URL:

http://mirror42.mountspace.com/getfile.php?p=http://eu-uk7.disk-tools.com/1d6b94c7bb2b89ea2601a5362fd43072/DTLite10100-0797.exe

Full analysis: https://app.any.run/tasks/1e084030-341f-4d37-8420-58130977e8f3
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 21, 2019, 11:02:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MD5: F86EF81BABE1A41FB33F03F28FD1D798
SHA1: 396D8FCE38CEEB9C1A41D906A13515E628BF595F
SHA256: 68518FAF1DA79F61C552C363250186FF04C4AE215F254192159D2954490CBEE1
SSDEEP: 3:N1KTfh8Z3XyTZARQJAkgFmpSWLK5LD0HcXT4ncSLN:CjhC2Z0Q5CSl2H0E4c4N

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • DTPro821-0709.exe (PID: 1548)
      • DTPro821-0709.exe (PID: 3260)
      • DiscSoftBusServicePro.exe (PID: 3064)
      • InstallGadget.exe (PID: 3416)
      • DiscSoftBusServicePro.exe (PID: 3576)
      • DTShellHlp.exe (PID: 1828)
      • DTPro.exe (PID: 2548)
      • DTAgent.exe (PID: 2040)
    • Changes the autorun value in the registry

      • DTPro821-0709.exe (PID: 3260)
      • sidebar.exe (PID: 1180)
    • Changes settings of System certificates

      • DTPro821-0709.exe (PID: 3260)
      • sidebar.exe (PID: 1180)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 2632)
    • Loads dropped or rewritten executable

      • DiscSoftBusServicePro.exe (PID: 3064)
      • DTPro821-0709.exe (PID: 3260)
      • regsvr32.exe (PID: 2708)
      • regsvr32.exe (PID: 1932)
      • DiscSoftBusServicePro.exe (PID: 3576)
      • DTShellHlp.exe (PID: 1828)
      • sidebar.exe (PID: 1180)
      • explorer.exe (PID: 1696)
      • DTAgent.exe (PID: 2040)
      • DTPro.exe (PID: 2548)
      • svchost.exe (PID: 872)
      • regsvr32.exe (PID: 3972)
    • Registers / Runs the DLL via REGSVR32.EXE

      • DTPro821-0709.exe (PID: 3260)
      • InstallGadget.exe (PID: 3416)
  • SUSPICIOUS

    • Starts Internet Explorer

      • explorer.exe (PID: 1696)
    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2368)
      • iexplore.exe (PID: 2632)
      • DTPro821-0709.exe (PID: 3260)
      • DiscSoftBusServicePro.exe (PID: 3064)
      • DrvInst.exe (PID: 2892)
      • DrvInst.exe (PID: 1332)
    • Adds / modifies Windows certificates

      • DTPro821-0709.exe (PID: 3260)
    • Creates files in the Windows directory

      • DiscSoftBusServicePro.exe (PID: 3064)
      • DrvInst.exe (PID: 2892)
      • DrvInst.exe (PID: 1332)
    • Creates files in the program directory

      • DiscSoftBusServicePro.exe (PID: 3064)
      • DTPro821-0709.exe (PID: 3260)
      • regsvr32.exe (PID: 3972)
    • Creates a software uninstall entry

      • DTPro821-0709.exe (PID: 3260)
    • Creates files in the driver directory

      • DrvInst.exe (PID: 2892)
      • DrvInst.exe (PID: 1332)
    • Removes files from Windows directory

      • DrvInst.exe (PID: 2892)
      • DrvInst.exe (PID: 1332)
    • Searches for installed software

      • DrvInst.exe (PID: 2892)
    • Uses RUNDLL32.EXE to load library

      • DrvInst.exe (PID: 2892)
    • Reads Internet Cache Settings

      • sidebar.exe (PID: 1180)
      • explorer.exe (PID: 1696)
    • Creates COM task schedule object

      • regsvr32.exe (PID: 1932)
      • regsvr32.exe (PID: 2708)
      • regsvr32.exe (PID: 3972)
    • Reads internet explorer settings

      • sidebar.exe (PID: 1180)
    • Modifies the open verb of a shell class

      • DTPro821-0709.exe (PID: 3260)
    • Creates files in the user directory

      • DTPro.exe (PID: 2548)
  • INFO

    • Creates files in the user directory

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2904)
      • iexplore.exe (PID: 2368)
      • iexplore.exe (PID: 2632)
    • Application launched itself

      • iexplore.exe (PID: 2368)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2368)
      • iexplore.exe (PID: 2632)
    • Changes internet zones settings

      • iexplore.exe (PID: 2368)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2632)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2368)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2368)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2368)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3564)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 60
Monitored processes: 25
Malicious processes: 11
Suspicious processes: 7

Behavior graph

(Interactive process graph not reproduced in this extract; it is available in the full report. Nodes shown, linked by "start" and "drop and start" edges: iexplore.exe, iexplore.exe, flashutil32_26_0_0_131_activex.exe, dtpro821-0709.exe, dtpro821-0709.exe, discsoftbusservicepro.exe, drvinst.exe, rundll32.exe, vssvc.exe, drvinst.exe, drvinst.exe, regsvr32.exe, installgadget.exe, regsvr32.exe, regsvr32.exe, explorer.exe, explorer.exe, sidebar.exe, discsoftbusservicepro.exe, regsvr32.exe, explorer.exe, svchost.exe, dtshellhlp.exe, dtpro.exe, dtagent.exe.)

