URL: http://download3.portableapps.com/portableapps/PortableApps.comPlatform/

Full analysis: https://app.any.run/tasks/cb504b8e-cea2-42d6-b3b8-dabb1b604495
Verdict: Malicious activity
Analysis date: November 08, 2018, 10:08:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 3E1C0A7F38047316C89CC0AA38197E98
SHA1: 4F2110188161619E7AB2B3B166DD5D949525B527
SHA256: 9943D0B75EF46F6EE2F992764D4ADD0B4F80CB5781DE04A36EEA8C4A5C9AD844
SSDEEP: 3:N1KaKE4LgyKZlKUq4pB/Wy+M3n:CaNbQUdppeM3n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • PortableApps.com_Platform_Setup_15.0.2.exe (PID: 2908)
      • PortableAppsPlatform.exe (PID: 4024)
      • PortableAppsUpdater.exe (PID: 2340)
      • ns9525.tmp (PID: 1452)
      • nsEDFE.tmp (PID: 1244)
      • PortableAppsUpdater.exe (PID: 4072)
      • 7za.exe (PID: 2312)
      • 7za.exe (PID: 3028)
      • SudokuPortable_1.1.7.4_English.paf.exe (PID: 3576)
      • sudoku.exe (PID: 3396)
      • SudokuPortable.exe (PID: 608)
    • Loads dropped or rewritten executable

      • PortableApps.com_Platform_Setup_15.0.2.exe (PID: 2908)
      • PortableAppsUpdater.exe (PID: 2340)
      • PortableAppsUpdater.exe (PID: 4072)
      • SudokuPortable_1.1.7.4_English.paf.exe (PID: 3576)
      • SudokuPortable.exe (PID: 608)
    • Changes settings of System certificates

      • explorer.exe (PID: 1772)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3708)
      • iexplore.exe (PID: 3776)
      • PortableApps.com_Platform_Setup_15.0.2.exe (PID: 2908)
      • PortableAppsUpdater.exe (PID: 2340)
      • PortableAppsUpdater.exe (PID: 4072)
      • SudokuPortable_1.1.7.4_English.paf.exe (PID: 3576)
      • SudokuPortable.exe (PID: 608)
    • Creates files in the user directory

      • explorer.exe (PID: 1772)
      • PortableApps.com_Platform_Setup_15.0.2.exe (PID: 2908)
    • Starts Internet Explorer

      • explorer.exe (PID: 1772)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • PortableApps.com_Platform_Setup_15.0.2.exe (PID: 2908)
    • Reads Internet Cache Settings

      • explorer.exe (PID: 1772)
    • Starts application with an unusual extension

      • PortableAppsUpdater.exe (PID: 2340)
      • PortableAppsUpdater.exe (PID: 4072)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3708)
      • iexplore.exe (PID: 3084)
    • Application launched itself

      • iexplore.exe (PID: 3708)
      • iexplore.exe (PID: 3084)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3776)
      • iexplore.exe (PID: 2636)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3776)
      • iexplore.exe (PID: 3708)
      • iexplore.exe (PID: 2636)
    • Reads settings of System Certificates

      • explorer.exe (PID: 1772)
      • PortableAppsUpdater.exe (PID: 4072)
    • Dropped object may contain Bitcoin addresses

      • 7za.exe (PID: 3028)
      • 7za.exe (PID: 2312)
    • Creates files in the user directory

      • opera.exe (PID: 1580)
      • iexplore.exe (PID: 3708)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 53
Monitored processes: 17
Malicious processes: 7
Suspicious processes: 0

Behavior graph (interactive view available in the full report)

Process nodes shown in the graph, linked by "start" and "drop and start" edges: iexplore.exe, iexplore.exe, explorer.exe, portableapps.com_platform_setup_15.0.2.exe, portableappsplatform.exe, portableappsupdater.exe, ns9525.tmp, 7za.exe, portableappsupdater.exe, nsedfe.tmp, 7za.exe, sudokuportable_1.1.7.4_english.paf.exe, sudokuportable.exe, sudoku.exe, opera.exe, iexplore.exe, iexplore.exe

Process information

PID: 3708
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3776
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3708 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 1772
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2908
CMD: "C:\Users\admin\Downloads\PortableApps.com_Platform_Setup_15.0.2.exe"
Path: C:\Users\admin\Downloads\PortableApps.com_Platform_Setup_15.0.2.exe
Parent process: explorer.exe
User: admin
Company: PortableApps.com
Integrity Level: MEDIUM
Description: PortableApps.com Platform
Exit code: 0
Version: 15.0.2.0

PID: 4024
CMD: C:\PortableApps\PortableApps.com\PortableAppsPlatform.exe
Path: C:\PortableApps\PortableApps.com\PortableAppsPlatform.exe
Parent process: PortableApps.com_Platform_Setup_15.0.2.exe
User: admin
Company: PortableApps.com
Integrity Level: MEDIUM
Description: PortableApps.com Platform
Version: 15.0.2.0

