Malware analysis d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2 Malicious activity

analyze malware

Huge database of samples and IOCs
Custom VM setup
Unlimited submissions
Interactive approach

Add for printing

File name:	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2
Full analysis:	https://app.any.run/tasks/dd0a94ba-4271-4ae0-9474-6abfe2745228
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	March 14, 2019, 14:40:26
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	adware adload loader pup trojan
Indicators:
MIME:	application/x-dosexec
File info:	PE32 executable (GUI) Intel 80386, for MS Windows
MD5:	379ED04EC69BBDB50C19038E757A28E8
SHA1:	22296564D28F226435B08059A1526BCAB60AF3A4
SHA256:	D0DF51BCA3719E4352F382B8D9B3A6D2A654FBF7A4186C162DF3FF5F10F465F2
SSDEEP:	49152:cfKk+wEyCXcHubb0MiPn1+dPc6V62ILb5UcpXONo0ZHYd0U8b3qJ7sK1o7VKECiq:Jk+nXd2v1CkVb5RpH0ZHM0e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- ADLOAD was detected
  - d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe (PID: 3780)
- Connects to CnC server
  - d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe (PID: 3780)
  - 854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe (PID: 3560)
  - MailRuUpdater.exe (PID: 2788)
- Application was dropped or rewritten from another process
  - 412076AD-CD08-4F14-99EA-8629F29A6063.exe (PID: 2124)
  - E3B87877-10F6-4536-9523-42DAE1F68021.exe (PID: 2428)
  - 854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe (PID: 3560)
  - DB85F1CD-00D2-462D-AAB4-FB49190C4608.exe (PID: 3032)
  - smappscontroller.exe (PID: 3756)
  - na_runner.exe (PID: 1416)
  - MailRuUpdater.exe (PID: 3724)
  - MailRuUpdater.exe (PID: 2788)
  - MailRuUpdater.exe (PID: 4064)
  - 047b-1a0a-326d-bfac (PID: 2472)
  - MailRuUpdater.exe (PID: 2892)
  - mrupdsrv.exe (PID: 3356)
  - MailRuUpdater.exe (PID: 1156)
  - MailRuUpdater.exe (PID: 3092)
- Loads dropped or rewritten executable
  - E3B87877-10F6-4536-9523-42DAE1F68021.exe (PID: 2428)
  - regsvr32.exe (PID: 2716)
- Downloads executable files from the Internet
  - d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe (PID: 3780)
- Uses Task Scheduler to run other applications
  - DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp (PID: 2928)
- Loads the Task Scheduler COM API
  - schtasks.exe (PID: 2168)
  - schtasks.exe (PID: 2256)
  - schtasks.exe (PID: 2580)
  - na_runner.exe (PID: 1416)
  - MailRuUpdater.exe (PID: 4064)
- MAILRU was detected
  - 854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe (PID: 3560)
  - MailRuUpdater.exe (PID: 2788)
- Changes the autorun value in the registry
  - 854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe (PID: 3560)
  - na_runner.exe (PID: 1416)
  - MailRuUpdater.exe (PID: 4064)
- Changes Windows auto-update feature
  - 854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe (PID: 3560)
- Registers / Runs the DLL via REGSVR32.EXE
  - 854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe (PID: 3560)
SUSPICIOUS
- Creates files in the user directory
  - d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe (PID: 3780)
  - E3B87877-10F6-4536-9523-42DAE1F68021.exe (PID: 2428)
  - DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp (PID: 2928)
  - 854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe (PID: 3560)
  - MailRuUpdater.exe (PID: 3724)
- Executable content was dropped or overwritten
  - d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe (PID: 3780)
  - E3B87877-10F6-4536-9523-42DAE1F68021.exe (PID: 2428)
  - DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp (PID: 2928)
  - DB85F1CD-00D2-462D-AAB4-FB49190C4608.exe (PID: 3032)
  - 854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe (PID: 3560)
  - na_runner.exe (PID: 1416)
  - 047b-1a0a-326d-bfac (PID: 2472)
  - MailRuUpdater.exe (PID: 2788)
  - MailRuUpdater.exe (PID: 4064)
  - regsvr32.exe (PID: 2716)
  - MailRuUpdater.exe (PID: 3724)
- Changes tracing settings of the file or console
  - d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe (PID: 3780)
- Creates files in the program directory
  - 854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe (PID: 3560)
  - na_runner.exe (PID: 1416)
  - MailRuUpdater.exe (PID: 3724)
  - 047b-1a0a-326d-bfac (PID: 2472)
- Reads Windows owner or organization settings
  - DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp (PID: 2928)
- Reads the cookies of Mozilla Firefox
  - 854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe (PID: 3560)
- Reads the cookies of Google Chrome
  - 854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe (PID: 3560)
- Reads the Windows organization settings
  - DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp (PID: 2928)
- Uses TASKKILL.EXE to kill process
  - DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp (PID: 2928)
- Searches for installed software
  - d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe (PID: 3780)
  - smappscontroller.exe (PID: 3756)
- Starts itself from another location
  - na_runner.exe (PID: 1416)
  - MailRuUpdater.exe (PID: 4064)
- Creates a software uninstall entry
  - na_runner.exe (PID: 1416)
  - MailRuUpdater.exe (PID: 4064)
- Creates files in the Windows directory
  - 854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe (PID: 3560)
  - MailRuUpdater.exe (PID: 2788)
  - mrupdsrv.exe (PID: 3356)
- Starts application with an unusual extension
  - MailRuUpdater.exe (PID: 2788)
- Removes files from Windows directory
  - MailRuUpdater.exe (PID: 2788)
  - MailRuUpdater.exe (PID: 2892)
- Creates COM task schedule object
  - regsvr32.exe (PID: 2716)
- Changes the started page of IE
  - 854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe (PID: 3560)
INFO
- Application was dropped or rewritten from another process
  - DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp (PID: 2928)
- Creates files in the program directory
  - DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp (PID: 2928)
- Loads dropped or rewritten executable
  - DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp (PID: 2928)
- Creates a software uninstall entry
  - DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp (PID: 2928)
- Dropped object may contain Bitcoin addresses
  - 854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe (PID: 3560)
- Reads settings of System Certificates
  - MailRuUpdater.exe (PID: 3724)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win32 Executable (generic) (52.9)
.exe	\|	Generic Win/DOS Executable (23.5)
.exe	\|	DOS Executable Generic (23.5)

