| download: | msc.exe |
| Full analysis: | https://app.any.run/tasks/2ef04e58-bf11-45a7-a6f4-b3d35f7fbdca |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | April 15, 2019, 01:38:28 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | 6E29D31DF34039682CC74D6667281077 |
| SHA1: | 8754B67952B2B7867195CC83DE08783E31C0B632 |
| SHA256: | 8C275B3D4F5A1F30D54AE7370F24F3D7CB0569AA0260B96DA5018A58AA490F37 |
| SSDEEP: | 24576:nnzABXFT5Nkp28OTkjPz+ynIAtuf+zsQ5jhozX3XSQ54Gli7vateD1Ax:nzukUZwb+ynttuf+zsAoB4ai7vUepA |
MALICIOUS
Loads dropped or rewritten executable
- java.exe (PID: 2780)
- java.exe (PID: 588)
- java.exe (PID: 2468)
- java.exe (PID: 2664)
- java.exe (PID: 2176)
- java.exe (PID: 2488)
Application was dropped or rewritten from another process
- MakeLink.exe (PID: 3516)
- runfile.exe (PID: 3044)
- msclientpe.exe (PID: 1256)
- myconnectionpc[1].exe (PID: 2352)
- MakeLink.exe (PID: 2256)
- msclientae.exe (PID: 3368)
- runfile.exe (PID: 880)
Downloads executable files from the Internet
- iexplore.exe (PID: 2328)
SUSPICIOUS
Executable content was dropped or overwritten
- java.exe (PID: 2780)
- java.exe (PID: 2616)
- java.exe (PID: 2312)
- iexplore.exe (PID: 2328)
- java.exe (PID: 2664)
- java.exe (PID: 280)
- java.exe (PID: 3648)
Creates files in the program directory
- java.exe (PID: 2780)
- MakeLink.exe (PID: 3516)
- MakeLink.exe (PID: 2256)
- java.exe (PID: 2664)
Creates a software uninstall entry
- java.exe (PID: 2780)
- java.exe (PID: 2664)
Starts Internet Explorer
- java.exe (PID: 2468)
Uses IPCONFIG.EXE to discover IP address
- java.exe (PID: 2488)
INFO
Reads internet explorer settings
- iexplore.exe (PID: 2328)
Application launched itself
- iexplore.exe (PID: 2940)
Creates files in the user directory
- iexplore.exe (PID: 2328)
Reads Internet Cache Settings
- iexplore.exe (PID: 2328)
Changes internet zones settings
- iexplore.exe (PID: 2940)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable MS Visual C++ (generic) (67.4) |
|---|---|---|
| .dll | | | Win32 Dynamic Link Library (generic) (14.2) |
| .exe | | | Win32 Executable (generic) (9.7) |
| .exe | | | Generic Win/DOS Executable (4.3) |
| .exe | | | DOS Executable Generic (4.3) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2005:12:19 19:55:35+01:00 |
| PEType: | PE32 |
| LinkerVersion: | 6 |
| CodeSize: | 6656 |
| InitializedDataSize: | 5632 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x26c8 |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
Summary
| Architecture: | IMAGE_FILE_MACHINE_I386 |
|---|---|
| Subsystem: | IMAGE_SUBSYSTEM_WINDOWS_GUI |
| Compilation Date: | 19-Dec-2005 18:55:35 |
| Detected languages: |
|
DOS Header
| Magic number: | MZ |
|---|---|
| Bytes on last page of file: | 0x0090 |
| Pages in file: | 0x0003 |
| Relocations: | 0x0000 |
| Size of header: | 0x0004 |
| Min extra paragraphs: | 0x0000 |
| Max extra paragraphs: | 0xFFFF |
| Initial SS value: | 0x0000 |
| Initial SP value: | 0x00B8 |
| Checksum: | 0x0000 |
| Initial IP value: | 0x0000 |
| Initial CS value: | 0x0000 |
| Overlay number: | 0x0000 |
| OEM identifier: | 0x0000 |
| OEM information: | 0x0000 |
| Address of NE header: | 0x000000D8 |
PE Headers
| Signature: | PE |
|---|---|
| Machine: | IMAGE_FILE_MACHINE_I386 |
| Number of sections: | 4 |
| Time date stamp: | 19-Dec-2005 18:55:35 |
| Pointer to Symbol Table: | 0x00000000 |
| Number of symbols: | 0 |
| Size of Optional Header: | 0x00E0 |
| Characteristics: |
|
Sections
Name | Virtual Address | Virtual Size | Raw Size | Charateristics | Entropy |
|---|---|---|---|---|---|
.text | 0x00001000 | 0x0000185C | 0x00001A00 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 5.99769 |
.rdata | 0x00003000 | 0x0000062A | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.11709 |
.data | 0x00004000 | 0x000005A4 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 4.36038 |
.rsrc | 0x00005000 | 0x00000608 | 0x00000800 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 4.97556 |
Resources
Title | Entropy | Size | Codepage | Language | Type |
|---|---|---|---|---|---|
1 | 4.81202 | 546 | Latin 1 / Western European | English - United States | RT_MANIFEST |
234 | 2.16096 | 20 | Latin 1 / Western European | English - United States | RT_GROUP_ICON |
Imports
ADVAPI32.dll |
KERNEL32.dll |
MSVCRT.dll |
SHELL32.dll |
USER32.dll |
Total processes
60
Monitored processes
