File name: Your Package Tracked Now_5cadf9e53f83d.exe

Full analysis: https://app.any.run/tasks/6fba2ec5-5ad6-48c8-b6e6-ebaee51eabdb
Verdict: Malicious activity
Analysis date: April 14, 2019, 19:07:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
MD5: 1306823190016B9463291D6AA3082E88
SHA1: D1D6AD0A9369638F40DBD9CE54D7FBA6116123B7
SHA256: BD85622762BF36B5E2416519702B4C1B2346C204AA615AEA7FF67B034FEC43E7
SSDEEP: 12288:rgy5pqtaUnZ9Y4GtC51vxhIOwL+xfSl4LedqlwBTGXCeBedjM71SqnlfjvqsQr:b5pqtHzYpt+/RpelqWBTbVadl7SDr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • Your Package Tracked Now_5cadf9e53f83d.exe (PID: 2432)
    • Application was dropped or rewritten from another process
      • Your Package Tracked Now.exe (PID: 1360)
      • Your Package Tracked Now.exe (PID: 3368)
    • Changes the autorun value in the registry
      • Your Package Tracked Now_5cadf9e53f83d.exe (PID: 2432)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • Your Package Tracked Now_5cadf9e53f83d.exe (PID: 2432)
    • Creates a software uninstall entry
      • Your Package Tracked Now_5cadf9e53f83d.exe (PID: 2432)
      • Your Package Tracked Now.exe (PID: 1360)
      • Your Package Tracked Now.exe (PID: 3368)
    • Reads Internet Explorer settings
      • Your Package Tracked Now.exe (PID: 1360)
    • Starts Internet Explorer
      • Your Package Tracked Now.exe (PID: 1360)
  • INFO
    • Changes internet zones settings
      • IEXPLORE.EXE (PID: 2968)
    • Application launched itself
      • IEXPLORE.EXE (PID: 2968)
    • Creates files in the user directory
      • IEXPLORE.EXE (PID: 2160)
    • Reads Internet Explorer settings
      • IEXPLORE.EXE (PID: 2160)
    • Reads settings of System Certificates
      • IEXPLORE.EXE (PID: 2160)
    • Reads Internet Cache Settings
      • IEXPLORE.EXE (PID: 2968)
      • IEXPLORE.EXE (PID: 2160)
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

ProductVersion: 3.1.0.5
ProductName: Desktop Search Bar
OriginalFileName: SBInstaller
LegalCopyright: (c) 2018 Springtech Ltd
FileVersion: 3.1.0.5
FileDescription: Desktop web search
CompanyName: Springtech Ltd
CharacterSet: ASCII
LanguageCode: English (U.S.)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x0000
ProductVersionNumber: 3.1.0.5
FileVersionNumber: 3.1.0.5
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: 6
OSVersion: 4
EntryPoint: 0x33b6
UninitializedDataSize: 2048
InitializedDataSize: 141824
CodeSize: 25088
LinkerVersion: 6
PEType: PE32
TimeStamp: 2016:07:25 02:55:51+02:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 25-Jul-2016 00:55:51
Detected languages:
  • English - United States
CompanyName: Springtech Ltd
FileDescription: Desktop web search
FileVersion: 3.1.0.5
LegalCopyright: (c) 2018 Springtech Ltd
OriginalFilename: SBInstaller
ProductName: Desktop Search Bar
ProductVersion: 3.1.0.5

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x000000C8

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 25-Jul-2016 00:55:51
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE
  • IMAGE_FILE_LINE_NUMS_STRIPPED
  • IMAGE_FILE_LOCAL_SYMS_STRIPPED
  • IMAGE_FILE_RELOCS_STRIPPED

Sections

Name | Virtual Address | Virtual Size | Raw Size | Characteristics | Entropy
.text | 0x00001000 | 0x0000615D | 0x00006200 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ | 6.45023
.rdata | 0x00008000 | 0x000013A4 | 0x00001400 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 5.163
.data | 0x0000A000 | 0x00020338 | 0x00000600 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 3.9824
.ndata | 0x0002B000 | 0x00026000 | 0x00000000 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE | 0
.rsrc | 0x00051000 | 0x00007C20 | 0x00007E00 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ | 6.04043

Resources

Title | Entropy | Size | Codepage | Language | Type
1 | 5.29536 | 1058 | UNKNOWN | English - United States | RT_MANIFEST
2 | 6.01823 | 9640 | UNKNOWN | English - United States | RT_ICON
3 | 6.44112 | 4264 | UNKNOWN | English - United States | RT_ICON
4 | 6.6049 | 2440 | UNKNOWN | English - United States | RT_ICON
5 | 6.45535 | 1128 | UNKNOWN | English - United States | RT_ICON
6 | 0 | 744 | UNKNOWN | English - United States | RT_ICON
7 | 0 | 296 | UNKNOWN | English - United States | RT_ICON
103 | 2.80068 | 104 | UNKNOWN | English - United States | RT_GROUP_ICON
105 | 2.73893 | 514 | UNKNOWN | English - United States | RT_DIALOG
106 | 2.91148 | 248 | UNKNOWN | English - United States | RT_DIALOG

Imports

ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
SHELL32.dll
USER32.dll
ole32.dll
No data.
Total processes: 37
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 1

Behavior graph

[Behavior graph not reproduced; nodes: your package tracked now_5cadf9e53f83d.exe, your package tracked now.exe, iexplore.exe, iexplore.exe, your package tracked now.exe; edge labels: drop and start, start]

Process information

PID: 2432
CMD: "C:\Users\admin\AppData\Local\Temp\Your Package Tracked Now_5cadf9e53f83d.exe"
Path: C:\Users\admin\AppData\Local\Temp\Your Package Tracked Now_5cadf9e53f83d.exe
Parent process: explorer.exe
User: admin
Company: Springtech Ltd
Integrity Level: MEDIUM
Description: Desktop web search
Exit code: 0
Version: 3.1.0.5

PID: 1360
CMD: "C:\Users\admin\AppData\Local\Your Package Tracked Now\Your Package Tracked Now.exe" /firstrun
Path: C:\Users\admin\AppData\Local\Your Package Tracked Now\Your Package Tracked Now.exe
Parent process: Your Package Tracked Now_5cadf9e53f83d.exe
User: admin
Company: Springtech LTD
Integrity Level: MEDIUM
Description: Desktop web search
Version: 3.1.0.5

PID: 2968
CMD: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://results.hyourpackagetrackednow.com/s?uid=2d96fe23-823d-43e9-a319-702230adc835&uc=20190410&source={source}_v1-dsf_packages--bb9_v1-dsf_packages--bb9-sbe-ab&i_id=packages_&ap=appfocus84
Path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Parent process: Your Package Tracked Now.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2160
CMD: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:2968 CREDAT:71937
Path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Parent process: IEXPLORE.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3368
CMD: "C:\Users\admin\AppData\Local\Your Package Tracked Now\Your Package Tracked Now.exe" /ds
Path: C:\Users\admin\AppData\Local\Your Package Tracked Now\Your Package Tracked Now.exe
Parent process: explorer.exe
User: admin
Company: Springtech LTD
Integrity Level: MEDIUM
Description: Desktop web search
Version: 3.1.0.5

Total events: 1 031
Read events: 906
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 5
Suspicious files: 5
Text files: 48
Unknown types: 10

