
LBMLv1.0.5.0.zip

Full analysis: https://app.any.run/tasks/8c34464e-c86c-4e68-a213-ef12ed90efe8
Verdict: Malicious activity
Analysis date: January 18, 2020, 12:48:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 6BAD8156568AE3F2E3450C360C4B22D4
SHA1: ABD9C63A64C557E9ACEF9BC485AFE0747E8F6D07
SHA256: F525700272B9587C519791C0D25F613BDDCF993D635B274BE7CEF2D148EAB832
SSDEEP: 393216:nRrJ/F0glYrj7GCfmciD9DJj4ZfAEY8QAyWp6Qei1H:n1xF0g+n7GCe5D9cfVQe61ix

ANY.RUN is an interactive service that gives the analyst full access to the guest system. The information in this report may therefore have been influenced by analyst actions and is provided as is, for the user's information only. ANY.RUN does not guarantee that the content is malicious or safe.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3476)
      • explorer.exe (PID: 352)
      • LittleBigMiningLog.exe (PID: 3468)
      • LbmlTessaServer.exe (PID: 2876)
      • LbmlTessaServer.exe (PID: 520)
      • LittleBigMiningLog.exe (PID: 2564)
      • LbmlTessaServer.exe (PID: 2472)
      • LittleBigMiningLog.exe (PID: 2208)
      • LbmlTessaServer.exe (PID: 2576)
      • LbmlTessaServer.exe (PID: 3016)
      • LbmlTessaServer.exe (PID: 2532)
    • Application was dropped or rewritten from another process

      • LbmlTessaServer.exe (PID: 520)
      • LittleBigMiningLog.exe (PID: 3468)
      • LbmlTessaServer.exe (PID: 2876)
      • LbmlUpdater_tmp.exe (PID: 3976)
      • LbmlUpdater.exe (PID: 2252)
      • LbmlTessaServer.exe (PID: 2576)
      • LbmlUpdater_tmp.exe (PID: 2608)
      • LBMLUpdater.exe (PID: 1448)
      • LbmlTessaServer.exe (PID: 2472)
      • LittleBigMiningLog.exe (PID: 2564)
      • LbmlTessaServer.exe (PID: 2532)
      • LbmlTessaServer.exe (PID: 3016)
      • LittleBigMiningLog.exe (PID: 2208)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3140)
      • explorer.exe (PID: 352)
      • LbmlUpdater_tmp.exe (PID: 3976)
      • LbmlUpdater.exe (PID: 2252)
      • LBMLUpdater.exe (PID: 1448)
      • LbmlUpdater_tmp.exe (PID: 2608)
    • Creates files in the user directory

      • explorer.exe (PID: 352)
    • Reads Internet Cache Settings

      • explorer.exe (PID: 352)
    • Starts itself from another location

      • LbmlUpdater.exe (PID: 2252)
      • LBMLUpdater.exe (PID: 1448)
  • INFO

    • Manual execution by user

      • explorer.exe (PID: 2344)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2018:11:26 22:24:12
ZipCRC: 0x32924ca6
ZipCompressedSize: 78300
ZipUncompressedSize: 158208
ZipFileName: DirectXMap.dll
No data.
All screenshots are available in the full report
Total processes: 60
Monitored processes: 18
Malicious processes: 15
Suspicious processes: 0

Behavior graph

Interactive process graph omitted; see the full report. Processes shown in the graph: winrar.exe, searchprotocolhost.exe, explorer.exe, littlebigmininglog.exe, lbmltessaserver.exe, dw20.exe, lbmlupdater.exe, lbmlupdater_tmp.exe.

Process information

PID 3140 | CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\LBMLv1.0.5.0.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM
  Description: WinRAR archiver | Version: 5.60.0

PID 3476 | CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Path: C:\Windows\System32\SearchProtocolHost.exe
  Parent process: SearchIndexer.exe
  User: SYSTEM | Company: Microsoft Corporation | Integrity Level: SYSTEM
  Description: Microsoft Windows Search Protocol Host | Exit code: 0 | Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID 2344 | CMD: "C:\Windows\explorer.exe"
  Path: C:\Windows\explorer.exe
  Parent process: explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows Explorer | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 352 | CMD: C:\Windows\Explorer.EXE
  Path: C:\Windows\explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows Explorer | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3468 | CMD: "C:\Users\admin\Downloads\LBMLv1.0.5.0\LittleBigMiningLog.exe"
  Path: C:\Users\admin\Downloads\LBMLv1.0.5.0\LittleBigMiningLog.exe
  Parent process: explorer.exe
  User: admin | Company: Digital Envision - www.digital-envision.com | Integrity Level: MEDIUM
  Description: LittleBigMiningLog | Exit code: 3762507597 | Version: 1.0.5.0

PID 520 | CMD: "C:\Users\admin\Downloads\LBMLv1.0.5.0\LbmlTessaServer.exe" 0
  Path: C:\Users\admin\Downloads\LBMLv1.0.5.0\LbmlTessaServer.exe
  Parent process: LittleBigMiningLog.exe
  User: admin | Company: Digital Envision - www.digital-envision.com | Integrity Level: MEDIUM
  Description: LBML Tessa Server | Exit code: 0 | Version: 1.0.0.0

