URL: http://cfbeta.razersynapse.com/1477469955rzrmodRazer_AbyssusV2_Config_v1.02.00.exe

Full analysis: https://app.any.run/tasks/a49096ba-6086-48be-99db-67524da1695a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 15, 2019, 18:20:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MD5: FF9307ACD6D86AD828E9E074D7DD2A2D
SHA1: BACA3A65B9265C83657D2D4E39F53BF4F68354F4
SHA256: D4EFCDBB74484C47D0991F32C734A347ED7D9150E54E67B471CF411AC04ACDEE
SSDEEP: 3:N1KdDg1cw8hKIBEfAf8WkF5YB9:CG1vkpBEWkF5I

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Downloads executable files from the Internet
      • iexplore.exe (PID: 3376)
    • Application was dropped or rewritten from another process
      • 1477469955rzrmodRazer_AbyssusV2_Config_v1.02.00[1].exe (PID: 2920)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • iexplore.exe (PID: 3376)
      • iexplore.exe (PID: 2820)
      • 1477469955rzrmodRazer_AbyssusV2_Config_v1.02.00[1].exe (PID: 2920)
    • Creates files in the program directory
      • 1477469955rzrmodRazer_AbyssusV2_Config_v1.02.00[1].exe (PID: 2920)
    • Modifies files in Chrome extension folder
      • chrome.exe (PID: 3620)
  • INFO
    • Dropped object may contain Bitcoin addresses
      • iexplore.exe (PID: 3376)
      • iexplore.exe (PID: 2820)
    • Application launched itself
      • iexplore.exe (PID: 2820)
      • chrome.exe (PID: 3792)
      • chrome.exe (PID: 3620)
    • Creates files in the user directory
      • iexplore.exe (PID: 3376)
    • Changes internet zones settings
      • iexplore.exe (PID: 2820)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3376)
      • iexplore.exe (PID: 2820)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 72
Monitored processes: 38
Malicious processes: 2
Suspicious processes: 0

Behavior graph (interactive graph; only its node and edge labels survive here)

Nodes: iexplore.exe, iexplore.exe, 1477469955rzrmodrazer_abyssusv2_config_v1.02.00[1].exe, explorer.exe and multiple chrome.exe processes (most marked "no specs"). Edge labels: "drop and start", "start".

Process information

PID: 2820
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3376
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2820 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2920
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\1477469955rzrmodRazer_AbyssusV2_Config_v1.02.00[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\1477469955rzrmodRazer_AbyssusV2_Config_v1.02.00[1].exe
Parent process: iexplore.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 3792
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 3221225547
Version: 73.0.3683.75

PID: 2536
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6cd70f18,0x6cd70f28,0x6cd70f34
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 73.0.3683.75

PID: 416
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3740 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 73.0.3683.75

PID: 2908
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=940,4807505649175280461,2820547059839402924,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=15727031540879632576 --mojo-platform-channel-handle=948 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 73.0.3683.75

PID: 2364
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,4807505649175280461,2820547059839402924,131072 --enable-features=PasswordImport --service-pipe-token=9051934666349186432 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9051934666349186432 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1976 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 73.0.3683.75

PID: 3428
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,4807505649175280461,2820547059839402924,131072 --enable-features=PasswordImport --service-pipe-token=504519380798466002 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=504519380798466002 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2196 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 73.0.3683.75

PID: 3524
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=940,4807505649175280461,2820547059839402924,131072 --enable-features=PasswordImport --service-pipe-token=10820638592123114247 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10820638592123114247 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2232 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google Inc.
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 73.0.3683.75
Total events: 1 350
Read events: 1 153
Write events: 185
Delete events: 12

Modification events

(PID) Process: (2820) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (2820) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (2820) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (2820) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation: write
Name: SecuritySafe
Value: 1

(PID) Process: (2820) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (2820) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000

(PID) Process: (2820) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation: write
Name: {31824753-773E-11E9-B63D-5254004A04AF}
Value: 0

(PID) Process: (2820) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Type
Value: 4

(PID) Process: (2820) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Count
Value: 1

(PID) Process: (2820) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Time
Value: E307050003000F001200150002000303
Executable files: 3
Suspicious files: 92
Text files: 160
Unknown types: 16

Dropped files

PID: 2820
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:

PID: 2820
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:

PID: 2820
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFB16E0897EDCDAA3C.TMP
MD5:
SHA256:

