analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://cdn.line-apps.com/client/win/4_10_0_1236/LineInst.exe

Full analysis: https://app.any.run/tasks/fbe0b100-a98d-45b6-97d2-c41ff069647d
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: November 16, 2019, 10:31:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

8BFA3CD9F9182A69149002E98AEED226

SHA1:

F0EDC8C0B774B71625D1B0DF37CB3E32F13BE876

SHA256:

9EE2D8900A6D7BB95B905A9F74060765599C0DCBC68F61CEBC1DED55E44E7B3C

SSDEEP:

3:N1KdBLuxB2JMuOUV6V6OUjq:CXmB2JMA6hMq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • LineInst[1].exe (PID: 2516)
      • LineInst[1].exe (PID: 1708)
      • LineAppMgr.exe (PID: 4092)
      • LINE.exe (PID: 532)

    • Application was dropped or rewritten from another process

      • LineInst[1].exe (PID: 1708)
      • LineInst[1].exe (PID: 2516)
      • LineAppMgr.exe (PID: 4092)
      • LineLauncher.exe (PID: 3888)
      • LineAppMgr.exe (PID: 2856)

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 720)

  • SUSPICIOUS

    • Modifies the open verb of a shell class

      • LineInst[1].exe (PID: 2516)

    • Application launched itself

      • LineInst[1].exe (PID: 2516)

    • Executable content was dropped or overwritten

      • LineInst[1].exe (PID: 2516)
      • LineInst[1].exe (PID: 1708)

    • Creates a software uninstall entry

      • LineInst[1].exe (PID: 2516)

    • Creates files in the user directory

      • LineInst[1].exe (PID: 2516)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 504)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 720)

    • Changes internet zones settings

      • iexplore.exe (PID: 504)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
8
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start iexplore.exe iexplore.exe lineinst[1].exe lineinst[1].exe lineappmgr.exe lineappmgr.exe no specs linelauncher.exe no specs line.exe

Process information

PID
CMD
Path
Indicators
Parent process
504"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
720"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:504 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2516"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\LineInst[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\LineInst[1].exe
iexplore.exe
User:
admin
Company:
LINE Corporation
Integrity Level:
MEDIUM
Description:
LINE
Exit code:
0
Version:
4.10.0.1236
1708"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\LineInst[1].exe" /uacC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\LineInst[1].exe
LineInst[1].exe
User:
admin
Company:
LINE Corporation
Integrity Level:
HIGH
Description:
LINE
Exit code:
0
Version:
4.10.0.1236
4092"C:\Users\admin\AppData\Local\LINE\bin\4.10.0.1236\LineAppMgr.exe" -afterinstallC:\Users\admin\AppData\Local\LINE\bin\4.10.0.1236\LineAppMgr.exe
LineInst[1].exe
User:
admin
Company:
LINE Corporation
Integrity Level:
HIGH
Description:
LINE
Exit code:
0
Version:
4.7.0.987
2856"C:\Users\admin\AppData\Local\LINE\bin\4.10.0.1236\LineAppMgr.exe" -afterinstallC:\Users\admin\AppData\Local\LINE\bin\4.10.0.1236\LineAppMgr.exeLineInst[1].exe
User:
admin
Company:
LINE Corporation
Integrity Level:
MEDIUM
Description:
LINE
Exit code:
3221226540
Version:
4.7.0.987
3888"C:\Users\admin\AppData\Local\LINE\bin\LineLauncher.exe"C:\Users\admin\AppData\Local\LINE\bin\LineLauncher.exeLineInst[1].exe
User:
admin
Company:
LINE Corporation
Integrity Level:
MEDIUM
Description:
LINE
Exit code:
0
Version:
1.0.0.0
532"C:\Users\admin\AppData\Local\LINE\bin\4.10.0.1236.\LINE.exe" run C:\Users\admin\AppData\Local\LINE\bin\4.10.0.1236.\LINE.exe
LineLauncher.exe
User:
admin
Company:
LINE Corporation
Integrity Level:
MEDIUM
Description:
LINE
Version:
4.10.0.1236
Total events
1 737
Read events
1 636
Write events
0
Delete events
0

Modification events

No data
Executable files
31
Suspicious files
1
Text files
70
Unknown types
8

Dropped files

PID
Process
Filename
Type
504iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
504iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
504iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF384C4600F233FA8F.TMP
MD5:
SHA256:
720iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6HS3RVG7\LineInst[1].exe
MD5:
SHA256:
504iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\LineInst[1].exe
MD5:
SHA256:
504iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF6313555A9E6CCD78.TMP
MD5:
SHA256:
504iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{45476827-085C-11EA-AB41-5254004A04AF}.dat
MD5:
SHA256:
720iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019111620191117\index.datdat
MD5:6BFFB393BE1AF50F7BD0FD7A1F6E17FD
SHA256:40D86870FFDE17338A232332EFD7692F0B390F7045DFDF35E19BE3B781508694
720iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.logtext
MD5:D55862F060A4ECB59AFFCB413DC5D307
SHA256:E39F7BE160DB1F2EE6420938142A157AFF0E13BA308A3D4BCC45551545EB243E
504iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{45476828-085C-11EA-AB41-5254004A04AF}.datbinary
MD5:290B64595BB8E057378B221173C84261
SHA256:1C2F6902918CB0EA02E96C7CBC14C332D1F69E6C9C713D6CF7285C359A2EEE25
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
9
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
720
iexplore.exe
GET
200
2.16.186.97:80
http://cdn.line-apps.com/client/win/4_10_0_1236/LineInst.exe
unknown
executable
33.7 Mb
suspicious
532
LINE.exe
POST
200
203.104.153.91:80
http://nelo2-col.nhncorp.jp:80/_store
JP
text
32 b
unknown
504
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
504
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
532
LINE.exe
203.104.142.52:443
lan.line.me
LINE Corporation
JP
unknown
143.204.213.67:443
desktop.line-scdn.net
US
unknown
532
LINE.exe
143.204.213.67:443
desktop.line-scdn.net
US
unknown
532
LINE.exe
23.210.248.55:443
scdn.line-apps.com
Akamai International B.V.
NL
whitelisted
532
LINE.exe
203.104.153.91:80
nelo2-col.nhncorp.jp
LINE Corporation
JP
unknown
720
iexplore.exe
2.16.186.97:80
cdn.line-apps.com
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
cdn.line-apps.com
  • 2.16.186.97
  • 2.16.186.105
suspicious
scdn.line-apps.com
  • 23.210.248.55
unknown
nelo2-col.nhncorp.jp
  • 203.104.153.91
unknown
lan.line.me
  • 203.104.142.52
unknown
desktop.line-scdn.net
  • 143.204.213.67
unknown

Threats

PID
Process
Class
Message
720
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
LineAppMgr.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
LINE.exe
%s------------------------------------------------ --- Themida Professional --- --- (c)2012 Oreans Technologies --- ------------------------------------------------
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://cdn.line-apps.com/client/win/4_10_0_1236/LineInst.exe