analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://windowgrid.net/public/downloads/WindowGrid_1.3.1.1.zip

Full analysis: https://app.any.run/tasks/a7a1dc9e-52a2-4695-92e0-5e1c860c1808
Verdict: Malicious activity
Analysis date: July 18, 2019, 11:43:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

ECD4880E0AC72AB436E175791D9F32A9

SHA1:

3F56C85445D4CFCDD8FD8BF12153DE6B833439B1

SHA256:

BE1D77A3E51127ECC9E37BD5176A20088EB94ADF520F46F3710334799CCEED6A

SSDEEP:

3:N1KJMEMBLXVQHJVKjBKSL6UiPkVn:CCbLX6HmoSLKPkVn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • WindowGrid.exe (PID: 1692)
      • WindowGrid.exe (PID: 3728)
      • WindowGrid.exe (PID: 1092)
      • WindowGridOverlay.exe (PID: 3468)
    • Uses Task Scheduler to run other applications

      • WindowGrid.exe (PID: 1692)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 3164)
    • Changes the autorun value in the registry

      • WindowGrid.exe (PID: 1692)
    • Loads dropped or rewritten executable

      • WindowGrid.exe (PID: 1092)
      • rundll32.exe (PID: 2136)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3436)
      • WindowGrid.exe (PID: 1692)
      • WindowGrid.exe (PID: 1092)
    • Creates files in the program directory

      • WindowGrid.exe (PID: 1692)
      • WindowGrid.exe (PID: 1092)
    • Uses RUNDLL32.EXE to load library

      • WindowGrid.exe (PID: 1092)
    • Reads Environment values

      • WindowGrid.exe (PID: 1092)
    • Starts itself from another location

      • WindowGrid.exe (PID: 1692)
  • INFO

    • Creates files in the user directory

      • opera.exe (PID: 2896)
    • Manual execution by user

      • WinRAR.exe (PID: 3436)
      • WindowGrid.exe (PID: 1692)
      • WindowGrid.exe (PID: 3728)
    • Reads Internet Cache Settings

      • opera.exe (PID: 2896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
8
Malicious processes
3
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start drop and start opera.exe winrar.exe windowgrid.exe no specs windowgrid.exe schtasks.exe no specs windowgrid.exe windowgridoverlay.exe no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2896"C:\Program Files\Opera\opera.exe" "http://windowgrid.net/public/downloads/WindowGrid_1.3.1.1.zip"C:\Program Files\Opera\opera.exe
explorer.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera Internet Browser
Version:
1748
3436"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\WindowGrid_1.3.1.1.zip" C:\Users\admin\Desktop\C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
3728"C:\Users\admin\Desktop\WindowGrid.exe" C:\Users\admin\Desktop\WindowGrid.exeexplorer.exe
User:
admin
Company:
windowgrid.net
Integrity Level:
MEDIUM
Description:
WindowGrid
Exit code:
3221226540
Version:
1.3.1.1
1692"C:\Users\admin\Desktop\WindowGrid.exe" C:\Users\admin\Desktop\WindowGrid.exe
explorer.exe
User:
admin
Company:
windowgrid.net
Integrity Level:
HIGH
Description:
WindowGrid
Exit code:
0
Version:
1.3.1.1
3164"schtasks.exe" /CREATE /TN "WindowGrid" /XML "C:\Program Files\WindowGrid\temp\Autostart.xml" /FC:\Windows\system32\schtasks.exeWindowGrid.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Manages scheduled tasks
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1092"C:\Program Files\WindowGrid\WindowGrid.exe"C:\Program Files\WindowGrid\WindowGrid.exe
WindowGrid.exe
User:
admin
Company:
windowgrid.net
Integrity Level:
HIGH
Description:
WindowGrid
Version:
1.3.1.1
3468"C:\Program Files\WindowGrid\WindowGridOverlay.exe"C:\Program Files\WindowGrid\WindowGridOverlay.exeWindowGrid.exe
User:
admin
Company:
windowgrid.net
Integrity Level:
HIGH
Description:
WindowGridOverlay
Version:
1.3.1.1
2136"C:\Windows\System32\rundll32.exe" WindowGrid32.dll, RunDllC:\Windows\System32\rundll32.exeWindowGrid.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
954
Read events
809
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
27
Text files
8
Unknown types
1

Dropped files

PID
Process
Filename
Type
2896opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\sessions\oprC9D8.tmp
MD5:
SHA256:
2896opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\oprC9E8.tmp
MD5:
SHA256:
2896opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\oprCA37.tmp
MD5:
SHA256:
2896opera.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1W1A2PIMJ174XEWR6GP1.temp
MD5:
SHA256:
2896opera.exeC:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00002.tmp
MD5:
SHA256:
2896opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.datbinary
MD5:208F9DD3D23F22CCE2F0AAA89D2043BF
SHA256:9BD3726C511B261FC4895FF1BFB384584125227D8C85537ABC9CAFD6E3C74BAC
2896opera.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms~RF17d561.TMPbinary
MD5:8D2AF1B32332CBC3EB43E52363BC928D
SHA256:A8A64BE8EAB84CF198494B0773676DF0FB6CAB57E8DC1329EBCFDCD849EBDFE0
2896opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.initext
MD5:EB4A682C9E54EAB3FF0D6CEBD4512827
SHA256:6E5D55AE64ECDB04AC71F70281E7A8A1AE8E03E13FC8667B43DC0CD9609D26ED
2896opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xmlxml
MD5:DD0455C527882BE1DC37EB9B83E8AB2A
SHA256:9544028789ED31A5BBE66FA12B5718C5281DB87E0631974D13E127D827CA2D47
2896opera.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-msbinary
MD5:8D2AF1B32332CBC3EB43E52363BC928D
SHA256:A8A64BE8EAB84CF198494B0773676DF0FB6CAB57E8DC1329EBCFDCD849EBDFE0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
6
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1092
WindowGrid.exe
GET
200
128.199.218.156:80
http://windowgrid.net/latest
SG
text
7 b
unknown
2896
opera.exe
GET
200
128.199.218.156:80
http://windowgrid.net/public/downloads/WindowGrid_1.3.1.1.zip
SG
compressed
433 Kb
unknown
2896
opera.exe
GET
400
185.26.182.94:80
http://sitecheck2.opera.com/?host=windowgrid.net&hdn=0z7dYufKCyTdNW22t2aAkg==
unknown
html
150 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2896
opera.exe
93.184.220.29:80
crl4.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2896
opera.exe
185.26.182.94:443
certs.opera.com
Opera Software AS
whitelisted
2896
opera.exe
185.26.182.94:80
certs.opera.com
Opera Software AS
whitelisted
2896
opera.exe
128.199.218.156:80
windowgrid.net
Digital Ocean, Inc.
SG
unknown
1092
WindowGrid.exe
128.199.218.156:80
windowgrid.net
Digital Ocean, Inc.
SG
unknown

DNS requests

Domain
IP
Reputation
windowgrid.net
  • 128.199.218.156
unknown
certs.opera.com
  • 185.26.182.94
  • 185.26.182.93
whitelisted
sitecheck2.opera.com
  • 185.26.182.94
  • 185.26.182.111
  • 185.26.182.112
  • 185.26.182.93
whitelisted
crl4.digicert.com
  • 93.184.220.29
whitelisted

Threats

No threats detected
No debug info