URL: http://www.litesmed.com/R+-l++/O7xu/g--F+++/setup.exe

Full analysis: https://app.any.run/tasks/0a8d5e00-ec0d-42bb-8ae3-81bcaf5b06a2
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 21, 2020, 21:21:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MD5: 88913DD77E70674247132DB871186480
SHA1: FAC12D9374EB0A9B4B07733457C5E0996D85BFE8
SHA256: DF99AD182385E1DA18366499C048327BC5D3623D03340EFDCAA04500A8718507
SSDEEP: 3:N1KJS4Sz2TK31SSKLRcW7L4A:Cc462TKISKn7L4A

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3276)
      • setup_0824817211.exe (PID: 2448)
      • avastfreeantivirussetuponline.m.exe (PID: 1944)
    • Application was dropped or rewritten from another process

      • setup_0824817211.exe (PID: 2192)
      • setup_0824817211.exe (PID: 2448)
      • avastfreeantivirussetuponline.m.exe (PID: 1944)
      • setup.exe (PID: 3016)
      • avast_free_antivirus_setup_online.exe (PID: 4004)
      • instup.exe (PID: 2900)
    • Loads dropped or rewritten executable

      • setup_0824817211.exe (PID: 2448)
      • instup.exe (PID: 2900)
      • setup.exe (PID: 3016)
    • Changes settings of System certificates

      • instup.exe (PID: 2900)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3276)
      • iexplore.exe (PID: 2856)
      • setup_0824817211.exe (PID: 2448)
      • avastfreeantivirussetuponline.m.exe (PID: 1944)
      • avast_free_antivirus_setup_online.exe (PID: 4004)
      • setup.exe (PID: 3016)
    • Reads internet explorer settings

      • setup_0824817211.exe (PID: 2448)
    • Application launched itself

      • setup_0824817211.exe (PID: 2192)
    • Cleans NTFS data-stream (Zone Identifier)

      • setup_0824817211.exe (PID: 2192)
    • Creates files in the user directory

      • setup_0824817211.exe (PID: 2448)
    • Creates files in the Windows directory

      • avastfreeantivirussetuponline.m.exe (PID: 1944)
      • avast_free_antivirus_setup_online.exe (PID: 4004)
    • Reads Environment values

      • setup_0824817211.exe (PID: 2448)
    • Low-level read access rights to disk partition

      • avastfreeantivirussetuponline.m.exe (PID: 1944)
      • avast_free_antivirus_setup_online.exe (PID: 4004)
      • instup.exe (PID: 2900)
    • Creates files in the program directory

      • avast_free_antivirus_setup_online.exe (PID: 4004)
    • Starts Internet Explorer

      • setup_0824817211.exe (PID: 2448)
    • Creates or modifies windows services

      • instup.exe (PID: 2900)
    • Adds / modifies Windows certificates

      • instup.exe (PID: 2900)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2856)
      • iexplore.exe (PID: 3276)
      • IEXPLORE.EXE (PID: 2852)
      • IEXPLORE.EXE (PID: 2660)
    • Changes internet zones settings

      • iexplore.exe (PID: 2856)
      • IEXPLORE.EXE (PID: 2852)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2856)
    • Application launched itself

      • iexplore.exe (PID: 2856)
      • IEXPLORE.EXE (PID: 2852)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2856)
      • instup.exe (PID: 2900)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2856)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2856)
No Malware configuration.
Total processes: 47
Monitored processes: 10
Malicious processes: 6
Suspicious processes: 1


Process information

PID: 2856
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.litesmed.com/R+-l++/O7xu/g--F+++/setup.exe
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3276
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2856 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2192
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\setup_0824817211.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\setup_0824817211.exe
Parent process: iexplore.exe
User: admin
Company: Komona
Integrity Level: MEDIUM
Description: Daforu Setup
Exit code: 0
Version: 5.0.2.7

PID: 2448
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\setup_0824817211.exe" RSF /ppn:YWV4dQ0KChAjb3J1FQUI /ads:1 /mnl
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\setup_0824817211.exe
Parent process: setup_0824817211.exe
User: admin
Company: Komona
Integrity Level: HIGH
Description: Daforu Setup
Version: 5.0.2.7

PID: 1944
CMD: "C:\Users\admin\AppData\Local\Temp\in1A1AEB34\41861BD4_stp\avastfreeantivirussetuponline.m.exe" /silent /psh:b1dKdi8MG38qDhoKKgpvDSkIGnw8TUo/JwweeSoOHHkrDB95KA0ZeSIOCCR8WEs5J394CklqCChoXR15Jw8beigNGHIiCh/+RwAAABo+Lks= /ws
Path: C:\Users\admin\AppData\Local\Temp\in1A1AEB34\41861BD4_stp\avastfreeantivirussetuponline.m.exe
Parent process: setup_0824817211.exe
User: admin
Company: AVAST Software
Integrity Level: HIGH
Description: Avast Antivirus Installer
Version: 2.1.1252.0

