| URL: | http://www.plumbytes.com/download/cuid/?tid=rwid_p00000 |
| Full analysis: | https://app.any.run/tasks/0b25f3e4-b397-4c78-8db0-b6166abdad3a |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | May 24, 2019, 13:30:48 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | FB272237645C97D5C553376D8DCBDAA4 |
| SHA1: | 48F28A6C7F1F990EDDF86FBCAFC7F270B088BC16 |
| SHA256: | 67F1CC45583ECFB089FF1E8DC279FFCEB7030860BC11212D1AA02F178DCFC96B |
| SSDEEP: | 3:N1KJS4pdWKL2X0d/V:Cc4pdNk0FV |
MALICIOUS
Application was dropped or rewritten from another process
- antimalwaresetup.exe (PID: 1260)
- paiBE5.tmp (PID: 1084)
- antimalwaresetup.exe (PID: 1780)
- AmwService.exe (PID: 3552)
- Plumbytes.exe (PID: 3824)
- AmwService.exe (PID: 1660)
Changes settings of System certificates
- paiBE5.tmp (PID: 1084)
- AmwService.exe (PID: 3552)
Downloads executable files from IP
- antimalwaresetup.exe (PID: 1780)
Changes the autorun value in the registry
- paiBE5.tmp (PID: 1084)
Loads dropped or rewritten executable
- AmwService.exe (PID: 3552)
- Plumbytes.exe (PID: 3824)
- AmwService.exe (PID: 1660)
- paiBE5.tmp (PID: 1084)
Actions looks like stealing of personal data
- AmwService.exe (PID: 3552)
Downloads executable files from the Internet
- antimalwaresetup.exe (PID: 1780)
SUSPICIOUS
Modifies files in Chrome extension folder
- chrome.exe (PID: 1964)
Uses RUNDLL32.EXE to load library
- antimalwaresetup.exe (PID: 1780)
Reads Internet Cache Settings
- rundll32.exe (PID: 1000)
Executable content was dropped or overwritten
- chrome.exe (PID: 1964)
- antimalwaresetup.exe (PID: 1780)
- paiBE5.tmp (PID: 1084)
Starts application with an unusual extension
- antimalwaresetup.exe (PID: 1780)
Adds / modifies Windows certificates
- paiBE5.tmp (PID: 1084)
- AmwService.exe (PID: 3552)
Creates files in the program directory
- paiBE5.tmp (PID: 1084)
- AmwService.exe (PID: 3552)
Executed as Windows Service
- AmwService.exe (PID: 3552)
Creates files in the user directory
- paiBE5.tmp (PID: 1084)
Reads Environment values
- Plumbytes.exe (PID: 3824)
Creates files in the Windows directory
- AmwService.exe (PID: 3552)
Removes files from Windows directory
- AmwService.exe (PID: 3552)
Application launched itself
- AmwService.exe (PID: 3552)
Creates a software uninstall entry
- paiBE5.tmp (PID: 1084)
Reads the cookies of Mozilla Firefox
- AmwService.exe (PID: 3552)
Reads the cookies of Google Chrome
- AmwService.exe (PID: 1660)
- AmwService.exe (PID: 3552)
INFO
Changes internet zones settings
- iexplore.exe (PID: 2888)
Application launched itself
- iexplore.exe (PID: 2888)
- chrome.exe (PID: 1964)
Creates files in the user directory
- iexplore.exe (PID: 3512)
Reads Internet Cache Settings
- iexplore.exe (PID: 3512)
- chrome.exe (PID: 1964)
Manual execution by user
- chrome.exe (PID: 1964)
Reads settings of System Certificates
- chrome.exe (PID: 1964)
- Plumbytes.exe (PID: 3824)
- AmwService.exe (PID: 3552)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
71
Monitored processes
34
Malicious processes
6
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 416 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=956,8677701971805442249,1223370136913831966,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=15152295766956357788 --mojo-platform-channel-handle=3928 --ignored=" --type=renderer " /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 73.0.3683.75 Modules
| |||||||||||||||
| 896 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=956,8677701971805442249,1223370136913831966,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=18098551265901228813 --mojo-platform-channel-handle=3868 --ignored=" --type=renderer " /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 73.0.3683.75 Modules
| |||||||||||||||
| 928 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=956,8677701971805442249,1223370136913831966,131072 --enable-features=PasswordImport --service-pipe-token=7901468687251067827 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7901468687251067827 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2180 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 73.0.3683.75 Modules
| |||||||||||||||
| 1000 | "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\wininet.dll",DispatchAPICall 1 | C:\Windows\system32\rundll32.exe | — | antimalwaresetup.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1084 | /S | C:\Users\admin\AppData\Local\Temp\paiBE5.tmp | antimalwaresetup.exe | ||||||||||||
User: admin Company: Plumbytes Software Lp Integrity Level: HIGH Description: Plumbytes Anti-Malware Exit code: 0 Version: 1.0.5.3 Modules
| |||||||||||||||
| 1172 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=956,8677701971805442249,1223370136913831966,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=2779485825811438701 --mojo-platform-channel-handle=4092 --ignored=" --type=renderer " /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 73.0.3683.75 Modules
| |||||||||||||||
| 1260 | "C:\Users\admin\Downloads\antimalwaresetup.exe" | C:\Users\admin\Downloads\antimalwaresetup.exe | — | chrome.exe | |||||||||||
User: admin Company: Plumbytes Software Lp Integrity Level: MEDIUM Description: Plumbytes Anti-Malware Exit code: 3221226540 Version: 1.0.5.3 Modules
| |||||||||||||||
| 1336 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6cbc0f18,0x6cbc0f28,0x6cbc0f34 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 73.0.3683.75 Modules
| |||||||||||||||
| 1660 | "C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\AmwService.exe" getenv 1 | C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\AmwService.exe | — | AmwService.exe | |||||||||||
User: admin Company: Plumbytes Software Lp Integrity Level: MEDIUM Description: Anti-Malware Service Exit code: 0 Version: 0.9.0.648 Modules
| |||||||||||||||
| 1780 | "C:\Users\admin\Downloads\antimalwaresetup.exe" | C:\Users\admin\Downloads\antimalwaresetup.exe | chrome.exe | ||||||||||||
