MD5:— | SHA256:— | |||
| 2600 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old | text | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
26
DNS requests
16
Threats
9
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2936 | chrome.exe | GET | 200 | 205.185.216.10:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 56.3 Kb | whitelisted |
2936 | chrome.exe | GET | 302 | 172.217.21.206:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 515 b | whitelisted |
2936 | chrome.exe | GET | 200 | 173.194.183.201:80 | http://r4---sn-aigl6nl7.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=185.217.117.45&mm=28&mn=sn-aigl6nl7&ms=nvh&mt=1562860524&mv=m&mvi=3&pl=24&shardbypass=yes | US | crx | 862 Kb | whitelisted |
2936 | chrome.exe | GET | 200 | 13.224.197.157:80 | http://x.ss2.us/x.cer | US | der | 1.27 Kb | whitelisted |
2936 | chrome.exe | GET | 302 | 81.5.88.13:80 | http://81.5.88.13/ | RU | text | 2 b | suspicious |
2936 | chrome.exe | GET | 200 | 81.5.88.13:80 | http://81.5.88.13/dbreader.exe | RU | executable | 3.35 Mb | suspicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2936 | chrome.exe | 172.217.21.227:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
2936 | chrome.exe | 13.224.196.32:443 | download.eu-west-3.fromsmash.co | — | US | unknown |
2936 | chrome.exe | 172.217.21.237:443 | accounts.google.com | Google Inc. | US | whitelisted |
2936 | chrome.exe | 205.185.216.42:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
2936 | chrome.exe | 172.217.16.132:443 | www.google.com | Google Inc. | US | whitelisted |
2936 | chrome.exe | 172.217.18.3:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
2936 | chrome.exe | 13.224.197.157:80 | x.ss2.us | — | US | unknown |
2936 | chrome.exe | 205.185.216.10:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
2936 | chrome.exe | 216.58.206.14:443 | clients2.google.com | Google Inc. | US | whitelisted |
2936 | chrome.exe | 216.58.207.33:443 | clients2.googleusercontent.com | Google Inc. | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
download.eu-west-3.fromsmash.co |
| whitelisted |
clientservices.googleapis.com |
| whitelisted |
accounts.google.com |
| shared |
x.ss2.us |
| whitelisted |
www.download.windowsupdate.com |
| whitelisted |
www.google.com |
| malicious |
ssl.gstatic.com |
| whitelisted |
clients2.google.com |
| whitelisted |
clients2.googleusercontent.com |
| whitelisted |
redirector.gvt1.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2936 | chrome.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
2936 | chrome.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2936 | chrome.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
3968 | taskhsvc.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 124 |
3968 | taskhsvc.exe | Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR SSL connection |
3968 | taskhsvc.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 587 |
3968 | taskhsvc.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 364 |
3968 | taskhsvc.exe | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 283 |
3968 | taskhsvc.exe | Misc activity | ET POLICY TLS possible TOR SSL traffic |