URL: https://mega.nz/#!yq4FgapS!t1RinzzZoEyas1hjT_QrnQBJ_1iHD183jdh49F9CWgc

Full analysis: https://app.any.run/tasks/e26e4a83-d5d8-4ca6-ac45-5d5f6451ca36
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: February 21, 2020, 16:37:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader
Indicators:
MD5: 854433F4EA7748E3F70FD865952D5086
SHA1: 448D2DD93FD763042EB012AB0DE586BD663EF69E
SHA256: E25B115A35072E47D10A653FAEF3A9B8C5399EA386F6FF55E3E5FB529262C44D
SSDEEP: 3:N8X/iGELRtX3gUPxfQnvEhUUdcjiFn:29OnQUN8IUzQn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • AntiPublic Updater.exe (PID: 1196)
      • ConsoleRegChecker.exe (PID: 2820)
      • AntiPublic.exe (PID: 2680)
      • AntiPublic.exe (PID: 1500)
      • AntiPublic Updater.exe (PID: 3088)
      • AntiPublic.exe (PID: 3032)
      • AntiPublic Updater.exe (PID: 2208)
      • AntiPublic.exe (PID: 2796)
      • ConsoleRegChecker.exe (PID: 1016)
    • Loads dropped or rewritten executable

      • AntiPublic Updater.exe (PID: 1196)
      • ConsoleRegChecker.exe (PID: 2820)
      • AntiPublic.exe (PID: 2680)
      • AntiPublic Updater.exe (PID: 3088)
      • AntiPublic.exe (PID: 1500)
      • AntiPublic.exe (PID: 3032)
      • AntiPublic Updater.exe (PID: 2208)
      • ConsoleRegChecker.exe (PID: 1016)
      • AntiPublic.exe (PID: 2796)
    • Downloads executable files from the Internet

      • AntiPublic Updater.exe (PID: 1196)
      • AntiPublic Updater.exe (PID: 3088)
      • AntiPublic Updater.exe (PID: 2208)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4048)
      • WinRAR.exe (PID: 3944)
      • AntiPublic Updater.exe (PID: 1196)
      • AntiPublic Updater.exe (PID: 3088)
      • AntiPublic Updater.exe (PID: 2208)
    • Reads Environment values

      • AntiPublic.exe (PID: 2680)
      • AntiPublic.exe (PID: 1500)
      • AntiPublic.exe (PID: 3032)
      • AntiPublic.exe (PID: 2796)
    • Uses RUNDLL32.EXE to load library

      • WinRAR.exe (PID: 3944)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2524)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2620)
      • iexplore.exe (PID: 3244)
      • iexplore.exe (PID: 2856)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2524)
      • iexplore.exe (PID: 2620)
      • iexplore.exe (PID: 3244)
      • iexplore.exe (PID: 2856)
    • Application launched itself

      • AcroRd32.exe (PID: 780)
      • iexplore.exe (PID: 2524)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2524)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2524)
      • iexplore.exe (PID: 2620)
      • iexplore.exe (PID: 3244)
      • iexplore.exe (PID: 2856)
    • Creates files in the user directory

      • iexplore.exe (PID: 2524)
      • iexplore.exe (PID: 2856)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2524)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2524)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 58
Monitored processes: 20
Malicious processes: 12
Suspicious processes: 0

Behavior graph

[Interactive graph omitted; available in the full report. Nodes (20 monitored processes): iexplore.exe (4), acrord32.exe (3, no specs), winrar.exe (2), antipublic updater.exe (3), consoleregchecker.exe (2, no specs), antipublic.exe (4), rundll32.exe (2, no specs). Edges: 1 "start", 9 "drop and start".]

Process information

PID: 2524
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://mega.nz/#!yq4FgapS!t1RinzzZoEyas1hjT_QrnQBJ_1iHD183jdh49F9CWgc"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2620
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2524 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3952
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 2620
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: iexplore.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe Acrobat Reader DC
Exit code: 0
Version: 15.23.20070.215641

PID: 780
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 2620
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: iexplore.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe Acrobat Reader DC
Version: 15.23.20070.215641

PID: 4040
CMD: "C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /id 2620
Path: C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
Parent process: AcroRd32.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: LOW
Description: Adobe Acrobat Reader DC
Version: 15.23.20070.215641

PID: 4048
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\Myrz AntiPublic.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: iexplore.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 1196
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa4048.11179\Myrz AntiPublic\AntiPublic Updater.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa4048.11179\Myrz AntiPublic\AntiPublic Updater.exe
Parent process: WinRAR.exe
User: admin
Company: Newtonsoft
Integrity Level: MEDIUM
Description: Json.NET
Exit code: 0
Version: 9.0.1.19813

PID: 3244
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2524 CREDAT:464143 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3944
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\AntiPublic.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: iexplore.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 2820
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa3944.14116\ConsoleRegChecker.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa3944.14116\ConsoleRegChecker.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Description: ConsoleRegChecker
Exit code: 0
Version: 1.0.0.0
Total events: 8 914
Read events: 4 445
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 64
Suspicious files: 71
Text files: 190
Unknown types: 48

Dropped files

PID | Process | Filename | Type
2620 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab7D85.tmp |
    MD5:
    SHA256:
2620 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar7D86.tmp |
    MD5:
    SHA256:
2620 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\WQ37RWQU.htm | html
    MD5: FA6821D8096E6591F386553FD292B9D1
    SHA256: BDBFBD837C526CFB7E0B1545C0D635D8BA5C35331F41628D9A738ADCDA8823C8
2620 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 | binary
    MD5: BF96ECE799D4071165B3AF7D423F5762
    SHA256: C1C23659A3FCDE6668604C14FE94C27C2CE942C834D6A2FC0E8D1D444357CD57
2620 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 | der
    MD5: FE7AF8310471B272C34E46EB8CAFB680
    SHA256: 8D560BB07A9D568010209DEEBC423D55C373D8A007C669619370A51B0F4D6AA2
2620 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C7DBB7F7DCFB05483EA77D02F0FB338 | binary
    MD5: 576089D2A88ABA537CAB067322A26951
    SHA256: 657B05384F4C2EF6C10C0E414B2DC0D899BFE961DE22605EC14BDF3C50440FEE
2620 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5080DC7A65DB6A5960ECD874088F3328_2908F682DFC81A793BD240CF29711C77 | der
    MD5: F1E7FC51992FE3EF4E01CE2DCE549B73
    SHA256: 664CC64EF01C949AC2E11FA1D7DF33F69F703D5CAD1CEC8C4FCB26819BB131AA
2620 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C7DBB7F7DCFB05483EA77D02F0FB338 | der
    MD5: DA00AB9D84CA42CC7BCFF965541750CA
    SHA256: B3F31AA3B4C5FC4F55ED8CF7285526D5F35295726116F7DD7EC8B85AEAF65526
2620 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CE50F893881D43DC0C815E4D80FAF2B4 | der
    MD5: 282D9008EC4C74647B24100E4E77064C
    SHA256: 22CE16F8B821412E0DAE738C0C6D134352DA0D2F2A0148DD2E0B3DA7A94BF779
2620 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\024823B39FBEACCDB5C06426A8168E99_46A8A073FC9E7825C238E647F1BF0614 | binary
    MD5: D90CDF156B22DDE4DF8CA3DE20017F68
    SHA256: 779066B0982C202D8050B5A3567789ED70632A3DCAFD3E81EFB0AD9086FABF96
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 45
TCP/UDP connections: 68
DNS requests: 28
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | CN | Type | Size | Reputation
2620 | iexplore.exe | GET | 304 | 151.139.128.14:80 | US | der | 471 b | whitelisted
    URL: http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D
2620 | iexplore.exe | GET | 200 | 151.139.128.14:80 | US | der | 471 b | whitelisted
    URL: http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D
2620 | iexplore.exe | GET | 200 | 2.16.186.9:80 | unknown | der | 1.37 Kb | whitelisted
    URL: http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
2620 | iexplore.exe | GET | 304 | 151.139.128.14:80 | US | der | 471 b | whitelisted
    URL: http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D
2620 | iexplore.exe | GET | 200 | 151.139.128.14:80 | US | der | 727 b | whitelisted
    URL: http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D
2620 | iexplore.exe | GET | 200 | 151.139.128.14:80 | US | der | 471 b | whitelisted
    URL: http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D
2620 | iexplore.exe | GET | 200 | 151.139.128.14:80 | US | der | 727 b | whitelisted
    URL: http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCEDaCXn%2B1pIGTfvbRc2u5PKY%3D
2620 | iexplore.exe | GET | 200 | 151.139.128.14:80 | US | der | 471 b | whitelisted
    URL: http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQLqIKj6Gi5thHaqKC1ECU9aXsCRQQUmvMr2s%2BtT7YvuypISCoStxtCwSQCEGan3iXcwakJX6A2HBCC7Jw%3D
2620 | iexplore.exe | GET | 200 | 151.139.128.14:80 | US | der | 471 b | whitelisted
    URL: http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQLqIKj6Gi5thHaqKC1ECU9aXsCRQQUmvMr2s%2BtT7YvuypISCoStxtCwSQCEFqIMDLoe3Fk8%2BTO2VcKXOA%3D
2620 | iexplore.exe | GET | 200 | 151.139.128.14:80 | US | der | 472 b | whitelisted
    URL: http://ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQLqIKj6Gi5thHaqKC1ECU9aXsCRQQUmvMr2s%2BtT7YvuypISCoStxtCwSQCEQCWqo32v01TJjW%2FjQoM7TAf

