analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://kcsoftwares.com/files/sumo_lite.exe

Full analysis: https://app.any.run/tasks/ac669099-616c-4ca1-9aad-30d324019ea6
Verdict: Malicious activity
Analysis date: January 17, 2019, 21:00:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MD5:

E1A24CFD2C6FAB2DA60783D4841DF3A3

SHA1:

5E6276931D369BE311B13649494F6FBDA2787C6E

SHA256:

6A099BE79F603AACCD849B6C8600042529A36B1B2BFA277C2A0CAC3E55ADD182

SSDEEP:

3:N8DWY0EXGU0KYhAC:2KY0EWqC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Changes settings of System certificates

      • explorer.exe (PID: 2028)

    • Application was dropped or rewritten from another process

      • sumo_lite.exe (PID: 2784)
      • sumo_lite.exe (PID: 3432)
      • SUMo.exe (PID: 2404)

    • Loads dropped or rewritten executable

      • SUMo.exe (PID: 2404)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 2992)
      • sumo_lite.exe (PID: 2784)
      • sumo_lite.exe (PID: 3432)
      • sumo_lite.tmp (PID: 4064)

    • Creates files in the user directory

      • sumo_lite.tmp (PID: 4064)
      • SUMo.exe (PID: 2404)

    • Starts Internet Explorer

      • sumo_lite.tmp (PID: 4064)
      • SUMo.exe (PID: 2404)

    • Reads Internet Cache Settings

      • explorer.exe (PID: 2028)

    • Creates files in the program directory

      • SUMo.exe (PID: 2404)
      • iexplore.exe (PID: 3488)

  • INFO

    • Reads CPU info

      • firefox.exe (PID: 2992)
      • firefox.exe (PID: 3540)
      • firefox.exe (PID: 2652)
      • firefox.exe (PID: 3544)

    • Application launched itself

      • firefox.exe (PID: 2992)
      • iexplore.exe (PID: 2416)
      • iexplore.exe (PID: 2820)

    • Creates files in the user directory

      • firefox.exe (PID: 2992)
      • iexplore.exe (PID: 3488)
      • iexplore.exe (PID: 3000)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 1476)

    • Application was dropped or rewritten from another process

      • sumo_lite.tmp (PID: 2272)
      • sumo_lite.tmp (PID: 4064)

    • Reads settings of System Certificates

      • firefox.exe (PID: 2992)
      • explorer.exe (PID: 2028)

    • Loads dropped or rewritten executable

      • sumo_lite.tmp (PID: 4064)

    • Creates files in the program directory

      • sumo_lite.tmp (PID: 4064)

    • Creates a software uninstall entry

      • sumo_lite.tmp (PID: 4064)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3488)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2416)
      • iexplore.exe (PID: 3488)
      • iexplore.exe (PID: 3000)

    • Changes internet zones settings

      • iexplore.exe (PID: 2416)
      • iexplore.exe (PID: 2820)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3488)
      • iexplore.exe (PID: 3000)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3488)

    • Dropped object may contain Bitcoin addresses

      • firefox.exe (PID: 2992)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
15
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start firefox.exe firefox.exe firefox.exe firefox.exe explorer.exe sumo_lite.exe sumo_lite.tmp no specs sumo_lite.exe sumo_lite.tmp iexplore.exe iexplore.exe sumo.exe iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2992"C:\Program Files\Mozilla Firefox\firefox.exe" https://kcsoftwares.com/files/sumo_lite.exeC:\Program Files\Mozilla Firefox\firefox.exe
explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
61.0.2
2652"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2992.0.980185700\1912493366" -childID 1 -isForBrowser -prefsHandle 700 -prefsLen 8310 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2992 "\\.\pipe\gecko-crash-server-pipe.2992" 1464 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
61.0.2
3540"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2992.6.915471901\70391030" -childID 2 -isForBrowser -prefsHandle 2552 -prefsLen 11442 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2992 "\\.\pipe\gecko-crash-server-pipe.2992" 2564 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
61.0.2
3544"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2992.12.969738700\1297441576" -childID 3 -isForBrowser -prefsHandle 2192 -prefsLen 12017 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2992 "\\.\pipe\gecko-crash-server-pipe.2992" 3488 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
61.0.2
2028C:\Windows\Explorer.EXEC:\Windows\explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2784"C:\Users\admin\Downloads\sumo_lite.exe" C:\Users\admin\Downloads\sumo_lite.exe
explorer.exe
User:
admin
Company:
KC Softwares
Integrity Level:
MEDIUM
Description:
KC Softwares SUMo Setup
Exit code:
0
Version:
5.8.11.414
2272"C:\Users\admin\AppData\Local\Temp\is-E8QN6.tmp\sumo_lite.tmp" /SL5="$40132,2106972,163328,C:\Users\admin\Downloads\sumo_lite.exe" C:\Users\admin\AppData\Local\Temp\is-E8QN6.tmp\sumo_lite.tmpsumo_lite.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.52.0.0
3432"C:\Users\admin\Downloads\sumo_lite.exe" /SPAWNWND=$301F8 /NOTIFYWND=$40132 C:\Users\admin\Downloads\sumo_lite.exe
sumo_lite.tmp
User:
admin
Company:
KC Softwares
Integrity Level:
HIGH
Description:
KC Softwares SUMo Setup
Exit code:
0
Version:
5.8.11.414
4064"C:\Users\admin\AppData\Local\Temp\is-ST8B0.tmp\sumo_lite.tmp" /SL5="$401F6,2106972,163328,C:\Users\admin\Downloads\sumo_lite.exe" /SPAWNWND=$301F8 /NOTIFYWND=$40132 C:\Users\admin\AppData\Local\Temp\is-ST8B0.tmp\sumo_lite.tmp
sumo_lite.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.52.0.0
2416"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
sumo_lite.tmp
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
4 821
Read events
4 402
Write events
0
Delete events
0

Modification events

No data
Executable files
10
Suspicious files
114
Text files
127
Unknown types
47

Dropped files

PID
Process
Filename
Type
2992firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
MD5:
SHA256:
2992firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
2992firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
2992firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
MD5:
SHA256:
2992firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db-journal
MD5:
SHA256:
2992firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
MD5:
SHA256:
2992firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.binbinary
MD5:707C12070C52E55C2A996AC15E219B95
SHA256:6C5410C655C8EFC48D123ABE708C8940A4218072C0DAF85E03AB45DA6D2CE6B9
2992firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flashsubdoc-digest256.sbstorebinary
MD5:04824A1F92353F43EBB9E7F74B7476FD
SHA256:B48E58EBAB82E4C376F16150A3FFF850C1111FF1F5985D68819CFD6F0DB159D2
2992firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.jstext
MD5:3E512FCCEF24E016F109DD550405239D
SHA256:126A277F3A923B1D8F30360450E24ED3F6F464948341E86E4E76FA821EB6C92B
2992firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.dbsqlite
MD5:AC0468E050C54BE44A871AD97EECDF42
SHA256:BDE80EFC2E2FF5846450B7859D13959B50100B7EBC1EDD9D5B21FFE50D4EE62A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
50
TCP/UDP connections
63
DNS requests
63
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2992
firefox.exe
POST
200
172.217.22.14:80
http://ocsp.pki.goog/GTSGIAG3
US
der
463 b
whitelisted
2992
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3488
iexplore.exe
GET
404
173.194.76.82:80
http://html5shim.googlecode.com/svn/trunk/html5.js
US
html
1.54 Kb
whitelisted
2992
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2028
explorer.exe
GET
200
91.199.212.52:80
http://crt.comodoca.com/COMODORSAAddTrustCA.crt
GB
der
1.37 Kb
whitelisted
3000
iexplore.exe
GET
200
213.186.33.69:80
http://www.kcsoftwares.com/images/kclogo.png
FR
image
1.15 Kb
malicious
2992
firefox.exe
POST
200
2.21.242.204:80
http://ocsp.int-x3.letsencrypt.org/
NL
der
527 b
whitelisted
3000
iexplore.exe
GET
200
213.186.33.69:80
http://www.kcsoftwares.com/assets/js/jquery.js
FR
text
32.5 Kb
malicious
2992
firefox.exe
POST
200
2.21.242.204:80
http://ocsp.int-x3.letsencrypt.org/
NL
der
527 b
whitelisted
2992
firefox.exe
GET
200
2.16.186.50:80
http://detectportal.firefox.com/success.txt
unknown
text
8 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2992
firefox.exe
172.217.23.174:443
sb-ssl.google.com
Google Inc.
US
whitelisted
2992
firefox.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2992
firefox.exe
2.16.186.50:80
detectportal.firefox.com
Akamai International B.V.
whitelisted
2028
explorer.exe
91.199.212.52:80
crt.comodoca.com
Comodo CA Ltd
GB
suspicious
2992
firefox.exe
172.217.22.14:80
ocsp.pki.goog
Google Inc.
US
whitelisted
2992
firefox.exe
52.41.60.30:443
tiles.services.mozilla.com
Amazon.com, Inc.
US
unknown
3488
iexplore.exe
104.19.199.151:443
cdnjs.cloudflare.com
Cloudflare Inc
US
shared
2992
firefox.exe
52.27.184.151:443
search.r53-2.services.mozilla.com
Amazon.com, Inc.
US
unknown
2992
firefox.exe
172.217.22.10:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
2416
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
kcsoftwares.com
  • 213.186.33.69
whitelisted
detectportal.firefox.com
  • 2.16.186.50
  • 2.16.186.112
whitelisted
a1089.dscd.akamai.net
  • 2.16.186.112
  • 2.16.186.50
whitelisted
search.r53-2.services.mozilla.com
  • 52.89.32.107
  • 34.216.89.123
  • 52.27.184.151
whitelisted
search.services.mozilla.com
  • 52.27.184.151
  • 34.216.89.123
  • 52.89.32.107
whitelisted
ocsp.int-x3.letsencrypt.org
  • 2.21.242.204
  • 2.21.242.245
whitelisted
a771.dscq.akamai.net
  • 2.21.242.245
  • 2.21.242.204
whitelisted
tiles.services.mozilla.com
  • 52.41.60.30
  • 52.43.40.243
  • 34.208.7.98
  • 52.40.109.206
  • 52.41.78.152
  • 34.209.108.219
  • 54.187.46.234
  • 54.218.239.186
whitelisted
tiles.r53-2.services.mozilla.com
  • 54.218.239.186
  • 54.187.46.234
  • 34.209.108.219
  • 52.41.78.152
  • 52.40.109.206
  • 34.208.7.98
  • 52.43.40.243
  • 52.41.60.30
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://kcsoftwares.com/files/sumo_lite.exe