File name: Downloads.zip
Full analysis: https://app.any.run/tasks/430c04ce-43d0-4703-b951-6e84653c203e
Verdict: Malicious activity
Threats: Loader (generic description of this threat class)

A loader is malicious software that infiltrates a device in order to deliver further payloads. It profiles the infected system and installs other threats, such as trojans or stealers. Criminals usually distribute loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable. Loaders employ evasion and persistence techniques to avoid detection.

Analysis date: March 30, 2020, 19:02:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adware, pua, lavasoft, loader
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: FC7F30E3EFF5D2E39CD4C2EDA7E61B2E
SHA1: 9C4D9E3C5EAF387539942E3854E5BAC419BB33A3
SHA256: A972729CCD8771C09D53ED32262A60534D8EE02753CA8A50B822A140184EF950
SSDEEP: 196608:iC91QGauTpuHXCWgLMZp174LU0/njeoXTodCo0T5QeYhdiPIUWd/i:iCLlaikHXAlL1/njjqCoYTtBW5i

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be distorted by the analyst's own actions in the VM and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • isoworkshop_9.1.exe (PID: 1296)
      • isoworkshop_9.1.exe (PID: 3872)
      • installer.exe (PID: 2400)
      • GenericSetup.exe (PID: 1688)
      • OfferInstaller.exe (PID: 2656)
      • nu3krf0l.2eq.exe (PID: 3360)
      • ISOWorkshop.exe (PID: 2736)
      • ISOTools.exe (PID: 2132)
      • Firefox_Setup_2.0.0.20.exe (PID: 1944)
      • Firefox_Setup_2.0.0.20.exe (PID: 2796)
      • setup.exe (PID: 2580)
    • Loads dropped or rewritten executable

      • GenericSetup.exe (PID: 1688)
      • OfferInstaller.exe (PID: 2656)
      • ISOTools.exe (PID: 2132)
      • setup.exe (PID: 2580)
    • LAVASOFT was detected

      • installer.exe (PID: 2400)
    • Changes settings of System certificates

      • nu3krf0l.2eq.exe (PID: 3360)
      • isoworkshop_9.1.tmp (PID: 1836)
    • Downloads executable files from the Internet

      • OfferInstaller.exe (PID: 2656)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3472)
      • isoworkshop_9.1.exe (PID: 1296)
      • isoworkshop_9.1.exe (PID: 3872)
      • isoworkshop_9.1.tmp (PID: 1836)
      • BA003.exe (PID: 2848)
      • OfferInstaller.exe (PID: 2656)
      • setup.exe (PID: 2580)
      • Firefox_Setup_2.0.0.20.exe (PID: 2796)
    • Reads the Windows organization settings

      • isoworkshop_9.1.tmp (PID: 1836)
      • GenericSetup.exe (PID: 1688)
      • OfferInstaller.exe (PID: 2656)
    • Reads Windows owner or organization settings

      • isoworkshop_9.1.tmp (PID: 1836)
      • GenericSetup.exe (PID: 1688)
      • OfferInstaller.exe (PID: 2656)
    • Reads Internet Cache Settings

      • isoworkshop_9.1.tmp (PID: 1836)
      • ISOWorkshop.exe (PID: 2736)
    • Reads Environment values

      • GenericSetup.exe (PID: 1688)
      • OfferInstaller.exe (PID: 2656)
    • Starts CMD.EXE for commands execution

      • OfferInstaller.exe (PID: 2656)
    • Creates files in the program directory

      • nu3krf0l.2eq.exe (PID: 3360)
    • Adds / modifies Windows certificates

      • nu3krf0l.2eq.exe (PID: 3360)
      • isoworkshop_9.1.tmp (PID: 1836)
    • Starts Internet Explorer

      • isoworkshop_9.1.tmp (PID: 1836)
    • Creates files in the user directory

      • ISOTools.exe (PID: 2132)
    • Searches for installed software

      • OfferInstaller.exe (PID: 2656)
      • GenericSetup.exe (PID: 1688)
  • INFO

    • Manual execution by user

      • isoworkshop_9.1.exe (PID: 1296)
      • WinRAR.exe (PID: 2792)
    • Application was dropped or rewritten from another process

      • isoworkshop_9.1.tmp (PID: 1836)
      • isoworkshop_9.1.tmp (PID: 3120)
      • BA003.exe (PID: 2848)
    • Loads dropped or rewritten executable

      • isoworkshop_9.1.tmp (PID: 1836)
    • Creates a software uninstall entry

      • isoworkshop_9.1.tmp (PID: 1836)
    • Creates files in the program directory

      • isoworkshop_9.1.tmp (PID: 1836)
    • Reads settings of System Certificates

      • isoworkshop_9.1.tmp (PID: 1836)
      • OfferInstaller.exe (PID: 2656)
      • iexplore.exe (PID: 2972)
    • Application launched itself

      • iexplore.exe (PID: 2972)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3312)
      • iexplore.exe (PID: 2972)
    • Changes internet zones settings

      • iexplore.exe (PID: 2972)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3312)
    • Creates files in the user directory

      • iexplore.exe (PID: 3312)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3312)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3312)
Signature artifacts and their mapping to the MITRE ATT&CK matrix are in the full report.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:03:30 13:36:22
ZipCRC: 0x76126107
ZipCompressedSize: 5988256
ZipUncompressedSize: 6048152
ZipFileName: Firefox_Setup_2.0.0.20.exe
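The EXIF/ZIP block above is what a static pass over the archive's central directory yields: required version, compression method, timestamp, CRC, sizes and the single member name. The Python below reproduces that pass and adds the checks a triage analyst wants before anything is extracted: it sniffs each member's first two bytes for an MZ header regardless of the file name, flags document-style double extensions, and flags extreme compression ratios (the decompression-bomb pattern). This is an added example written for this page, not ANY.RUN code. The archive it builds is a constructed stand-in (an MZ stub carrying the report's timestamp, plus decoy members), not the real Downloads.zip, and EXEC_EXT, DOC_EXT and RATIO_LIMIT are the editor's own choices.

```python
import io
import zipfile

# Editor's lists for this example, not values from the report.
EXEC_EXT = {".exe", ".dll", ".scr", ".com", ".msi", ".bat", ".cmd", ".ps1", ".js", ".vbs", ".hta"}
DOC_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "zip"}
COMPRESSION = {zipfile.ZIP_STORED: "Stored", zipfile.ZIP_DEFLATED: "Deflated",
               zipfile.ZIP_BZIP2: "BZip2", zipfile.ZIP_LZMA: "LZMA"}
RATIO_LIMIT = 20  # uncompressed/compressed above this is unusual for a real installer; tune locally


def triage_zip(data: bytes) -> list:
    """Describe every member from the central directory and sniff its first bytes,
    without writing anything to disk. Field names mirror the report's EXIF/ZIP block."""
    rows = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:       # pulls only two bytes through the decompressor
                magic = member.read(2)
            name = info.filename
            parts = name.lower().split(".")
            ext = ("." + parts[-1]) if len(parts) > 1 else ""
            ratio = info.file_size / max(info.compress_size, 1)
            rows.append({
                "name": name,
                "required_version": info.extract_version,            # ZipRequiredVersion
                "compression": COMPRESSION.get(info.compress_type, str(info.compress_type)),
                "modified": "%04d:%02d:%02d %02d:%02d:%02d" % info.date_time,  # ZipModifyDate
                "crc": "0x%08X" % info.CRC,
                "compressed": info.compress_size,
                "uncompressed": info.file_size,
                "is_pe": magic == b"MZ",                              # DOS/PE header, whatever the name says
                "executable_ext": ext in EXEC_EXT,
                # invoice.pdf.exe style; version numbers like Firefox_Setup_2.0.0.20.exe are not flagged
                "double_extension": len(parts) >= 3 and parts[-2] in DOC_EXT and ext in EXEC_EXT,
                "high_ratio": ratio > RATIO_LIMIT,
            })
    return rows


def build_sample() -> bytes:
    """Constructed test archive for this example; NOT the Downloads.zip from the report.
    The 'PE' member is a bare MZ stub; its mtime is the one the report shows."""
    mz_stub = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 1024
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        info = zipfile.ZipInfo("Firefox_Setup_2.0.0.20.exe", date_time=(2020, 3, 30, 13, 36, 22))
        zf.writestr(info, mz_stub, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("invoice.pdf.exe", mz_stub)          # document-looking name, executable content
        zf.writestr("readme.txt", b"plain text, nothing to run")
        zf.writestr("bomb.bin", b"\x00" * 2_000_000)      # extreme ratio: decompression-bomb pattern
    return buf.getvalue()


if __name__ == "__main__":
    for row in triage_zip(build_sample()):
        flags = [k for k in ("is_pe", "executable_ext", "double_extension", "high_ratio") if row[k]]
        print(f"{row['name']:<28} {row['compression']:<8} v{row['required_version']}  "
              f"{row['uncompressed']:>8} B  {row['crc']}  {' '.join(flags)}")
```

Reading two bytes through `zf.open()` keeps the whole member out of memory, which matters for the bomb case; the CRC shown is the one recorded in the central directory, so it can be compared directly against the ZipCRC line above without decompressing the member.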
All screenshots are available in the full report
Total processes: 67
Monitored processes: 19
Malicious processes: 11
Suspicious processes: 3

Behavior graph: interactive in the full report, not reproduced here. Nodes in the order shown: winrar.exe, isoworkshop_9.1.exe, isoworkshop_9.1.tmp, isoworkshop_9.1.exe, isoworkshop_9.1.tmp, ba003.exe, installer.exe (#LAVASOFT), genericsetup.exe, offerinstaller.exe, cmd.exe, nu3krf0l.2eq.exe, isoworkshop.exe, iexplore.exe, iexplore.exe, isotools.exe, firefox_setup_2.0.0.20.exe, firefox_setup_2.0.0.20.exe, setup.exe, winrar.exe.

Process information

PID 3472: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Downloads.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin | Company: Alexander Roshal | Integrity level: MEDIUM | Exit code: 0 | Version: 5.60.0
  Description: WinRAR archiver

PID 1296: "C:\Users\admin\Desktop\isoworkshop_9.1.exe"
  Path: C:\Users\admin\Desktop\isoworkshop_9.1.exe
  Parent process: explorer.exe
  User: admin | Company: Glorylogic | Integrity level: MEDIUM | Exit code: 0 | Version: 9.1.0.0
  Description: ISO Workshop Installation

PID 3120: "C:\Users\admin\AppData\Local\Temp\is-EU27D.tmp\isoworkshop_9.1.tmp" /SL5="$170224,3213412,121344,C:\Users\admin\Desktop\isoworkshop_9.1.exe"
  Path: C:\Users\admin\AppData\Local\Temp\is-EU27D.tmp\isoworkshop_9.1.tmp
  Parent process: isoworkshop_9.1.exe
  User: admin | Integrity level: MEDIUM | Exit code: 0 | Version: 51.1052.0.0
  Description: Setup/Uninstall

PID 3872: "C:\Users\admin\Desktop\isoworkshop_9.1.exe" /SPAWNWND=$701CE /NOTIFYWND=$170224
  Path: C:\Users\admin\Desktop\isoworkshop_9.1.exe
  Parent process: isoworkshop_9.1.tmp
  User: admin | Company: Glorylogic | Integrity level: HIGH | Exit code: 0 | Version: 9.1.0.0
  Description: ISO Workshop Installation

PID 1836: "C:\Users\admin\AppData\Local\Temp\is-RDDBT.tmp\isoworkshop_9.1.tmp" /SL5="$1C01FA,3213412,121344,C:\Users\admin\Desktop\isoworkshop_9.1.exe" /SPAWNWND=$701CE /NOTIFYWND=$170224
  Path: C:\Users\admin\AppData\Local\Temp\is-RDDBT.tmp\isoworkshop_9.1.tmp
  Parent process: isoworkshop_9.1.exe
  User: admin | Integrity level: HIGH | Exit code: 0 | Version: 51.1052.0.0
  Description: Setup/Uninstall

PID 2848: "C:\Users\admin\AppData\Local\Temp\is-18KT7.tmp\BA003.exe"
  Path: C:\Users\admin\AppData\Local\Temp\is-18KT7.tmp\BA003.exe
  Parent process: isoworkshop_9.1.tmp
  User: admin | Company: Glorylogic | Integrity level: HIGH | Exit code: 0 | Version: 10.3.0.0
  Description: Glorylogic Installation

PID 2400: .\installer.exe
  Path: C:\Users\admin\AppData\Local\Temp\7zS02BB4307\installer.exe
  Parent process: BA003.exe
  User: admin | Company: adaware | Integrity level: HIGH | Exit code: 0 | Version: 2.5.0.1009
  Description: Glorylogic Installation

PID 1688: C:\Users\admin\AppData\Local\Temp\7zS02BB4307\GenericSetup.exe husertype=Admin
  Path: C:\Users\admin\AppData\Local\Temp\7zS02BB4307\GenericSetup.exe
  Parent process: installer.exe
  User: admin | Company: adaware | Integrity level: HIGH | Exit code: 0 | Version: 2.5.0.1009
  Description: Glorylogic Installation

PID 2656: "C:\Users\admin\AppData\Local\Temp\7zS02BB4307\OfferInstaller.exe"
  Path: C:\Users\admin\AppData\Local\Temp\7zS02BB4307\OfferInstaller.exe
  Parent process: GenericSetup.exe
  User: admin | Integrity level: HIGH | Exit code: 0 | Version: 1.0.0.0
  Description: Glorylogic Installation

PID 3412: "C:\Windows\system32\cmd.exe" /C ""C:\Users\admin\AppData\Local\Temp\nu3krf0l.2eq.exe" /affid 91212 PaidDistribution=true InstallID=51e3bf09-d4d9-4810-a00c-565399eec8b5 subID=CZ"
  Path: C:\Windows\system32\cmd.exe
  Parent process: OfferInstaller.exe
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Exit code: 4294967295 (0xFFFFFFFF) | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
  Description: Windows Command Processor
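The table above gives each process's parent by image name only, which hides the two facts a triage analyst most wants from it: where the integrity level jumps (MEDIUM at the Inno Setup .tmp, PID 3120, to HIGH at the relaunched isoworkshop_9.1.exe, PID 3872, the point at which the installer went through UAC), and where a command interpreter appears deep inside an installer chain (cmd.exe, PID 3412, launching a binary out of %TEMP% on behalf of OfferInstaller.exe). The Python below rebuilds the tree from the table and extracts both. It is an added example written for this page, not ANY.RUN code; the parent PIDs in PROCS are the editor's reading of the table (the MEDIUM .tmp belongs to the MEDIUM isoworkshop_9.1.exe, the HIGH .tmp to the HIGH one), since the report names parents only by image, and SHELLS is the editor's list.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

INTEGRITY = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "SYSTEM": 4}
# Editor's list of interpreters worth flagging when an installer spawns them.
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}


@dataclass
class Proc:
    pid: int
    image: str
    parent: Optional[int]  # None = parent outside the monitored set (explorer.exe in this report)
    integrity: str
    cmd: str = ""


# The ten rows of the report's Process information table. Parent PIDs are inferred by the
# editor from the parent image names and integrity levels; the report does not print them.
PROCS = [
    Proc(3472, "WinRAR.exe", None, "MEDIUM"),
    Proc(1296, "isoworkshop_9.1.exe", None, "MEDIUM"),
    Proc(3120, "isoworkshop_9.1.tmp", 1296, "MEDIUM"),
    Proc(3872, "isoworkshop_9.1.exe", 3120, "HIGH", "/SPAWNWND=$701CE /NOTIFYWND=$170224"),
    Proc(1836, "isoworkshop_9.1.tmp", 3872, "HIGH"),
    Proc(2848, "BA003.exe", 1836, "HIGH"),
    Proc(2400, "installer.exe", 2848, "HIGH", r".\installer.exe"),
    Proc(1688, "GenericSetup.exe", 2400, "HIGH", "GenericSetup.exe husertype=Admin"),
    Proc(2656, "OfferInstaller.exe", 1688, "HIGH"),
    Proc(3412, "cmd.exe", 2656, "HIGH",
         r'"C:\Windows\system32\cmd.exe" /C ""C:\Users\admin\AppData\Local\Temp\nu3krf0l.2eq.exe"'
         r' /affid 91212 PaidDistribution=true InstallID=51e3bf09-d4d9-4810-a00c-565399eec8b5 subID=CZ"'),
]


def render_tree(procs: List[Proc]) -> List[str]:
    """Indented text tree; roots (parents outside the monitored set) come first, in table order."""
    by_pid = {p.pid: p for p in procs}
    kids: dict = {}
    for p in procs:
        kids.setdefault(p.parent, []).append(p)
    lines: List[str] = []

    def walk(p: Proc, depth: int) -> None:
        lines.append(f"{'  ' * depth}{p.image} (PID {p.pid}, {p.integrity})")
        for child in kids.get(p.pid, []):
            walk(child, depth + 1)

    for p in procs:
        if p.parent not in by_pid:
            walk(p, 0)
    return lines


def chain_depth(procs: List[Proc], pid: int) -> int:
    """Number of monitored ancestors above pid; long chains under an installer deserve a look."""
    by_pid = {p.pid: p for p in procs}
    depth, p = 0, by_pid[pid]
    while p.parent in by_pid:
        p, depth = by_pid[p.parent], depth + 1
    return depth


def integrity_jumps(procs: List[Proc]) -> List[Tuple[int, int]]:
    """(parent_pid, child_pid) wherever a child runs at a higher integrity level than its parent,
    i.e. a UAC elevation or a privileged relaunch."""
    by_pid = {p.pid: p for p in procs}
    return [(p.parent, p.pid) for p in procs
            if p.parent in by_pid
            and INTEGRITY[p.integrity] > INTEGRITY[by_pid[p.parent].integrity]]


def shells_spawned(procs: List[Proc]) -> List[Tuple[str, int, str]]:
    """(parent image, pid, command line) for every interpreter started by a non-interpreter parent."""
    by_pid = {p.pid: p for p in procs}
    return [(by_pid[p.parent].image, p.pid, p.cmd) for p in procs
            if p.image.lower() in SHELLS and p.parent in by_pid
            and by_pid[p.parent].image.lower() not in SHELLS]


if __name__ == "__main__":
    print("\n".join(render_tree(PROCS)))
    print("integrity jumps:", integrity_jumps(PROCS))
    for parent, pid, cmd in shells_spawned(PROCS):
        print(f"{parent} -> PID {pid}: {cmd}")
```

On a real host the same logic runs over Sysmon event ID 1 (ProcessCreate carries ParentProcessId and IntegrityLevel directly), so the parent inference step above disappears and only the two detection functions remain.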
Total events: 13 148
Read events: 11 576
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 54
Suspicious files: 72
Text files: 342
Unknown types: 42

Dropped files

PID 1836 (isoworkshop_9.1.tmp):
  C:\Users\admin\AppData\Local\Temp\CabF8DF.tmp
  C:\Users\admin\AppData\Local\Temp\TarF8E0.tmp
  C:\Program Files\Glorylogic\ISO Workshop\is-7QM92.tmp
  C:\Program Files\Glorylogic\ISO Workshop\is-49O8H.tmp
  C:\Program Files\Glorylogic\ISO Workshop\is-09HR1.tmp
  C:\Program Files\Glorylogic\ISO Workshop\is-9C81P.tmp
  C:\Program Files\Glorylogic\ISO Workshop\is-CUEMR.tmp
  C:\Program Files\Glorylogic\ISO Workshop\is-CCE0B.tmp
  (type and hashes for the eight files above are not given in this summary)
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5080DC7A65DB6A5960ECD874088F3328_862BA1770B2FEE013603D2FF9ABEAFDA (binary)
    MD5: 493391E339A8DD7F1BBC79FACB054533
    SHA256: 8715EE197E377A12FF2559E0646504615A0A63AF503F86B500B80E5DBBFAFE9A

PID 3472 (WinRAR.exe):
  C:\Users\admin\Desktop\Firefox_Setup_2.0.0.20.exe (executable)
    MD5: BE504A7C00F29B5FEB332A51F7D68F69
    SHA256: B7CA35BDDDB8E4ADF099C62013E889EFD0E0B0BBAC90BB18C847F7632B214960
The PCAP download, network streams, HTTP content and more are available in the full report.
HTTP(S) requests: 36
TCP/UDP connections: 69
DNS requests: 35
Threats: 0

HTTP requests

PID process | method HTTP code | IP:port | URL | CN | type | size | reputation

1836 isoworkshop_9.1.tmp | GET 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY | US | der | 728 B | whitelisted
2736 ISOWorkshop.exe | GET 301 | 208.100.25.83:80 | http://www.glorylogic.com/upd_workshop.ini | US | html | 251 B | suspicious
3312 iexplore.exe | GET 301 | 208.100.25.83:80 | http://www.glorylogic.com/after-install.html | US | html | 253 B | suspicious
1836 isoworkshop_9.1.tmp | GET 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D | US | der | 471 B | whitelisted
2656 OfferInstaller.exe | GET 200 | 104.16.236.79:80 | http://sdl.adaware.com/cdn/saBSI.exe | US | executable | 1.06 MB | whitelisted
3312 iexplore.exe | GET 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDfMYPZCGzPzwgAAAAAMgoG | US | der | 472 B | whitelisted
3312 iexplore.exe | GET 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDy4NKedukSQwgAAAAAMgpY | US | der | 472 B | whitelisted
3312 iexplore.exe | GET 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDfMYPZCGzPzwgAAAAAMgoG | US | der | 472 B | whitelisted
3312 iexplore.exe | GET 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 B | whitelisted
3312 iexplore.exe | GET 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 B | whitelisted
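Most of the requests above are OCSP GETs. The long path segment is a base64 DER-encoded OCSPRequest (RFC 6960, Appendix A), so the certificate being checked can be recovered offline from the log alone, without the PCAP. That matters for triage: an installer making OCSP lookups is usually WinVerifyTrust checking the revocation status of its own code-signing chain, and decoding the serial lets you match it against the signer shown in the file's properties, while the same lookups from iexplore.exe are ordinary TLS validation. The Python below is a minimal DER walker that pulls the hash algorithm, issuer hashes and serial out of the two Comodo/USERTRUST requests made by isoworkshop_9.1.tmp. It is an added example written for this page, not ANY.RUN code; its only inputs are the two URLs copied verbatim from the table.

```python
import base64
from urllib.parse import unquote, urlsplit

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}

# Two OCSP GET URLs copied from the HTTP requests table (PID 1836, isoworkshop_9.1.tmp).
REPORT_URLS = [
    "http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEQDwHUvue3yjezwFZqwFlyRY",
    "http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D",
]


def _tlv(buf: bytes, pos: int):
    """One DER element at buf[pos:]: (tag, contents, position after it). Handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(contents: bytes):
    """Every element directly inside a constructed type (SEQUENCE)."""
    out, pos = [], 0
    while pos < len(contents):
        tag, value, pos = _tlv(contents, pos)
        out.append((tag, value))
    return out


def _oid(contents: bytes) -> str:
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_ocsp_get(url: str) -> list:
    """Decode the OCSPRequest carried in an OCSP GET URL. Returns one dict per CertID:
    responder host, hash algorithm, issuer name/key hashes (hex) and the certificate serial (hex)."""
    der = base64.b64decode(unquote(urlsplit(url).path.rsplit("/", 1)[1]))
    _, ocsp_request, _ = _tlv(der, 0)                  # OCSPRequest ::= SEQUENCE
    tbs_request = _children(ocsp_request)[0][1]       # tbsRequest; an optional Signature would follow
    # requestList is the first SEQUENCE; [0] version and [1] requestorName use context tags 0xA0/0xA1
    request_list = next(v for t, v in _children(tbs_request) if t == 0x30)
    results = []
    for _, request in _children(request_list):
        cert_id = _children(request)[0][1]            # reqCert CertID
        (_, hash_alg), (_, name_hash), (_, key_hash), (_, serial) = _children(cert_id)[:4]
        oid = _oid(_children(hash_alg)[0][1])
        results.append({
            "responder": urlsplit(url).hostname,
            "hash_algorithm": HASH_OIDS.get(oid, oid),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            # INTEGER is signed in DER; a leading 0x00 pads a high-bit serial, so go via int
            "serial": format(int.from_bytes(serial, "big"), "X"),
        })
    return results


def serials_by_responder(urls) -> dict:
    """Group the serials checked per responder: a quick view of which chain a process validated."""
    out: dict = {}
    for u in urls:
        for r in decode_ocsp_get(u):
            out.setdefault(r["responder"], set()).add(r["serial"])
    return out


if __name__ == "__main__":
    for u in REPORT_URLS:
        for r in decode_ocsp_get(u):
            print(f"{r['responder']:<22} {r['hash_algorithm']}  serial {r['serial']}")
```

Both requests use SHA-1 for the issuer hashes, which is normal for OCSP CertID and says nothing about the certificate's own signature algorithm. The serial is the field to pivot on: compare it with the code-signing certificate in the setup binary's digital-signature tab, or search it in certificate-transparency or CA revocation data.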

Connections

PID process | IP:port | domain | ASN | CN | reputation

1836 isoworkshop_9.1.tmp | 151.139.128.14:80 | ocsp.usertrust.com | Highwinds Network Group, Inc. | US | suspicious
1836 isoworkshop_9.1.tmp | 208.100.25.83:443 | www.glorylogic.com | Steadfast | US | suspicious
2656 OfferInstaller.exe | 104.16.236.79:80 | sos.adaware.com | Cloudflare Inc | US | shared
1688 GenericSetup.exe | 104.18.88.101:443 | flow.lavasoft.com | Cloudflare Inc | US | shared
1688 GenericSetup.exe | 104.16.235.79:443 | sos.adaware.com | Cloudflare Inc | US | shared
2400 installer.exe | 104.18.87.101:80 | flow.lavasoft.com | Cloudflare Inc | US | shared
2656 OfferInstaller.exe | 104.18.88.101:443 | flow.lavasoft.com | Cloudflare Inc | US | shared
2736 ISOWorkshop.exe | 208.100.25.83:80 | www.glorylogic.com | Steadfast | US | suspicious
2736 ISOWorkshop.exe | 208.100.25.83:443 | www.glorylogic.com | Steadfast | US | suspicious
2656 OfferInstaller.exe | 185.26.182.112:80 | net.geo.opera.com | Opera Software AS | - | malicious

DNS requests

domain | resolved IP(s) | reputation

www.glorylogic.com | 208.100.25.83 | suspicious
ocsp.usertrust.com | 151.139.128.14 | whitelisted
ocsp.comodoca.com | 151.139.128.14 | whitelisted
www.google.com | 172.217.22.68 | whitelisted
sos.adaware.com | 104.16.235.79, 104.16.236.79 | whitelisted
flow.lavasoft.com | 104.18.87.101, 104.18.88.101 | whitelisted
sdl.adaware.com | 104.16.236.79, 104.16.235.79 | whitelisted
net.geo.opera.com | 185.26.182.111, 185.26.182.112 | whitelisted
cu1pehnswad01.servicebus.windows.net | 104.208.16.0 | whitelisted
sadownload.mcafee.com | 92.122.253.199 | whitelisted

Threats

PID process | class | message

2400 installer.exe | A Network Trojan was detected | ET MALWARE Lavasoft PUA/Adware Client Install
2400 installer.exe | Misc activity | ADWARE [PTsecurity] lavasoft StubBundleStart PUP Install
2400 installer.exe | Misc activity | ADWARE [PTsecurity] lavasoft StubBundleStart PUP Install
2656 OfferInstaller.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2656 OfferInstaller.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
Debug output strings

process | message

nu3krf0l.2eq.exe | NotComDllGetInterface: DLL not found in install location, looking in current directory
nu3krf0l.2eq.exe | NotComDllGetInterface: C:\Users\admin\AppData\Local\Temp\nu3krf0l.2eq.exe loading C:\Users\admin\AppData\Local\Temp\mfeaaca.dll, WinVerifyTrust failed with 80092003

The pair above is logged three times. 0x80092003 is CRYPT_E_FILE_ERROR (an error reading or writing the file), so WinVerifyTrust could not read the DLL it was asked to verify, which matches the preceding "DLL not found" line: the process looked for mfeaaca.dll in its own directory under %TEMP% and the Authenticode check failed there.