File name: HskDDNS_5.0.0.21724.zip
Full analysis: https://app.any.run/tasks/113a8283-cab8-4c4f-b925-ee7607937b84
Verdict: Malicious activity
Analysis date: November 16, 2019, 08:31:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: D1E6C3AF5BD8263A1E11158EF5BB54AF
SHA1: 206E651011F98CAF3E50B2B16E9957CC3F687D19
SHA256: 7616A7BA2639294D832CEDE343ED8381B87083BE4F1CADF3E66B025E59AD5E88
SSDEEP: 98304:8OcA3BPQXFvr1GT7GfhIGIR9BSiD0q2n1olG3bXX9YepmOj7Ar+qsHwl:8O5B4Z1GT7KqdVDR43b2XOj7waQl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • HskDDNS_5.0.0.21724.exe (PID: 3704)
      • HskDDNS_5.0.0.21724.exe (PID: 2456)
      • HskDDNSMaint.exe (PID: 1324)
      • phtunnel.exe (PID: 1524)
      • HskDDNS.exe (PID: 956)
      • HskDDNS.exe (PID: 2040)
    • Changes the autorun value in the registry

      • HskDDNS_5.0.0.21724.exe (PID: 2456)
      • HskDDNS.exe (PID: 956)
    • Loads dropped or rewritten executable

      • HskDDNSMaint.exe (PID: 1324)
      • WerFault.exe (PID: 4008)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2304)
      • HskDDNS_5.0.0.21724.exe (PID: 2456)
    • Application launched itself

      • HskDDNS_5.0.0.21724.exe (PID: 3704)
    • Creates files in the program directory

      • HskDDNS_5.0.0.21724.exe (PID: 2456)
      • phtunnel.exe (PID: 1524)
      • HskDDNS.exe (PID: 956)
      • WerFault.exe (PID: 4008)
    • Executed as Windows Service

      • phtunnel.exe (PID: 1524)
    • Creates a software uninstall entry

      • HskDDNS_5.0.0.21724.exe (PID: 2456)
    • Creates files in the Windows directory

      • phtunnel.exe (PID: 1524)
      • HskDDNS.exe (PID: 2040)
      • WerFault.exe (PID: 4008)
    • Connects to unusual port

      • phtunnel.exe (PID: 1524)
    • Starts itself from another location

      • HskDDNS_5.0.0.21724.exe (PID: 2456)
    • Starts Internet Explorer

      • HskDDNS.exe (PID: 956)
      • rundll32.exe (PID: 2648)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 3824)
    • Uses RUNDLL32.EXE to load library

      • chrome.exe (PID: 3824)
    • Executed via COM

      • DllHost.exe (PID: 2276)
    • Removes files from Windows directory

      • WerFault.exe (PID: 4008)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 4080)
      • iexplore.exe (PID: 1756)
    • Creates files in the user directory

      • iexplore.exe (PID: 1608)
      • iexplore.exe (PID: 2404)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1608)
      • chrome.exe (PID: 3824)
      • iexplore.exe (PID: 1756)
      • iexplore.exe (PID: 2404)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1608)
      • iexplore.exe (PID: 2404)
    • Manual execution by user

      • chrome.exe (PID: 3824)
      • rundll32.exe (PID: 2580)
      • explorer.exe (PID: 1940)
    • Reads the hosts file

      • chrome.exe (PID: 2748)
      • chrome.exe (PID: 3824)
    • Reads settings of System Certificates

      • chrome.exe (PID: 2748)
      • iexplore.exe (PID: 1756)
    • Application launched itself

      • chrome.exe (PID: 3824)
      • iexplore.exe (PID: 1756)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 2404)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1756)
    • Changes settings of System certificates

      • iexplore.exe (PID: 1756)
    • Application was crashed

      • HskDDNS.exe (PID: 2040)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: HskDDNS_5.0.0.21724.exe
ZipUncompressedSize: 6261616
ZipCompressedSize: 5717160
ZipCRC: 0x96b75a38
ZipModifyDate: 2019:11:16 14:35:17
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
All screenshots are available in the full report
Total processes: 94
Monitored processes: 46
Malicious processes: 7
Suspicious processes: 1

Behavior graph

(Interactive process graph not reproduced. Edge labels in the graph: "drop and start", "start". Nodes, in the order extracted: winrar.exe, hskddns_5.0.0.21724.exe (no specs), hskddns_5.0.0.21724.exe, phtunnel.exe, hskddnsmaint.exe, hskddns.exe, iexplore.exe, iexplore.exe, hskddns.exe, chrome.exe followed by a run of chrome.exe child processes (mostly "no specs"), rundll32.exe (no specs), iexplore.exe, iexplore.exe, explorer.exe (no specs), rundll32.exe (no specs), PhotoViewer.dll (no specs), werfault.exe (no specs).)