PID: 2340
CMD: "C:\PortableApps\PortableApps.com\PortableAppsUpdater.exe" /MODE=ADD /OPENSOURCEONLY=false /KEYBOARDFRIENDLY=false /ADVANCED=false /SHOWINSTALLEDAPPS=false /HIDEPORTABLE=true /BETA=false /CONNECTION=Automatic
Path: C:\PortableApps\PortableApps.com\PortableAppsUpdater.exe
Parent process: PortableAppsPlatform.exe
User: admin
Company: PortableApps.com
Integrity Level: MEDIUM
Description: PortableApps.com Updater
Exit code: 0
Version: 15.0.2.0

PID: 1452
CMD: "C:\Users\admin\AppData\Local\Temp\nsd91B9.tmp\ns9525.tmp" "C:\PortableApps\PortableApps.com\App\7-Zip\7za.exe" x "C:\Users\admin\AppData\Local\Temp\nsd91B9.tmp\update.7z" -o"C:\Users\admin\AppData\Local\Temp\nsd91B9.tmp" -aoa
Path: C:\Users\admin\AppData\Local\Temp\nsd91B9.tmp\ns9525.tmp
Parent process: PortableAppsUpdater.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3028
CMD: "C:\PortableApps\PortableApps.com\App\7-Zip\7za.exe" x "C:\Users\admin\AppData\Local\Temp\nsd91B9.tmp\update.7z" -o"C:\Users\admin\AppData\Local\Temp\nsd91B9.tmp" -aoa
Path: C:\PortableApps\PortableApps.com\App\7-Zip\7za.exe
Parent process: ns9525.tmp
User: admin
Company: Igor Pavlov
Integrity Level: MEDIUM
Description: 7-Zip Standalone Console
Exit code: 0
Version: 18.05

PID: 4072
CMD: "C:\PortableApps\PortableApps.com\PortableAppsUpdater.exe" /MODE=ADD /OPENSOURCEONLY=false /KEYBOARDFRIENDLY=false /ADVANCED=false /SHOWINSTALLEDAPPS=false /HIDEPORTABLE=true /BETA=false /ORDER=new /CONNECTION=Automatic
Path: C:\PortableApps\PortableApps.com\PortableAppsUpdater.exe
Parent process: PortableAppsPlatform.exe
User: admin
Company: PortableApps.com
Integrity Level: MEDIUM
Description: PortableApps.com Updater
Exit code: 0
Version: 15.0.2.0

PID: 1244
CMD: "C:\Users\admin\AppData\Local\Temp\nstEB4D.tmp\nsEDFE.tmp" "C:\PortableApps\PortableApps.com\App\7-Zip\7za.exe" x "C:\Users\admin\AppData\Local\Temp\nstEB4D.tmp\update.7z" -o"C:\Users\admin\AppData\Local\Temp\nstEB4D.tmp" -aoa
Path: C:\Users\admin\AppData\Local\Temp\nstEB4D.tmp\nsEDFE.tmp
Parent process: PortableAppsUpdater.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Total events: 3 752
Read events: 3 144
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 40
Suspicious files: 45
Text files: 1 547
Unknown types: 8

Dropped files (- = empty in the report)

PID: 3708 (iexplore.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico
Type: -
MD5: -
SHA256: -

PID: 3708 (iexplore.exe)
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Type: -
MD5: -
SHA256: -

PID: 1772 (explorer.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\PortableApps.com_Platform_Setup_15.0.2.paf[1].lnk
Type: lnk
MD5: 5F9674D8CA11782F6CCF64C5D3937862
SHA256: D5C80E51C017751C6C6DC5F8D5CE0CDB6A1FCD3AEE8D645F171278505550CC94

PID: 1772 (explorer.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms
Type: automaticdestinations-ms
MD5: 60BB3F317C3726EAD1D3B9C53A06D8B0
SHA256: 5A57F0AE450783486E991FB88050D2F8A528C2B3136905338CEEB7FEADAF3659

PID: 3776 (iexplore.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\PortableApps.com_Platform_Setup_15.0.2.paf[1]
Type: executable
MD5: C02FC058BE0E9985CC56AA4073A207AF
SHA256: 65E95458BDB40290D1207408834B6E8F9B20E3F374925D1885103AF0D210EDE8

PID: 1772 (explorer.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\Downloads.lnk
Type: lnk
MD5: 191DE3E958F52C07FC99AC3056AE7A76
SHA256: 803F0BBA6C0A2D0514765DDB29C24FA1E28B3ABC00AE71BF6BC2BF5A68403D1B

PID: 1772 (explorer.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018110820181109\index.dat
Type: dat
MD5: 7791AFC4179D1CEC984DDB3952BBBCAF
SHA256: 7F4757A5C7DD62CA1D470337C616A863C91F1B435E30AE40CCBF4532C73159BC