EXIF

EXE

ProductVersion:	Version 8.0
ProductName:	World of Warcraft
OriginalFileName:	WowVoiceProxy.exe
LegalCopyright:	Copyright © 2018 Blizzard Entertainment
InternalName:	WowVoiceProxy.exe
FileVersion:	8, 0, 1, 28153
FileDescription:	World of Warcraft Voice Proxy
CompanyName:	Blizzard Entertainment
CharacterSet:	Unicode
LanguageCode:	Neutral
FileSubtype:	-
ObjectFileType:	Executable application
FileOS:	Windows NT 32-bit
FileFlags:	Pre-release
FileFlagsMask:	0x003f
ProductVersionNumber:	8.0.0.0
FileVersionNumber:	8.0.1.28153
Subsystem:	Windows GUI
SubsystemVersion:	5
ImageVersion:	-
OSVersion:	5.1
EntryPoint:	0x255da
UninitializedDataSize:	-
InitializedDataSize:	6119424
CodeSize:	294400
LinkerVersion:	12
PEType:	PE32
TimeStamp:	2016:03:21 13:44:17+01:00
MachineType:	Intel 386 or later, and compatibles

Summary

Architecture:	IMAGE_FILE_MACHINE_I386
Subsystem:	IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date:	21-Mar-2016 12:44:17
Detected languages:	English - United States
CompanyName:	Blizzard Entertainment
FileDescription:	World of Warcraft Voice Proxy
FileVersion:	8, 0, 1, 28153
InternalName:	WowVoiceProxy.exe
LegalCopyright:	Copyright © 2018 Blizzard Entertainment
OriginalFilename:	WowVoiceProxy.exe
ProductName:	World of Warcraft
ProductVersion:	Version 8.0

DOS Header

Magic number:	MZ
Bytes on last page of file:	0x0090
Pages in file:	0x0003
Relocations:	0x0000
Size of header:	0x0004
Min extra paragraphs:	0x0000
Max extra paragraphs:	0xFFFF
Initial SS value:	0x0000
Initial SP value:	0x00B8
Checksum:	0x0000
Initial IP value:	0x0000
Initial CS value:	0x0000
Overlay number:	0x0000
OEM identifier:	0x0000
OEM information:	0x0000
Address of NE header:	0x000000E8