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | C:\Users\admin\AppData\Local\Temp\Cab9678.tmp | | |
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | C:\Users\admin\AppData\Local\Temp\Tar9679.tmp | | |
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | C:\Users\admin\AppData\Local\Temp\Cab967A.tmp | | |
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | C:\Users\admin\AppData\Local\Temp\Tar967B.tmp | | |
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | C:\Users\admin\AppData\Local\Temp\Cab9757.tmp | | |
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | C:\Users\admin\AppData\Local\Temp\Tar9758.tmp | | |
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | C:\Users\admin\AppData\Local\Temp\nsn6554.tmp | | |
1360 | Your Package Tracked Now.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\rotate_strings[1].json | | |
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | compressed | 04D79A0DC77A8F449CBFF6252862D398 | 4C9C4D831D61C8C38B2513F9B431EF4F4CF6AF9FB18A2317CD2178D6E0997822
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416 | binary | 8028558598668EBAE282E4A2BB0EEFED | DB86BD38235FC6E072546756BB639321734698CA056AB6AE506B05C7324BB1BC
HTTP(S) requests: 28
TCP/UDP connections: 22
DNS requests: 10
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2160 | IEXPLORE.EXE | GET | 200 | 52.6.170.180:80 | http://results.hyourpackagetrackednow.com/?uc=20190410&ap=appfocus84&source=%7Bsource%7D_v1-dsf_packages--bb9_v1-dsf_packages--bb9-sbe-ab&uid=2d96fe23-823d-43e9-a319-702230adc835&i_id=packages_1&page=newtab | US | html | 9.62 Kb | unknown
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | GET | 200 | 13.32.222.30:80 | http://x.ss2.us/x.cer | US | der | 1.27 Kb | whitelisted
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | GET | 200 | 93.184.221.240:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.6 Kb | whitelisted
1360 | Your Package Tracked Now.exe | GET | 200 | 3.18.145.221:80 | http://sbdistro.com/Content/kits/rotate_strings.json?useragent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/64.0.3282.140%20Safari/537.36%20Edge/17.17134&user_id=2d96fe23-823d-43e9-a319-702230adc835&source={source}_v1-dsf_packages--bb9_v1-dsf_packages--bb9-sbe-ab&traffic_source=appfocus84&subid=20190410&implementation_id=packages_ | US | text | 455 b | suspicious
2968 | IEXPLORE.EXE | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | GET | 200 | 3.18.145.221:80 | http://sbdistro.com/Content/kits/sbui/widgets/packages/packages_ab.json?useragent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/64.0.3282.140%20Safari/537.36%20Edge/17.17134&user_id=2d96fe23-823d-43e9-a319-702230adc835&source={source}_v1-dsf_packages--bb9_v1-dsf_packages--bb9-sbe-ab&traffic_source=appfocus84&subid=20190410&implementation_id=packages_ | US | text | 816 b | suspicious
2160 | IEXPLORE.EXE | GET | 302 | 52.6.170.180:80 | http://results.hyourpackagetrackednow.com/s?uid=2d96fe23-823d-43e9-a319-702230adc835&uc=20190410&source={source}_v1-dsf_packages--bb9_v1-dsf_packages--bb9-sbe-ab&i_id=packages_&ap=appfocus84 | US | html | 302 b | unknown
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | GET | 200 | 3.18.145.221:80 | http://sbdistro.com/cgi/adk/chrdlid.cgi?id=5cadf9e53f83d | US | text | 583 b | suspicious
1360 | Your Package Tracked Now.exe | GET | 200 | 34.206.226.127:80 | http://imp.hyourpackagetrackednow.com/impression.do?event=sbe_alive&useragent=Mozilla/5.0%20(Windows%20NT%2010.0;%20Win64;%20x64)%20AppleWebKit/537.36%20(KHTML,%20like%20Gecko)%20Chrome/64.0.3282.140%20Safari/537.36%20Edge/17.17134&user_id=2d96fe23-823d-43e9-a319-702230adc835&source={source}_v1-dsf_packages--bb9_v1-dsf_packages--bb9-sbe-ab&traffic_source=appfocus84&subid=20190410&implementation_id=packages_&subid2=3.1.0.5 | US | image | 109 b | malicious
2160 | IEXPLORE.EXE | GET | 200 | 52.6.170.180:80 | http://results.hyourpackagetrackednow.com/Content/Images/saveMoney.png | US | image | 1.96 Kb | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | 3.18.145.221:443 | sbdistro.com | | US | unknown
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | 3.18.145.221:80 | sbdistro.com | | US | unknown
| | 34.206.226.127:80 | imp.hyourpackagetrackednow.com | Amazon.com, Inc. | US | unknown
1360 | Your Package Tracked Now.exe | 3.18.145.221:80 | sbdistro.com | | US | unknown
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | 13.32.222.30:80 | x.ss2.us | Amazon.com, Inc. | US | whitelisted
2432 | Your Package Tracked Now_5cadf9e53f83d.exe | 93.184.221.240:80 | www.download.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2968 | IEXPLORE.EXE | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
| | 3.18.145.221:80 | sbdistro.com | | US | unknown
2160 | IEXPLORE.EXE | 13.32.222.47:80 | dap2y8k6nefku.cloudfront.net | Amazon.com, Inc. | US | whitelisted
2160 | IEXPLORE.EXE | 52.6.170.180:80 | results.hyourpackagetrackednow.com | Amazon.com, Inc. | US | unknown

DNS requests

Domain | IP | Reputation
sbdistro.com | 3.18.145.221, 3.18.236.124 | suspicious
x.ss2.us | 13.32.222.30, 13.32.222.51, 13.32.222.12, 13.32.222.163 | whitelisted
www.download.windowsupdate.com | 93.184.221.240 | whitelisted
imp.hyourpackagetrackednow.com | 34.206.226.127, 52.202.155.97 | unknown
results.hyourpackagetrackednow.com | 52.6.170.180, 18.215.37.163 | unknown
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
d3ff8olul1r3ot.cloudfront.net | 13.32.222.17, 13.32.222.118, 13.32.222.21, 13.32.222.238 | shared
imp.mt48.net | 104.111.241.173 | whitelisted
dap2y8k6nefku.cloudfront.net | 13.32.222.47, 13.32.222.9, 13.32.222.250, 13.32.222.110 | whitelisted
imp.onesearch.org | 52.22.227.196, 54.174.5.12 | whitelisted

Threats

No threats detected
No debug info