PID: 4004
CMD: "C:\Windows\Temp\asw.e59ee47f9a2c3ecb\avast_free_antivirus_setup_online.exe" /silent /psh:b1dKdi8MG38qDhoKKgpvDSkIGnw8TUo/JwweeSoOHHkrDB95KA0ZeSIOCCR8WEs5J394CklqCChoXR15Jw8beigNGHIiCh/+RwAAABo+Lks= /ws /ga_clientid:f7cb6f37-37ae-4ef3-b9f5-3514b83c8e4a /edat_dir:C:\Windows\Temp\asw.e59ee47f9a2c3ecb
Path: C:\Windows\Temp\asw.e59ee47f9a2c3ecb\avast_free_antivirus_setup_online.exe
Parent process: avastfreeantivirussetuponline.m.exe
User: admin
Company: AVAST Software
Integrity Level: HIGH
Description: Avast Antivirus Installer
Version: 19.8.4793.0

PID: 3016
CMD: "C:\Users\admin\Downloads\setup.exe"
Path: C:\Users\admin\Downloads\setup.exe
Parent process: setup_0824817211.exe
User: admin
Company: AIMP DevTeam
Integrity Level: HIGH
Description: AIMP Classic
Version: 1.77.9

PID: 2900
CMD: "C:\Windows\Temp\asw.dfb0b662f72864a8\instup.exe" /cookie:mmm_irs_ppi_002_451_m /edition:1 /ga_clientid:f7cb6f37-37ae-4ef3-b9f5-3514b83c8e4a /guid:bd336164-2bed-423e-b679-9a4aa83c037f /prod:ais /sfx:lite /sfxstorage:C:\Windows\Temp\asw.dfb0b662f72864a8 /silent /psh:b1dKdi8MG38qDhoKKgpvDSkIGnw8TUo/JwweeSoOHHkrDB95KA0ZeSIOCCR8WEs5J394CklqCChoXR15Jw8beigNGHIiCh/+RwAAABo+Lks= /ws /ga_clientid:f7cb6f37-37ae-4ef3-b9f5-3514b83c8e4a /edat_dir:C:\Windows\Temp\asw.e59ee47f9a2c3ecb
Path: C:\Windows\Temp\asw.dfb0b662f72864a8\instup.exe
Parent process: avast_free_antivirus_setup_online.exe
User: admin
Company: AVAST Software
Integrity Level: HIGH
Description: Avast Antivirus Installer
Version: 19.8.4793.0

PID: 2852
CMD: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://ic-dc.bestapplicationgift.com/pr/c118a262-a58e-11e6-96e8-02d572c616f1/typ_1.html?exld=101&exlg=884
Path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Parent process: setup_0824817211.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2660
CMD: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:2852 CREDAT:275457 /prefetch:2
Path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
Parent process: IEXPLORE.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 5 670
Read events: 1 869
Write events: 0
Delete events: 0
Modification events: No data
Executable files: 13
Suspicious files: 25
Text files: 82
Unknown types: 1

Dropped files

PID 3276, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\setup_0824817211.exe.7fkn8kj.partial

PID 2856, iexplore.exe: C:\Users\admin\AppData\Local\Temp\~DF28823633ED911A67.TMP

PID 2856, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\setup_0824817211.exe.7fkn8kj.partial:Zone.Identifier

PID 2448, setup_0824817211.exe: C:\Users\admin\AppData\Local\Temp\00A6C82A.log

PID 2856, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{396BAD89-54F0-11EA-972D-5254004A04AF}.dat
Type: binary
MD5: 173E4C1C607E5909E4A3CE65FDF9A851
SHA256: CAD3CE583666D2E387285D5430553576FE5FDF9DDF08D673F29866E26FFDDD7D

PID 2856, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\setup_0824817211.exe
Type: executable
MD5: 401CFFF3BF14D5B5146B27E7CCA78C37
SHA256: B8A1A84A47E71045FB84A90C680F276A9B8BD696E55E4264FAC5767FB4C86435

PID 2448, setup_0824817211.exe: C:\Users\admin\AppData\Local\Temp\inH1093021855948\css\ie6_main.scss
Type: text
MD5: E8C1FFDEC8BFEF529B990390C3754950
SHA256: CA7A913A79CAB828FC37F4732C0E0E7880EE4B3E9CFCE232043BC9B1E5CFD362

PID 2448, setup_0824817211.exe: C:\Users\admin\AppData\Local\Temp\inH1093021855948\css\main.css
Type: text
MD5: FFD5ABEB37BF5827A0E7BB37B9953A0E
SHA256: DA4F572768663D1347E6114F1810FBFF1E59B22B7E3DC0762D9156763083210F

PID 2448, setup_0824817211.exe: C:\Users\admin\AppData\Local\Temp\inH1093021855948\css\ie6_main.css
Type: text
MD5: 8FAF885636DAFB50EAF69B1716274080
SHA256: CB5DEE76D07126C27F366C3175E3386BBB4DAF2CA241E9EB91443E96296A991D

