File name: | Downloads.zip |
Full analysis: | https://app.any.run/tasks/430c04ce-43d0-4703-b951-6e84653c203e |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | March 30, 2020, 19:02:39 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/zip |
File info: | Zip archive data, at least v2.0 to extract |
MD5: | FC7F30E3EFF5D2E39CD4C2EDA7E61B2E |
SHA1: | 9C4D9E3C5EAF387539942E3854E5BAC419BB33A3 |
SHA256: | A972729CCD8771C09D53ED32262A60534D8EE02753CA8A50B822A140184EF950 |
SSDEEP: | 196608:iC91QGauTpuHXCWgLMZp174LU0/njeoXTodCo0T5QeYhdiPIUWd/i:iCLlaikHXAlL1/njjqCoYTtBW5i |
.zip | | | ZIP compressed archive (100) |
---|
ZipRequiredVersion: | 20 |
---|---|
ZipBitFlag: | - |
ZipCompression: | Deflated |
ZipModifyDate: | 2020:03:30 13:36:22 |
ZipCRC: | 0x76126107 |
ZipCompressedSize: | 5988256 |
ZipUncompressedSize: | 6048152 |
ZipFileName: | Firefox_Setup_2.0.0.20.exe |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3472 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Downloads.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 | ||||
1296 | "C:\Users\admin\Desktop\isoworkshop_9.1.exe" | C:\Users\admin\Desktop\isoworkshop_9.1.exe | explorer.exe | |
User: admin Company: Glorylogic Integrity Level: MEDIUM Description: ISO Workshop Installation Exit code: 0 Version: 9.1.0.0 | ||||
3120 | "C:\Users\admin\AppData\Local\Temp\is-EU27D.tmp\isoworkshop_9.1.tmp" /SL5="$170224,3213412,121344,C:\Users\admin\Desktop\isoworkshop_9.1.exe" | C:\Users\admin\AppData\Local\Temp\is-EU27D.tmp\isoworkshop_9.1.tmp | — | isoworkshop_9.1.exe |
User: admin Integrity Level: MEDIUM Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 | ||||
3872 | "C:\Users\admin\Desktop\isoworkshop_9.1.exe" /SPAWNWND=$701CE /NOTIFYWND=$170224 | C:\Users\admin\Desktop\isoworkshop_9.1.exe | isoworkshop_9.1.tmp | |
User: admin Company: Glorylogic Integrity Level: HIGH Description: ISO Workshop Installation Exit code: 0 Version: 9.1.0.0 | ||||
1836 | "C:\Users\admin\AppData\Local\Temp\is-RDDBT.tmp\isoworkshop_9.1.tmp" /SL5="$1C01FA,3213412,121344,C:\Users\admin\Desktop\isoworkshop_9.1.exe" /SPAWNWND=$701CE /NOTIFYWND=$170224 | C:\Users\admin\AppData\Local\Temp\is-RDDBT.tmp\isoworkshop_9.1.tmp | isoworkshop_9.1.exe | |
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.1052.0.0 | ||||
2848 | "C:\Users\admin\AppData\Local\Temp\is-18KT7.tmp\BA003.exe" | C:\Users\admin\AppData\Local\Temp\is-18KT7.tmp\BA003.exe | isoworkshop_9.1.tmp | |
User: admin Company: Glorylogic Integrity Level: HIGH Description: Glorylogic Installation Exit code: 0 Version: 10.3.0.0 | ||||
2400 | .\installer.exe | C:\Users\admin\AppData\Local\Temp\7zS02BB4307\installer.exe | BA003.exe | |
User: admin Company: adaware Integrity Level: HIGH Description: Glorylogic Installation Exit code: 0 Version: 2.5.0.1009 | ||||
1688 | C:\Users\admin\AppData\Local\Temp\7zS02BB4307\GenericSetup.exe husertype=Admin | C:\Users\admin\AppData\Local\Temp\7zS02BB4307\GenericSetup.exe | installer.exe | |
User: admin Company: adaware Integrity Level: HIGH Description: Glorylogic Installation Exit code: 0 Version: 2.5.0.1009 | ||||
2656 | "C:\Users\admin\AppData\Local\Temp\7zS02BB4307\OfferInstaller.exe" | C:\Users\admin\AppData\Local\Temp\7zS02BB4307\OfferInstaller.exe | GenericSetup.exe | |
User: admin Integrity Level: HIGH Description: Glorylogic Installation Exit code: 0 Version: 1.0.0.0 | ||||
3412 | "C:\Windows\system32\cmd.exe" /C ""C:\Users\admin\AppData\Local\Temp\nu3krf0l.2eq.exe" /affid 91212 PaidDistribution=true InstallID=51e3bf09-d4d9-4810-a00c-565399eec8b5 subID=CZ" | C:\Windows\system32\cmd.exe | — | OfferInstaller.exe |
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 4294967295 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) |
PID | Process | Filename | Type | |
---|---|---|---|---|
1836 | isoworkshop_9.1.tmp | C:\Users\admin\AppData\Local\Temp\CabF8DF.tmp | — | |
MD5:— | SHA256:— | |||
1836 | isoworkshop_9.1.tmp | C:\Users\admin\AppData\Local\Temp\TarF8E0.tmp | — | |
MD5:— | SHA256:— | |||
1836 | isoworkshop_9.1.tmp | C:\Program Files\Glorylogic\ISO Workshop\is-7QM92.tmp | — | |
MD5:— | SHA256:— | |||
1836 | isoworkshop_9.1.tmp | C:\Program Files\Glorylogic\ISO Workshop\is-49O8H.tmp | — | |
MD5:— | SHA256:— | |||
1836 | isoworkshop_9.1.tmp | C:\Program Files\Glorylogic\ISO Workshop\is-09HR1.tmp | — | |
MD5:— | SHA256:— | |||
1836 | isoworkshop_9.1.tmp | C:\Program Files\Glorylogic\ISO Workshop\is-9C81P.tmp | — | |
MD5:— | SHA256:— | |||
1836 | isoworkshop_9.1.tmp | C:\Program Files\Glorylogic\ISO Workshop\is-CUEMR.tmp | — | |
MD5:— | SHA256:— | |||
1836 | isoworkshop_9.1.tmp | C:\Program Files\Glorylogic\ISO Workshop\is-CCE0B.tmp | — | |
MD5:— | SHA256:— | |||
1836 | isoworkshop_9.1.tmp | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA | binary | |
MD5:493391E339A8DD7F1BBC79FACB054533 | SHA256:8715EE197E377A12FF2559E0646504615A0A63AF503F86B500B80E5DBBFAFE9A | |||
3472 | WinRAR.exe | C:\Users\admin\Desktop\Firefox_Setup_2.0.0.20.exe | executable | |
MD5:BE504A7C00F29B5FEB332A51F7D68F69 | SHA256:B7CA35BDDDB8E4ADF099C62013E889EFD0E0B0BBAC90BB18C847F7632B214960 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1836 | isoworkshop_9.1.tmp | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY | US | der | 728 b | whitelisted |
2736 | ISOWorkshop.exe | GET | 301 | 208.100.25.83:80 | http://www.glorylogic.com/upd_workshop.ini | US | html | 251 b | suspicious |
3312 | iexplore.exe | GET | 301 | 208.100.25.83:80 | http://www.glorylogic.com/after-install.html | US | html | 253 b | suspicious |
1836 | isoworkshop_9.1.tmp | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D | US | der | 471 b | whitelisted |
2656 | OfferInstaller.exe | GET | 200 | 104.16.236.79:80 | http://sdl.adaware.com/cdn/saBSI.exe | US | executable | 1.06 Mb | whitelisted |
3312 | iexplore.exe | GET | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDfMYPZCGzPzwgAAAAAMgoG | US | der | 472 b | whitelisted |
3312 | iexplore.exe | GET | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDy4NKedukSQwgAAAAAMgpY | US | der | 472 b | whitelisted |
3312 | iexplore.exe | GET | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDfMYPZCGzPzwgAAAAAMgoG | US | der | 472 b | whitelisted |
3312 | iexplore.exe | GET | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
3312 | iexplore.exe | GET | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1836 | isoworkshop_9.1.tmp | 151.139.128.14:80 | ocsp.usertrust.com | Highwinds Network Group, Inc. | US | suspicious |
1836 | isoworkshop_9.1.tmp | 208.100.25.83:443 | www.glorylogic.com | Steadfast | US | suspicious |
2656 | OfferInstaller.exe | 104.16.236.79:80 | sos.adaware.com | Cloudflare Inc | US | shared |
1688 | GenericSetup.exe | 104.18.88.101:443 | flow.lavasoft.com | Cloudflare Inc | US | shared |
1688 | GenericSetup.exe | 104.16.235.79:443 | sos.adaware.com | Cloudflare Inc | US | shared |
2400 | installer.exe | 104.18.87.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared |
2656 | OfferInstaller.exe | 104.18.88.101:443 | flow.lavasoft.com | Cloudflare Inc | US | shared |
2736 | ISOWorkshop.exe | 208.100.25.83:80 | www.glorylogic.com | Steadfast | US | suspicious |
2736 | ISOWorkshop.exe | 208.100.25.83:443 | www.glorylogic.com | Steadfast | US | suspicious |
2656 | OfferInstaller.exe | 185.26.182.112:80 | net.geo.opera.com | Opera Software AS | — | malicious |
Domain | IP | Reputation |
---|---|---|
www.glorylogic.com |
| suspicious |
ocsp.usertrust.com |
| whitelisted |
ocsp.comodoca.com |
| whitelisted |
www.google.com |
| whitelisted |
sos.adaware.com |
| whitelisted |
flow.lavasoft.com |
| whitelisted |
sdl.adaware.com |
| whitelisted |
net.geo.opera.com |
| whitelisted |
cu1pehnswad01.servicebus.windows.net |
| whitelisted |
sadownload.mcafee.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2400 | installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install |
2400 | installer.exe | Misc activity | ADWARE [PTsecurity] lavasoft StubBundleStart PUP Install |
2400 | installer.exe | Misc activity | ADWARE [PTsecurity] lavasoft StubBundleStart PUP Install |
2656 | OfferInstaller.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2656 | OfferInstaller.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download |
Process | Message |
---|---|
nu3krf0l.2eq.exe | NotComDllGetInterface: DLL not found in install location, looking in current directory |
nu3krf0l.2eq.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\nu3krf0l.2eq.exe loading C:\Users\admin\AppData\Local\Temp\mfeaaca.dll, WinVerifyTrust failed with 80092003
|
nu3krf0l.2eq.exe | NotComDllGetInterface: DLL not found in install location, looking in current directory |
nu3krf0l.2eq.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\nu3krf0l.2eq.exe loading C:\Users\admin\AppData\Local\Temp\mfeaaca.dll, WinVerifyTrust failed with 80092003
|
nu3krf0l.2eq.exe | NotComDllGetInterface: DLL not found in install location, looking in current directory |
nu3krf0l.2eq.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\nu3krf0l.2eq.exe loading C:\Users\admin\AppData\Local\Temp\mfeaaca.dll, WinVerifyTrust failed with 80092003
|