| File name: | merda.zip |
| Full analysis: | https://app.any.run/tasks/5c93a914-98c2-4676-ba06-2edaea2a567e |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | March 19, 2019, 14:33:39 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 000D571285CFBA32EF70CEE9426916AB |
| SHA1: | A77BDF2A829EAEF8D4AB178EDA7FECE694394FB5 |
| SHA256: | D9A2D0CA8DC71DCDDBEE54309B163D256ED7F46EE49FEAC51141625C98137DF2 |
| SSDEEP: | 393216:PCiS85PLArJyUCvuR4sTHkohBaHRVIL76p6/GbHFOjsj3JvkK:PCi69yA5zThBm70GbHOs3D |
MALICIOUS
Uses Task Scheduler to run other applications
- cmd.exe (PID: 2432)
- cmd.exe (PID: 3572)
Loads dropped or rewritten executable
- Microsoft Toolkit Final.exe (PID: 2528)
- Microsoft Toolkit Final.exe (PID: 3056)
Application was dropped or rewritten from another process
- Microsoft Toolkit Final.exe (PID: 2528)
- Microsoft Toolkit Final.exe (PID: 4036)
- Setup activation.exe (PID: 3752)
- Microsoft Toolkit Final.exe (PID: 3336)
- Microsoft Toolkit Final.exe (PID: 3056)
- Setup activation.exe (PID: 3912)
Connects to CnC server
- Setup activation.exe (PID: 3752)
- Setup activation.exe (PID: 3912)
PREPSCRAM was detected
- Setup activation.exe (PID: 3752)
- Setup activation.exe (PID: 3912)
Loads the Task Scheduler COM API
- schtasks.exe (PID: 2980)
- schtasks.exe (PID: 2156)
- schtasks.exe (PID: 3964)
- schtasks.exe (PID: 3236)
SUSPICIOUS
Reads Windows owner or organization settings
- Microsoft Toolkit Final.exe (PID: 2528)
- Microsoft Toolkit Final.exe (PID: 3056)
Starts CMD.EXE for commands execution
- Microsoft Toolkit Final.exe (PID: 2528)
- Microsoft Toolkit Final.exe (PID: 3056)
Application launched itself
- WinRAR.exe (PID: 3836)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 4092)
- Microsoft Toolkit Final.exe (PID: 2528)
- WinRAR.exe (PID: 3516)
- Microsoft Toolkit Final.exe (PID: 3056)
Reads the Windows organization settings
- Microsoft Toolkit Final.exe (PID: 2528)
- Microsoft Toolkit Final.exe (PID: 3056)
Creates files in the program directory
- Microsoft Toolkit Final.exe (PID: 2528)
Starts Internet Explorer
- explorer.exe (PID: 3340)
- explorer.exe (PID: 2648)
Uses TASKKILL.EXE to kill Browsers
- cmd.exe (PID: 2432)
- cmd.exe (PID: 3572)
INFO
Application launched itself
- iexplore.exe (PID: 3716)
Changes internet zones settings
- iexplore.exe (PID: 3716)
- iexplore.exe (PID: 2520)
Reads internet explorer settings
- iexplore.exe (PID: 2328)
- iexplore.exe (PID: 2352)
Creates files in the user directory
- iexplore.exe (PID: 3716)
- FlashUtil32_26_0_0_131_ActiveX.exe (PID: 4012)
- iexplore.exe (PID: 2328)
- iexplore.exe (PID: 2352)
- FlashUtil32_26_0_0_131_ActiveX.exe (PID: 308)
Reads Internet Cache Settings
- iexplore.exe (PID: 2328)
- iexplore.exe (PID: 2352)
Reads settings of System Certificates
- iexplore.exe (PID: 3716)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .xpi | | | Mozilla Firefox browser extension (66.6) |
|---|---|---|
| .zip | | | ZIP compressed archive (33.3) |
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2019:03:16 21:23:06 |
| ZipCRC: | 0x60bb80c7 |
| ZipCompressedSize: | 14186527 |
| ZipUncompressedSize: | 14182197 |
| ZipFileName: | Microsoft toolkit 2.6.7 pass 123.rar |
Total processes
77
Monitored processes
34
Malicious processes
9
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 308 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0 Exit code: 0 Version: 26,0,0,131 Modules
| |||||||||||||||
| 1712 | taskkill /f /IM chrome.exe | C:\Windows\system32\taskkill.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Terminates Processes Exit code: 128 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2156 | schtasks /Run /TN "KMSActivate" | C:\Windows\system32\schtasks.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2328 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3716 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2352 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2520 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2432 | cmd /c ""C:\Program Files\Microsoft Toolkit Final\MicrosoftToolkitInstall.bat"" | C:\Windows\system32\cmd.exe | — | Microsoft Toolkit Final.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2520 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2528 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb4092.7219\Microsoft Toolkit Final.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb4092.7219\Microsoft Toolkit Final.exe | WinRAR.exe | ||||||||||||
User: admin Integrity Level: HIGH Exit code: 0 Modules
| |||||||||||||||
| 2648 | C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding | C:\Windows\explorer.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2652 | C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503} | C:\Windows\system32\DllHost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: COM Surrogate Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
3 410
Read events
3 143
Write events
259
Delete events
8
Modification events
| (PID) Process: | (3836) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtBMP |
Value: | |||
| (PID) Process: | (3836) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes |
| Operation: | write | Name: | ShellExtIcon |
Value: | |||
| (PID) Process: | (3836) WinRAR.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (3836) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\AppData\Local\Temp\merda.zip | |||
