URL:

http://download.drp.su/17-online/DriverPack-17-Online_1457804287.1545129752.exe

Full analysis: https://app.any.run/tasks/666c0fc4-08bc-448e-8d91-6a86d6c0391c
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates a device in order to deliver further malicious payloads. It profiles the victim's system and then installs other threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running the executable. Loaders employ evasion and persistence tactics to avoid detection.

Analysis date: December 18, 2018, 15:44:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
trojan
opendir
adware
Indicators:
Note: these are the hashes of the submitted URL string, not of the 580 Kb installer it points to (an ssdeep block size of 3 only occurs for inputs of under roughly 200 bytes). The downloaded installer's MD5 and SHA256 are listed under Dropped files below.
MD5: 62BBE92321F15EA3D86526AC6135D938
SHA1: F57E21FD6D154E1DC31D9C403A2EDE90FB1561F3
SHA256: DEC6A1C78A527BB6D2A762CEBB675A1C7493EC17B261E026089B7E2D56D4C4FF
SSDEEP: 3:N1KaKElHPSIWQbuSdVaCJ:Ca5vS5CJ

ANY.RUN is an interactive service that provides full access to the guest system. Because an analyst can interact with the sample during the run, the information in this report may be influenced by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • DriverPack-17-Online_1457804287.1545129752[1].exe (PID: 2460)
      • DriverPack-17-Online_1457804287.1545129752[1].exe (PID: 3512)
      • driverpack-7za.exe (PID: 2292)
      • aria2c.exe (PID: 3636)
      • driverpack-wget.exe (PID: 3752)
    • Downloads executable files from the Internet

      • wscript.exe (PID: 2536)
      • iexplore.exe (PID: 3104)
    • Executes PowerShell scripts

      • cmd.exe (PID: 3364)
    • Changes internet zones settings

      • mshta.exe (PID: 3308)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2700)
      • iexplore.exe (PID: 3104)
      • wscript.exe (PID: 2536)
    • Executes scripts

      • DriverPack-17-Online_1457804287.1545129752[1].exe (PID: 3512)
    • Uses REG.EXE to modify Windows registry

      • DriverPack-17-Online_1457804287.1545129752[1].exe (PID: 3512)
    • Starts MSHTA.EXE for opening HTA or HTML files

      • DriverPack-17-Online_1457804287.1545129752[1].exe (PID: 3512)
    • Creates files in the user directory

      • cmd.exe (PID: 3364)
      • mshta.exe (PID: 3308)
      • powershell.exe (PID: 3216)
      • cmd.exe (PID: 2572)
      • wscript.exe (PID: 3864)
      • wscript.exe (PID: 3412)
      • wscript.exe (PID: 1792)
      • cmd.exe (PID: 2276)
      • wscript.exe (PID: 3580)
      • driverpack-7za.exe (PID: 2292)
      • cmd.exe (PID: 3660)
      • cmd.exe (PID: 3108)
      • driverpack-wget.exe (PID: 3752)
      • cmd.exe (PID: 2208)
    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 2572)
      • cmd.exe (PID: 2276)
      • cmd.exe (PID: 3660)
    • Starts CMD.EXE for commands execution

      • mshta.exe (PID: 3308)
    • Reads Internet Cache Settings

      • mshta.exe (PID: 3308)
    • Uses RUNDLL32.EXE to load library

      • mshta.exe (PID: 3308)
    • Starts application with an unusual extension

      • cmd.exe (PID: 3660)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2700)
    • Creates files in the user directory

      • iexplore.exe (PID: 3104)
      • iexplore.exe (PID: 2700)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3104)
    • Changes internet zones settings

      • iexplore.exe (PID: 2700)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 3104)
      • iexplore.exe (PID: 2700)
    • Reads internet explorer settings

      • mshta.exe (PID: 3308)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
74
Monitored processes
31
Malicious processes
5
Suspicious processes
1

Behavior graph

(Interactive graph in the full report; only its labels survive here.) Edge labels present: "drop and start" (x2), "start". Nodes (31, matching the monitored-process count): iexplore.exe x2, driverpack-17-online_1457804287.1545129752[1].exe x2, wscript.exe x5, reg.exe, mshta.exe, cmd.exe x6, powershell.exe, netsh.exe x3, csc.exe, cvtres.exe, driverpack-7za.exe, rundll32.exe x4, chcp.com, driverpack-wget.exe, aria2c.exe. Most nodes were additionally flagged "no specs" in the graph.

Process information

(PID, command line, path, parent process and per-process fields, one entry per process)

PID 2700  iexplore.exe  (parent: explorer.exe)
  CMD:   "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  Path:  C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Description: Internet Explorer
  Integrity level: MEDIUM | Exit code: 1 | Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3104  iexplore.exe  (parent: iexplore.exe)
  CMD:   "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2700 CREDAT:71937
  Path:  C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Description: Internet Explorer
  Integrity level: LOW | Exit code: 0 | Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2460  DriverPack-17-Online_1457804287.1545129752[1].exe  (parent: iexplore.exe)
  CMD:   "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\DriverPack-17-Online_1457804287.1545129752[1].exe"
  Path:  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\DriverPack-17-Online_1457804287.1545129752[1].exe
  User: admin | Company: DriverPack Solution | Description: DriverPack
  Integrity level: MEDIUM | Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the executable requires elevation, so this first launch from the browser's MEDIUM-integrity context fails and a UAC prompt is raised) | Version: 17.7.132

PID 3512  DriverPack-17-Online_1457804287.1545129752[1].exe  (parent: iexplore.exe)
  CMD:   "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\DriverPack-17-Online_1457804287.1545129752[1].exe"
  Path:  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\DriverPack-17-Online_1457804287.1545129752[1].exe
  User: admin | Company: DriverPack Solution | Description: DriverPack
  Integrity level: HIGH (the elevated relaunch of PID 2460; everything it spawns below inherits HIGH) | Exit code: none reported | Version: 17.7.132

PIDs 3412, 3580, 3864, 1792, 2536  wscript.exe  (parent: DriverPack-17-Online_1457804287.1545129752[1].exe)
  CMD:   "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\prepare.js" <stage>
         where <stage> is, in order of PID listed: localdiagnostics, drivers, newsoft, hardware, binaries
         (//B is batch mode: script errors and prompts are suppressed; the script is run from the 7-Zip SFX extraction directory in %TEMP%)
  Path:  C:\Windows\System32\wscript.exe
  User: admin | Company: Microsoft Corporation | Description: Microsoft ® Windows Based Script Host
  Integrity level: HIGH | Exit code: 0 (all five) | Version: 5.8.7600.16385

PID 3076  reg.exe  (parent: DriverPack-17-Online_1457804287.1545129752[1].exe)
  CMD:   "C:\Windows\System32\reg.exe" import "C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\Tools\patch.reg"
  Path:  C:\Windows\System32\reg.exe
  User: admin | Company: Microsoft Corporation | Description: Registry Console Tool
  Integrity level: HIGH | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
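Read as a tree, the process entries above give a reusable set of triage rules. The following Python is an added example written for this report, not ANY.RUN's code. Its event list is constructed from the table and the signature hits; PIDs for explorer.exe and csc.exe, the command lines of mshta.exe, cmd.exe and powershell.exe, and which iexplore.exe instance spawned the installer are not in the excerpt and are assumed. It flags the UAC-elevated relaunch of a browser download (exit code 0xC000042C followed by the same image at HIGH integrity), wscript.exe run with //B from the 7-Zip SFX directory in %TEMP%, reg.exe importing a .reg file from %TEMP%, the mshta -> cmd -> powershell chain, and csc.exe compiling underneath PowerShell.

```python
"""Triage rules over the process tree in this report (added example, not ANY.RUN code).

EVENTS is constructed from the report's process table and signature hits. The
excerpt does not show PIDs for explorer.exe or csc.exe, the command lines of
mshta.exe, cmd.exe and powershell.exe, or which iexplore.exe instance is the
installer's parent; those values are ASSUMED for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

STATUS_ELEVATION_REQUIRED = 0xC000042C  # == 3221226540, the exit code of PID 2460


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str       # executable name, lower case
    cmdline: str     # lower case
    integrity: str   # LOW / MEDIUM / HIGH as the sandbox reports it
    exit_code: int = 0


TEMP = r"c:\users\admin\appdata\local\temp"
SFX = TEMP + r"\7zipsfx.000\bin"
IE_CACHE = r"c:\users\admin\appdata\local\microsoft\windows\temporary internet files"
INSTALLER = IE_CACHE + r"\content.ie5\r9zewh8d\driverpack-17-online_1457804287.1545129752[1].exe"
IE = r'"c:\program files\internet explorer\iexplore.exe"'

EVENTS: List[Proc] = [
    Proc(1, 0, "explorer.exe", "explorer.exe", "MEDIUM"),                        # PID ASSUMED
    Proc(2700, 1, "iexplore.exe", IE + " -nohome", "MEDIUM", 1),
    Proc(3104, 2700, "iexplore.exe", IE + " scodef:2700 credat:71937", "LOW"),
    # first launch: a MEDIUM-integrity browser cannot start an executable that
    # requires elevation, so it exits with STATUS_ELEVATION_REQUIRED ...
    Proc(2460, 2700, "driverpack-17-online_1457804287.1545129752[1].exe",
         f'"{INSTALLER}"', "MEDIUM", STATUS_ELEVATION_REQUIRED),
    # ... and is relaunched at HIGH integrity after the UAC prompt (parent PID ASSUMED)
    Proc(3512, 2700, "driverpack-17-online_1457804287.1545129752[1].exe",
         f'"{INSTALLER}"', "HIGH"),
    Proc(2536, 3512, "wscript.exe",
         f'"c:\\windows\\system32\\wscript.exe" //b "{SFX}\\prepare.js" binaries', "HIGH"),
    Proc(3076, 3512, "reg.exe",
         f'"c:\\windows\\system32\\reg.exe" import "{SFX}\\tools\\patch.reg"', "HIGH"),
    Proc(3308, 3512, "mshta.exe", f'mshta.exe "{SFX}\\run.hta"', "HIGH"),       # cmdline ASSUMED
    Proc(3364, 3308, "cmd.exe", "cmd.exe /c powershell.exe", "HIGH"),           # cmdline ASSUMED
    Proc(3216, 3364, "powershell.exe", "powershell.exe", "HIGH"),               # cmdline ASSUMED
    Proc(9001, 3216, "csc.exe", "csc.exe /noconfig /fullpaths", "HIGH"),        # PID/cmdline ASSUMED
]


def build_tree(events: List[Proc]) -> Dict[int, Proc]:
    return {p.pid: p for p in events}


def ancestry(tree: Dict[int, Proc], pid: int) -> List[str]:
    """Image names from pid up to the root; stops at an unknown parent or a cycle."""
    chain: List[str] = []
    seen = set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(tree[pid].image)
        pid = tree[pid].ppid
    return chain


def triage(events: List[Proc]) -> List[Tuple[str, int]]:
    tree = build_tree(events)
    # images that already failed once with "elevation required"
    needs_uac = {p.image for p in events if p.exit_code == STATUS_ELEVATION_REQUIRED}
    hits: List[Tuple[str, int]] = []
    for p in events:
        parents = ancestry(tree, p.pid)[1:]
        cmd = p.cmdline.lower()
        if (p.image in needs_uac and p.integrity == "HIGH"
                and "iexplore.exe" in parents and IE_CACHE in cmd):
            hits.append(("browser_download_elevated_via_uac", p.pid))
        if p.image in ("wscript.exe", "cscript.exe") and "//b" in cmd.split() and TEMP in cmd:
            hits.append(("silent_script_host_from_temp", p.pid))
        if p.image == "reg.exe" and " import " in cmd and TEMP in cmd:
            hits.append(("reg_import_from_temp", p.pid))
        if p.image == "powershell.exe" and parents[:2] == ["cmd.exe", "mshta.exe"]:
            hits.append(("mshta_cmd_powershell_chain", p.pid))
        if p.image == "csc.exe" and "powershell.exe" in parents:
            hits.append(("csc_compile_under_powershell", p.pid))
    return hits


if __name__ == "__main__":
    tree = build_tree(EVENTS)
    for rule, pid in triage(EVENTS):
        print(f"{rule:36} pid={pid}  chain={' <- '.join(ancestry(tree, pid))}")
```

The chain printed for csc.exe is the reason the verdict rests on behaviour rather than reputation: every hop after the installer is a Windows-supplied binary, and only the parent-child relationships and the %TEMP% paths make it suspicious.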
Total events
2 797
Read events
2 040
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
5
Text files
292
Unknown types
19

Dropped files

(PID, process, filename, type, MD5, SHA256)

2700  iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
      Type, MD5 and SHA256: not shown in the report
2700  iexplore.exe  C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
      Type, MD5 and SHA256: not shown in the report
2700  iexplore.exe  C:\Users\admin\AppData\Local\Temp\~DFA08566CC6757F3D2.TMP
      Type, MD5 and SHA256: not shown in the report
3104  iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012018121820181219\index.dat
      Type: dat | MD5: C8FF812226AD706F4544C17FD58B3F25 | SHA256: 555138CE4A2FA7287720E630D62610B34AD1D84BB80FFA0C2113B2B785DFCAB0
2700  iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{DF18003E-02DB-11E9-BAD8-5254004A04AF}.dat
      Type: binary | MD5: D3F088C20B28D0D4122D5BE863413A6E | SHA256: E77DB368458646E02265873E5F80A6E5961DDBA820DA5A995C632CEC11FF0E54
3512  DriverPack-17-Online_1457804287.1545129752[1].exe  C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\run.hta
      Type: html | MD5: 2D699AF366A7A46D0032A9DF9BA47AE1 | SHA256: 2934E32BEA54C8A82C91EF0F1E08EA10DA39BC7FBE4480B0C7C8C1FA372A5778
2700  iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018121820181219\index.dat
      Type: dat | MD5: 72366B742FFE45F7C5CAE1073061D6DB | SHA256: DF05B3089FFBD03C95B168565675F313DA1B177F9CA731A0412467E453C23DC0
2700  iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\DriverPack-17-Online_1457804287.1545129752[1].exe:Zone.Identifier
      Type: text | MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B | SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
      (the Mark-of-the-Web alternate data stream Internet Explorer attaches to a downloaded file; its presence is what triggers the Windows "open file" security warning)
2700  iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\DriverPack-17-Online_1457804287.1545129752[1].exe
      Type: executable | MD5: AC1947B6EA18B98871371103F4BD3517 | SHA256: 46DB9CB9BB6FA6ACBEC33F1EB5BAB365E5667EE179089534FB757DF2732255BD
      (this is the downloaded installer itself; these hashes, not the ones under Indicators, identify the file)
3512  DriverPack-17-Online_1457804287.1545129752[1].exe  C:\Users\admin\AppData\Local\Temp\7ZipSfx.000\bin\Tools\img\header\close.png
      Type: image | MD5: CA0CFAC0C0D1D639273167E6A6A9A477 | SHA256: 4873D5617C63CAC4B820C6D199BE36D111DBA358B5F357455E33AFA74040555E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
151
TCP/UDP connections
66
DNS requests
8
Threats
0

HTTP requests

PID   Process       Method  Code  IP                URL                                                                              CN  Type        Size     Reputation
3308  mshta.exe     GET     200   82.145.55.124:80  http://update.drp.su/beetle/17.7.133/DriverPackSolution.html                     GB  html        1.67 Kb  malicious
2536  wscript.exe   GET     200   95.154.237.19:80  http://download.drp.su/updates/beetle/driverpack-7za.exe                         GB  executable  716 Kb   whitelisted
3308  mshta.exe     GET     200   82.145.55.124:80  http://update.drp.su/v2/                                                         GB  text        59.7 Kb  malicious
3104  iexplore.exe  GET     200   95.154.237.19:80  http://download.drp.su/17-online/DriverPack-17-Online_1457804287.1545129752.exe  GB  executable  580 Kb   whitelisted
3308  mshta.exe     GET     200   82.145.55.124:80  http://update.drp.su/beetle/17.7.133/css/roboto.css                              GB  text        263 b    malicious
3308  mshta.exe     GET     200   82.145.55.124:80  http://update.drp.su/beetle/17.7.133/css/icons-checkbox.css                      GB  text        193 b    malicious
3308  mshta.exe     GET     200   82.145.55.124:80  http://update.drp.su/beetle/17.7.133/drp.css                                     GB  text        23.3 Kb  malicious
3308  mshta.exe     GET     200   82.145.55.124:80  http://update.drp.su/beetle/17.7.133/css/style.css                               GB  text        3.72 Kb  malicious
3308  mshta.exe     GET     200   82.145.55.124:80  http://update.drp.su/beetle/17.7.133/css/normalize.min.css                       GB  text        906 b    malicious
3308  mshta.exe     GET     200   82.145.55.124:80  http://update.drp.su/beetle/17.7.133/css/custom-control.css                      GB  text        1.87 Kb  malicious

Connections

PID   Process              IP                  Domain                    ASN                             CN  Reputation
3308  mshta.exe            82.145.55.124:80    update.drp.su             iomart Cloud Services Limited.  GB  unknown
2700  iexplore.exe         204.79.197.200:80   www.bing.com              Microsoft Corporation           US  whitelisted
3308  mshta.exe            172.217.168.14:80   www.google-analytics.com  Google Inc.                     US  whitelisted
3308  mshta.exe            93.158.134.119:443  mc.yandex.ru              YANDEX LLC                      RU  whitelisted
2536  wscript.exe          95.154.237.19:80    download.drp.su           iomart Cloud Services Limited.  GB  malicious
3308  mshta.exe            178.162.204.5:80    auth.drp.su               Leaseweb Deutschland GmbH       DE  suspicious
3104  iexplore.exe         95.154.237.19:80    download.drp.su           iomart Cloud Services Limited.  GB  malicious
-     (not shown)          95.154.237.19:80    download.drp.su           iomart Cloud Services Limited.  GB  malicious
3308  mshta.exe            95.154.237.19:80    download.drp.su           iomart Cloud Services Limited.  GB  malicious
3752  driverpack-wget.exe  95.154.194.108:80   download-storage.drp.su   iomart Cloud Services Limited.  GB  malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
download.drp.su
  • 95.154.237.19
  • 88.150.137.207
  • 87.117.239.150
  • 81.94.205.66
  • 87.117.239.148
  • 87.117.231.157
  • 81.94.192.167
  • 87.117.239.151
whitelisted
update.drp.su
  • 82.145.55.124
  • 87.117.235.116
malicious
www.google-analytics.com
  • 172.217.168.14
whitelisted
auth.drp.su
  • 178.162.204.5
suspicious
mc.yandex.ru
  • 93.158.134.119
  • 77.88.21.119
  • 87.250.250.119
  • 87.250.251.119
whitelisted
download-storage.drp.su
  • 95.154.194.108
unknown

Threats

PID   Process       Class                                 Message
3104  iexplore.exe  A Network Trojan was detected         ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
3104  iexplore.exe  Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
3308  mshta.exe     A Network Trojan was detected         ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
2536  wscript.exe   A Network Trojan was detected         ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
2536  wscript.exe   Misc activity                         ET INFO Packed Executable Download
2536  wscript.exe   Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
2536  wscript.exe   A Network Trojan was detected         ET TROJAN HTTP Executable Download from suspicious domain with direct request/fake browser (multiple families)
2536  wscript.exe   A Network Trojan was detected         ET CURRENT_EVENTS WinHttpRequest Downloading EXE
2536  wscript.exe   A Network Trojan was detected         ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
2536  wscript.exe   Potential Corporate Privacy Violation ET POLICY PE EXE or DLL Windows file download HTTP
2 ETPRO signatures available at the full report
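The alert list above is reproducible from the HTTP table alone, which is useful when only proxy or flow logs, not the PCAP, are available. The following Python is an added example written for this report; it is neither ANY.RUN's nor Emerging Threats' code and does not use the ET rules' real content-match syntax, only the behaviour their names describe. The request list is constructed from the HTTP table. The excerpt does not show User-Agent headers or response bodies, so the MZ header on rows typed "executable" and the WinHttpRequest default agent on the wscript.exe row (the request that fired "ET CURRENT_EVENTS WinHttpRequest Downloading EXE") are assumed; the www.bing.com row is a constructed benign control, since the report lists that connection but not its URL.

```python
"""Policy checks over the HTTP requests in this report (added example; not ANY.RUN
or Emerging Threats code, and not the ET rules' actual syntax).

REQUESTS is constructed from the report's HTTP table. Response bytes and
User-Agent strings are not in the excerpt and are ASSUMED: an MZ header for rows
typed "executable", the WinHttpRequest default agent for the wscript.exe row.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
WATCHED_TLDS = {"su"}          # the ET POLICY rule on this page keys on .su only
MZ = b"MZ"                     # DOS stub signature every Windows PE starts with

# Default agent of the WinHttp.WinHttpRequest COM object used from script hosts (ASSUMED here)
WINHTTP_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
IE8_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"


@dataclass(frozen=True)
class HttpReq:
    pid: int
    process: str
    method: str
    url: str
    status: int
    response_head: bytes = b""   # first bytes of the response body
    user_agent: str = ""


REQUESTS: List[HttpReq] = [
    HttpReq(3308, "mshta.exe", "GET", "http://update.drp.su/beetle/17.7.133/DriverPackSolution.html",
            200, b"<!DOCTYPE html>", IE8_UA),
    HttpReq(2536, "wscript.exe", "GET", "http://download.drp.su/updates/beetle/driverpack-7za.exe",
            200, b"MZ\x90\x00\x03\x00\x00\x00", WINHTTP_UA),
    HttpReq(3308, "mshta.exe", "GET", "http://update.drp.su/v2/", 200, b"{", IE8_UA),
    HttpReq(3104, "iexplore.exe", "GET",
            "http://download.drp.su/17-online/DriverPack-17-Online_1457804287.1545129752.exe",
            200, b"MZ\x90\x00\x03\x00\x00\x00", IE8_UA),
    HttpReq(3308, "mshta.exe", "GET", "http://update.drp.su/beetle/17.7.133/drp.css",
            200, b"body{", IE8_UA),
    HttpReq(2700, "iexplore.exe", "GET", "http://www.bing.com/",      # benign control, URL ASSUMED
            200, b"<!DOCTYPE html>", IE8_UA),
]


def tld(host: str) -> str:
    return host.rsplit(".", 1)[-1].lower()


def is_pe(head: bytes) -> bool:
    """True when the response body starts with the 'MZ' DOS stub of a PE file."""
    return head[:2] == MZ


def alerts(reqs: List[HttpReq]) -> List[Tuple[int, str, str]]:
    out: List[Tuple[int, str, str]] = []
    for r in reqs:
        host = urlsplit(r.url).hostname or ""
        if tld(host) in WATCHED_TLDS:
            out.append((r.pid, r.process, "HTTP request to .su TLD"))
        if is_pe(r.response_head):
            out.append((r.pid, r.process, "PE EXE or DLL download over HTTP"))
            if r.process.lower() not in BROWSERS:
                # an executable pulled by a script host is the higher-signal event;
                # the same URL is "whitelisted" by reputation in the report
                out.append((r.pid, r.process, "executable fetched by non-browser process"))
            if "WinHttp.WinHttpRequest" in r.user_agent:
                out.append((r.pid, r.process, "WinHttpRequest downloading EXE"))
    return out


def alerts_by_pid(reqs: List[HttpReq]) -> Dict[int, List[str]]:
    grouped: Dict[int, List[str]] = defaultdict(list)
    for pid, _proc, msg in alerts(reqs):
        grouped[pid].append(msg)
    return dict(grouped)


if __name__ == "__main__":
    for pid, msgs in sorted(alerts_by_pid(REQUESTS).items()):
        print(pid, *msgs, sep="\n    ")
```

Note how the report's own columns disagree: the two executable URLs are "whitelisted" while the connections to the same host are "malicious". Behavioural checks such as "PE body fetched by a script host with a WinHttpRequest agent" do not depend on that reputation and would fire on a fresh domain just the same.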
Process  Message
csc.exe  *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe  *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
(the pair above is logged five times)
-2147024774 is HRESULT 0x8007007A (ERROR_INSUFFICIENT_BUFFER) raised inside the side-by-side isolation code; it is routine noise emitted when csc.exe starts and not an indicator by itself. What matters is that csc.exe and cvtres.exe appear in this chain at all: the C# compiler is what PowerShell spawns when a script uses Add-Type, although the report does not show its parent.