| File name: | archiveYTcheats.zip |
| Full analysis: | https://app.any.run/tasks/726ef41d-af19-4c28-aa7d-bff255235105 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | February 22, 2020, 13:58:01 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 7F7F47898E7191608635E5CCB1516C9F |
| SHA1: | E1D64D0D887A9FD1450690F629F93485BAC8DA74 |
| SHA256: | C801803521B81CE62028D081A0ECD0EC3DC580661C11B1225BA5FA281A5276A9 |
| SSDEEP: | 98304:t0xIgwVlHN8tp0wCilsx7u6e+IoaYUdSGchwpBpk6AP7n:ixjilt8tpnCi6U6e+IOUdOhwp/k627n |
MALICIOUS
Application was dropped or rewritten from another process
- xCoreManagment.exe (PID: 2532)
- launcher.exe (PID: 2072)
- lr.exe (PID: 2880)
- ApplicationsFrameHost.exe (PID: 272)
- sr.exe (PID: 3568)
- RealtekSb.exe (PID: 2120)
- cr.exe (PID: 880)
Writes to a start menu file
- cr.exe (PID: 880)
Downloads executable files from the Internet
- lr.exe (PID: 2880)
- xCoreManagment.exe (PID: 2532)
Downloads executable files from IP
- lr.exe (PID: 2880)
- xCoreManagment.exe (PID: 2532)
Runs PING.EXE for delay simulation
- cmd.exe (PID: 1232)
Changes the autorun value in the registry
- xCoreManagment.exe (PID: 2532)
Loads the Task Scheduler COM API
- cr.exe (PID: 880)
SUSPICIOUS
Creates files in the program directory
- lr.exe (PID: 2880)
- cmd.exe (PID: 820)
- xCoreManagment.exe (PID: 2532)
- cmd.exe (PID: 2940)
Creates files in the user directory
- cr.exe (PID: 880)
- sr.exe (PID: 3568)
Starts itself from another location
- cr.exe (PID: 880)
Reads Internet Cache Settings
- lr.exe (PID: 2880)
- xCoreManagment.exe (PID: 2532)
- sr.exe (PID: 3568)
Executable content was dropped or overwritten
- lr.exe (PID: 2880)
- WinRAR.exe (PID: 660)
- cr.exe (PID: 880)
- xCoreManagment.exe (PID: 2532)
Starts CMD.EXE for commands execution
- lr.exe (PID: 2880)
- xCoreManagment.exe (PID: 2532)
- sr.exe (PID: 3568)
Reads the cookies of Mozilla Firefox
- sr.exe (PID: 3568)
Starts CMD.EXE for self-deleting
- lr.exe (PID: 2880)
- sr.exe (PID: 3568)
Searches for installed software
- sr.exe (PID: 3568)
Uses WMIC.EXE to obtain a list of video controllers
- cmd.exe (PID: 2940)
Uses WMIC.EXE to obtain a system information
- cmd.exe (PID: 2940)
- cmd.exe (PID: 820)
Reads the cookies of Google Chrome
- sr.exe (PID: 3568)
Uses ICACLS.EXE to modify access control list
- cmd.exe (PID: 3100)
- cmd.exe (PID: 3640)
- cmd.exe (PID: 3092)
- cmd.exe (PID: 2940)
- cmd.exe (PID: 2600)
- cmd.exe (PID: 3880)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2019:12:04 14:21:17 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | files/ |
Total processes
75
Monitored processes
29
Malicious processes
6
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 272 | C:\ProgramData\IntelCore\ApplicationsFrameHost.exe | C:\ProgramData\IntelCore\ApplicationsFrameHost.exe | — | xCoreManagment.exe | |||||||||||
User: admin Company: www.xmrig.com Integrity Level: MEDIUM Description: XMRig miner Exit code: 0 Version: 5.0.1 Modules
| |||||||||||||||
| 348 | wmic path win32_VideoController get name | C:\Windows\System32\Wbem\WMIC.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 604 | ping 127.0.0.1 | C:\Windows\system32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 660 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\archiveYTcheats.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.60.0 Modules
| |||||||||||||||
| 680 | icacls C:\ProgramData\SystemNetwork /deny "Administrators:(R,REA,RA))" | C:\Windows\system32\icacls.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Exit code: 87 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 816 | ping -n 5 localhost | C:\Windows\system32\PING.EXE | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Ping Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 820 | C:\Windows\system32\cmd.exe /c WMIC OS get osarchitecture >C:\ProgramData\SystemNetwork\arch.txt | C:\Windows\system32\cmd.exe | — | xCoreManagment.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 880 | C:\ProgramData\cr.exe | C:\ProgramData\cr.exe | lr.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Exit code: 0 Modules
| |||||||||||||||
| 1196 | icacls C:\ProgramData\IntelCore /deny "Administrators:(R,REA,RA))" | C:\Windows\system32\icacls.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Exit code: 87 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1232 | "C:\Windows\System32\cmd.exe" /k ping -n 5 localhost < nul & del /F /Q "C:\Users\admin\AppData\Local\Temp\Rar$EXb660.41767\files\files\lr.exe" | C:\Windows\System32\cmd.exe | — | lr.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