PE Headers

Signature:	PE
Machine:	IMAGE_FILE_MACHINE_I386
Number of sections:	9
Time date stamp:	21-Mar-2016 12:44:17
Pointer to Symbol Table:	0x00000000
Number of symbols:	0
Size of Optional Header:	0x00E0
Characteristics:	IMAGE_FILE_32BIT_MACHINE IMAGE_FILE_EXECUTABLE_IMAGE IMAGE_FILE_LINE_NUMS_STRIPPED IMAGE_FILE_LOCAL_SYMS_STRIPPED IMAGE_FILE_RELOCS_STRIPPED

Sections

Name	Virtual Address	Virtual Size	Raw Size	Charateristics	Entropy
.text	0x00001000	0x00047D11	0x00047E00	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ	6.52305
.rdata	0x00049000	0x0000AE84	0x0000B000	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.7263
.data	0x00054000	0x059A9CEC	0x0009CC00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.51993
.y0e19	0x059FE000	0x000C88C0	0x000C8A00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.02616
.6thocl	0x05AC7000	0x00202A38	0x00202C00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	3.91526
.6e7r	0x05CCA000	0x000B6358	0x000B6400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.04734
.5ch39	0x05D81000	0x0013E3F0	0x0013E400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	4.27886
.e6n954	0x05EC0000	0x00049160	0x00049200	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	3.90839
.rsrc	0x05F0A000	0x00025323	0x00025400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ	5.0826

Resources

Title	Entropy	Size	Codepage	Language	Type
1	5.07794	1223	Latin 1 / Western European	English - United States	RT_MANIFEST
2	6.40819	4264	Latin 1 / Western European	English - United States	RT_ICON
3	6.40407	2440	Latin 1 / Western European	English - United States	RT_ICON
4	6.35288	1128	Latin 1 / Western European	English - United States	RT_ICON
5	4.16493	67624	Latin 1 / Western European	English - United States	RT_ICON
6	4.38871	16936	Latin 1 / Western European	English - United States	RT_ICON
7	4.84	16936	UNKNOWN	UNKNOWN	RT_ICON
8	5.04366	4264	UNKNOWN	UNKNOWN	RT_ICON
9	5.52458	1128	UNKNOWN	UNKNOWN	RT_ICON

Imports


KERNEL32.dll
WININET.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

3268

"C:\Users\admin\AppData\Local\Temp\d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe"

C:\Users\admin\AppData\Local\Temp\d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe

—

explorer.exe

User:

admin

Company:

Blizzard Entertainment

Integrity Level:

MEDIUM

Description:

World of Warcraft Voice Proxy

Exit code:

3221226540

Version:

8, 0, 1, 28153

Modules

Images
c:\users\admin\appdata\local\temp\d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe
c:\systemroot\system32\ntdll.dll

3780

"C:\Users\admin\AppData\Local\Temp\d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe"

C:\Users\admin\AppData\Local\Temp\d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe

explorer.exe

User:

admin

Company:

Blizzard Entertainment

Integrity Level:

HIGH

Description:

World of Warcraft Voice Proxy

Version:

8, 0, 1, 28153

Modules

Images
c:\users\admin\appdata\local\temp\d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wininet.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

2124

"C:\Users\admin\AppData\Local\Temp\412076AD-CD08-4F14-99EA-8629F29A6063\412076AD-CD08-4F14-99EA-8629F29A6063.exe" mode=s siteid=12257 campaignid=1 sourceid=112

C:\Users\admin\AppData\Local\Temp\412076AD-CD08-4F14-99EA-8629F29A6063\412076AD-CD08-4F14-99EA-8629F29A6063.exe

d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe

User:

admin

Company:

"My Web Shield"

Integrity Level:

HIGH

Description:

My Web Shield Installation File

Exit code:

Version:

3.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\412076ad-cd08-4f14-99ea-8629f29a6063\412076ad-cd08-4f14-99ea-8629f29a6063.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

2428

"C:\Users\admin\AppData\Local\Temp\E3B87877-10F6-4536-9523-42DAE1F68021\E3B87877-10F6-4536-9523-42DAE1F68021.exe" /sid=4 /pid=550612257

C:\Users\admin\AppData\Local\Temp\E3B87877-10F6-4536-9523-42DAE1F68021\E3B87877-10F6-4536-9523-42DAE1F68021.exe

d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe

User:

admin

Integrity Level:

HIGH

Modules

Images
c:\users\admin\appdata\local\temp\e3b87877-10f6-4536-9523-42dae1f68021\e3b87877-10f6-4536-9523-42dae1f68021.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shell32.dll