PID 3276, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\setup_0824817211[1].exe
Type: executable
MD5: 401CFFF3BF14D5B5146B27E7CCA78C37
SHA256: B8A1A84A47E71045FB84A90C680F276A9B8BD696E55E4264FAC5767FB4C86435
HTTP(S) requests: 29
TCP/UDP connections: 35
DNS requests: 21
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2448 | setup_0824817211.exe | HEAD | 200 | 104.27.179.186:80 | http://erewe.host/aimp_210218.exe | US | - | - | suspicious
2448 | setup_0824817211.exe | HEAD | 302 | 104.27.187.156:80 | http://feyd.host/comp/27136/16/Roa4IzvivLaW1aOx7mdPhvlKpDZe0hO_Fsd7PRoje8J5THPnn6U-O-oqTcZJa54_fGWC7PEJLYxVg0gT1KRIAfQulhHFt5nacRjdmMDe9RtFg9j6emXNe6pj9SiTAs7r3CxoLr4BCQ9Lb0uLgON8YLfD7jTraXKNj6OooLr583ue_TLsSp-H1EmmBdC-8Br3gcYWIhgnX9wUmuoxJRoHgveDMSHqIZN208zgRkmBdTCeOv3UVj88EeiGgDkUiLmlts2EknhyZiFMvX4ewZjZRzT4Ii_0Qop6Z5fHf_k7RMM.exe?plataforma=c1&uo=daBVResRoe83FQlhezb0XR-2r71TJuD_jwuiTugTB5-Tr884zfx9Fuw_fT7UaV9IIGqu1AWwVbn0WiMd5dfQFQ&ud=daBVResRoe83FQlhezb0XR-2r71TJuD_jwuiTugTB5-Tr884zfx9Fuw_fT7UaV9IIGqu1AWwVbn0WiMd5dfQFQ | US | - | - | suspicious
2856 | iexplore.exe | GET | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
2448 | setup_0824817211.exe | GET | 200 | 104.27.179.186:80 | http://erewe.host/aimp_210218.exe | US | executable | 2.48 Mb | suspicious
2856 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
2448 | setup_0824817211.exe | GET | 200 | 192.96.201.162:80 | http://portal.tixarerifhase.com/img/Tavasat/15Feb17/v2/EN.png | US | image | 43.9 Kb | malicious
2448 | setup_0824817211.exe | GET | 200 | 192.96.201.162:80 | http://portal.tixarerifhase.com/img/Sibarasawi/logo_comp.png | US | image | 12.4 Kb | malicious
3276 | iexplore.exe | GET | 200 | 13.224.96.107:80 | http://www.litesmed.com/R+-l++/O7xu/g--F+++/setup.exe | US | executable | 2.93 Mb | malicious
2448 | setup_0824817211.exe | POST | 200 | 52.16.29.135:80 | http://dev.tixarerifhase.com/ | IE | text | 2.56 Kb | malicious
2448 | setup_0824817211.exe | POST | 200 | 52.212.215.62:80 | http://www4.tixarerifhase.com/ | IE | binary | 462 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3276 | iexplore.exe | 13.224.96.107:80 | www.litesmed.com | - | US | suspicious
2448 | setup_0824817211.exe | 192.96.201.162:80 | portal.tixarerifhase.com | Leaseweb USA, Inc. | US | malicious
2856 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2448 | setup_0824817211.exe | 52.16.29.135:80 | dev.tixarerifhase.com | Amazon.com, Inc. | IE | malicious
2448 | setup_0824817211.exe | 104.27.179.186:80 | erewe.host | Cloudflare Inc | US | suspicious
2856 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2448 | setup_0824817211.exe | 52.212.215.62:80 | www4.tixarerifhase.com | Amazon.com, Inc. | IE | malicious
2856 | iexplore.exe | 72.21.91.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2448 | setup_0824817211.exe | 104.27.186.156:80 | feyd.host | Cloudflare Inc | US | shared
2448 | setup_0824817211.exe | 52.215.31.191:80 | gw.tixarerifhase.com | Amazon.com, Inc. | IE | malicious

DNS requests

Domain | IP | Reputation
www.litesmed.com | 13.224.96.107, 13.224.96.37, 13.224.96.60, 13.224.96.79 | malicious
gw.tixarerifhase.com | 52.215.31.191, 34.246.131.106 | malicious
dev.tixarerifhase.com | 52.16.29.135, 52.19.168.111, 54.246.196.116 | malicious
feyd.host | 104.27.186.156, 104.27.187.156 | suspicious
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
ocsp.digicert.com | 72.21.91.29, 93.184.220.29 | whitelisted
www4.tixarerifhase.com | 52.212.215.62, 52.50.98.206, 52.51.129.59 | malicious
portal.tixarerifhase.com | 192.96.201.162 | malicious
erewe.host | 104.27.179.186, 104.27.178.186 | suspicious

Threats

PID | Process | Class | Message
3276 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3276 | iexplore.exe | Misc activity | ET INFO EXE - Served Attached HTTP
2448 | setup_0824817211.exe | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
2448 | setup_0824817211.exe | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
2448 | setup_0824817211.exe | A Network Trojan was detected | ET CURRENT_EVENTS SUSPICIOUS Firesale gTLD EXE DL with no Referer June 13 2016
2448 | setup_0824817211.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1944 | avastfreeantivirussetuponline.m.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
No debug info