PID: 2908 (PortableApps.com_Platform_Setup_15.0.2.exe)
Filename: C:\Users\admin\AppData\Local\Temp\nst2023.tmp\InstallLocationCustom.ico
Type: image
MD5: 415846A977E2AA4D069350BE62064228
SHA256: 42CD691AB4C2264DCA073C2E56270A45BCB5340DAA34C9DA0D60D8B8997C7DEE

PID: 3708 (iexplore.exe)
Filename: C:\Users\admin\Downloads\PortableApps.com_Platform_Setup_15.0.2.paf[1]
Type: executable
MD5: C02FC058BE0E9985CC56AA4073A207AF
SHA256: 65E95458BDB40290D1207408834B6E8F9B20E3F374925D1885103AF0D210EDE8

PID: 1772 (explorer.exe)
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\74FBF93595CFC8459196065CE54AD928
Type: binary
MD5: FE1DD3F806E43B9ACDD877D653E08DA4
SHA256: 231D995106BD8653DF0C4692C031129C872B2A3D4B66415E12DEAFE83EBD8D88
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 21
TCP/UDP connections: 15
DNS requests: 10
Threats: 0

HTTP requests (- = empty in the report)

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3776 | iexplore.exe | GET | - | 162.243.236.235:80 | http://download3.portableapps.com/portableapps/PortableApps.comPlatform/PortableApps.com_Platform_Setup_15.0.2.paf.exe?201806 | US | - | - | suspicious
2340 | PortableAppsUpdater.exe | GET | 303 | 104.239.166.87:80 | http://portableapps.com/updater/update.php | US | - | - | suspicious
2340 | PortableAppsUpdater.exe | GET | 200 | 104.239.166.87:80 | http://portableapps.com/files/images/updatericons/OBSPortable.ico | US | image | 1.12 Kb | suspicious
2340 | PortableAppsUpdater.exe | GET | 200 | 104.239.166.87:80 | http://portableapps.com/updater/update2.7z | US | compressed | 42.0 Kb | suspicious
1772 | explorer.exe | GET | 200 | 104.16.93.188:80 | http://crt.comodoca.com/COMODORSAAddTrustCA.crt | US | der | 1.37 Kb | whitelisted
4072 | PortableAppsUpdater.exe | GET | 303 | 104.239.166.87:80 | http://portableapps.com/redirect/?s=p&a=SudokuPortable&d=sfpa&wv=7&f=SudokuPortable_1.1.7.4_English.paf.exe | US | - | - | suspicious
3776 | iexplore.exe | GET | 403 | 162.243.236.235:80 | http://download3.portableapps.com/portableapps/PortableApps.comPlatform/ | US | html | 332 b | suspicious
4072 | PortableAppsUpdater.exe | GET | 303 | 104.239.166.87:80 | http://portableapps.com/updater/update.php | US | - | - | suspicious
2340 | PortableAppsUpdater.exe | GET | 200 | 104.239.166.87:80 | http://portableapps.com/files/images/updatericons/LameXPPortable.ico | US | image | 1.12 Kb | suspicious
2340 | PortableAppsUpdater.exe | GET | 200 | 104.239.166.87:80 | http://portableapps.com/files/images/updatericons/MPC-BEPortable.ico | US | image | 1.12 Kb | suspicious

Connections (- = empty in the report)

PID | Process | IP | Domain | ASN | CN | Reputation
3708 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
1772 | explorer.exe | 104.16.93.188:80 | crt.comodoca.com | Cloudflare Inc | US | shared
3084 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
1580 | opera.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
4072 | PortableAppsUpdater.exe | 216.105.38.13:443 | downloads.sourceforge.net | American Internet Services, LLC. | US | malicious
1580 | opera.exe | 82.145.215.40:443 | certs.opera.com | Opera Software AS | - | whitelisted
3776 | iexplore.exe | 162.243.236.235:80 | download3.portableapps.com | Digital Ocean, Inc. | US | suspicious
1580 | opera.exe | 66.225.197.197:80 | crl4.digicert.com | CacheNetworks, Inc. | US | whitelisted
2340 | PortableAppsUpdater.exe | 104.239.166.87:80 | portableapps.com | Rackspace Ltd. | US | suspicious
4072 | PortableAppsUpdater.exe | 87.121.121.2:443 | netix.dl.sourceforge.net | NetIX Communications Ltd. | BG | suspicious

DNS requests

Domain | IP | Reputation
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
download3.portableapps.com | 162.243.236.235 | unknown
crt.comodoca.com | 104.16.93.188, 104.16.92.188, 104.16.91.188, 104.16.90.188, 104.16.89.188 | whitelisted
portableapps.com | 104.239.166.87 | suspicious
downloads.sourceforge.net | 216.105.38.13 | whitelisted
netix.dl.sourceforge.net | 87.121.121.2 | suspicious
certs.opera.com | 82.145.215.40 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
crl4.digicert.com | 66.225.197.197 | whitelisted

Threats

PID | Process | Class | Message
3776 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP

Debug output: No debug info