3560

"C:\Users\admin\AppData\Local\Temp\854A0F92-0841-4F1D-A5E6-8850A44A9C19\854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe" --silent --install_browser_class=0 --pay_browser_class=0 "--rfr=hp.1:834408,dse.1:811570,vbm.1:811580,pult.1:811580,hp.2:834423,dse.2:811610,vbm.2:811620,pult.2:811620,any:811550,any.2:811590" "--install_callback=http://orienteering.site/api_v2/callback/?guid={guid}&br={browser}&comp={component}&paid={paid}&pb={paidBrowser}&pa={paidAction}&ibc={installBrowserClass}&pbc={payBrowserClass}&ur={unpaidActionReason}&browserclass1={browserClass1}&browserclass2={browserClass2}&rfr={rfr}&clid=205694811&dlid=323571615"

C:\Users\admin\AppData\Local\Temp\854A0F92-0841-4F1D-A5E6-8850A44A9C19\854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe

d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe

User:

admin

Integrity Level:

HIGH

Description:

sputnik

Exit code:

Version:

5.1.0.194

Modules

Images
c:\users\admin\appdata\local\temp\854a0f92-0841-4f1d-a5e6-8850a44a9c19\854a0f92-0841-4f1d-a5e6-8850a44a9c19.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll

3032

"C:\Users\admin\AppData\Local\Temp\DB85F1CD-00D2-462D-AAB4-FB49190C4608\DB85F1CD-00D2-462D-AAB4-FB49190C4608.exe" /VERYSILENT /SUPPRESSMESSAGES

C:\Users\admin\AppData\Local\Temp\DB85F1CD-00D2-462D-AAB4-FB49190C4608\DB85F1CD-00D2-462D-AAB4-FB49190C4608.exe

d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe

User:

admin

Company:

Smart Application Controller

Integrity Level:

HIGH

Description:

Smart Application Controller

Exit code:

Version:

1.00

Modules

Images
c:\users\admin\appdata\local\temp\db85f1cd-00d2-462d-aab4-fb49190c4608\db85f1cd-00d2-462d-aab4-fb49190c4608.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

2928

"C:\Users\admin\AppData\Local\Temp\is-CVPSH.tmp\DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp" /SL5="$10174,2554955,467456,C:\Users\admin\AppData\Local\Temp\DB85F1CD-00D2-462D-AAB4-FB49190C4608\DB85F1CD-00D2-462D-AAB4-FB49190C4608.exe" /VERYSILENT /SUPPRESSMESSAGES

C:\Users\admin\AppData\Local\Temp\is-CVPSH.tmp\DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp

DB85F1CD-00D2-462D-AAB4-FB49190C4608.exe

User:

admin

Integrity Level:

HIGH

Description:

Setup/Uninstall

Exit code:

Version:

51.1052.0.0

Modules

Images
c:\users\admin\appdata\local\temp\is-cvpsh.tmp\db85f1cd-00d2-462d-aab4-fb49190c4608.tmp
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

3900

"C:\Windows\System32\taskkill.exe" /F /IM smappscontroller.exe

C:\Windows\System32\taskkill.exe

—

DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Terminates Processes

Exit code:

128

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\taskkill.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll

3756

"C:\Program Files\Smart Application Controller\smappscontroller.exe" -frominstaller -silent

C:\Program Files\Smart Application Controller\smappscontroller.exe

DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp

User:

admin

Company:

Smart Application Controller

Integrity Level:

HIGH

Description:

Smart Application Controller

Exit code:

Version:

1.0.0.0

Modules

Images
c:\program files\smart application controller\smappscontroller.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll

2168

"C:\Windows\System32\schtasks.exe" /delete /f /tn "CheckControllerUpdatesCore"

C:\Windows\System32\schtasks.exe

—

DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Manages scheduled tasks

Exit code:

Version:

6.1.7600.16385 (win7_rtm.090713-1255)

Modules

Images
c:\windows\system32\schtasks.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

3 878

Read events

2 940

Write events

816

Delete events

122

Modification events


(PID) Process:	(3780) d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	Key:	HKEY_CURRENT_USER\Software\Downloader
Operation:	write	Name:	quarantine
Value:
(PID) Process:	(3780) d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(3780) d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(3780) d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	FileTracingMask
Value: 4294901760
(PID) Process:	(3780) d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	ConsoleTracingMask
Value: 4294901760
(PID) Process:	(3780) d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	MaxFileSize
Value: 1048576
(PID) Process:	(3780) d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASAPI32
Operation:	write	Name:	FileDirectory
Value: %windir%\tracing
(PID) Process:	(3780) d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:	write	Name:	EnableFileTracing
Value: 0
(PID) Process:	(3780) d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:	write	Name:	EnableConsoleTracing
Value: 0
(PID) Process:	(3780) d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\RASMANCS
Operation:	write	Name:	FileTracingMask
Value: 4294901760