Process information

PID: 2368
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2632
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2368 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2904
CMD: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding
Path: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe
Parent process: svchost.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version: 26,0,0,131

PID: 1548
CMD: "C:\Users\admin\Downloads\DTPro821-0709.exe"
Path: C:\Users\admin\Downloads\DTPro821-0709.exe
Parent process: iexplore.exe
User: admin
Company: Disc Soft Ltd
Integrity Level: MEDIUM
Description: DAEMON Tools Pro Setup
Exit code: 3221226540
Version: 8.2.1.0709.0

PID: 3260
CMD: "C:\Users\admin\Downloads\DTPro821-0709.exe"
Path: C:\Users\admin\Downloads\DTPro821-0709.exe
Parent process: iexplore.exe
User: admin
Company: Disc Soft Ltd
Integrity Level: HIGH
Description: DAEMON Tools Pro Setup
Exit code: 0
Version: 8.2.1.0709.0

PID: 3064
CMD: "C:\Program Files\DAEMON Tools Pro\DiscSoftBusServicePro.exe" /Service
Path: C:\Program Files\DAEMON Tools Pro\DiscSoftBusServicePro.exe
Parent process: DTPro821-0709.exe
User: admin
Company: Disc Soft Ltd
Integrity Level: HIGH
Description: Disc Soft Bus Service Pro
Exit code: 0
Version: 8.2.1.0709

PID: 2892
CMD: DrvInst.exe "4" "0" "C:\Users\admin\AppData\Local\Temp\{2fbbe234-38a2-01d7-cc29-ee29c2cca524}\dtproscsibus.inf" "0" "6ade3b53b" "000003F4" "WinSta0\Default" "000003B4" "208" "c:\program files\daemon tools pro"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 696
CMD: rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{1b4dd322-4feb-24a3-d44e-cc1df31ff40c} Global\{71f7fed3-80e5-22d5-f050-1f70209b2b7f} C:\Windows\System32\DriverStore\Temp\{1fd1da28-78b6-1f0c-ea5c-330949330420}\dtproscsibus.inf C:\Windows\System32\DriverStore\Temp\{1fd1da28-78b6-1f0c-ea5c-330949330420}\dtproscsibus.cat
Path: C:\Windows\system32\rundll32.exe
Parent process: DrvInst.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3564
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\system32\vssvc.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft® Volume Shadow Copy Service
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3452
CMD: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000005E4" "000005E0"
Path: C:\Windows\system32\DrvInst.exe
Parent process: svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Driver Installation Module
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 4 699
Read events: 3 779
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 85
Suspicious files: 26
Text files: 318
Unknown types: 27

Dropped files

PID: 2368
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
Type:
MD5:
SHA256:

PID: 2368
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Type:
MD5:
SHA256:

PID: 2632
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
Type: dat
MD5: 616B117B1D150D3F7BCF42DF3FD7C40C
SHA256: 7441000F9541E9A65867AA6A1DD99627DD1CA4EA7EC9460F0FA568E8A8284F00

PID: 872
Process: svchost.exe
Filename: C:\Windows\appcompat\programs\RecentFileCache.bcf
Type: txt
MD5: 27BFFD90E081DEE316ABE45AFDD62629
SHA256: AD9A31DB4A3C7D160B4770098DC531F65AC55B101BD5C987FC132A09BCE51C7F

PID: 2632
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
Type: dat
MD5: 818280F91C3C301614872D1689D7BBAC
SHA256: 8DC65BE5DCF1ABCB1A726CA6F13D6580FFE25367CC479BA864099FAA07C1A212

PID: 2632
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WF4ZZKUH\download[1].txt
Type:
MD5:
SHA256:

PID: 2632
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT
Type: smt
MD5: 66D20D9CF2322C4B662EA6E754325CD7
SHA256: D6A4C1DF6554CDC6D56F1D92FD09F3D7991E3620151F00DB51D55C8EE260C3CC

PID: 2632
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WF4ZZKUH\desktop.ini
Type: ini
MD5: 4A3DEB274BB5F0212C2419D3D8D08612
SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38

PID: 2632
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OB1IF56X\desktop.ini
Type: ini
MD5: 4A3DEB274BB5F0212C2419D3D8D08612
SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38