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2620 | iexplore.exe | 2.16.186.27:80 | ocsp.int-x3.letsencrypt.org | Akamai International B.V. | | whitelisted
2620 | iexplore.exe | 31.216.148.10:443 | mega.nz | Datacenter Luxembourg S.A. | LU | unknown
2524 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2620 | iexplore.exe | 2.16.186.9:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | | whitelisted
2620 | iexplore.exe | 31.216.147.136:443 | g.api.mega.co.nz | Datacenter Luxembourg S.A. | LU | shared
2620 | iexplore.exe | 31.216.148.13:443 | eu.static.mega.co.nz | Datacenter Luxembourg S.A. | LU | unknown
2524 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
2524 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2524 | iexplore.exe | 31.216.148.10:443 | mega.nz | Datacenter Luxembourg S.A. | LU | unknown
2524 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain | IP | Reputation
mega.nz | 31.216.148.10 | whitelisted
isrg.trustid.ocsp.identrust.com | 2.16.186.9, 2.16.186.11 | whitelisted
ocsp.int-x3.letsencrypt.org | 2.16.186.27, 2.16.186.11 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
eu.static.mega.co.nz | 31.216.148.13, 31.216.148.11, 89.44.169.134, 89.44.169.132 | shared
g.api.mega.co.nz | 31.216.147.136, 31.216.147.133, 31.216.147.132, 31.216.147.134, 31.216.147.135 | shared
ocsp.usertrust.com | 151.139.128.14 | whitelisted
ocsp.comodoca.com | 151.139.128.14 | whitelisted
localhost.megasyncloopback.mega.nz | 127.0.0.1 | unknown

Threats

PID | Process | Class | Message
1196 | AntiPublic Updater.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
1196 | AntiPublic Updater.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
3088 | AntiPublic Updater.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3088 | AntiPublic Updater.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
2208 | AntiPublic Updater.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2208 | AntiPublic Updater.exe | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
No debug info