analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://file.zhongdengwang.com/ocx/PBCCRCPassGuardX64.exe

Full analysis: https://app.any.run/tasks/ca1e3a48-e0c2-459c-9a98-03b84c515165
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: July 17, 2019, 10:47:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

F9FE8593843480C76F2217D6CADC0B46

SHA1:

BBE4917D061C67210181B200E333795BC3866648

SHA256:

CA612755296899D557294CA0DD9E417A1911816DBCFBB2E8AB83E06560D3A123

SSDEEP:

3:N1KYL8RddIRGdKtR32J9TtN:CYgjsKKt4v

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • PBCCRCPassGuardX64.exe (PID: 3944)
      • PBCCRCPassGuardX64.exe (PID: 2684)
    • Application was dropped or rewritten from another process

      • PBCCRCPassGuardX64.exe (PID: 2080)
      • PBCCRCPassGuardX64.exe (PID: 3816)
      • PBCCRCPassGuardX64.exe (PID: 3944)
      • PBCCRCPassGuardX64.exe (PID: 2684)
    • Downloads executable files from the Internet

      • opera.exe (PID: 3364)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • PBCCRCPassGuardX64.exe (PID: 3944)
      • opera.exe (PID: 3364)
      • PBCCRCPassGuardX64.exe (PID: 2684)
  • INFO

    • Manual execution by user

      • PBCCRCPassGuardX64.exe (PID: 3944)
      • PBCCRCPassGuardX64.exe (PID: 2684)
      • PBCCRCPassGuardX64.exe (PID: 2080)
      • PBCCRCPassGuardX64.exe (PID: 3816)
    • Creates files in the user directory

      • opera.exe (PID: 3364)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
5
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start opera.exe pbccrcpassguardx64.exe no specs pbccrcpassguardx64.exe pbccrcpassguardx64.exe no specs pbccrcpassguardx64.exe

Process information

PID
CMD
Path
Indicators
Parent process
3364"C:\Program Files\Opera\opera.exe" "http://file.zhongdengwang.com/ocx/PBCCRCPassGuardX64.exe"C:\Program Files\Opera\opera.exe
explorer.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera Internet Browser
Version:
1748
3816"C:\Users\admin\Desktop\PBCCRCPassGuardX64.exe" C:\Users\admin\Desktop\PBCCRCPassGuardX64.exeexplorer.exe
User:
admin
Company:
中国人民银行征信中心
Integrity Level:
MEDIUM
Description:
人行征信中心密码控件
Exit code:
3221226540
Version:
1.0.0.1
2684"C:\Users\admin\Desktop\PBCCRCPassGuardX64.exe" C:\Users\admin\Desktop\PBCCRCPassGuardX64.exe
explorer.exe
User:
admin
Company:
中国人民银行征信中心
Integrity Level:
HIGH
Description:
人行征信中心密码控件
Exit code:
2
Version:
1.0.0.1
2080"C:\Users\admin\Desktop\PBCCRCPassGuardX64.exe" C:\Users\admin\Desktop\PBCCRCPassGuardX64.exeexplorer.exe
User:
admin
Company:
中国人民银行征信中心
Integrity Level:
MEDIUM
Description:
人行征信中心密码控件
Exit code:
3221226540
Version:
1.0.0.1
3944"C:\Users\admin\Desktop\PBCCRCPassGuardX64.exe" C:\Users\admin\Desktop\PBCCRCPassGuardX64.exe
explorer.exe
User:
admin
Company:
中国人民银行征信中心
Integrity Level:
HIGH
Description:
人行征信中心密码控件
Exit code:
2
Version:
1.0.0.1
Total events
733
Read events
600
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
24
Text files
5
Unknown types
0

Dropped files

PID
Process
Filename
Type
3364opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\sessions\oprD755.tmp
MD5:
SHA256:
3364opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\oprD765.tmp
MD5:
SHA256:
3364opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\oprD7A5.tmp
MD5:
SHA256:
3364opera.exeC:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00002.tmp
MD5:
SHA256:
3364opera.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0AT06UG6EM7GI13RKSY7.temp
MD5:
SHA256:
3364opera.exeC:\Users\admin\AppData\Local\Opera\Opera\cache\g_0000\opr00001.tmpexecutable
MD5:96F72306C5B384683B4066E0D341557E
SHA256:AE0675D5863154C8D8BFD657EFD1B9CBA417268A98654D12284FA24CD59AD683
3364opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xmlxml
MD5:B6F9C69D75BF713770C43321AD5457D1
SHA256:91945215544967F4712A13020939AD7AB540F3E27371DD7EA6E85473F258CC5D
3364opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.datbinary
MD5:CA14C526A71ECE8260D74EA3BAF7C826
SHA256:9F1BF072D67D0D4BB706383219D54C3CA8795E155BD2B58DCC4E293874623B93
3364opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.initext
MD5:560562FF723CCF7AD1922901800B95E0
SHA256:D80964D83047F9E8AD81EF98346B235116382091E1214706BE6F662FD11139C9
3364opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\opcacrt6.datbinary
MD5:59761E989F564F76A3A4B778DB7ABCF1
SHA256:AF879942D234D85C0CE75921DBDDA50E2F6D135BD961F259106131751359052B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
6
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3364
opera.exe
GET
200
93.184.220.29:80
http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
US
der
528 b
whitelisted
3364
opera.exe
GET
200
150.138.141.75:80
http://file.zhongdengwang.com/ocx/PBCCRCPassGuardX64.exe
CN
executable
2.16 Mb
suspicious
3364
opera.exe
GET
400
185.26.182.93:80
http://sitecheck2.opera.com/?host=file.zhongdengwang.com&hdn=bXE2BqWpBn/bQgYf99VCNw==
unknown
html
150 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3364
opera.exe
185.26.182.93:443
certs.opera.com
Opera Software AS
whitelisted
3364
opera.exe
185.26.182.94:443
certs.opera.com
Opera Software AS
whitelisted
3364
opera.exe
93.184.220.29:80
crl4.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3364
opera.exe
185.26.182.93:80
certs.opera.com
Opera Software AS
whitelisted
3364
opera.exe
150.138.141.75:80
file.zhongdengwang.com
Xiangtan
CN
suspicious

DNS requests

Domain
IP
Reputation
file.zhongdengwang.com
  • 150.138.141.75
  • 113.142.73.75
suspicious
certs.opera.com
  • 185.26.182.93
  • 185.26.182.94
whitelisted
crl4.digicert.com
  • 93.184.220.29
whitelisted
sitecheck2.opera.com
  • 185.26.182.93
  • 185.26.182.94
  • 185.26.182.111
  • 185.26.182.112
whitelisted

Threats

PID
Process
Class
Message
3364
opera.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info