analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| download: | consultoriarh |
| Full analysis: | https://app.any.run/tasks/56d00fc2-80e8-4c04-99b3-120ca5739a0d |
| Verdict: | Malicious activity |
| Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
| Analysis date: | July 12, 2020, 17:40:50 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 8105A5957936E19837E0FD86F7C4946E |
| SHA1: | 9E4C06AFC2CDBB8CE7CABCCF08EC1A0589FD5623 |
| SHA256: | E7C6797D06ACC594B9519F3F2617C8408E76611733B90F9E01D4303D97AE37C9 |
| SSDEEP: | 98304:1tjwn4XTZfl6FeV7fTxC0FGCHUQ7Y941DHzth2OSy7tBSNZFDFlf:1RwnKTPV7bU00CN7YW1/tOyhBuF/ |
MALICIOUS
Application was dropped or rewritten from another process
- WindowsAzureNetAgent.exe.exe (PID: 3016)
- W319V8WavesSysSvc64.exe.exe (PID: 3552)
Connects to CnC server
- WindowsAzureNetAgent.exe.exe (PID: 3016)
Loads dropped or rewritten executable
- W319V8WavesSysSvc64.exe.exe (PID: 3552)
Changes the autorun value in the registry
- W319V8WavesSysSvc64.exe.exe (PID: 3552)
SUSPICIOUS
Starts Microsoft Installer
- WinRAR.exe (PID: 2076)
Executable content was dropped or overwritten
- msiexec.exe (PID: 2084)
- WindowsAzureNetAgent.exe.exe (PID: 3016)
Executed as Windows Service
- vssvc.exe (PID: 1376)
Creates files in the program directory
- WindowsAzureNetAgent.exe.exe (PID: 3016)
- W319V8WavesSysSvc64.exe.exe (PID: 3552)
Reads Environment values
- W319V8WavesSysSvc64.exe.exe (PID: 3552)
Reads the BIOS version
- W319V8WavesSysSvc64.exe.exe (PID: 3552)
Modifies files in Chrome extension folder
- chrome.exe (PID: 2676)
INFO
Searches for installed software
- msiexec.exe (PID: 2084)
Low-level read access rights to disk partition
- vssvc.exe (PID: 1376)
Application launched itself
- msiexec.exe (PID: 2084)
- chrome.exe (PID: 2676)
Loads dropped or rewritten executable
- MsiExec.exe (PID: 2728)
Dropped object may contain Bitcoin addresses
- msiexec.exe (PID: 2084)
Reads the hosts file
- chrome.exe (PID: 2676)
- chrome.exe (PID: 1288)
Manual execution by user
- chrome.exe (PID: 2676)
Reads settings of System Certificates
- chrome.exe (PID: 1288)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2020:07:09 22:50:23 |
| ZipCRC: | 0x648d90fd |
| ZipCompressedSize: | 4475434 |
| ZipUncompressedSize: | 6055424 |
| ZipFileName: | Ce97ZN.msi |
Total processes
74
Monitored processes
38
Malicious processes
2
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 2076 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\consultoriarh.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
| 2744 | "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Rar$EXa2076.1945\Ce97ZN.msi" | C:\Windows\System32\msiexec.exe | — | WinRAR.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
| 2084 | C:\Windows\system32\msiexec.exe /V | C:\Windows\system32\msiexec.exe | services.exe | |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
| 1376 | C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | — | services.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2728 | C:\Windows\system32\MsiExec.exe -Embedding D9A8DBA333F15E56F51B134771CF5E50 | C:\Windows\system32\MsiExec.exe | — | msiexec.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) | ||||
| 3016 | "C:\Users\admin\AppData\Local\Loard Pronto\WindowsAzureNetAgent.exe.exe" | C:\Users\admin\AppData\Local\Loard Pronto\WindowsAzureNetAgent.exe.exe | msiexec.exe | |
User: admin Integrity Level: MEDIUM Description: NVIDIA Smart Maximise Helper Host Version: 6.14.10.100.03 | ||||
| 3552 | "C:\ProgramData\USOUPrivate\3105BF385CC544618E4B4946D7BEF362\W319V8WavesSysSvc64.exe.exe" | C:\ProgramData\USOUPrivate\3105BF385CC544618E4B4946D7BEF362\W319V8WavesSysSvc64.exe.exe | WindowsAzureNetAgent.exe.exe | |
User: admin Company: Avira Operations GmbH & Co. KG Integrity Level: MEDIUM Description: Avira Version: 1.2.146.25871 | ||||
| 2676 | "C:\Program Files\Google\Chrome\Application\chrome.exe" | C:\Program Files\Google\Chrome\Application\chrome.exe | explorer.exe | |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 3221225547 Version: 75.0.3770.100 | ||||
| 3636 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6b35a9d0,0x6b35a9e0,0x6b35a9ec | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
| 2592 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3776 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe |
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 75.0.3770.100 | ||||
Total events
1 586
Read events
1 311
Write events
0
Delete events
0
Modification events
Executable files
7
Suspicious files
45
Text files
251
Unknown types
16
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2076 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa2076.1945\Ce97ZN.msi | — | |
MD5:— | SHA256:— | |||
| 2084 | msiexec.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 2084 | msiexec.exe | C:\Windows\Installer\17154d.msi | — | |
MD5:— | SHA256:— | |||
| 2084 | msiexec.exe | C:\Windows\Installer\MSI186B.tmp | — | |
MD5:— | SHA256:— | |||
| 2084 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFA95345233A47FC1B.TMP | — | |
MD5:— | SHA256:— | |||
| 1376 | vssvc.exe | C: | — | |
MD5:— | SHA256:— | |||
| 2084 | msiexec.exe | C:\Users\admin\AppData\Local\Loard Pronto\nvsmartmax.dll | — | |
MD5:— | SHA256:— | |||
| 2084 | msiexec.exe | C:\Config.Msi\171550.rbs | — | |
MD5:— | SHA256:— | |||
| 2084 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DF375E4A1426B23531.TMP | — | |
MD5:— | SHA256:— | |||
| 3016 | WindowsAzureNetAgent.exe.exe | C:\ProgramData\USOUPrivate\W319V8.zip | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
35
DNS requests
24
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3552 | W319V8WavesSysSvc64.exe.exe | POST | 200 | 51.91.138.200:80 | http://premier-nikes.duckdns.org//UP1/toto.php | GB | — | — | malicious |
1288 | chrome.exe | GET | 200 | 159.148.69.143:80 | http://r4---sn-a5uoxu-gpme.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=QJ&mip=159.148.186.246&mm=28&mn=sn-a5uoxu-gpme&ms=nvh&mt=1594575254&mv=u&mvi=4&pcm2cms=yes&pl=24&shardbypass=yes | LV | crx | 293 Kb | whitelisted |
1288 | chrome.exe | GET | 302 | 172.217.16.206:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOTRmQUFXVHlhaGJaUTdMLWtCSkNJUl9ZQQ/1.0.0.5_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | html | 543 b | whitelisted |
1288 | chrome.exe | GET | 200 | 159.148.69.141:80 | http://r2---sn-a5uoxu-gpme.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvY2Y1QUFXUjZlVjI5UldyLVpDTFJFcEx6QQ/7719.805.0.2_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mh=Nf&mip=159.148.186.246&mm=28&mn=sn-a5uoxu-gpme&ms=nvh&mt=1594575254&mv=u&mvi=2&pl=24&shardbypass=yes | LV | crx | 823 Kb | whitelisted |
1288 | chrome.exe | GET | 302 | 172.217.16.206:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvY2Y1QUFXUjZlVjI5UldyLVpDTFJFcEx6QQ/7719.805.0.2_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 532 b | whitelisted |
1288 | chrome.exe | GET | 301 | 172.217.18.165:80 | http://gmail.com/ | US | html | 226 b | shared |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1288 | chrome.exe | 216.58.206.3:443 | www.google.com.ua | Google Inc. | US | whitelisted |
1288 | chrome.exe | 216.58.207.68:443 | www.google.com | Google Inc. | US | whitelisted |
1288 | chrome.exe | 172.217.23.109:443 | accounts.google.com | Google Inc. | US | suspicious |
3016 | WindowsAzureNetAgent.exe.exe | 108.61.252.156:60004 | — | Choopa, LLC | US | malicious |
— | — | 51.91.138.200:80 | premier-nikes.duckdns.org | — | GB | malicious |
1288 | chrome.exe | 172.217.22.110:443 | ogs.google.com.ua | Google Inc. | US | whitelisted |
1288 | chrome.exe | 216.58.205.234:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
1288 | chrome.exe | 216.58.212.163:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
1288 | chrome.exe | 172.217.18.163:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |
1288 | chrome.exe | 172.217.22.67:443 | www.gstatic.com | Google Inc. | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
premier-nikes.duckdns.org |
| malicious |
clientservices.googleapis.com |
| whitelisted |
accounts.google.com |
| shared |
www.google.com.ua |
| whitelisted |
fonts.googleapis.com |
| whitelisted |
www.gstatic.com |
| whitelisted |
fonts.gstatic.com |
| whitelisted |
apis.google.com |
| whitelisted |
ogs.google.com.ua |
| whitelisted |
www.google.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3016 | WindowsAzureNetAgent.exe.exe | A Network Trojan was detected | ET TROJAN [eSentire] Win32/Spy.Banker CnC Command (DOWNLOAD) |
3016 | WindowsAzureNetAgent.exe.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan-Spy.Win32.Delf(Banload) response |
3016 | WindowsAzureNetAgent.exe.exe | A Network Trojan was detected | MALWARE [PTsecurity] Trojan-Spy.Win32.Delf(Banload) request |
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |