Malware analysis convert_lite.cab Malicious activity | ANY.RUN

Add for printing

download:	convert_lite.cab
Full analysis:	https://app.any.run/tasks/53c86dbf-f9d8-4492-bd02-63140a1253e8
Verdict:	Malicious activity
Analysis date:	May 24, 2019, 08:38:56
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/vnd.ms-cab-compressed
File info:	Microsoft Cabinet archive data, 4746424 bytes, 41 files
MD5:	6665F15BF8841CAFFE4CF1C8349AE4FA
SHA1:	E7C4FEB463148AAE7F8D0CF5582B99C08A9E5030
SHA256:	B52F48FFF0AE1B41BA2B2C5AC7E0C6851830B983AD48E1A9A0E296B6853869F1
SSDEEP:	98304:wJuzOnftmiaF/CoyTj/0lR4+HNV4zFYxDJyE1rPcnwa5s6wN3gNDFo:wZftm3m/0jfTnDJyEFcl5nwgXo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - imagex.exe (PID: 2292)
  - 7z.exe (PID: 3556)
  - oscdimg.exe (PID: 300)
  - dism.exe (PID: 2236)
  - aria2c.exe (PID: 3016)
  - offlinereg.exe (PID: 3400)
  - pkgmgr.exe (PID: 2168)
  - pkgmgr.exe (PID: 2680)
  - wimlib-imagex.exe (PID: 1260)
  - wimserv.exe (PID: 2632)
  - wimmountadksetupx86.exe (PID: 2148)
  - wimmountadksetupx86.exe (PID: 636)
  - 7z.exe (PID: 1920)
  - 7z.exe (PID: 1824)
  - aria2c.exe (PID: 3332)
  - aria2c.exe (PID: 2300)
  - dism.exe (PID: 1888)
  - dism.exe (PID: 2600)
  - offlinereg.exe (PID: 2704)
  - pkgmgr.exe (PID: 2468)
  - imagex.exe (PID: 1496)
  - oscdimg.exe (PID: 3896)
  - wimmountadksetupx86.exe (PID: 3724)
  - wimserv.exe (PID: 2236)
  - wimmountadksetupx86.exe (PID: 1520)
  - pkgmgr.exe (PID: 3224)
  - wimlib-imagex.exe (PID: 3428)
- Loads dropped or rewritten executable
  - dism.exe (PID: 2236)
  - wimlib-imagex.exe (PID: 1260)
  - SearchProtocolHost.exe (PID: 1704)
  - dism.exe (PID: 1888)
  - dism.exe (PID: 2600)
  - explorer.exe (PID: 2044)
  - wimlib-imagex.exe (PID: 3428)
SUSPICIOUS
- Modifies files in Chrome extension folder
  - chrome.exe (PID: 1004)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2748)
  - WinRAR.exe (PID: 3600)
INFO
- Manual execution by user
  - chrome.exe (PID: 1004)
  - aria2c.exe (PID: 3332)
  - WinRAR.exe (PID: 2748)
  - 7z.exe (PID: 1920)
  - 7z.exe (PID: 1824)
  - aria2c.exe (PID: 2300)
  - dism.exe (PID: 1888)
  - dism.exe (PID: 2600)
- Application launched itself
  - chrome.exe (PID: 1004)
- Reads Internet Cache Settings
  - chrome.exe (PID: 1004)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.cab	\|	Microsoft Cabinet Archive (100)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

131

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3600	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\convert_lite.cab"	C:\Program Files\WinRAR\WinRAR.exe		explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0
3556	"C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.16970\bin\7z.exe"	C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.16970\bin\7z.exe	—	WinRAR.exe
User: admin Company: Igor Pavlov Integrity Level: MEDIUM Description: 7-Zip Console Exit code: 0 Version: 18.05
3016	"C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.17314\bin\aria2c.exe"	C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.17314\bin\aria2c.exe	—	WinRAR.exe
User: admin Integrity Level: MEDIUM Exit code: 1
2236	"C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.17509\bin\dism.exe"	C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.17509\bin\dism.exe	—	WinRAR.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Dism Image Servicing Utility Exit code: 740 Version: 10.0.17763.1 (WinBuild.160101.0800)
2292	"C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.18734\bin\imagex.exe"	C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.18734\bin\imagex.exe	—	WinRAR.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Imaging Utility Exit code: 1 Version: 10.0.17763.1 (WinBuild.160101.0800)
3400	"C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.19219\bin\offlinereg.exe"	C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.19219\bin\offlinereg.exe	—	WinRAR.exe
User: admin Integrity Level: MEDIUM Exit code: 0
300	"C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.19463\bin\oscdimg.exe"	C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.19463\bin\oscdimg.exe	—	WinRAR.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft CD/DVD Premastering Utility Exit code: 1 Version: 2.56
2168	"C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.19603\bin\pkgmgr.exe"	C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.19603\bin\pkgmgr.exe	—	WinRAR.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Package Manager Exit code: 3221226540 Version: 10.0.17763.1 (WinBuild.160101.0800)
2680	"C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.19603\bin\pkgmgr.exe"	C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.19603\bin\pkgmgr.exe		WinRAR.exe
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Package Manager Exit code: 3221225781 Version: 10.0.17763.1 (WinBuild.160101.0800)
1260	"C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.20238\bin\wimlib-imagex.exe"	C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.20238\bin\wimlib-imagex.exe	—	WinRAR.exe
User: admin Integrity Level: MEDIUM Exit code: 2