PID 2876 | CMD: "C:\Users\admin\Downloads\LBMLv1.0.5.0\LbmlTessaServer.exe" 1
  Path: C:\Users\admin\Downloads\LBMLv1.0.5.0\LbmlTessaServer.exe
  Parent process: LittleBigMiningLog.exe
  User: admin | Company: Digital Envision - www.digital-envision.com | Integrity Level: MEDIUM
  Description: LBML Tessa Server | Exit code: 0 | Version: 1.0.0.0

PID 1268 | CMD: dw20.exe -x -s 1300
  Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  Parent process: LittleBigMiningLog.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Microsoft .NET Error Reporting Shim | Exit code: 0 | Version: 2.0.50727.4927 (NetFXspW7.050727-4900)

PID 2252 | CMD: "C:\Users\admin\Downloads\LBMLv1.0.5.0\LbmlUpdater.exe"
  Path: C:\Users\admin\Downloads\LBMLv1.0.5.0\LbmlUpdater.exe
  Parent process: explorer.exe
  User: admin | Company: Digital Envision - www.digital-envision.com | Integrity Level: MEDIUM
  Description: LBML Updater | Exit code: 0 | Version: 1.0.1.1

PID 3976 | CMD: "C:\Users\admin\Downloads\LBMLv1.0.5.0\updates\tmp_updater\LbmlUpdater_tmp.exe"
  Path: C:\Users\admin\Downloads\LBMLv1.0.5.0\updates\tmp_updater\LbmlUpdater_tmp.exe
  Parent process: LbmlUpdater.exe
  User: admin | Company: Digital Envision - www.digital-envision.com | Integrity Level: MEDIUM
  Description: LBML Updater | Exit code: 0 | Version: 1.0.1.1
Total events: 4 466
Read events: 4 095
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 49
Suspicious files: 3
Text files: 8
Unknown types: 5

Dropped files

PID | Process | Filename
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3140.26524\LittleBigMiningLog.exe
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3140.26524\LittleBigMiningLog.exe.config
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3140.26524\Microsoft.DirectX.Direct3D.dll
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3140.26524\Microsoft.DirectX.Direct3DX.dll
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3140.26524\Microsoft.DirectX.dll
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3140.26524\RemoteObjects.dll
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3140.26524\System.Data.SQLite.dll
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3140.26524\tessnet2_32.dll
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3140.26524\Maps\claim.dds
3140 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa3140.26524\Maps\claiminfo2.dds
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 6
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3468 | LittleBigMiningLog.exe | GET | 200 | 132.148.61.1:80 | http://www.mininglog.com/downloads/version2.php | US | text | 242 b | suspicious
2608 | LbmlUpdater_tmp.exe | GET | 200 | 132.148.61.1:80 | http://www.mininglog.com/downloads/client2/LBMLv1.0.5.2.zip | US | compressed | 3.19 Mb | suspicious
2608 | LbmlUpdater_tmp.exe | GET | 200 | 132.148.61.1:80 | http://www.mininglog.com/downloads/version2.php | US | text | 242 b | suspicious
3976 | LbmlUpdater_tmp.exe | GET | 200 | 132.148.61.1:80 | http://www.mininglog.com/downloads/version2.php | US | text | 242 b | suspicious
3976 | LbmlUpdater_tmp.exe | GET | 200 | 132.148.61.1:80 | http://www.mininglog.com/downloads/client2/LBMLv1.0.5.1.zip | US | compressed | 3.27 Mb | suspicious
2564 | LittleBigMiningLog.exe | GET | 200 | 132.148.61.1:80 | http://www.mininglog.com/downloads/version2.php | US | text | 242 b | suspicious
2208 | LittleBigMiningLog.exe | GET | 200 | 132.148.61.1:80 | http://www.mininglog.com/downloads/version2.php | US | text | 242 b | suspicious
2208 | LittleBigMiningLog.exe | POST | 200 | 132.148.61.1:80 | http://www.mininglog.com/toolcomm3.php | US | text | 361 b | suspicious
2208 | LittleBigMiningLog.exe | GET | 200 | 132.148.61.1:80 | http://www.mininglog.com/getcertificate3.php | US | text | 1016 b | suspicious
2564 | LittleBigMiningLog.exe | GET | 200 | 132.148.61.1:80 | http://www.mininglog.com/getcertificate3.php | US | text | 1016 b | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3468 | LittleBigMiningLog.exe | 132.148.61.1:80 | www.mininglog.com | GoDaddy.com, LLC | US | suspicious
2608 | LbmlUpdater_tmp.exe | 132.148.61.1:80 | www.mininglog.com | GoDaddy.com, LLC | US | suspicious
2208 | LittleBigMiningLog.exe | 132.148.61.1:80 | www.mininglog.com | GoDaddy.com, LLC | US | suspicious
3976 | LbmlUpdater_tmp.exe | 132.148.61.1:80 | www.mininglog.com | GoDaddy.com, LLC | US | suspicious
2564 | LittleBigMiningLog.exe | 132.148.61.1:80 | www.mininglog.com | GoDaddy.com, LLC | US | suspicious

DNS requests

Domain | IP | Reputation
www.mininglog.com | 132.148.61.1 | suspicious

Threats

PID | Process | Class | Message
2208 | LittleBigMiningLog.exe | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 5.0
No debug info