Process information

PID 2304
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\HskDDNS_5.0.0.21724.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID 3704
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2304.14422\HskDDNS_5.0.0.21724.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2304.14422\HskDDNS_5.0.0.21724.exe
Parent process: WinRAR.exe
User: admin
Company: 上海贝锐信息科技股份有限公司 (Shanghai Best Oray Information Technology Co., Ltd.)
Integrity Level: MEDIUM
Description: 花生壳程序 (Peanut Hull program)
Exit code: 0
Version: 5.0.0.21724

PID 2456
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa2304.14422\HskDDNS_5.0.0.21724.exe" "C:\Users\admin\AppData\Local\Temp\Rar$EXa2304.14422\HskDDNS_5.0.0.21724.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa2304.14422\HskDDNS_5.0.0.21724.exe
Parent process: HskDDNS_5.0.0.21724.exe
User: admin
Company: 上海贝锐信息科技股份有限公司 (Shanghai Best Oray Information Technology Co., Ltd.)
Integrity Level: HIGH
Description: 花生壳程序 (Peanut Hull program)
Exit code: 0
Version: 5.0.0.21724

PID 1524
CMD: "C:\Program Files\Oray\HskDDNS\phtunnel.exe" -S -v
Path: C:\Program Files\Oray\HskDDNS\phtunnel.exe
Parent process: services.exe
User: SYSTEM
Company: 上海贝锐信息科技股份有限公司 (Shanghai Best Oray Information Technology Co., Ltd.)
Integrity Level: SYSTEM
Description: 花生壳程序 (Peanut Hull program)
Version: 1.0.0.1

PID 1324
CMD: "C:\Program Files\Oray\HskDDNS\HskDDNSMaint.exe" 1524 0 HskService
Path: C:\Program Files\Oray\HskDDNS\HskDDNSMaint.exe
Parent process: phtunnel.exe
User: SYSTEM
Company: Shanghai Best Oray
Integrity Level: SYSTEM
Description: SunLogin Clients Maintainence Process
Version: 3, 5, 18, 18283

PID 956
CMD: "C:\Program Files\Oray\HskDDNS\HskDDNS.exe"
Path: C:\Program Files\Oray\HskDDNS\HskDDNS.exe
Parent process: HskDDNS_5.0.0.21724.exe
User: admin
Company: 上海贝锐信息科技股份有限公司 (Shanghai Best Oray Information Technology Co., Ltd.)
Integrity Level: HIGH
Description: 花生壳程序 (Peanut Hull program)
Version: 5.0.0.21724

PID 4080
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: HskDDNS.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 1608
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4080 CREDAT:79873
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2040
CMD: "C:\Program Files\Oray\HskDDNS\HskDDNS.exe" --mod=localscan -i 0 -w 185.92.25.20
Path: C:\Program Files\Oray\HskDDNS\HskDDNS.exe
Parent process: phtunnel.exe
User: SYSTEM
Company: 上海贝锐信息科技股份有限公司 (Shanghai Best Oray Information Technology Co., Ltd.)
Integrity Level: SYSTEM
Description: 花生壳程序 (Peanut Hull program)
Exit code: 255
Version: 5.0.0.21724

PID 3824
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 3221225547
Version: 75.0.3770.100
Total events: 3 364
Read events: 3 044
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 5
Suspicious files: 53
Text files: 341
Unknown types: 27

Dropped files

PID 2456, HskDDNS_5.0.0.21724.exe
Filename: C:\Users\Public\Desktop\花生壳.lnk (type: lnk)
MD5: CBC86E89D37A152A77420D6C91998031
SHA256: FB153EAAA71E7B1532642179AFD47F397C5315C60E8BD606DC568BFF94F7B49A

PID 1524, phtunnel.exe
Filename: C:\Program Files\Oray\HskDDNS\phtunnel.json (type: text)
MD5: 023C4497D3BAE7B3011417445C34D9E9
SHA256: 645F44A0F3C2316B739D3BCB31E036AB9DA871EE3B1A0C76B5E61274AD90F098

PID 2456, HskDDNS_5.0.0.21724.exe
Filename: C:\Program Files\Oray\HskDDNS\oraylog.dll (type: executable)
MD5: 79186064E2310681C28052F0BE5C4652
SHA256: A9612CC064B472BFA2CAC89CDF2C73B0F804BFA98A8DBCA767D2A329A205B20B

PID 1524, phtunnel.exe
Filename: C:\Windows\system32\config\systemprofile\phtunnel.pid (type: text)
MD5: 443D689EF45B90232F958F6D09EF3172
SHA256: 96E473C63085DBC5B19C20F7825A732F0DD61D40DAA87A36E8210F2A8AAFBBF0

PID 956, HskDDNS.exe
Filename: C:\Users\admin\AppData\Local\Temp\NetProj.48x48.png (type: image)
MD5: EB128548D171E158D55A9324EAC9ACBD
SHA256: 640BD10707A94C0983E78D96DFF49468B0D1C65D52FC7ED91DE6AC20C63BEE36

PID 956, HskDDNS.exe
Filename: C:\Users\admin\AppData\Local\Temp\calc.48x48.png (type: image)
MD5: F9A7FE118D73079F2DDD67E8CE65C95D
SHA256: 3560247B3C9785F803E73AB7F0D0FFA097C12E73003BD211A9B3ABEFEA0C3ECF

PID 2456, HskDDNS_5.0.0.21724.exe
Filename: C:\Program Files\Oray\HskDDNS\HskDDNSMaint.exe (type: executable)
MD5: 8BC19CC265C5732EBF2800E34EE6E905
SHA256: 9A66D29989DFD4E25306928EA63B3E9D371C3B252432832AEF7E0A8E3D697F4D

PID 2456, HskDDNS_5.0.0.21724.exe
Filename: C:\Program Files\Oray\HskDDNS\phtunnel.exe (type: executable)
MD5: DD8AC5044E2EB46508BFB106A755DD29
SHA256: 494FBE379FC15D6FB3CCCDEB1B634750C465F2ABDE30F95952D2D91E7F9BEF5D

PID 2456, HskDDNS_5.0.0.21724.exe
Filename: C:\ProgramData\HskDDNS\collectdata\equipment_id (type: text)
MD5: 4D28EA86AE6C2ACA83B5A4E7C2044DE2
SHA256: CC6BAA231B1484C90C753E9FA333A2756530EAAD881531DB4CBDB7BB1A2BD5C3

PID 2456, HskDDNS_5.0.0.21724.exe
Filename: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\花生壳\卸载花生壳.lnk (type: lnk)
MD5: D00F3795B4965097F8547B2D22A5F236
SHA256: F2BCB84C0023970B2CCE8099DE16C3C94C036C264657ED0A08787721C1F128DF
HTTP(S) requests: 12
TCP/UDP connections: 76
DNS requests: 40
Threats: 0

HTTP requests

PID 2748, chrome.exe
GET 200, 74.125.4.216:80
URL: http://r2---sn-aigzrney.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mip=185.92.25.20&mm=28&mn=sn-aigzrney&ms=nvh&mt=1573893262&mv=m&mvi=1&pl=24&shardbypass=yes
CN: US; Type: crx; Size: 293 Kb; Reputation: whitelisted

PID 2748, chrome.exe
GET 302, 216.58.207.46:80
URL: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx
CN: US; Type: html; Size: 508 b; Reputation: whitelisted

PID 2748, chrome.exe
GET 302, 216.58.207.46:80
URL: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
CN: US; Type: html; Size: 513 b; Reputation: whitelisted

PID 2404, iexplore.exe
GET 301, 2.16.186.27:80
URL: http://shell.windows.com/fileassoc/fileassoc.asp?Ext=apk
CN: unknown; Type/Size: not recorded; Reputation: whitelisted

PID 956, HskDDNS.exe
POST 200, 114.55.209.149:80
URL: http://ph-tk.oray.com/track
CN: CN; Type: text; Size: 50 b; Reputation: unknown

PID 2456, HskDDNS_5.0.0.21724.exe
POST 200, 114.55.209.149:80
URL: http://ph-tk.oray.com/track
CN: CN; Type: text; Size: 50 b; Reputation: unknown

PID 2456, HskDDNS_5.0.0.21724.exe
POST 200, 114.55.209.149:80
URL: http://ph-tk.oray.com/track
CN: CN; Type: text; Size: 50 b; Reputation: unknown

PID 2456, HskDDNS_5.0.0.21724.exe
GET 200, 222.73.7.11:80
URL: http://client.oray.net/feedback/install?isgreen=0&track=oray.com&r=1573893151&version=5.0.0.21724&key=c91ea8b1aa8ceed0a148c43c5345bb96&client=ddns
CN: CN; Type: text; Size: 7 b; Reputation: unknown

PID 2748, chrome.exe
GET 200, 47.246.43.206:80
URL: http://download.oray.com/peanuthull/android/peanuthull_2.5.apk
CN: US; Type: compressed; Size: 18.9 Mb; Reputation: malicious

PID 4080, iexplore.exe
GET 200, 204.79.197.200:80
URL: http://www.bing.com/favicon.ico
CN: US; Type: image; Size: 237 b; Reputation: whitelisted

Connections

PID 2456, HskDDNS_5.0.0.21724.exe
IP: 222.73.7.11:80; Domain: client.oray.net; ASN: China Telecom (Group); CN: CN; Reputation: unknown

PID 2456, HskDDNS_5.0.0.21724.exe
IP: 172.217.22.46:80; Domain: www.google-analytics.com; ASN: Google Inc.; CN: US; Reputation: whitelisted

PID 1524, phtunnel.exe
IP: 118.31.225.247:443; Domain: hsk-api.oray.com; ASN: Hangzhou Alibaba Advertising Co.,Ltd.; CN: CN; Reputation: unknown

PID 2456, HskDDNS_5.0.0.21724.exe
IP: 114.55.209.149:80; Domain: ph-tk.oray.com; ASN: Hangzhou Alibaba Advertising Co.,Ltd.; CN: CN; Reputation: unknown

PID 1524, phtunnel.exe
IP: 47.99.166.140:6061; Domain: phsle5-std01.oray.net; ASN: Hangzhou Alibaba Advertising Co.,Ltd.; CN: CN; Reputation: unknown

PID 956, HskDDNS.exe
IP: 118.31.225.247:443; Domain: hsk-api.oray.com; ASN: Hangzhou Alibaba Advertising Co.,Ltd.; CN: CN; Reputation: unknown

PID 4080, iexplore.exe
IP: 204.79.197.200:80; Domain: www.bing.com; ASN: Microsoft Corporation; CN: US; Reputation: whitelisted

PID 1608, iexplore.exe
IP: 223.4.222.86:443; Domain: hsk.oray.com; ASN: Hangzhou Alibaba Advertising Co.,Ltd.; CN: CN; Reputation: unknown

PID 1608, iexplore.exe
IP: 120.26.161.226:443; Domain: login.oray.com; ASN: Hangzhou Alibaba Advertising Co.,Ltd.; CN: CN; Reputation: unknown

PID 1608, iexplore.exe
IP: 47.246.2.230:443; Domain: cdn.orayimg.com; ASN: not recorded; CN: US; Reputation: malicious

DNS requests

ph-tk.oray.com: 114.55.209.149 (reputation: unknown)
client.oray.net: 222.73.7.11 (reputation: unknown)
hsk-api.oray.com: 118.31.225.247 (reputation: unknown)
phsle5-std01.oray.net: 47.99.166.140 (reputation: unknown)
www.google-analytics.com: 172.217.22.46 (reputation: whitelisted)
hsk.oray.com: 223.4.222.86 (reputation: suspicious)
www.bing.com: 204.79.197.200, 13.107.21.200 (reputation: whitelisted)
cdn.orayimg.com: 47.246.2.230, 47.246.2.232, 47.246.2.231, 47.246.2.225, 47.246.2.226, 47.246.2.228, 47.246.2.229, 47.246.2.227 (reputation: malicious)
console.oray.com: 121.40.142.26, 121.40.118.39, 115.29.163.170 (reputation: unknown)
static.orayimg.com: 47.246.2.227, 47.246.2.228, 47.246.2.229, 47.246.2.230, 47.246.2.231, 47.246.2.232, 47.246.2.225, 47.246.2.226 (reputation: malicious)

Threats

No threats detected
Process: Message

HskDDNSMaint.exe: load oraylog.dll
HskDDNSMaint.exe: CreateFileMapping oraylog file mapping ok,
HskDDNSMaint.exe: Global\764F2066-E3C5-4108-A748-B7D2D1003748C__PROGRA~1_Oray_HskDDNS_oraylog.dll.sd.share
HskDDNSMaint.exe: (message not captured)
HskDDNSMaint.exe: oraylog MapViewOfFile ok
HskDDNS.exe: 2019-11-16 08:32:42.158 - Info - [interface] now status is 4
HskDDNS.exe: [sª
HskDDNS.exe: [string "..."]:4547: attempt to index a nil value (global 'password_edit')
HskDDNS.exe: (message not captured)
HskDDNS.exe: lua::call() attempt to call global `on_init' (not a function)