PID: 2632
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JVCO06AF\bullet[1]
Type: image
MD5: 0C4C086DD852704E8EEB8FF83E3B73D1
SHA256: 1CB3B6EA56C5B5DECF5E1D487AD51DBB2F62E6A6C78F23C1C81FDA1B64F8DB16
HTTP(S) requests: 11
TCP/UDP connections: 23
DNS requests: 16
Threats: 0

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 2632 | iexplore.exe | GET | 410 | 217.150.241.164:80 | http://mirror42.mountspace.com/getfile.php?p=http://eu-uk7.disk-tools.com/1d6b94c7bb2b89ea2601a5362fd43072/DTLite10100-0797.exe | CH | | | suspicious |
| 2632 | iexplore.exe | GET | 302 | 212.38.168.6:80 | http://eu-uk7.disk-tools.com/1d6b94c7bb2b89ea2601a5362fd43072/DTLite10100-0797.exe | GB | | | unknown |
| 2632 | iexplore.exe | GET | 200 | 109.169.28.157:80 | http://mirror31.daemon-tools.cc/getfile.php?p=http://eu-uk7.disk-tools.com/1c5d1c8b0868be7bad06c9eae52bf08c/DTPro821-0709.exe | GB | executable | 31.4 Mb | suspicious |
| 2548 | DTPro.exe | POST | 200 | 94.242.254.192:80 | http://depot.mountspace.com/ | LU | binary | 256 b | suspicious |
| 1180 | sidebar.exe | GET | 200 | 91.199.212.52:80 | http://crt.comodoca.com/COMODORSAAddTrustCA.crt | GB | der | 1.37 Kb | whitelisted |
| 3260 | DTPro821-0709.exe | GET | 200 | 216.58.210.14:80 | http://www.google-analytics.com/collect?v=1&tid=UA-56351243-1&cid=12C38DD4-6B25-4938-A406-0CE7C1EFA0CC&ul=en-US&av=8.2&t=event&an=DTPro&ec=Installer&ea=Started&el=new | US | image | 35 b | whitelisted |
| 2548 | DTPro.exe | GET | 301 | 212.117.184.51:80 | http://gamespace.daemon-tools.cc/widget/build/2.40/2.40_eng.zip | LU | html | 185 b | unknown |
| 2632 | iexplore.exe | GET | 301 | 212.38.168.6:80 | http://eu-uk7.disk-tools.com/ | GB | html | 185 b | unknown |
| 2632 | iexplore.exe | GET | 302 | 212.38.168.6:80 | http://eu-uk7.disk-tools.com/request?p=1c5d1c8b0868be7bad06c9eae52bf08c/DTPro821-0709.exe | GB | html | 185 b | unknown |
| 2368 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 2632 | iexplore.exe | 172.217.18.104:443 | ssl.google-analytics.com | Google Inc. | US | suspicious |
| 2368 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
| 2368 | iexplore.exe | 212.38.168.6:443 | eu-uk7.disk-tools.com | iomart Cloud Services Limited. | GB | unknown |
| 2632 | iexplore.exe | 172.217.21.226:443 | adservice.google.ch | Google Inc. | US | whitelisted |
| 2632 | iexplore.exe | 104.19.196.151:443 | cdnjs.cloudflare.com | Cloudflare Inc | US | shared |
| 3260 | DTPro821-0709.exe | 216.58.210.14:80 | www.google-analytics.com | Google Inc. | US | whitelisted |
| 2632 | iexplore.exe | 212.38.168.7:443 | img.disk-tools.com | iomart Cloud Services Limited. | GB | unknown |
| 2632 | iexplore.exe | 212.38.168.6:80 | eu-uk7.disk-tools.com | iomart Cloud Services Limited. | GB | unknown |
| 1180 | sidebar.exe | 91.199.212.52:80 | crt.comodoca.com | Comodo CA Ltd | GB | suspicious |
| 2632 | iexplore.exe | 212.38.168.6:443 | eu-uk7.disk-tools.com | iomart Cloud Services Limited. | GB | unknown |

DNS requests

| Domain | IP | Reputation |
|---|---|---|
| www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted |
| mirror42.mountspace.com | 217.150.241.164 | suspicious |
| eu-uk7.disk-tools.com | 212.38.168.6 | unknown |
| www.disk-tools.com | 212.38.168.6 | unknown |
| cdnjs.cloudflare.com | 104.19.196.151, 104.19.198.151, 104.19.199.151, 104.19.197.151, 104.19.195.151 | whitelisted |
| img.disk-tools.com | 212.38.168.7 | unknown |
| pagead2.googlesyndication.com | 172.217.22.2 | whitelisted |
| ssl.google-analytics.com | 172.217.18.104 | whitelisted |
| adservice.google.com | 172.217.18.2 | whitelisted |
| adservice.google.ch | 172.217.21.226 | whitelisted |

Threats

| PID | Process | Class | Message |
|---|---|---|---|
| 2632 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
| 2632 | iexplore.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
| 2632 | iexplore.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
No debug info