| URL: | http://s3.amazonaws.com/Boson/netsim11.exe |
| Full analysis: | https://app.any.run/tasks/7096ec70-ffc1-4b1b-a7db-29fd79da9cff |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | April 25, 2019, 20:25:09 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | 4D6D46AC454E1A65C20A646572EC70D9 |
| SHA1: | 301F9BC06E90F4E9D204AC201108FEDA1D999954 |
| SHA256: | C699B23CFC5269679EE084213C4FB9D15A471630853CD17B007AE8253DE2B8BC |
| SSDEEP: | 3:N1KNY7WtKWK+L0Wj4A:CaLN00Wj4A |
MALICIOUS
Loads dropped or rewritten executable
- netsim11[1].exe (PID: 1796)
- NetSim.exe (PID: 2724)
Application was dropped or rewritten from another process
- netsim11[1].exe (PID: 2392)
- netsim11[1].exe (PID: 1796)
- NetSim.exe (PID: 2724)
Changes settings of System certificates
- netsim11[1].exe (PID: 1796)
Downloads executable files from the Internet
- iexplore.exe (PID: 3160)
SUSPICIOUS
Executable content was dropped or overwritten
- netsim11[1].exe (PID: 1796)
- msiexec.exe (PID: 2828)
Adds / modifies Windows certificates
- netsim11[1].exe (PID: 1796)
Reads internet explorer settings
- netsim11[1].exe (PID: 1796)
Reads Internet Cache Settings
- netsim11[1].exe (PID: 1796)
Searches for installed software
- netsim11[1].exe (PID: 1796)
Creates files in the Windows directory
- msiexec.exe (PID: 2828)
Creates COM task schedule object
- MsiExec.exe (PID: 3752)
- msiexec.exe (PID: 2828)
Creates a software uninstall entry
- netsim11[1].exe (PID: 1796)
Creates files in the program directory
- netsim11[1].exe (PID: 1796)
- NetSim.exe (PID: 2724)
Creates files in the user directory
- NetSim.exe (PID: 2724)
Reads the BIOS version
- NetSim.exe (PID: 2724)
Reads Environment values
- NetSim.exe (PID: 2724)
Modifies the open verb of a shell class
- NetSim.exe (PID: 2724)
INFO
Changes internet zones settings
- iexplore.exe (PID: 2720)
Reads Internet Cache Settings
- iexplore.exe (PID: 3160)
- iexplore.exe (PID: 2720)
Creates files in the user directory
- iexplore.exe (PID: 3160)
Application launched itself
- iexplore.exe (PID: 2720)
- msiexec.exe (PID: 2828)
Loads dropped or rewritten executable
- msiexec.exe (PID: 2828)
- MsiExec.exe (PID: 2440)
- MsiExec.exe (PID: 120)
- MsiExec.exe (PID: 3752)
Low-level read access rights to disk partition
- vssvc.exe (PID: 2464)
Creates a software uninstall entry
- msiexec.exe (PID: 2828)
Dropped object may contain Bitcoin addresses
- msiexec.exe (PID: 2828)
Reads settings of System Certificates
- NetSim.exe (PID: 2724)
Creates files in the program directory
- msiexec.exe (PID: 2828)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
49
Monitored processes
11
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 120 | C:\Windows\system32\MsiExec.exe -Embedding CF9905A73CC1CEF3F5C78EDBD91B7DB6 | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1796 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\netsim11[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\netsim11[1].exe | iexplore.exe | ||||||||||||
User: admin Company: Boson Software, LLC Integrity Level: HIGH Description: Contact: Your local administrator Exit code: 0 Version: 11.9.0000 Modules
| |||||||||||||||
| 2392 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\netsim11[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\netsim11[1].exe | — | iexplore.exe | |||||||||||
User: admin Company: Boson Software, LLC Integrity Level: MEDIUM Description: Contact: Your local administrator Exit code: 3221226540 Version: 11.9.0000 Modules
| |||||||||||||||
| 2440 | C:\Windows\system32\MsiExec.exe -Embedding A1D4F1C0D0577638030E8974DB854E2E C | C:\Windows\system32\MsiExec.exe | — | msiexec.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2464 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2720 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2724 | "C:\Program Files\Boson Software\Boson NetSim 11\NetSim.exe" | C:\Program Files\Boson Software\Boson NetSim 11\NetSim.exe | explorer.exe | ||||||||||||
User: admin Company: Boson Software, LLC Integrity Level: MEDIUM Description: NetSim Exit code: 0 Version: 11.9.0.27536 Modules
| |||||||||||||||
| 2828 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3068 | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000004D8" "00000320" | C:\Windows\system32\DrvInst.exe | — | svchost.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Driver Installation Module Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3160 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2720 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
2 119
Read events
1 172
Write events
933
Delete events
14
Modification events
| (PID) Process: | (2720) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (2720) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (2720) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (2720) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones |
| Operation: | write | Name: | SecuritySafe |
Value: 1 | |||
| (PID) Process: | (2720) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (2720) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 460000006E000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2720) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active |
| Operation: | write | Name: | {41FDFC8B-6798-11E9-B3B3-5254004A04AF} |
Value: 0 | |||
| (PID) Process: | (2720) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Type |
Value: 4 | |||
| (PID) Process: | (2720) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Count |
Value: 1 | |||
| (PID) Process: | (2720) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Time |
Value: E307040004001900140019001A00FF01 | |||
Executable files
70
Suspicious files
22
Text files
136
Unknown types
12
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2720 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
| 2720 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
| 2720 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF285A98E95E6158C5.TMP | — | |
MD5:— | SHA256:— | |||
| 3160 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UFYWVZQG\netsim11[1].exe | — | |
MD5:— | SHA256:— | |||
| 2720 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\netsim11[1].exe | — | |
MD5:— | SHA256:— | |||
| 1796 | netsim11[1].exe | C:\Users\admin\AppData\Local\Temp\~D395.tmp | — | |
MD5:— | SHA256:— | |||
| 1796 | netsim11[1].exe | C:\Users\admin\AppData\Local\Temp\~D396.tmp | — | |
MD5:— | SHA256:— | |||
| 2720 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{41FDFC8C-6798-11E9-B3B3-5254004A04AF}.dat | binary | |
MD5:— | SHA256:— | |||
| 3160 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:— | SHA256:— | |||
| 1796 | netsim11[1].exe | C:\Users\admin\AppData\Local\Temp\_isD3C6..dll | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
3
DNS requests
3
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2724 | NetSim.exe | POST | 200 | 52.224.218.24:80 | http://services.boson.com/Helpers.asmx | US | xml | 426 b | suspicious |
2724 | NetSim.exe | POST | 200 | 52.224.218.24:80 | http://services.boson.com/netsimaccess.asmx | US | xml | 423 b | suspicious |
3160 | iexplore.exe | GET | 200 | 52.216.145.181:80 | http://s3.amazonaws.com/Boson/netsim11.exe | US | executable | 296 Mb | shared |
2720 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2720 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2724 | NetSim.exe | 52.224.218.24:80 | services.boson.com | Microsoft Corporation | US | suspicious |
3160 | iexplore.exe | 52.216.145.181:80 | s3.amazonaws.com | Amazon.com, Inc. | US | shared |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.bing.com |
| whitelisted |
s3.amazonaws.com |
| shared |
services.boson.com |
| suspicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3160 | iexplore.exe | Potentially Bad Traffic | ET POLICY Executable served from Amazon S3 |
3160 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3160 | iexplore.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |
1 ETPRO signatures available at the full report
Process | Message |
|---|---|
NetSim.exe |
%s------------------------------------------------
--- Themida Professional ---
--- (c)2012 Oreans Technologies ---
------------------------------------------------
|
NetSim.exe | log4net:ERROR An exception ocurred while retreiving stack frame information.
|
NetSim.exe | System.NullReferenceException: Object reference not set to an instance of an object.
at log4net.Core.StackFrameItem..ctor(StackFrame frame)
|
NetSim.exe | log4net:ERROR An exception ocurred while retreiving stack frame information.
|
NetSim.exe | System.NullReferenceException: Object reference not set to an instance of an object.
at log4net.Core.StackFrameItem..ctor(StackFrame frame)
|