Add for printing

Executable files

Suspicious files

Text files

253

Unknown types

Dropped files

PID	Process	Filename		Type
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	C:\Users\admin\AppData\Local\Temp\Downloader\tempicon.ico		—
		MD5:—	SHA256:—
3560	854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe	C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm		—
		MD5:—	SHA256:—
3560	854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe	C:\Users\admin\AppData\Local\Temp\6ff0-d12c-897b-c76b\MailRu.ico		—
		MD5:—	SHA256:—
3560	854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe	C:\Users\admin\AppData\Local\Temp\2760-a1b0-6adc-c76d\GoMailRu.ico		—
		MD5:—	SHA256:—
2928	DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp	C:\Program Files\Smart Application Controller\is-08JED.tmp		—
		MD5:—	SHA256:—
2928	DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp	C:\Program Files\Smart Application Controller\is-AIA88.tmp		—
		MD5:—	SHA256:—
2928	DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp	C:\Program Files\Smart Application Controller\is-H8CIN.tmp		—
		MD5:—	SHA256:—
2928	DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp	C:\Users\admin\AppData\Local\Temp\is-MVQNM.tmp\is-03HLB.tmp		—
		MD5:—	SHA256:—
3032	DB85F1CD-00D2-462D-AAB4-FB49190C4608.exe	C:\Users\admin\AppData\Local\Temp\is-CVPSH.tmp\DB85F1CD-00D2-462D-AAB4-FB49190C4608.tmp		executable
		MD5:31D0B20289F542A33D197CFA7CDF4E4B	SHA256:80A958710EF3ECD3C416F2A66AF356070FCAB5E63D3EBAF33FB574AA1B7F92C3
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@file-5[1].txt		text
		MD5:EAE691689BA6018AB49E95B7E18BB02B	SHA256:A12F5BB4D3A379BA7BFFA88D2761AA9532830B644AAACF8502C8266AB934C77D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

114

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	GET	200	88.208.33.140:80	http://orienteering.site/upload/4b3fedd488b3a4b8fe830cd8f107158b.exe	NL	executable	2.84 Mb	malicious
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	GET	—	104.18.52.15:80	http://file-5.ru/go/191ba1835937e6e940db234a643090ed/x9wvglua	US	—	—	suspicious
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	GET	200	88.208.33.140:80	http://orienteering.site/upload/9b33448929168974fa305a0ec4a35bc9.exe	NL	executable	623 Kb	malicious
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	HEAD	200	104.18.53.15:80	http://file-5.ru/go/191ba1835937e6e940db234a643090ed/x9wvglua	US	—	—	suspicious
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	HEAD	200	104.18.53.15:80	http://file-5.ru/go/191ba1835937e6e940db234a643090ed/x9wvglua	US	—	—	suspicious
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	POST	—	88.208.33.140:80	http://orienteering.site/api_v2/json/send/analyticsreport	NL	—	—	malicious
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	GET	—	104.18.52.15:80	http://file-5.ru/go/191ba1835937e6e940db234a643090ed/x9wvglua	US	—	—	suspicious
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	POST	—	88.208.33.140:80	http://orienteering.site/api_v2/json/get/initialization	NL	—	—	malicious
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	GET	200	88.208.33.140:80	http://orienteering.site/upload/782dccef73fe0e874161e3f64594a42d.exe	NL	executable	228 Kb	malicious
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	POST	—	88.208.33.140:80	http://orienteering.site/api_v2/json/send/analyticsreport	NL	—	—	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	104.18.53.15:80	file-5.ru	Cloudflare Inc	US	shared
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	104.18.52.15:80	file-5.ru	Cloudflare Inc	US	shared
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	94.100.180.110:80	sputnikmailru.cdnmail.ru	Limited liability company Mail.Ru	RU	suspicious
2428	E3B87877-10F6-4536-9523-42DAE1F68021.exe	192.133.141.11:80	satysservs.com	Serverel Inc.	US	suspicious
2124	412076AD-CD08-4F14-99EA-8629F29A6063.exe	88.208.5.120:80	mywebshield-ww1.com	DataWeb Global Group B.V.	NL	malicious
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	88.208.33.140:80	orienteering.site	DataWeb Global Group B.V.	NL	malicious
3560	854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe	217.69.139.247:443	xmlbinupdate.mail.ru	Limited liability company Mail.Ru	RU	malicious
3560	854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe	217.69.139.245:443	mrds.mail.ru	Limited liability company Mail.Ru	RU	malicious
3724	MailRuUpdater.exe	217.69.139.245:80	mrds.mail.ru	Limited liability company Mail.Ru	RU	malicious
3560	854A0F92-0841-4F1D-A5E6-8850A44A9C19.exe	217.69.139.122:443	conserv.go.mail.ru	Limited liability company Mail.Ru	RU	unknown

