URL: | https://lazovskiphoto.com/ural_zakaz.zip |
Full analysis: | https://app.any.run/tasks/8b770cee-86f2-464d-8ae3-d7dc97791df0 |
Verdict: | Malicious activity |
Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
Analysis date: | May 24, 2019, 05:31:41 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 24F6F5A73B5D3B1189A8ABB17DEA380F |
SHA1: | 5445B8E426C15BE99E65E7847DCF530B64C479CB |
SHA256: | E5CC500632B2BCFCB874D32E05F782EF353402E97E2CD074D033C6B890C4F682 |
SSDEEP: | 3:N8EfKapNV02YVn:2EjpNV024 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2864 | "C:\Program Files\Mozilla Firefox\firefox.exe" https://lazovskiphoto.com/ural_zakaz.zip | C:\Program Files\Mozilla Firefox\firefox.exe | explorer.exe | |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 65.0.2 | ||||
4088 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.0.232410091\1637758825" -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - "C:\Users\admin\AppData\LocalLow\Mozilla\Temp-{ce348e4c-7d33-445e-89f9-60108c51bcaf}" 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 1160 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe |
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Version: 65.0.2 | ||||
2856 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.6.1110181118\100154082" -childID 1 -isForBrowser -prefsHandle 1700 -prefMapHandle 1656 -prefsLen 1 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 764 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 65.0.2 | ||||
3592 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.13.1870370291\892492357" -childID 2 -isForBrowser -prefsHandle 2680 -prefMapHandle 2684 -prefsLen 216 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 2696 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 65.0.2 | ||||
2620 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2864.20.2065024668\869668342" -childID 3 -isForBrowser -prefsHandle 3372 -prefMapHandle 3584 -prefsLen 5824 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2864 "\\.\pipe\gecko-crash-server-pipe.2864" 3572 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | |
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Version: 65.0.2 | ||||
2760 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\ural_zakaz.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | firefox.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
2528 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2760.44107\Подробности заказа ОАО Авиакомпания Уральские авиалинии.js" | C:\Windows\System32\WScript.exe | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3480 | "C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\rad5C1B8.tmp | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2832 | C:\Users\admin\AppData\Local\Temp\rad5C1B8.tmp | C:\Users\admin\AppData\Local\Temp\rad5C1B8.tmp | cmd.exe | |
User: admin Company: Glarysoft Ltd Integrity Level: MEDIUM Description: Registry Defrag Version: 5.0.0.14 | ||||
756 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2760.1291\Подробности заказа ОАО Авиакомпания Уральские авиалинии.js" | C:\Windows\System32\WScript.exe | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2864 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | |
MD5:— | SHA256:— | |||
2864 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | — | |
MD5:— | SHA256:— | |||
2864 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\trash3513 | — | |
MD5:— | SHA256:— | |||
2864 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | — | |
MD5:— | SHA256:— | |||
2864 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | — | |
MD5:— | SHA256:— | |||
2864 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\test-malware-simple.sbstore | — | |
MD5:— | SHA256:— | |||
2864 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\test-malware-simple.pset | — | |
MD5:— | SHA256:— | |||
2864 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\test-phish-simple.sbstore | — | |
MD5:— | SHA256:— | |||
2864 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\test-phish-simple.pset | — | |
MD5:— | SHA256:— | |||
2864 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\test-unwanted-simple.sbstore | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2528 | WScript.exe | GET | 200 | 62.173.145.104:80 | http://www.zagogulina.com/1c.jpg | RU | executable | 1.19 Mb | malicious |
2864 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2864 | firefox.exe | POST | 200 | 2.16.186.11:80 | http://ocsp.int-x3.letsencrypt.org/ | unknown | der | 527 b | whitelisted |
2864 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2864 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2864 | firefox.exe | POST | 200 | 216.58.205.227:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted |
2864 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
2864 | firefox.exe | POST | 200 | 2.16.186.11:80 | http://ocsp.int-x3.letsencrypt.org/ | unknown | der | 527 b | whitelisted |
2864 | firefox.exe | POST | 200 | 216.58.205.227:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted |
2864 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2864 | firefox.exe | 2.16.186.112:80 | detectportal.firefox.com | Akamai International B.V. | — | whitelisted |
2864 | firefox.exe | 216.58.206.14:443 | sb-ssl.google.com | Google Inc. | US | whitelisted |
2864 | firefox.exe | 85.93.145.251:443 | lazovskiphoto.com | JSC Internet-Cosmos | RU | unknown |
2864 | firefox.exe | 216.58.205.234:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
2864 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2864 | firefox.exe | 2.16.186.11:80 | ocsp.int-x3.letsencrypt.org | Akamai International B.V. | — | whitelisted |
2832 | rad5C1B8.tmp | 131.188.40.189:443 | — | Verein zur Foerderung eines Deutschen Forschungsnetzes e.V. | DE | malicious |
2864 | firefox.exe | 52.24.56.107:443 | shavar.services.mozilla.com | Amazon.com, Inc. | US | unknown |
2864 | firefox.exe | 34.218.159.169:443 | aus5.mozilla.org | Amazon.com, Inc. | US | unknown |
2864 | firefox.exe | 216.58.205.227:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
lazovskiphoto.com |
| unknown |
detectportal.firefox.com |
| whitelisted |
aus5.mozilla.org |
| whitelisted |
balrog-aus5.r53-2.services.mozilla.com |
| whitelisted |
a1089.dscd.akamai.net |
| whitelisted |
search.services.mozilla.com |
| whitelisted |
search.r53-2.services.mozilla.com |
| whitelisted |
ocsp.int-x3.letsencrypt.org |
| whitelisted |
a771.dscq.akamai.net |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2528 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
2528 | WScript.exe | A Network Trojan was detected | ET TROJAN JS/WSF Downloader Dec 08 2016 M4 |
2528 | WScript.exe | Misc activity | SUSPICIOUS [PTsecurity] PE as Image Content type mismatch |
2832 | rad5C1B8.tmp | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 120 |
2832 | rad5C1B8.tmp | Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR SSL connection |
2832 | rad5C1B8.tmp | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 644 |
2832 | rad5C1B8.tmp | Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR SSL connection |
2832 | rad5C1B8.tmp | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 525 |
2832 | rad5C1B8.tmp | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 638 |
2832 | rad5C1B8.tmp | Misc activity | ET POLICY TLS possible TOR SSL traffic |