PID: 2820
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019051520190516\index.dat
Type: dat
MD5: C8A996FE59010D07FB415D8B57A0AE84
SHA256: E3AC5C76E455F9F4117F536A2138A35126EE0E7676E22C5BBB3F4C359DE72EC8

PID: 2920
Process: 1477469955rzrmodRazer_AbyssusV2_Config_v1.02.00[1].exe
Filename: C:\ProgramData\Razer\Synapse\Devices\Abyssus V2\lang\ChineseTraditional.txt
Type: binary
MD5: 5B8CE5D499D5DD734D566207AF76F2B1
SHA256: 48ACC641BEFDB9817248A6146C3C746FDDC75CCD2AA1FB0BAFB0FE7511E31028

PID: 3376
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
Type: dat
MD5: 0B77AAC00878F9E9C4B90D1B586CCF9D
SHA256: A630B4E7A9783BCD28EE21C6A66BE843F87E578FA066BD9F13CB91D2CEBBDE5B

PID: 3376
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\48TDNB4N\1477469955rzrmodRazer_AbyssusV2_Config_v1.02.00[1].exe
Type: executable
MD5: BAEE880EE5CA0014232669AB094A2E82
SHA256: FD5DE0BBB55ACF519F87D06DB7D7A2E8A501C32342354308206DA6A0E7390B82

PID: 2820
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{31824754-773E-11E9-B63D-5254004A04AF}.dat
Type: binary
MD5: 1F9EF9EED983A15E5AD66732C8CB7E15
SHA256: A0F664223BE2D8B37C1F3AFFB6C35C5243366804128144FE918FB13878480139

PID: 3376
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
Type: dat
MD5: 67464AA19B8CB48FF9BEB2348F5B7509
SHA256: 4587F04BD59ACA16B8220F2B24AEAC4675C13185D7A9B4D129083F477C5CC816

PID: 2820
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
Type: ini
MD5: 4A3DEB274BB5F0212C2419D3D8D08612
SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 31
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3376 | iexplore.exe | GET | 200 | 104.111.214.92:80 | http://cfbeta.razersynapse.com/1477469955rzrmodRazer_AbyssusV2_Config_v1.02.00.exe | NL | executable | 208 Kb | suspicious
3792 | chrome.exe | GET | 302 | 64.233.184.198:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 502 b | whitelisted
2820 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
3792 | chrome.exe | GET | 200 | 217.146.165.206:80 | http://r3---sn-oun-1gie.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=136.0.0.108&mm=28&mn=sn-oun-1gie&ms=nvh&mt=1557944427&mv=m&pl=27&shardbypass=yes | CH | crx | 842 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2820 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3792 | chrome.exe | 216.58.208.35:443 | www.google.com.ua | Google Inc. | US | whitelisted
3792 | chrome.exe | 172.217.16.131:443 | ssl.gstatic.com | Google Inc. | US | whitelisted
3376 | iexplore.exe | 104.111.214.92:80 | cfbeta.razersynapse.com | Akamai International B.V. | NL | whitelisted
3792 | chrome.exe | 172.217.22.78:443 | clients1.google.com | Google Inc. | US | whitelisted
3792 | chrome.exe | 172.217.21.206:443 | clients2.google.com | Google Inc. | US | whitelisted
3792 | chrome.exe | 172.217.22.35:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted
3792 | chrome.exe | 172.217.18.163:443 | www.gstatic.com | Google Inc. | US | whitelisted
3792 | chrome.exe | 172.217.21.205:443 | accounts.google.com | Google Inc. | US | whitelisted
3792 | chrome.exe | 172.217.22.67:443 | www.google.ch | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
cfbeta.razersynapse.com | 104.111.214.92 | suspicious
clientservices.googleapis.com | 172.217.22.35 | whitelisted
www.google.com.ua | 216.58.208.35 | whitelisted
accounts.google.com | 172.217.21.205 | shared
clients1.google.com | 172.217.22.78, 172.217.22.110 | whitelisted
ssl.gstatic.com | 172.217.16.131 | whitelisted
clients2.google.com | 172.217.21.206 | whitelisted
clients2.googleusercontent.com | 172.217.21.193 | whitelisted
www.gstatic.com | 172.217.18.163 | whitelisted

Threats

PID | Process | Class | Message
3376 | iexplore.exe | Potentially Bad Traffic | ET POLICY Executable served from Amazon S3
3376 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
No debug info