DNS requests

Domain	IP	Reputation
orienteering.site	88.208.33.140	malicious
sputnikmailru.cdnmail.ru	94.100.180.110	unknown
file-5.ru	104.18.53.15 104.18.52.15	suspicious
mywebshield-ww1.com	88.208.5.120	malicious
satysservs.com	192.133.141.11	malicious
xmlbinupdate.mail.ru	217.69.139.247	shared
conserv.go.mail.ru	217.69.139.122	unknown
mrds.mail.ru	217.69.139.245	suspicious
client.updsoft.net	109.206.179.254	unknown
mailruupdater.cdnmail.ru	94.100.180.110 217.69.139.110	unknown

Threats

PID	Process	Class	Message
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	Misc activity	ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	Misc activity	ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	Misc activity	ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	A Network Trojan was detected	ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	A Network Trojan was detected	ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	Potential Corporate Privacy Violation	ET POLICY PE EXE or DLL Windows file download HTTP
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	A Network Trojan was detected	ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
3780	d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2.exe	Misc activity	ADWARE [PTsecurity] AdLoad CnC Reverse Base64 POST

18 ETPRO signatures available at the full report

Add for printing

Process	Message
MailRuUpdater.exe	RunAsService: Entry
MailRuUpdater.exe	Updater.Mail.Ru: SERVICE_CONTROL_STOP
MailRuUpdater.exe	switches::kUpdateService run to update
MailRuUpdater.exe	Service::Update update operation is proceed
MailRuUpdater.exe	RunAsService: Exit
MailRuUpdater.exe	Service::StopService done
MailRuUpdater.exe	Service::CopyMeTo program files done
MailRuUpdater.exe	RunAsService: Entry
MailRuUpdater.exe	Service::StartService done

General Info

d0df51bca3719e4352f382b8d9b3a6d2a654fbf7a4186c162df3ff5f10f465f2

379ED04EC69BBDB50C19038E757A28E8

22296564D28F226435B08059A1526BCAB60AF3A4

D0DF51BCA3719E4352F382B8D9B3A6D2A654FBF7A4186C162DF3FF5F10F465F2

49152:cfKk+wEyCXcHubb0MiPn1+dPc6V62ILb5UcpXONo0ZHYd0U8b3qJ7sK1o7VKECiq:Jk+nXd2v1CkVb5RpH0ZHM0e

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ADLOAD was detected

Connects to CnC server

Application was dropped or rewritten from another process

Loads dropped or rewritten executable

Downloads executable files from the Internet

Uses Task Scheduler to run other applications

Loads the Task Scheduler COM API

MAILRU was detected

Changes the autorun value in the registry

Changes Windows auto-update feature

Registers / Runs the DLL via REGSVR32.EXE

SUSPICIOUS

Creates files in the user directory

Executable content was dropped or overwritten

Changes tracing settings of the file or console

Creates files in the program directory

Reads Windows owner or organization settings

Reads the cookies of Mozilla Firefox

Reads the cookies of Google Chrome

Reads the Windows organization settings

Uses TASKKILL.EXE to kill process

Searches for installed software

Starts itself from another location

Creates a software uninstall entry

Creates files in the Windows directory

Starts application with an unusual extension

Removes files from Windows directory

Creates COM task schedule object

Changes the started page of IE

INFO

Application was dropped or rewritten from another process

Creates files in the program directory

Loads dropped or rewritten executable

Creates a software uninstall entry

Dropped object may contain Bitcoin addresses

Reads settings of System Certificates

Malware configuration

Static information

TRiD

EXIF

EXE

Summary

DOS Header

PE Headers

Sections

Resources

Imports

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules