Sample: LBMLv1.0.5.0.zip

Full analysis: https://app.any.run/tasks/eabbbf4c-f90b-4d59-98ca-6b601dc24819
Verdict: Malicious activity
Analysis date: January 18, 2020, 12:56:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 6BAD8156568AE3F2E3450C360C4B22D4
SHA1: ABD9C63A64C557E9ACEF9BC485AFE0747E8F6D07
SHA256: F525700272B9587C519791C0D25F613BDDCF993D635B274BE7CEF2D148EAB832
SSDEEP: 393216:nRrJ/F0glYrj7GCfmciD9DJj4ZfAEY8QAyWp6Qei1H:n1xF0g+n7GCe5D9cfVQe61ix

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3488)
      • LbmlTessaServer.exe (PID: 2764)
      • LittleBigMiningLog.exe (PID: 3176)
      • LbmlTessaServer.exe (PID: 1560)
      • LittleBigMiningLog.exe (PID: 1160)
      • LbmlTessaServer.exe (PID: 1976)
      • LbmlTessaServer.exe (PID: 3776)
      • LbmlTessaServer.exe (PID: 328)
      • LittleBigMiningLog.exe (PID: 408)
      • LbmlTessaServer.exe (PID: 1928)
      • SearchProtocolHost.exe (PID: 2580)
      • LbmlTessaServer.exe (PID: 3416)
      • LittleBigMiningLog.exe (PID: 2780)
      • LbmlTessaServer.exe (PID: 3260)
    • Application was dropped or rewritten from another process

      • LittleBigMiningLog.exe (PID: 3176)
      • LbmlTessaServer.exe (PID: 2764)
      • LbmlUpdater.exe (PID: 4092)
      • LbmlTessaServer.exe (PID: 1560)
      • LBMLUpdater.exe (PID: 1412)
      • LbmlUpdater_tmp.exe (PID: 2684)
      • LbmlUpdater_tmp.exe (PID: 1820)
      • LbmlTessaServer.exe (PID: 1976)
      • LbmlTessaServer.exe (PID: 3776)
      • LittleBigMiningLog.exe (PID: 1160)
      • LbmlTessaServer.exe (PID: 328)
      • LittleBigMiningLog.exe (PID: 408)
      • LbmlTessaServer.exe (PID: 1928)
      • LittleBigMiningLog.exe (PID: 3268)
      • LbmlTessaServer.exe (PID: 3416)
      • LbmlTessaServer.exe (PID: 3260)
      • LittleBigMiningLog.exe (PID: 2780)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2332)
      • LBMLUpdater.exe (PID: 1412)
      • LbmlUpdater.exe (PID: 4092)
      • LbmlUpdater_tmp.exe (PID: 2684)
      • LbmlUpdater_tmp.exe (PID: 1820)
    • Starts itself from another location

      • LbmlUpdater.exe (PID: 4092)
      • LBMLUpdater.exe (PID: 1412)
    • Creates files in the user directory

      • LittleBigMiningLog.exe (PID: 1160)
    • Starts Internet Explorer

      • LittleBigMiningLog.exe (PID: 408)
    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 1596)
  • INFO

    • Manual execution by user

      • explorer.exe (PID: 2176)
      • LittleBigMiningLog.exe (PID: 3176)
      • LittleBigMiningLog.exe (PID: 408)
      • LittleBigMiningLog.exe (PID: 3268)
      • LittleBigMiningLog.exe (PID: 2780)
    • Application launched itself

      • iexplore.exe (PID: 2264)
    • Changes internet zones settings

      • iexplore.exe (PID: 2264)
    • Creates files in the user directory

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 1596)
      • iexplore.exe (PID: 388)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 388)
    • Reads internet explorer settings

      • iexplore.exe (PID: 388)
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipFileName: DirectXMap.dll
ZipUncompressedSize: 158208
ZipCompressedSize: 78300
ZipCRC: 0x32924ca6
ZipModifyDate: 2018:11:26 22:24:12
ZipCompression: Deflated
ZipBitFlag: -
ZipRequiredVersion: 20
All screenshots are available in the full report
Total processes: 71
Monitored processes: 25
Malicious processes: 17
Suspicious processes: 2

Behavior graph

Interactive graph available in the full report. Process nodes shown in the graph: winrar.exe, explorer.exe, searchprotocolhost.exe, littlebigmininglog.exe, lbmltessaserver.exe, dw20.exe, lbmlupdater.exe, lbmlupdater_tmp.exe, iexplore.exe, flashutil32_26_0_0_131_activex.exe.

Process information

(First 9 of the 25 monitored processes; the remainder are in the full report.)

PID 2332 | WinRAR.exe | Parent: explorer.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\LBMLv1.0.5.0.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin | Company: Alexander Roshal | Integrity level: MEDIUM
  Description: WinRAR archiver | Version: 5.60.0

PID 2176 | explorer.exe | Parent: explorer.exe
  CMD: "C:\Windows\explorer.exe"
  Path: C:\Windows\explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Windows Explorer | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3488 | SearchProtocolHost.exe | Parent: SearchIndexer.exe
  CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Path: C:\Windows\System32\SearchProtocolHost.exe
  User: SYSTEM | Company: Microsoft Corporation | Integrity level: SYSTEM
  Description: Microsoft Windows Search Protocol Host | Exit code: 0 | Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID 3176 | LittleBigMiningLog.exe | Parent: explorer.exe
  CMD: "C:\Users\admin\Downloads\LBMLv1.0.5.0\LittleBigMiningLog.exe"
  Path: C:\Users\admin\Downloads\LBMLv1.0.5.0\LittleBigMiningLog.exe
  User: admin | Company: Digital Envision - www.digital-envision.com | Integrity level: MEDIUM
  Description: LittleBigMiningLog | Exit code: 0 | Version: 1.0.5.0

PID 2764 | LbmlTessaServer.exe | Parent: LittleBigMiningLog.exe
  CMD: "C:\Users\admin\Downloads\LBMLv1.0.5.0\LbmlTessaServer.exe" 0
  Path: C:\Users\admin\Downloads\LBMLv1.0.5.0\LbmlTessaServer.exe
  User: admin | Company: Digital Envision - www.digital-envision.com | Integrity level: MEDIUM
  Description: LBML Tessa Server | Exit code: 0 | Version: 1.0.0.0

PID 1560 | LbmlTessaServer.exe | Parent: LittleBigMiningLog.exe
  CMD: "C:\Users\admin\Downloads\LBMLv1.0.5.0\LbmlTessaServer.exe" 1
  Path: C:\Users\admin\Downloads\LBMLv1.0.5.0\LbmlTessaServer.exe
  User: admin | Company: Digital Envision - www.digital-envision.com | Integrity level: MEDIUM
  Description: LBML Tessa Server | Exit code: 0 | Version: 1.0.0.0

PID 2492 | dw20.exe | Parent: LittleBigMiningLog.exe
  CMD: dw20.exe -x -s 1296
  Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Microsoft .NET Error Reporting Shim | Exit code: 0 | Version: 2.0.50727.4927 (NetFXspW7.050727-4900)

PID 4092 | LbmlUpdater.exe | Parent: LittleBigMiningLog.exe
  CMD: "C:\Users\admin\Downloads\LBMLv1.0.5.0\LbmlUpdater.exe"
  Path: C:\Users\admin\Downloads\LBMLv1.0.5.0\LbmlUpdater.exe
  User: admin | Company: Digital Envision - www.digital-envision.com | Integrity level: MEDIUM
  Description: LBML Updater | Exit code: 0 | Version: 1.0.1.1

PID 2684 | LbmlUpdater_tmp.exe | Parent: LbmlUpdater.exe
  CMD: "C:\Users\admin\Downloads\LBMLv1.0.5.0\updates\tmp_updater\LbmlUpdater_tmp.exe"
  Path: C:\Users\admin\Downloads\LBMLv1.0.5.0\updates\tmp_updater\LbmlUpdater_tmp.exe
  User: admin | Company: Digital Envision - www.digital-envision.com | Integrity level: MEDIUM
  Description: LBML Updater | Exit code: 0 | Version: 1.0.1.1

PID 1412 | LBMLUpdater.exe | Parent: LbmlUpdater_tmp.exe
  CMD: "C:\Users\admin\Downloads\LBMLv1.0.5.0\LBMLUpdater.exe"
  Path: C:\Users\admin\Downloads\LBMLv1.0.5.0\LBMLUpdater.exe
  User: admin | Company: Digital Envision - www.digital-envision.com | Integrity level: MEDIUM
  Description: LBML Updater | Exit code: 0 | Version: 1.0.1.1
Registry activity

Total events: 4 380
Read events: 4 219
Write events: 0
Delete events: 0
Modification events: No data

Files activity

Executable files: 35
Suspicious files: 8
Text files: 30
Unknown types: 72

Dropped files

PID | Process | Filename | Type
2332 | WinRAR.exe | C:\Users\admin\Downloads\LBMLv1.0.5.0\Interop.SpeechLib.dll | executable
  MD5: CE16ACC302A4735C901B242922D45943
  SHA256: 3E286B391EAAA2EABC29B3A3C8FB784058A1F2B73459EB9060402D986C214A6F
2332 | WinRAR.exe | C:\Users\admin\Downloads\LBMLv1.0.5.0\LbmlUpdater.exe | executable
  MD5: D763573CC0D36D08BDCB03E6C92E27E2
  SHA256: 2B804407685EFFF3DEC18FDF6C37D505377F748F9C51F74D48404F194442D171
2332 | WinRAR.exe | C:\Users\admin\Downloads\LBMLv1.0.5.0\LittleBigMiningLog.exe | executable
  MD5: D1B251A6287F3E72F5D2362A3382406F
  SHA256: 93E5C2E17C9026C84214E85B1EC19261031D9AA779C673CC15EFBFBE7A00CB4D
2332 | WinRAR.exe | C:\Users\admin\Downloads\LBMLv1.0.5.0\LbmlTessaServer.exe | executable
  MD5: 18F5D3F888FBCF8E60C25B71212BB37B
  SHA256: CF558A7CF31EF435393C86E4FB9281C5E748594B565986B4FBB3802A72A8029C
2332 | WinRAR.exe | C:\Users\admin\Downloads\LBMLv1.0.5.0\Maps\drop.dds | dds
  MD5: 96134963E2A6C1FAB9143DA57689D2BC
  SHA256: 3B81604D14A1E0B73ACFE40641068F01A8E587B4474E0A80288376984DF3D476
2332 | WinRAR.exe | C:\Users\admin\Downloads\LBMLv1.0.5.0\LittleBigMiningLog.exe.config | xml
  MD5: 9E1ABE8AEE5AB9E602928AAD14D2E96D
  SHA256: 413DF44234B39D16D98DBFBA3A217AA9C67A5C4522C68522BB9C39EBD486988F
2332 | WinRAR.exe | C:\Users\admin\Downloads\LBMLv1.0.5.0\DirectXMap.dll | executable
  MD5: 7B203EA547DCF56DD1701DB64E8A2C42
  SHA256: FC9CA2D7767FB5B52057A88ADF5D93004919349259C5E1BDA23E542170E011BB
2332 | WinRAR.exe | C:\Users\admin\Downloads\LBMLv1.0.5.0\Maps\map_ark_0.dds | dds
  MD5: D9CD2B727C6F7E014D04052C332DC8A2
  SHA256: 26E8941CF0934A9AA4CFB7C0B320ED7E1269CEAC19D2D520E60684D241D2CDA5
2332 | WinRAR.exe | C:\Users\admin\Downloads\LBMLv1.0.5.0\Maps\claim.dds | dds
  MD5: 8CD07FDB7E91C230B87F553DFD2F0B6D
  SHA256: BEB566B76B030AAC96FFE2F78258EA02C1C9BECFAA1BE1DC2E2AF61124A7F5D8
2332 | WinRAR.exe | C:\Users\admin\Downloads\LBMLv1.0.5.0\filelist.dat | text
  MD5: 5795E1E28EE8E2AB0342100FB2DDCA5C
  SHA256: C14DF4E60D095773347475302E5795447722B6F5B3EDFBC65DFA3BA2EC7FC99D
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 22
TCP/UDP connections: 13
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
1160 | LittleBigMiningLog.exe | GET | 200 | 132.148.61.1:80 | http://www.mininglog.com/downloads/version2.php | US | text | 242 b | suspicious
3176 | LittleBigMiningLog.exe | GET | 200 | 132.148.61.1:80 | http://www.mininglog.com/downloads/version2.php | US | text | 242 b | suspicious
408 | LittleBigMiningLog.exe | GET | 200 | 132.148.61.1:80 | http://www.mininglog.com/getcertificate3.php | US | text | 1016 b | suspicious
1820 | LbmlUpdater_tmp.exe | GET | 200 | 132.148.61.1:80 | http://www.mininglog.com/downloads/client2/LBMLv1.0.5.2.zip | US | compressed | 3.19 Mb | suspicious
2684 | LbmlUpdater_tmp.exe | GET | 200 | 132.148.61.1:80 | http://www.mininglog.com/downloads/client2/LBMLv1.0.5.1.zip | US | compressed | 3.27 Mb | suspicious
1160 | LittleBigMiningLog.exe | GET | 200 | 132.148.61.1:80 | http://www.mininglog.com/getcertificate3.php | US | text | 1016 b | suspicious
408 | LittleBigMiningLog.exe | GET | 200 | 132.148.61.1:80 | http://www.mininglog.com/downloads/version2.php | US | text | 242 b | suspicious
388 | iexplore.exe | GET | 200 | 132.148.61.1:80 | http://www.mininglog.com/account_create.php | US | html | 1.72 Kb | suspicious
2684 | LbmlUpdater_tmp.exe | GET | 200 | 132.148.61.1:80 | http://www.mininglog.com/downloads/version2.php | US | text | 242 b | suspicious
1820 | LbmlUpdater_tmp.exe | GET | 200 | 132.148.61.1:80 | http://www.mininglog.com/downloads/version2.php | US | text | 242 b | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2264 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3176 | LittleBigMiningLog.exe | 132.148.61.1:80 | www.mininglog.com | GoDaddy.com, LLC | US | suspicious
408 | LittleBigMiningLog.exe | 132.148.61.1:80 | www.mininglog.com | GoDaddy.com, LLC | US | suspicious
1820 | LbmlUpdater_tmp.exe | 132.148.61.1:80 | www.mininglog.com | GoDaddy.com, LLC | US | suspicious
2684 | LbmlUpdater_tmp.exe | 132.148.61.1:80 | www.mininglog.com | GoDaddy.com, LLC | US | suspicious
1160 | LittleBigMiningLog.exe | 132.148.61.1:80 | www.mininglog.com | GoDaddy.com, LLC | US | suspicious
388 | iexplore.exe | 132.148.61.1:80 | www.mininglog.com | GoDaddy.com, LLC | US | suspicious
2780 | LittleBigMiningLog.exe | 132.148.61.1:80 | www.mininglog.com | GoDaddy.com, LLC | US | suspicious
388 | iexplore.exe | 172.217.16.206:80 | www.google-analytics.com | Google Inc. | US | whitelisted
2264 | iexplore.exe | 132.148.61.1:80 | www.mininglog.com | GoDaddy.com, LLC | US | suspicious

DNS requests

Domain | IP | Reputation
www.mininglog.com | 132.148.61.1 | suspicious
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
www.google-analytics.com | 172.217.16.206 | whitelisted
dns.msftncsi.com | 131.107.255.255 | shared

Threats

PID | Process | Class | Message
2780 | LittleBigMiningLog.exe | Potential Corporate Privacy Violation | ET POLICY Unsupported/Fake Windows NT Version 5.0
No debug info