22
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 280 | java -mx256m jexepackboot E "C:\Program Files\MyConnection PC\runfile.exe" "C:\Users\admin\AppData\Local\Temp\X44E370" "/install" | C:\ProgramData\Oracle\Java\javapath\java.exe | runfile.exe | ||||||||||||
User: admin Company: Oracle Corporation Integrity Level: HIGH Description: Java(TM) Platform SE binary Exit code: 12345 Version: 8.0.920.14 Modules
| |||||||||||||||
| 352 | "C:\Users\admin\AppData\Local\Temp\msc.exe" | C:\Users\admin\AppData\Local\Temp\msc.exe | explorer.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 1 Modules
| |||||||||||||||
| 588 | java -mx256m jexepackboot R "C:\Program Files\MyConnection PC Lite Edition\runfile.exe" "C:\Users\admin\AppData\Local\Temp\X438BE4" "/install" | C:\ProgramData\Oracle\Java\javapath\java.exe | — | runfile.exe | |||||||||||
User: admin Company: Oracle Corporation Integrity Level: HIGH Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 Modules
| |||||||||||||||
| 880 | "C:\Program Files\MyConnection PC\runfile.exe" -Q* /install | C:\Program Files\MyConnection PC\runfile.exe | — | java.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 1256 | "C:\Program Files\MyConnection PC Lite Edition\msclientpe.exe" | C:\Program Files\MyConnection PC Lite Edition\msclientpe.exe | — | java.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2176 | java -mx256m jexepackboot R "C:\Program Files\MyConnection PC\runfile.exe" "C:\Users\admin\AppData\Local\Temp\X44E370" "/install" | C:\ProgramData\Oracle\Java\javapath\java.exe | — | runfile.exe | |||||||||||
User: admin Company: Oracle Corporation Integrity Level: HIGH Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.920.14 Modules
| |||||||||||||||
| 2256 | "C:\Users\admin\AppData\Local\Temp\X449930\MakeLink" C:\Users\admin\AppData\Local\Temp\X449930\makelinks.txt | C:\Users\admin\AppData\Local\Temp\X449930\MakeLink.exe | — | java.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2312 | java -mx256m jexepackboot E "C:\Program Files\MyConnection PC Lite Edition\msclientpe.exe" "C:\Users\admin\AppData\Local\Temp\X4394E8" | C:\ProgramData\Oracle\Java\javapath\java.exe | msclientpe.exe | ||||||||||||
User: admin Company: Oracle Corporation Integrity Level: HIGH Description: Java(TM) Platform SE binary Exit code: 12345 Version: 8.0.920.14 Modules
| |||||||||||||||
| 2328 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2940 CREDAT:79873 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2352 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\myconnectionpc[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\myconnectionpc[1].exe | — | iexplore.exe | |||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
Total events
1 219
Read events
1 130
Write events
88
Delete events
1
Modification events
| (PID) Process: | (2780) java.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication |
| Operation: | write | Name: | Name |
Value: java.exe | |||
| (PID) Process: | (2780) java.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msclientpe.exe |
| Operation: | write | Name: | |
Value: C:\Program Files\MyConnection PC Lite Edition\msclientpe.exe | |||
| (PID) Process: | (2780) java.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msclientpe.exe |
| Operation: | write | Name: | Path |
Value: C:\Program Files\MyConnection PC Lite Edition | |||
| (PID) Process: | (2780) java.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyConnection PC Lite Edition |
| Operation: | write | Name: | DisplayName |
Value: MyConnection PC Lite Edition | |||
| (PID) Process: | (2780) java.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MyConnection PC Lite Edition |
| Operation: | write | Name: | UninstallString |
Value: "C:\Program Files\MyConnection PC Lite Edition\Uninstall.exe" "C:\Program Files\MyConnection PC Lite Edition" | |||
| (PID) Process: | (588) java.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (588) java.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (2468) java.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Direct3D\MostRecentApplication |
| Operation: | write | Name: | Name |
Value: java.exe | |||
| (PID) Process: | (2940) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (2940) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
Executable files
21
Suspicious files
7
Text files