| (PID) Process: | (3836) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3836) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3836) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (3836) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (3836) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (3836) WinRAR.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
Executable files
9
Suspicious files
12
Text files
44
Unknown types
10
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 3836 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3836.5949\Microsoft toolkit 2.6.7 pass 123.rar | — | |
MD5:— | SHA256:— | |||
| 3836 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3836.6157\Microsoft toolkit 2.6.7 pass 123.rar | — | |
MD5:— | SHA256:— | |||
| 4092 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb4092.7219\Pass - 123 | — | |
MD5:— | SHA256:— | |||
| 3716 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
| 3716 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
| 2328 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\download[1].php | — | |
MD5:— | SHA256:— | |||
| 2328 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@ceesty[2].txt | — | |
MD5:— | SHA256:— | |||
| 2328 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\wV6s9W[1].txt | — | |
MD5:— | SHA256:— | |||
| 2528 | Microsoft Toolkit Final.exe | C:\Program Files\Microsoft Toolkit Final\MicrosoftToolkitInstall.bat | text | |
MD5:— | SHA256:— | |||
| 2528 | Microsoft Toolkit Final.exe | C:\Program Files\Microsoft Toolkit Final\KnownGameList.bin | binary | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
32
TCP/UDP connections
32
DNS requests
18
Threats
9
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3752 | Setup activation.exe | GET | 200 | 13.32.222.86:80 | http://one.mountaincanvas.pw/offer.php?affId=3182&trackingId=407584611&instId=3937&ho_trackingid=HO407584611&cc=LK&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.6.01055&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=530&kid=hqmrb21b33r71epffu2 | US | — | — | whitelisted |
3912 | Setup activation.exe | GET | 200 | 13.32.222.86:80 | http://one.mountaincanvas.pw/offer.php?affId=3182&trackingId=407584611&instId=3937&ho_trackingid=HO407584611&cc=LK&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5d979308c3b6ea5ad7e984e628c8cac1&v=3&net=4.6.01055&ie=8%2e0%2e7601%2e17514&res=1280x720&osd=530&kid=hqmrb21b33r71epffu2 | US | — | — | whitelisted |
2328 | iexplore.exe | GET | 200 | 143.95.237.92:80 | http://mstoolkitfiles.xyz/warning/download.php?mn=7788 | US | html | 273 b | malicious |
2328 | iexplore.exe | POST | 200 | 143.95.237.92:80 | http://mstoolkitfiles.xyz/warning/download.php | US | html | 275 b | malicious |
2328 | iexplore.exe | GET | 200 | 185.66.120.52:80 | http://ceesty.com/wV6s9W | PL | html | 28.6 Kb | whitelisted |
2328 | iexplore.exe | POST | 302 | 143.95.237.92:80 | http://mstoolkitfiles.xyz/warning/download.php | US | compressed | 275 b | malicious |
2328 | iexplore.exe | GET | 200 | 78.140.188.190:80 | http://static.sh.st/js/packed/interstitial-page.js?2018-12-20.1 | NL | text | 24.6 Kb | unknown |
2328 | iexplore.exe | GET | 200 | 185.66.120.52:80 | http://ceesty.com/bundles/smeweb/js/xvideos.js | PL | text | 6.13 Kb | whitelisted |
2328 | iexplore.exe | GET | 200 | 185.66.120.52:80 | http://ceesty.com/bundles/advertisement/img/tracking.gif?test=592313ed1e09aa2fcfd372e8f9e3260c72050154 | PL | compressed | 28.6 Kb | whitelisted |
2328 | iexplore.exe | GET | 200 | 13.32.222.2:80 | http://d3ud741uvs727m.cloudfront.net/?vudud=716233 | US | text | 38.8 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
3752 | Setup activation.exe | 13.32.222.86:80 | one.mountaincanvas.pw | Amazon.com, Inc. | US | suspicious |
3716 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2328 | iexplore.exe | 143.95.237.92:80 | mstoolkitfiles.xyz | Colo4, LLC | US | malicious |
2328 | iexplore.exe | 185.66.120.52:80 | ceesty.com | Grey Wizard Sp. z o.o. | PL | malicious |
2328 | iexplore.exe | 172.217.23.138:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
2328 | iexplore.exe | 216.58.207.78:80 | www.google-analytics.com | Google Inc. | US | whitelisted |
2328 | iexplore.exe | 172.217.22.8:443 | www.googletagmanager.com | Google Inc. | US | whitelisted |
2328 | iexplore.exe | 172.217.16.131:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
2328 | iexplore.exe | 78.140.188.190:80 | static.sh.st | Webzilla B.V. | NL | unknown |
2328 | iexplore.exe | 188.42.162.154:80 | go.onclasrv.com | Webzilla B.V. | NL | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
one.mountaincanvas.pw |
| whitelisted |
www.bing.com |
| whitelisted |
mstoolkitfiles.xyz |
| malicious |
ceesty.com |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
www.google-analytics.com |
| whitelisted |
fonts.gstatic.com |
| whitelisted |
www.googletagmanager.com |
| whitelisted |
static.sh.st |
| unknown |
go.onclasrv.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1056 | svchost.exe | Potentially Bad Traffic | ET DNS Query to a *.pw domain - Likely Hostile |
3752 | Setup activation.exe | A Network Trojan was detected | ET MALWARE Suspicious User-Agent (1 space) |
3752 | Setup activation.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.pw domain |
3752 | Setup activation.exe | Misc activity | ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram |
3912 | Setup activation.exe | A Network Trojan was detected | ET MALWARE Suspicious User-Agent (1 space) |
3912 | Setup activation.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.pw domain |
3912 | Setup activation.exe | Misc activity | ADWARE [PTsecurity] SoftwareBundler:Win32/Prepscram |
2 ETPRO signatures available at the full report