Add for printing

Total events

4 078

Read events

3 371

Write events

Delete events

Modification events

No data

Add for printing

Executable files

385

Suspicious files

Text files

322

Unknown types

Dropped files

PID	Process	Filename		Type
3600	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.16970\bin\bootwim.txt		text
		MD5:55780EED8B17096C76A2E5C352E451EA	SHA256:39BE7DAC4984C8741237A3D217DF3C4073E7EEC626CFA60CFBBF922C9726E9B1
3600	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.16970\bin\convert-UUP.cmd		text
		MD5:0F3A05A0825D9AC05B35CDAC36BE795B	SHA256:20C243B275FA1ABEC32594EC574A5487639C34E8E8682A583781C79C11467BDD
3600	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.16970\bin\ffuprovider.dll		executable
		MD5:8F364C9B3BB548EE7E438D58A132ACEC	SHA256:94D40AB41BABACA3B65CD9E4B2655E75340E389B728EF78DB4AD2F4532C48BAB
3600	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.16970\bin\dismcoreps.dll		executable
		MD5:8BDA6E3379AB78A80B78C89E47113A48	SHA256:FF71A1E0C8553ED8D28F7B2FD25BF1035892737878D7C6928D39469238FF25C4
3600	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.16970\bin\imagex.exe		executable
		MD5:183092F9DC251A1CE5C4ADF082AA1ACA	SHA256:59C105765B76E32DF7A6A32ED1FB31C404D2796E8C08AF8D845996767148D83A
3600	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.16970\bin\dism.exe		executable
		MD5:9178DE39027C783AA131CE0BE2267696	SHA256:1191C2EDAF336ECB417D3E82C2EB54914E6CDE176F29F0CD5368231423B710A2
3600	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.16970\bin\imagingprovider.dll		executable
		MD5:5546436817AFF09757FCAC7646682531	SHA256:6E6DAEAF0DB5A41D0D3D6A9C6D7EDE669741D067FF35B0159C5F0B779B57DD4F
3600	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.16970\bin\dism.Format.ps1xml		text
		MD5:22E53D0E44212AFFE536AD0C658953CC	SHA256:0476E8C703EC695CC4CDBA62D795A546DB567ADA3C916AEFB7473937D1E6C256
3600	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.16970\bin\dism.psd1		text
		MD5:02EABFA2001FAC51C13285EC0C3899FB	SHA256:F90B6A9A5727E25D1C7D4DFBFF04E2EF420A8696EEA3CBDF85A29C6212C8FD54
3600	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$EXa3600.16970\bin\aria2c.exe		executable
		MD5:3885ADC6619A8257C8B42DFA7349CE11	SHA256:3EB8712B0DB6BA466F8AFE1BF606983FE8341C941BDFCADC07068288C7CA5A9C

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1004	chrome.exe	GET	302	216.58.207.46:80	http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx	US	html	506 b	whitelisted
1004	chrome.exe	GET	200	209.85.226.6:80	http://r1---sn-5hnekn76.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=185.104.185.243&mm=28&mn=sn-5hnekn76&ms=nvh&mt=1558687188&mv=m&pl=24&shardbypass=yes	US	crx	842 Kb	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1004	chrome.exe	172.217.16.206:443	clients1.google.com	Google Inc.	US	whitelisted
1004	chrome.exe	216.58.208.35:443	ssl.gstatic.com	Google Inc.	US	whitelisted
1004	chrome.exe	172.217.23.132:443	www.google.com	Google Inc.	US	whitelisted
1004	chrome.exe	216.58.210.3:443	www.gstatic.com	Google Inc.	US	whitelisted
1004	chrome.exe	172.217.22.35:443	www.google.fr	Google Inc.	US	whitelisted
1004	chrome.exe	172.217.16.142:443	apis.google.com	Google Inc.	US	whitelisted
1004	chrome.exe	172.217.21.238:443	ogs.google.com	Google Inc.	US	whitelisted
1004	chrome.exe	216.58.207.74:443	fonts.googleapis.com	Google Inc.	US	whitelisted
1004	chrome.exe	216.58.207.67:443	clientservices.googleapis.com	Google Inc.	US	whitelisted
1004	chrome.exe	216.58.207.35:443	www.google.com.ua	Google Inc.	US	whitelisted

DNS requests

Domain	IP	Reputation
clientservices.googleapis.com	216.58.207.67	whitelisted
www.google.com.ua	216.58.207.35	whitelisted
accounts.google.com	172.217.22.109	shared
clients1.google.com	172.217.16.206	whitelisted
ssl.gstatic.com	216.58.208.35	whitelisted
www.gstatic.com	216.58.210.3	whitelisted
apis.google.com	172.217.16.142	whitelisted
www.google.com	172.217.23.132	whitelisted
www.google.fr	172.217.22.35	whitelisted
fonts.googleapis.com	216.58.207.74	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

convert_lite.cab

6665F15BF8841CAFFE4CF1C8349AE4FA

E7C4FEB463148AAE7F8D0CF5582B99C08A9E5030

B52F48FFF0AE1B41BA2B2C5AC7E0C6851830B983AD48E1A9A0E296B6853869F1

98304:wJuzOnftmiaF/CoyTj/0lR4+HNV4zFYxDJyE1rPcnwa5s6wN3gNDFo:wZftm3m/0jfTnDJyEFcl5nwgXo

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

SUSPICIOUS

Modifies files in Chrome extension folder

Executable content was dropped or overwritten

INFO

Manual execution by user

Application launched itself

Reads Internet Cache Settings

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings