URL: http://www.plumbytes.com/download/cuid/?tid=rwid_p00000
Full analysis: https://app.any.run/tasks/f035cc5c-5926-4d50-8ec5-900948826c92
Verdict: Malicious activity
Analysis date: May 24, 2019, 17:22:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators (hashes of the submitted URL; the hashes of the downloaded installer are in the Dropped files table below):
MD5: FB272237645C97D5C553376D8DCBDAA4
SHA1: 48F28A6C7F1F990EDDF86FBCAFC7F270B088BC16
SHA256: 67F1CC45583ECFB089FF1E8DC279FFCEB7030860BC11212D1AA02F178DCFC96B
SSDEEP: 3:N1KJS4pdWKL2X0d/V:Cc4pdNk0FV

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • cuid[1].exe (PID: 3660)
      • cuid[1].exe (PID: 2748)
      • pai364C.tmp (PID: 3928)
      • Plumbytes.exe (PID: 2712)
      • AmwService.exe (PID: 3120)
      • AmwService.exe (PID: 2572)
      • AmwService.exe (PID: 3404)
    • Loads dropped or rewritten executable

      • pai364C.tmp (PID: 3928)
      • AmwService.exe (PID: 3120)
      • Plumbytes.exe (PID: 2712)
      • AmwService.exe (PID: 3404)
      • AmwService.exe (PID: 2572)
    • Changes settings of System certificates

      • pai364C.tmp (PID: 3928)
      • AmwService.exe (PID: 3120)
    • Changes the autorun value in the registry

      • pai364C.tmp (PID: 3928)
    • Actions look like stealing of personal data

      • AmwService.exe (PID: 3120)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2940)
      • iexplore.exe (PID: 3228)
      • cuid[1].exe (PID: 2748)
      • pai364C.tmp (PID: 3928)
    • Uses RUNDLL32.EXE to load library

      • cuid[1].exe (PID: 2748)
    • Starts application with an unusual extension

      • cuid[1].exe (PID: 2748)
    • Reads Internet Cache Settings

      • rundll32.exe (PID: 3572)
      • pai364C.tmp (PID: 3928)
    • Adds / modifies Windows certificates

      • pai364C.tmp (PID: 3928)
      • AmwService.exe (PID: 3120)
    • Creates files in the program directory

      • pai364C.tmp (PID: 3928)
      • AmwService.exe (PID: 3120)
    • Executed as Windows Service

      • AmwService.exe (PID: 3120)
    • Creates files in the user directory

      • pai364C.tmp (PID: 3928)
    • Creates a software uninstall entry

      • pai364C.tmp (PID: 3928)
    • Reads Environment values

      • Plumbytes.exe (PID: 2712)
    • Creates files in the Windows directory

      • AmwService.exe (PID: 3120)
    • Reads the cookies of Google Chrome

      • AmwService.exe (PID: 3404)
      • AmwService.exe (PID: 2572)
      • AmwService.exe (PID: 3120)
    • Application launched itself

      • AmwService.exe (PID: 3120)
    • Removes files from Windows directory

      • AmwService.exe (PID: 3120)
    • Reads the cookies of Mozilla Firefox

      • AmwService.exe (PID: 3120)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2940)
    • Creates files in the user directory

      • iexplore.exe (PID: 3228)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3228)
      • iexplore.exe (PID: 2940)
    • Changes internet zones settings

      • iexplore.exe (PID: 2940)
    • Reads settings of System Certificates

      • Plumbytes.exe (PID: 2712)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 10
Malicious processes: 7
Suspicious processes: 0

Behavior graph (interactive in the full report; only its labels survive here)

Nodes: iexplore.exe, iexplore.exe, cuid[1].exe (no specs), cuid[1].exe, rundll32.exe (no specs), pai364c.tmp, amwservice.exe, plumbytes.exe, amwservice.exe (no specs), amwservice.exe (no specs). Edge labels: "drop and start" (four edges) and "start" (one edge). Parent relations are listed per process in the table below.

Process information

PID 2940  iexplore.exe  (parent: explorer.exe)
  CMD:         "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  Path:        C:\Program Files\Internet Explorer\iexplore.exe
  User / IL:   admin / MEDIUM
  Company:     Microsoft Corporation    Description: Internet Explorer
  Version:     8.00.7600.16385 (win7_rtm.090713-1255)
  Exit code:   1

PID 3228  iexplore.exe  (parent: iexplore.exe)
  CMD:         "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2940 CREDAT:71937
  Path:        C:\Program Files\Internet Explorer\iexplore.exe
  User / IL:   admin / LOW
  Company:     Microsoft Corporation    Description: Internet Explorer
  Version:     8.00.7600.16385 (win7_rtm.090713-1255)
  Exit code:   0

PID 3660  cuid[1].exe  (parent: iexplore.exe)
  CMD:         "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\cuid[1].exe"
  Path:        C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\cuid[1].exe
  User / IL:   admin / MEDIUM
  Company:     Plumbytes Software Lp    Description: Plumbytes Anti-Malware
  Version:     1.0.5.3
  Exit code:   3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the installer needs administrator rights; the same image is relaunched as PID 2748 at HIGH integrity)

PID 2748  cuid[1].exe  (parent: iexplore.exe)
  CMD:         "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\cuid[1].exe"
  Path:        C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\cuid[1].exe
  User / IL:   admin / HIGH
  Company:     Plumbytes Software Lp    Description: Plumbytes Anti-Malware
  Version:     1.0.5.3
  Exit code:   0

PID 3572  rundll32.exe  (parent: cuid[1].exe)
  CMD:         "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\wininet.dll",DispatchAPICall 1
  Path:        C:\Windows\system32\rundll32.exe
  User / IL:   admin / LOW
  Company:     Microsoft Corporation    Description: Windows host process (Rundll32)
  Version:     6.1.7600.16385 (win7_rtm.090713-1255)
  Exit code:   0

PID 3928  pai364C.tmp  (parent: cuid[1].exe)
  CMD:         /S   (the report records only the switch; /S is the NSIS silent-install flag)
  Path:        C:\Users\admin\AppData\Local\Temp\pai364C.tmp
  User / IL:   admin / HIGH
  Company:     Plumbytes Software Lp    Description: Plumbytes Anti-Malware
  Version:     1.0.5.3
  Exit code:   0

PID 3120  AmwService.exe  (parent: services.exe)
  CMD:         "C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\AmwService.exe" run
  Path:        C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\AmwService.exe
  User / IL:   SYSTEM / SYSTEM
  Company:     Plumbytes Software Lp    Description: Anti-Malware Service
  Version:     0.9.0.648
  Exit code:   (none recorded)

PID 2712  Plumbytes.exe  (parent: pai364C.tmp)
  CMD:         "C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\Plumbytes.exe"
  Path:        C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\Plumbytes.exe
  User / IL:   admin / HIGH
  Company:     Plumbytes Software Lp    Description: Plumbytes Anti-Malware
  Version:     1.0.5.3
  Exit code:   (none recorded)

PID 3404  AmwService.exe  (parent: AmwService.exe)
  CMD:         "C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\AmwService.exe" getenv 1
  Path:        C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\AmwService.exe
  User / IL:   admin / MEDIUM
  Company:     Plumbytes Software Lp    Description: Anti-Malware Service
  Version:     0.9.0.648
  Exit code:   0

PID 2572  AmwService.exe  (parent: AmwService.exe)
  CMD:         "C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\AmwService.exe" getenv 2
  Path:        C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\AmwService.exe
  User / IL:   admin / MEDIUM
  Company:     Plumbytes Software Lp    Description: Anti-Malware Service
  Version:     0.9.0.648
  Exit code:   0
Total events: 1,317
Read events: 1,155
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 66
Suspicious files: 1
Text files: 14
Unknown types: 11

Dropped files (only the rows the report lists; "-" = not recorded)

2940  iexplore.exe  (type: -)
      C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
      MD5: -   SHA256: -

2940  iexplore.exe  (type: -)
      C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
      MD5: -   SHA256: -

2940  iexplore.exe  (type: -)
      C:\Users\admin\AppData\Local\Temp\~DFA1D1107E99BBB696.TMP
      MD5: -   SHA256: -

2940  iexplore.exe  (type: binary)
      C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{805C922E-7E48-11E9-B3B3-5254004A04AF}.dat
      MD5: 8AD79C54ADB125E6F186942502376AF2   SHA256: 2FF427288CAD4B5CDAB6C6958E196FD3DA417F1ABDC926B7109315B29E140148

3228  iexplore.exe  (type: dat)
      C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
      MD5: 9B323F9706E1CC496BC6972D2349BA7A   SHA256: DC701A3C373D1C354AD6913C22E82A49AFB5B35662FFB82ED157453981BC9148

3228  iexplore.exe  (type: text)
      C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@plumbytes[1].txt
      MD5: 1CD377DF19008A7F26F3A16AD64E0FD6   SHA256: E99CE70CF77E96744E94354C4132FF0E4D77ADD61657D20302F1CF4BFFB110C8

2940  iexplore.exe  (type: -)
      C:\Users\admin\AppData\Local\Temp\~DFF2FDF2E4BAFDC413.TMP
      MD5: -   SHA256: -

2940  iexplore.exe  (type: executable)
      C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\cuid[1].exe
      MD5: F36109A59AC6AA22CE9DC878778EBC72   SHA256: FD5CE06CB117B435237BEE8B689F717CE1F1900402C6E555CFBA66C1E20907C8

3228  iexplore.exe  (type: executable)
      C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VPOIEHBO\antimalwaresetup[1].exe
      MD5: F36109A59AC6AA22CE9DC878778EBC72   SHA256: FD5CE06CB117B435237BEE8B689F717CE1F1900402C6E555CFBA66C1E20907C8

3228  iexplore.exe  (type: dat)
      C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
      MD5: D10F5317143C3571ACCBB97358925673   SHA256: B997F883C9C8B9DDB303F4CFD1E9E3C1908909E7E6F1504D39A6379C4946FF44

Note that cuid[1].exe (written by PID 2940) and antimalwaresetup[1].exe (written by the low-integrity tab, PID 3228) carry identical MD5 and SHA256 values: one installer cached twice under two names. Pivot on the hash, not on the cached filename, when building IOCs from this table.
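The process table and the dropped-files table above carry enough to re-derive several of the behaviour signatures listed at the top of this report: "Application was dropped or rewritten from another process", "Starts application with an unusual extension", and the UAC re-launch that PID 3660's exit code reveals. The following is an added Python example, not ANY.RUN's code. PROCESSES and DROPPED are transcribed from this report's two tables (only the dropped rows the report hashes), so only the cuid[1].exe drop-to-execute link can be found; because ANY.RUN lists parent names rather than parent PIDs, that link is made on the image path, not on the process tree. The "elevated from a user-writable directory" check is this editor's own triage heuristic, not an ANY.RUN signature.

```python
"""Re-derive several of this report's behaviour signatures from its tables.

Added example, not ANY.RUN's code. PROCESSES and DROPPED are transcribed
from this report's process table and dropped-files table (only the rows
the report hashes). ANY.RUN lists parent *names*, not parent PIDs, so the
drop-to-execute link below is made on the image path, not on the tree.
"""
import ntpath
from collections import defaultdict

# NTSTATUS values that ANY.RUN prints as unsigned decimal exit codes.
NTSTATUS = {0xC000042C: "STATUS_ELEVATION_REQUIRED"}

# Locations a standard user can write to (case-insensitive substring match).
USER_WRITABLE = (r"\AppData\Local\Temp", r"\Temporary Internet Files")

# (pid, image path, parent name, integrity level, exit code; None = none recorded)
PROCESSES = [
    (2940, r"C:\Program Files\Internet Explorer\iexplore.exe", "explorer.exe", "MEDIUM", 1),
    (3228, r"C:\Program Files\Internet Explorer\iexplore.exe", "iexplore.exe", "LOW", 0),
    (3660, r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\cuid[1].exe",
     "iexplore.exe", "MEDIUM", 3221226540),
    (2748, r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\cuid[1].exe",
     "iexplore.exe", "HIGH", 0),
    (3572, r"C:\Windows\system32\rundll32.exe", "cuid[1].exe", "LOW", 0),
    (3928, r"C:\Users\admin\AppData\Local\Temp\pai364C.tmp", "cuid[1].exe", "HIGH", 0),
    (3120, r"C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\AmwService.exe", "services.exe", "SYSTEM", None),
    (2712, r"C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\Plumbytes.exe", "pai364C.tmp", "HIGH", None),
    (3404, r"C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\AmwService.exe", "AmwService.exe", "MEDIUM", 0),
    (2572, r"C:\Program Files\Plumbytes Software\Plumbytes Anti-Malware\AmwService.exe", "AmwService.exe", "MEDIUM", 0),
]

# (writer pid, path, type, SHA-256) -- the three hashed rows that matter here.
DROPPED = [
    (2940, r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\cuid[1].exe",
     "executable", "FD5CE06CB117B435237BEE8B689F717CE1F1900402C6E555CFBA66C1E20907C8"),
    (3228, r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VPOIEHBO\antimalwaresetup[1].exe",
     "executable", "FD5CE06CB117B435237BEE8B689F717CE1F1900402C6E555CFBA66C1E20907C8"),
    (3228, r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@plumbytes[1].txt",
     "text", "E99CE70CF77E96744E94354C4132FF0E4D77ADD61657D20302F1CF4BFFB110C8"),
]


def decode_exit(code):
    """Name the NTSTATUS behind an unsigned-decimal exit code, else echo it."""
    if code is None:
        return "none recorded"
    if code >= 0x80000000:
        return NTSTATUS.get(code, "0x%08X" % code)
    return str(code)


def dropped_then_executed(processes=PROCESSES, dropped=DROPPED):
    """'Application was dropped or rewritten from another process':
    (writer pid, new pid) wherever a dropped path later becomes a process image."""
    writer_of = {path.lower(): pid for pid, path, _, _ in dropped}
    return [(writer_of[img.lower()], pid) for pid, img, *_ in processes if img.lower() in writer_of]


def elevation_retry(processes=PROCESSES):
    """UAC pattern: a run that died with STATUS_ELEVATION_REQUIRED, followed by
    the same image at HIGH integrity -> (failed pid, elevated pid)."""
    failed = {img.lower(): pid for pid, img, _, _, code in processes if code == 0xC000042C}
    return [(failed[img.lower()], pid) for pid, img, _, level, _ in processes
            if level == "HIGH" and img.lower() in failed]


def unusual_extension(processes=PROCESSES):
    """'Starts application with an unusual extension': image is not a .exe."""
    return [pid for pid, img, *_ in processes if ntpath.splitext(img)[1].lower() != ".exe"]


def elevated_from_user_writable(processes=PROCESSES):
    """Editor's heuristic: HIGH/SYSTEM processes whose image sits where the user can write."""
    return [pid for pid, img, _, level, _ in processes
            if level in ("HIGH", "SYSTEM")
            and any(loc.lower() in img.lower() for loc in USER_WRITABLE)]


def same_payload_many_names(dropped=DROPPED):
    """Group dropped executables by SHA-256; a name-based IOC would count two files."""
    names = defaultdict(list)
    for _, path, ftype, sha in dropped:
        if ftype == "executable":
            names[sha].append(ntpath.basename(path))
    return {sha: n for sha, n in names.items() if len(n) > 1}


if __name__ == "__main__":
    for pid, img, parent, level, code in PROCESSES:
        print(pid, ntpath.basename(img), parent, level, decode_exit(code))
    print("dropped->executed:", dropped_then_executed())
    print("elevation retry:", elevation_retry())
    print("unusual extension:", unusual_extension())
    print("elevated from user-writable:", elevated_from_user_writable())
    print("same payload, several names:", same_payload_many_names())
```

On this report's data the checks return 2940 → 3660 and 2940 → 2748 for the drop-to-execute link, 3660 → 2748 for the elevation retry, 3928 for the .tmp image, 2748 and 3928 as elevated processes running from user-writable paths, and one SHA-256 shared by cuid[1].exe and antimalwaresetup[1].exe. The pai364C.tmp, Plumbytes.exe and AmwService.exe drops are not linked because the report lists only ten of the 66 executable files it saw.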
HTTP(S) requests: 7
TCP/UDP connections: 13
DNS requests: 5
Threats: 0

HTTP requests ("-" = not recorded in the report)

PID  | Process       | Method | Code | IP               | URL                                                     | CN | Type  | Size  | Reputation
2748 | cuid[1].exe   | GET    | -    | 45.55.29.117:80  | http://45.55.29.117/download/nsis/pb_nsissetup.exe      | US | -     | -     | suspicious
2748 | cuid[1].exe   | GET    | -    | 45.55.29.117:80  | http://45.55.29.117/download/nsis/pb_nsissetup.exe      | US | -     | -     | suspicious
3228 | iexplore.exe  | GET    | 301  | 45.55.29.117:80  | http://www.plumbytes.com/download/cuid/?tid=rwid_p00000 | US | html  | 260 b | suspicious
3928 | pai364C.tmp   | GET    | 301  | 45.55.29.117:80  | http://plumbytes.com/logs.php?cuid=ver_                 | US | html  | 248 b | suspicious
2748 | cuid[1].exe   | GET    | -    | 45.55.29.117:80  | http://45.55.29.117/download/nsis/pb_nsissetup.exe      | US | -     | -     | suspicious
2940 | iexplore.exe  | GET    | 200  | 13.107.21.200:80 | http://www.bing.com/favicon.ico                         | US | image | 237 b | whitelisted
2712 | Plumbytes.exe | GET    | 301  | 45.55.29.117:80  | http://www.plumbytes.com/settings/amw.xml               | US | html  | 246 b | suspicious

Connections

PID  | Process        | IP                 | Domain                  | ASN                                                      | CN | Reputation
2940 | iexplore.exe   | 13.107.21.200:80   | www.bing.com            | Microsoft Corporation                                    | US | whitelisted
3228 | iexplore.exe   | 45.55.29.117:443   | www.plumbytes.com       | Digital Ocean, Inc.                                      | US | suspicious
3928 | pai364C.tmp    | 45.55.29.117:80    | www.plumbytes.com       | Digital Ocean, Inc.                                      | US | suspicious
3228 | iexplore.exe   | 45.55.29.117:80    | www.plumbytes.com       | Digital Ocean, Inc.                                      | US | suspicious
2748 | cuid[1].exe    | 45.55.29.117:80    | www.plumbytes.com       | Digital Ocean, Inc.                                      | US | suspicious
3928 | pai364C.tmp    | 45.55.29.117:443   | www.plumbytes.com       | Digital Ocean, Inc.                                      | US | suspicious
2712 | Plumbytes.exe  | 45.55.29.117:80    | www.plumbytes.com       | Digital Ocean, Inc.                                      | US | suspicious
2712 | Plumbytes.exe  | 45.55.29.117:443   | www.plumbytes.com       | Digital Ocean, Inc.                                      | US | suspicious
3120 | AmwService.exe | 152.199.19.161:443 | plumbytes.azureedge.net | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2712 | Plumbytes.exe  | 104.40.92.107:443  | license.plumbytes.com   | Microsoft Corporation                                    | US | whitelisted

DNS requests

Domain                  | IP                            | Reputation
www.bing.com            | 13.107.21.200, 204.79.197.200 | whitelisted
www.plumbytes.com       | 45.55.29.117                  | suspicious
plumbytes.com           | 45.55.29.117                  | suspicious
plumbytes.azureedge.net | 152.199.19.161                | whitelisted
license.plumbytes.com   | 104.40.92.107                 | suspicious

Threats

PID  | Process     | Class                                 | Message
2748 | cuid[1].exe | A Network Trojan was detected         | ET INFO Executable Download from dotted-quad Host
2748 | cuid[1].exe | A Network Trojan was detected         | ET INFO Executable Download from dotted-quad Host
2748 | cuid[1].exe | A Network Trojan was detected         | ET INFO Executable Download from dotted-quad Host
2748 | cuid[1].exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2748 | cuid[1].exe | Potentially Bad Traffic               | ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3928 | pai364C.tmp | A Network Trojan was detected         | ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
3928 | pai364C.tmp | Misc activity                         | SUSPICIOUS [PTsecurity] Suspicious HTTP header - Sometimes used by hostile installer
2748 | cuid[1].exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2748 | cuid[1].exe | Potentially Bad Traffic               | ET INFO SUSPICIOUS Dotted Quad Host MZ Response
1 ETPRO signature is available in the full report
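The Suricata messages above describe simple conditions on the HTTP exchange: an executable fetched from a bare IP address, a response body that is a PE image, and an installer library's User-Agent. The following is an added Python example, not ANY.RUN's or the Emerging Threats project's code; the checks paraphrase what the rule names describe rather than reproducing the rules' exact content and pcre matches, and the PTsecurity header rule is left out because its match content is not on this page. The transactions are constructed from the HTTP-requests table above; the PE response body, the 200 status on the dotted-quad downloads (the report records no code for them) and the NSIS_Inetc User-Agent on pai364C.tmp's request (the report shows only that the rule fired) are assumptions.

```python
"""Approximate the network detections in this report's Threats table.

Added example, not ANY.RUN's or Emerging Threats' code: the checks below
paraphrase what the rule names describe, not the rules' exact content/pcre
matching. The transactions are constructed from the report's HTTP-requests
table; response bodies, the 200 status on the dotted-quad downloads and the
pai364C.tmp User-Agent are assumptions, not captured bytes.
"""
import ipaddress
import re
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class HttpTx:
    pid: int
    process: str
    method: str
    url: str
    request_headers: Dict[str, str] = field(default_factory=dict)
    status: Optional[int] = None
    body: bytes = b""


def fake_pe() -> bytes:
    """Smallest constructed byte string that passes the PE header walk below."""
    hdr = bytearray(0x40 + 4)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> offset of the PE signature
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr)


def is_pe(body: bytes) -> bool:
    """MZ stub plus an e_lfanew that lands on 'PE\\0\\0', not merely a leading 'MZ'."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def host_is_dotted_quad(url: str) -> bool:
    """True when the URL's host is a literal IPv4 address rather than a name."""
    host = re.match(r"https?://([^/:]+)", url).group(1)
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        return False


def alerts_for(tx: HttpTx) -> List[str]:
    """Messages the approximated rules would raise for one transaction."""
    out = []
    dotted = host_is_dotted_quad(tx.url)
    if tx.method == "GET" and dotted and re.search(r"\.(exe|dll)($|\?)", tx.url, re.I):
        out.append("ET INFO Executable Download from dotted-quad Host")
    if is_pe(tx.body):
        out.append("ET POLICY PE EXE or DLL Windows file download HTTP")
        if dotted:
            out.append("ET INFO SUSPICIOUS Dotted Quad Host MZ Response")
    if tx.request_headers.get("User-Agent", "").startswith("NSIS_Inetc"):
        out.append("ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers")
    return out


# Constructed from the report's HTTP-requests table (see the assumptions above).
TRANSACTIONS = [
    HttpTx(2748, "cuid[1].exe", "GET", "http://45.55.29.117/download/nsis/pb_nsissetup.exe",
           {"Host": "45.55.29.117"}, 200, fake_pe()),
    HttpTx(3228, "iexplore.exe", "GET", "http://www.plumbytes.com/download/cuid/?tid=rwid_p00000",
           {"Host": "www.plumbytes.com"}, 301, b"<html>Moved</html>"),
    HttpTx(3928, "pai364C.tmp", "GET", "http://plumbytes.com/logs.php?cuid=ver_",
           {"Host": "plumbytes.com", "User-Agent": "NSIS_Inetc (Mozilla)"}, 301, b"<html>Moved</html>"),
    HttpTx(2940, "iexplore.exe", "GET", "http://www.bing.com/favicon.ico",
           {"Host": "www.bing.com"}, 200, b"\x00\x00\x01\x00"),
    HttpTx(2712, "Plumbytes.exe", "GET", "http://www.plumbytes.com/settings/amw.xml",
           {"Host": "www.plumbytes.com"}, 301, b"<html>Moved</html>"),
]


def triage(txs=TRANSACTIONS) -> Dict[int, List[str]]:
    """PID -> alert messages, the same shape as the report's Threats table."""
    result: Dict[int, List[str]] = {}
    for tx in txs:
        result.setdefault(tx.pid, []).extend(alerts_for(tx))
    return result


if __name__ == "__main__":
    for pid, msgs in triage().items():
        for msg in msgs:
            print(pid, msg)
```

Run against the constructed transactions, PID 2748 collects the three messages the report attributes to cuid[1].exe and PID 3928 the NSIS_Inetc policy hit; the plumbytes.com redirects and the bing favicon raise nothing, matching the whitelisted and 301 rows above. The PE check walks e_lfanew to the "PE\0\0" signature instead of stopping at "MZ", so a response that merely begins with those two bytes does not trip it.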
No debug info