User: admin Company: Plumbytes Software Lp Integrity Level: HIGH Description: Plumbytes Anti-Malware Exit code: 0 Version: 1.0.5.3 Modules
| |||||||||||||||
Total events
1 933
Read events
1 676
Write events
251
Delete events
6
Modification events
| (PID) Process: | (2888) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (2888) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (2888) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (2888) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones |
| Operation: | write | Name: | SecuritySafe |
Value: 1 | |||
| (PID) Process: | (2888) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (2888) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2888) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active |
| Operation: | write | Name: | {2D8634F7-7E28-11E9-B63D-5254004A04AF} |
Value: 0 | |||
| (PID) Process: | (2888) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Type |
Value: 4 | |||
| (PID) Process: | (2888) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Count |
Value: 1 | |||
| (PID) Process: | (2888) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Time |
Value: E3070500050018000D001F000500A601 | |||
Executable files
67
Suspicious files
62
Text files
232
Unknown types
12
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2888 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
| 2888 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
| 1964 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index | — | |
MD5:— | SHA256:— | |||
| 1964 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0 | — | |
MD5:— | SHA256:— | |||
| 1964 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1 | — | |
MD5:— | SHA256:— | |||
| 1964 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2 | — | |
MD5:— | SHA256:— | |||
| 1964 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3 | — | |
MD5:— | SHA256:— | |||
| 1964 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\a010e1a0-54b5-415f-b0bc-07bbc7dae5ca.tmp | — | |
MD5:— | SHA256:— | |||
| 1964 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000018.dbtmp | — | |
MD5:— | SHA256:— | |||
| 3512 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
40
DNS requests
26
Threats
12
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1780 | antimalwaresetup.exe | GET | — | 45.55.29.117:80 | http://45.55.29.117/download/nsis/pb_nsissetup.exe | US | — | — | suspicious |
1780 | antimalwaresetup.exe | GET | — | 45.55.29.117:80 | http://45.55.29.117/download/nsis/pb_nsissetup.exe | US | — | — | suspicious |
3512 | iexplore.exe | GET | 301 | 45.55.29.117:80 | http://www.plumbytes.com/download/cuid/?tid=rwid_p00000 | US | html | 260 b | suspicious |
1964 | chrome.exe | GET | 200 | 173.194.137.71:80 | http://r2---sn-aigzrn76.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=194.187.251.125&mm=28&mn=sn-aigzrn76&ms=nvh&mt=1558704640&mv=m&pl=24&shardbypass=yes | US | crx | 842 Kb | whitelisted |
1780 | antimalwaresetup.exe | GET | 206 | 45.55.29.117:80 | http://45.55.29.117/download/nsis/pb_nsissetup.exe | US | executable | 20.8 Mb | suspicious |
1964 | chrome.exe | GET | 301 | 45.55.29.117:80 | http://plumbytes.com/download/cuid/?tid=rwid_p00000 | US | html | 260 b | suspicious |
3824 | Plumbytes.exe | GET | 301 | 45.55.29.117:80 | http://www.plumbytes.com/settings/amw.xml | US | html | 246 b | suspicious |
2888 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
1084 | paiBE5.tmp | GET | 301 | 45.55.29.117:80 | http://plumbytes.com/logs.php?cuid=ver_ | US | html | 248 b | suspicious |
1964 | chrome.exe | GET | 302 | 172.217.16.174:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 506 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2888 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3512 | iexplore.exe | 45.55.29.117:80 | www.plumbytes.com | Digital Ocean, Inc. | US | suspicious |
3512 | iexplore.exe | 45.55.29.117:443 | www.plumbytes.com | Digital Ocean, Inc. | US | suspicious |
2888 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
1964 | chrome.exe | 172.217.21.227:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
1964 | chrome.exe | 172.217.16.141:443 | accounts.google.com | Google Inc. | US | suspicious |
1964 | chrome.exe | 172.217.23.142:443 | clients1.google.com | Google Inc. | US | whitelisted |
1964 | chrome.exe | 172.217.21.195:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
1964 | chrome.exe | 172.217.16.174:80 | redirector.gvt1.com | Google Inc. | US | whitelisted |
1964 | chrome.exe | 173.194.137.71:80 | r2---sn-aigzrn76.gvt1.com | Google Inc. | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.bing.com |
| whitelisted |
www.plumbytes.com |
| suspicious |
plumbytes.com |
| suspicious |
clientservices.googleapis.com |
| whitelisted |
www.google.com.ua |
| whitelisted |
accounts.google.com |
| shared |
clients1.google.com |
| whitelisted |
ssl.gstatic.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
apis.google.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1780 | antimalwaresetup.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
1780 | antimalwaresetup.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
1780 | antimalwaresetup.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
1780 | antimalwaresetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1780 | antimalwaresetup.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
1084 | paiBE5.tmp | A Network Trojan was detected | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers |
1084 | paiBE5.tmp | Misc activity | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer |
1780 | antimalwaresetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1780 | antimalwaresetup.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
1780 | antimalwaresetup.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1 ETPRO signatures available at the full report