1 096
Read events
1 045
Write events
51
Delete events
0
Modification events
| (PID) Process: | (660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (660) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\archiveYTcheats.zip | |||
| (PID) Process: | (660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface |
| Operation: | write | Name: | ShowPassword |
Value: 0 | |||
| (PID) Process: | (660) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
Executable files
15
Suspicious files
4
Text files
11
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 660 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb660.41767\files\files\lr.exe | executable | |
MD5:— | SHA256:— | |||
| 660 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb660.41767\files\qt.conf | text | |
MD5:— | SHA256:— | |||
| 3568 | sr.exe | C:\Users\admin\AppData\Local\Temp\CabCF4.tmp | — | |
MD5:— | SHA256:— | |||
| 3568 | sr.exe | C:\Users\admin\AppData\Local\Temp\TarCF5.tmp | — | |
MD5:— | SHA256:— | |||
| 3568 | sr.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\JX2N06Z7.txt | — | |
MD5:— | SHA256:— | |||
| 660 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb660.41767\files\launcher.exe | executable | |
MD5:— | SHA256:— | |||
| 2880 | lr.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\bt[1].bat | text | |
MD5:— | SHA256:— | |||
| 2880 | lr.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\cr[1].exe | executable | |
MD5:— | SHA256:— | |||
| 2880 | lr.exe | C:\ProgramData\bt.bat | text | |
MD5:— | SHA256:— | |||
| 2880 | lr.exe | C:\ProgramData\cr.exe | executable | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
7
DNS requests
3
Threats
36
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2880 | lr.exe | GET | 200 | 185.92.149.29:80 | http://185.92.149.29/Build2/xCoreManagment.exe | NL | executable | 3.20 Mb | malicious |
2880 | lr.exe | GET | 200 | 185.92.149.29:80 | http://185.92.149.29/lc/sr.exe | NL | executable | 2.71 Mb | malicious |
2880 | lr.exe | GET | 200 | 185.92.149.29:80 | http://185.92.149.29/lc/bt.bat | NL | text | 780 b | malicious |
2532 | xCoreManagment.exe | GET | 200 | 185.92.149.29:80 | http://185.92.149.29/Build2/x32/config.json | NL | text | 1.59 Kb | malicious |
2532 | xCoreManagment.exe | GET | 404 | 185.92.149.29:80 | http://185.92.149.29/Build2/other/other.txt | NL | xml | 1.03 Kb | malicious |
3568 | sr.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D | US | der | 1.47 Kb | whitelisted |
2880 | lr.exe | GET | 200 | 185.92.149.29:80 | http://185.92.149.29/lc/cr.exe | NL | executable | 5.46 Mb | malicious |
2532 | xCoreManagment.exe | GET | 200 | 185.92.149.29:80 | http://185.92.149.29/Build2/server_version.txt? | NL | text | 4 b | malicious |
2532 | xCoreManagment.exe | GET | 404 | 185.92.149.29:80 | http://185.92.149.29/Build2/other/other.txt? | NL | xml | 1.03 Kb | malicious |
2532 | xCoreManagment.exe | GET | 200 | 185.92.149.29:80 | http://185.92.149.29/Build2/server_version.txt | NL | text | 4 b | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2532 | xCoreManagment.exe | 185.92.149.29:80 | 1a3c1a2b.xyz | NovoServe B.V. | NL | malicious |
3568 | sr.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2880 | lr.exe | 185.92.149.29:80 | 1a3c1a2b.xyz | NovoServe B.V. | NL | malicious |
3568 | sr.exe | 104.27.173.77:443 | mytelegramapi.cf | Cloudflare Inc | US | shared |
— | — | 185.92.149.29:88 | 1a3c1a2b.xyz | NovoServe B.V. | NL | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
mytelegramapi.cf |
| suspicious |
ocsp.digicert.com |
| whitelisted |
1a3c1a2b.xyz |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2880 | lr.exe | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile |
2880 | lr.exe | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile |
2880 | lr.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
2880 | lr.exe | A Network Trojan was detected | ET INFO AutoIt User Agent Executable Request |
2880 | lr.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile |
2880 | lr.exe | Misc activity | ET INFO Packed Executable Download |
2880 | lr.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2880 | lr.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
2880 | lr.exe | Misc activity | ET INFO Packed Executable Download |
2880 | lr.exe | Potential Corporate Privacy Violation | ET POLICY Autoit Windows Automation tool User-Agent in HTTP Request - Possibly Hostile |
5 ETPRO signatures available at the full report