URL: http://win-builds.org/1.5.0/win-builds-1.5.0.exe

Full analysis: https://app.any.run/tasks/56037592-6f4a-4faa-bc88-6622622532fd
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: December 06, 2018, 10:12:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir, loader
Indicators:
MD5: FA243C98AEEF87AA04D1C465CA839743
SHA1: 5DD889CFFD05CC04A011C421AB4CBE165BF5B378
SHA256: D70422E05B10EB9353C1E63EAE0978F3DFADBF9D79DC3B4A2F5D719CC00F5A7D
SSDEEP: 3:N1KJM8RMKSKUpLIHxPqA:CC8ABWd7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • yypkg.exe (PID: 2752)
    • Application was dropped or rewritten from another process
      • yypkg.exe (PID: 2752)
      • win-builds-1.5.0[1].exe (PID: 2472)
    • Downloads executable files from the Internet
      • iexplore.exe (PID: 3148)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • iexplore.exe (PID: 2832)
      • iexplore.exe (PID: 3148)
      • win-builds-1.5.0[1].exe (PID: 2472)
    • Starts CMD.EXE for commands execution
      • yypkg.exe (PID: 2752)
  • INFO
    • Application launched itself
      • iexplore.exe (PID: 2832)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3148)
      • iexplore.exe (PID: 2832)
    • Dropped object may contain Bitcoin addresses
      • win-builds-1.5.0[1].exe (PID: 2472)
    • Changes internet zones settings
      • iexplore.exe (PID: 2832)
No Malware configuration.
Total processes: 34
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph: interactive graph available in the full report. Processes shown: iexplore.exe, iexplore.exe, win-builds-1.5.0[1].exe, yypkg.exe, cmd.exe (no specs); edge labels: drop and start, start.

Process information

PID: 2832
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3148
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2832 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2472
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\win-builds-1.5.0[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\win-builds-1.5.0[1].exe
Parent process: iexplore.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 2752
CMD: C:\Users\admin\AppData\Local\Temp\win-builds-1.5.0[1].exe1e8b51\bin\yypkg
Path: C:\Users\admin\AppData\Local\Temp\win-builds-1.5.0[1].exe1e8b51\bin\yypkg.exe
Parent process: win-builds-1.5.0[1].exe
User: admin
Integrity Level: MEDIUM
Exit code: 0

PID: 1820
CMD: C:\Windows\system32\cmd.exe /c cscript.exe "C:\\Users\\admin\\AppData\\Local\\Temp\\yy_vb_ui_446ce7.vbs"
Path: C:\Windows\system32\cmd.exe
Parent process: yypkg.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Total events: 1 090
Read events: 1 028
Write events: 0
Delete events: 0
Modification events: no data

Executable files: 51
Suspicious files: 9
Text files: 65
Unknown types: 4

Dropped files

PID 2832, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5: (not shown)
SHA256: (not shown)

PID 2832, iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5: (not shown)
SHA256: (not shown)

PID 2832, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFBB10B4CB3E3A8D88.TMP
MD5: (not shown)
SHA256: (not shown)

PID 3148, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012018120620181207\index.dat
Type: dat
MD5: 705AAAB9E542A30EB288A34D428AD732
SHA256: 86D22584C2A26DF519DA4AAA8539624586B1FCCE53A8FE77EA791F21F055F7EA

PID 2832, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{82373678-F93F-11E8-BAD8-5254004A04AF}.dat
Type: binary
MD5: 519052597173A97839423485D7B20408
SHA256: F474AA21DBED0ADC29629090E0B598C34FCF346F3CA5B34BD4E20662BCD532D5

PID 2832, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018120620181207\index.dat
Type: dat
MD5: EB07DEED1AF9ACFBF5B6E59474A758C5
SHA256: 44AA3C249B8A1B3C0FE1F515039628CD335AE2774562782C29677DAA217CEB41

PID 2472, win-builds-1.5.0[1].exe
Filename: C:\Users\admin\AppData\Local\Temp\win-builds-1.5.0[1].exe1e8b51\bin\libiconv.dll
Type: executable
MD5: C5EA35CDCAF45C181CC0953E9C2E06AF
SHA256: CAF9B2FAB2F221236ECD1293BFF7BB75D083B204306F882281E53EB5AD80112E

PID 2472, win-builds-1.5.0[1].exe
Filename: C:\Users\admin\AppData\Local\Temp\win-builds-1.5.0[1].exe1e8b51\bin\liblua-51.dll
Type: executable
MD5: 7011C4A655073697618C713A37345944
SHA256: 04B73B72C4F34C569C1DA9D27749329BBF40612998E3E9B1F7BD7300F8FBDA57

PID 2472, win-builds-1.5.0[1].exe
Filename: C:\Users\admin\AppData\Local\Temp\win-builds-1.5.0[1].exe1e8b51\bin\libasprintf-0.dll
Type: executable
MD5: FBE87821CA7E64257354078525A7D90D
SHA256: 6211C8AB4362340367535027DDD12DDC97AC6F96D730893C6832CCE5265A4A75

PID 2472, win-builds-1.5.0[1].exe
Filename: C:\Users\admin\AppData\Local\Temp\win-builds-1.5.0[1].exe1e8b51\bin\libz-1.dll
Type: executable
MD5: 5FAC00D26A543FA402EB35AD33110579
SHA256: 484284271BBF68D0695EDD6D835A2C4C23DE8AAAC265BD38D5CA1928E63B50A6
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID 3148, iexplore.exe
Method: GET
HTTP code: 200
IP: 91.121.71.147:80
URL: http://win-builds.org/1.5.0/win-builds-1.5.0.exe
CN: FR
Type: executable
Size: 7.60 Mb
Reputation: suspicious

PID 2832, iexplore.exe
Method: GET
HTTP code: 200
IP: 204.79.197.200:80
URL: http://www.bing.com/favicon.ico
CN: US
Type: image
Size: 237 b
Reputation: whitelisted

Connections

PID 2832, iexplore.exe
IP: 204.79.197.200:80
Domain: www.bing.com
ASN: Microsoft Corporation
CN: US
Reputation: whitelisted

PID 3148, iexplore.exe
IP: 91.121.71.147:80
Domain: win-builds.org
ASN: OVH SAS
CN: FR
Reputation: suspicious

DNS requests

www.bing.com: 204.79.197.200, 13.107.21.200 (reputation: whitelisted)
win-builds.org: 91.121.71.147 (reputation: suspicious)

Threats

PID 3148, iexplore.exe
Class: Misc activity
Message: ET INFO Packed Executable Download

PID 3148, iexplore.exe
Class: Potential Corporate Privacy Violation
Message: ET POLICY PE EXE or DLL Windows file download HTTP

Process messages

Process: yypkg.exe
Message: Invalid parameter passed to C runtime function.