236
Unknown types
25
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2780 | java.exe | C:\Users\admin\AppData\Local\Temp\X433160\install.ini | text | |
MD5:— | SHA256:— | |||
| 2780 | java.exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | text | |
MD5:— | SHA256:— | |||
| 352 | msc.exe | C:\Users\admin\AppData\Local\Temp\X433160\jexepackboot.class | class | |
MD5:EEC36E37CEA2A02ED0AD4D29F4402293 | SHA256:5189CD87E4D46DAB11E7E204BDE8ADAF9226346C7428085FE182A380764A882E | |||
| 2780 | java.exe | C:\Users\admin\AppData\Local\Temp\X433160\src\images\appspeed.png | image | |
MD5:— | SHA256:— | |||
| 2780 | java.exe | C:\Users\admin\AppData\Local\Temp\X433160\packlist.txt | text | |
MD5:— | SHA256:— | |||
| 2780 | java.exe | C:\Users\admin\AppData\Local\Temp\X433160\src\images\boxbplus.gif | image | |
MD5:— | SHA256:— | |||
| 2780 | java.exe | C:\Users\admin\AppData\Local\Temp\X433160\src\images\box.gif | image | |
MD5:— | SHA256:— | |||
| 2780 | java.exe | C:\Users\admin\AppData\Local\Temp\X433160\src\images\boxadv.gif | image | |
MD5:— | SHA256:— | |||
| 2780 | java.exe | C:\Users\admin\AppData\Local\Temp\X433160\src\images\bighelp.png | image | |
MD5:— | SHA256:— | |||
| 2780 | java.exe | C:\Users\admin\AppData\Local\Temp\X433160\src\images\boxbus.gif | image | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
15
DNS requests
10
Threats
1
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2328 | iexplore.exe | GET | 200 | 38.100.141.76:80 | http://www.myconnectionpc.com/gcss/styles_mcs2.css | US | text | 8.55 Kb | suspicious |
2328 | iexplore.exe | GET | 200 | 38.100.141.76:80 | http://www.myconnectionpc.com/liteexpired.html | US | html | 7.05 Kb | suspicious |
2328 | iexplore.exe | GET | 200 | 38.100.141.76:80 | http://www.myconnectionpc.com/gcss/js/cr.js | US | text | 161 b | suspicious |
2328 | iexplore.exe | GET | 200 | 38.100.141.76:80 | http://www.myconnectionpc.com/js/quicklinks.js | US | html | 14.3 Kb | suspicious |
2328 | iexplore.exe | GET | 200 | 38.100.141.76:80 | http://www.myconnectionpc.com/images/test/pagebg.gif | US | image | 1.22 Kb | suspicious |
2328 | iexplore.exe | GET | 200 | 38.100.141.76:80 | http://www.myconnectionpc.com/gimages/logo.gif | US | image | 6.62 Kb | suspicious |
2328 | iexplore.exe | GET | 200 | 38.100.141.76:80 | http://www.myconnectionpc.com/images/titlebg/mainbg.png | US | image | 2.32 Kb | suspicious |
2328 | iexplore.exe | GET | 200 | 38.100.141.76:80 | http://www.myconnectionpc.com/images/openquotes.png | US | image | 1.51 Kb | suspicious |
2328 | iexplore.exe | GET | 200 | 38.100.141.76:80 | http://www.myconnectionpc.com/images/mainpageimage.png | US | image | 21.3 Kb | suspicious |
2328 | iexplore.exe | GET | 200 | 38.100.141.76:80 | http://www.myconnectionpc.com/gimages/newimages/bottombar.gif | US | image | 4.90 Kb | suspicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2940 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2328 | iexplore.exe | 38.100.141.76:80 | www.myconnectionpc.com | Cogent Communications | US | suspicious |
2328 | iexplore.exe | 38.100.141.80:80 | dresdemo.visualware.com | Cogent Communications | US | malicious |
2328 | iexplore.exe | 38.96.140.83:80 | download.visualware.com | Cogent Communications | US | suspicious |
2488 | java.exe | 38.100.141.80:80 | dresdemo.visualware.com | Cogent Communications | US | malicious |
2488 | java.exe | 38.100.141.110:80 | update.visualware.com | Cogent Communications | US | suspicious |
2488 | java.exe | 38.100.141.75:80 | secure.visualware.com | Cogent Communications | US | unknown |
2328 | iexplore.exe | 52.216.138.251:80 | twitter-badges.s3.amazonaws.com | Amazon.com, Inc. | US | shared |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.myconnectionpc.com |
| suspicious |
www.bing.com |
| whitelisted |
twitter-badges.s3.amazonaws.com |
| shared |
dresdemo.visualware.com |
| malicious |
www.visualware.com |
| malicious |
download.visualware.com |
| suspicious |
www.myspeed.com |
| malicious |
update.visualware.com |
| suspicious |
secure.visualware.com |
| suspicious |
sUMQVzV3NqeAnt2gsW41Ev4JvY2wEKYgR3CmUixFRzp.1S9MpZEXVPUdUsu613LyHwqUQtNBA3eUvbgB1uIffpU.kD2OPMuYYDtk1YsD2VhSG5MK5QZYK3RJ71i9TXThunA.LiveUpdate.crm.visualware.com |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2328 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |