URL: http://www.ttyplus.com/download/mtputty.zip

Full analysis: https://app.any.run/tasks/84df45f6-635d-405d-9e83-c424743193d6
Verdict: Malicious activity
Analysis date: September 11, 2019, 10:23:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
  • MD5: 02A5D9545865F7A397F61F8E71239127
  • SHA1: 4CDBEFDC49031E4A691E253C4B32A7E0DEEC6754
  • SHA256: FFF6856F8084C693615CE38D826B8036D5EF95FA8F2BCC3FE749D7A79A57178E
  • SSDEEP: 3:N1KJS4sVJyWKLs6RcYV:Cc4Dlf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • MTPuTTY_setup.exe (PID: 2628)
      • MTPuTTY_setup.exe (PID: 2736)
      • mtputty.exe (PID: 2568)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2368)
      • MTPuTTY_setup.exe (PID: 2628)
      • MTPuTTY_setup.exe (PID: 2736)
      • MTPuTTY_setup.tmp (PID: 3088)
    • Creates files in the user directory

      • MTPuTTY_setup.tmp (PID: 3088)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2396)
  • INFO

    • Creates files in the user directory

      • opera.exe (PID: 2784)
    • Reads Internet Cache Settings

      • opera.exe (PID: 2784)
    • Manual execution by user

      • MTPuTTY_setup.exe (PID: 2736)
      • WinRAR.exe (PID: 2368)
      • mtputty.exe (PID: 2568)
      • chrome.exe (PID: 2396)
    • Application was dropped or rewritten from another process

      • MTPuTTY_setup.tmp (PID: 3088)
      • MTPuTTY_setup.tmp (PID: 3504)
    • Creates files in the program directory

      • MTPuTTY_setup.tmp (PID: 3088)
    • Loads dropped or rewritten executable

      • MTPuTTY_setup.tmp (PID: 3088)
    • Creates a software uninstall entry

      • MTPuTTY_setup.tmp (PID: 3088)
    • Dropped object may contain Bitcoin addresses

      • chrome.exe (PID: 2396)
    • Reads settings of System Certificates

      • chrome.exe (PID: 2092)
    • Reads the hosts file

      • chrome.exe (PID: 2396)
      • chrome.exe (PID: 2092)
    • Application launched itself

      • chrome.exe (PID: 2396)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 82
Monitored processes: 41
Malicious processes: 2
Suspicious processes: 1

Behavior graph


Process information

PID 2784, parent: explorer.exe
  CMD: "C:\Program Files\Opera\opera.exe" "http://www.ttyplus.com/download/mtputty.zip"
  Path: C:\Program Files\Opera\opera.exe
  User: admin
  Company: Opera Software
  Integrity Level: MEDIUM
  Description: Opera Internet Browser
  Version: 1748

PID 2368, parent: explorer.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\mtputty.zip" C:\Users\admin\Desktop\
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 2736, parent: explorer.exe
  CMD: "C:\Users\admin\Desktop\MTPuTTY_setup.exe"
  Path: C:\Users\admin\Desktop\MTPuTTY_setup.exe
  User: admin
  Company: TTYPlus
  Integrity Level: MEDIUM
  Description: MTPuTTY Setup
  Exit code: 0
  Version: 1.6

PID 3504, parent: MTPuTTY_setup.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\is-4T8B5.tmp\MTPuTTY_setup.tmp" /SL5="$2D013C,768749,54272,C:\Users\admin\Desktop\MTPuTTY_setup.exe"
  Path: C:\Users\admin\AppData\Local\Temp\is-4T8B5.tmp\MTPuTTY_setup.tmp
  User: admin
  Integrity Level: MEDIUM
  Description: Setup/Uninstall
  Exit code: 0
  Version: 51.52.0.0

PID 2628, parent: MTPuTTY_setup.tmp
  CMD: "C:\Users\admin\Desktop\MTPuTTY_setup.exe" /SPAWNWND=$301B0 /NOTIFYWND=$2D013C
  Path: C:\Users\admin\Desktop\MTPuTTY_setup.exe
  User: admin
  Company: TTYPlus
  Integrity Level: HIGH
  Description: MTPuTTY Setup
  Exit code: 0
  Version: 1.6

PID 3088, parent: MTPuTTY_setup.exe
  CMD: "C:\Users\admin\AppData\Local\Temp\is-2NU2P.tmp\MTPuTTY_setup.tmp" /SL5="$401C8,768749,54272,C:\Users\admin\Desktop\MTPuTTY_setup.exe" /SPAWNWND=$301B0 /NOTIFYWND=$2D013C
  Path: C:\Users\admin\AppData\Local\Temp\is-2NU2P.tmp\MTPuTTY_setup.tmp
  User: admin
  Integrity Level: HIGH
  Description: Setup/Uninstall
  Exit code: 0
  Version: 51.52.0.0

PID 2568, parent: explorer.exe
  CMD: "C:\Program Files\MTPuTTY\mtputty.exe"
  Path: C:\Program Files\MTPuTTY\mtputty.exe
  User: admin
  Company: TTYPlus
  Integrity Level: MEDIUM
  Description: Multi-Tabbed PuTTY
  Version: 1.6.0.176

PID 2396, parent: explorer.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: MEDIUM
  Description: Google Chrome
  Version: 75.0.3770.100

PID 3232, parent: chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6d2da9d0,0x6d2da9e0,0x6d2da9ec
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: MEDIUM
  Description: Google Chrome
  Version: 75.0.3770.100

PID 2448, parent: chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2416 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin
  Company: Google LLC
  Integrity Level: MEDIUM
  Description: Google Chrome
  Version: 75.0.3770.100
Total events: 2 679
Read events: 2 313
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 7
Suspicious files: 266
Text files: 189
Unknown types: 12

Dropped files

The first six entries have no file type or hashes recorded in the report.

PID 2784, opera.exe: C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr9177.tmp
PID 2784, opera.exe: C:\Users\admin\AppData\Roaming\Opera\Opera\opr9187.tmp
PID 2784, opera.exe: C:\Users\admin\AppData\Roaming\Opera\Opera\opr91E6.tmp
PID 2784, opera.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\65QPUX0SO85GQT7H1H7U.temp
PID 2784, opera.exe: C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00003.tmp
PID 2784, opera.exe: C:\Users\admin\AppData\Roaming\Opera\Opera\oprE5F3.tmp
PID 2784, opera.exe: C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini (type: text)
  MD5: 5047A5CC2CB1D40D8BE2631511437B79
  SHA256: 78CBD8FB29873CB4ADCDE3FA5AC1DC5BF67656950DD4D53EE72AAE1BF42D8B35
PID 2784, opera.exe: C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat (type: binary)
  MD5: 66353CFD7291F165C28DBA541510FB77
  SHA256: 7B9439D7FC99454C6B5280F6B2FF5DD1E11033F0A0838AC56304FB0DA61F26FD
PID 2784, opera.exe: C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml (type: xml)
  MD5: 5ADE8CB3BB945125100F18B0C90770E8
  SHA256: 240D35F4BEBD74DCE56087932E896E3D97CA3C7ABCC4CE864ADBCBA6AD6466CF
PID 2784, opera.exe: C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp (type: html)
  MD5: 7F077F1FCE3D566040B0D69EB1F27D8F
  SHA256: 487AD0D2CF075F4328A1ADF57EF428759AD4E2C873A8EBD2AD9653990829C9CF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 5
TCP/UDP connections: 41
DNS requests: 29
Threats: 0

HTTP requests

PID 2784, opera.exe: GET 200 from 168.235.76.235:80
  URL: http://www.ttyplus.com/download/mtputty.zip
  CN: US, type: compressed, size: 962 Kb, reputation: suspicious

PID 2784, opera.exe: GET 200 from 93.184.220.29:80
  URL: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
  CN: US, type: der, size: 528 b, reputation: whitelisted

PID 2092, chrome.exe: GET 302 from 172.217.22.78:80
  URL: http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
  CN: US, type: html, size: 515 b, reputation: whitelisted

PID 2092, chrome.exe: GET 200 from 74.125.8.140:80
  URL: http://r6---sn-5hnednlk.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=185.104.186.93&mm=28&mn=sn-5hnednlk&ms=nvh&mt=1568197413&mv=m&mvi=5&pl=24&shardbypass=yes
  CN: US, type: crx, size: 862 Kb, reputation: whitelisted

PID 2784, opera.exe: GET 400 from 107.167.110.216:80
  URL: http://sitecheck2.opera.com/?host=www.ttyplus.com&hdn=W/TD/0yTrGUuO60TeY/XnA==
  CN: US, type: html, size: 150 b, reputation: whitelisted

Connections

PID 2092, chrome.exe: 172.217.21.234:443 fonts.googleapis.com (ASN: Google Inc., CN: US, reputation: whitelisted)
PID 2784, opera.exe: 93.184.220.29:80 crl4.digicert.com (ASN: MCI Communications Services, Inc. d/b/a Verizon Business, CN: US, reputation: whitelisted)
PID 2092, chrome.exe: 172.217.16.195:443 www.gstatic.com (ASN: Google Inc., CN: US, reputation: whitelisted)
PID 2784, opera.exe: 185.26.182.93:443 certs.opera.com (ASN: Opera Software AS, reputation: whitelisted)
PID 2092, chrome.exe: 216.58.207.35:443 www.google.com.ua (ASN: Google Inc., CN: US, reputation: whitelisted)
PID 2092, chrome.exe: 172.217.23.141:443 accounts.google.com (ASN: Google Inc., CN: US, reputation: whitelisted)
PID 2092, chrome.exe: 172.217.18.99:443 clientservices.googleapis.com (ASN: Google Inc., CN: US, reputation: whitelisted)
PID 2784, opera.exe: 107.167.110.216:80 sitecheck2.opera.com (ASN: Opera Software Americas LLC, CN: US, reputation: malicious)
PID 2784, opera.exe: 168.235.76.235:80 www.ttyplus.com (ASN: RamNode LLC, CN: US, reputation: suspicious)
PID 2092, chrome.exe: 216.58.205.238:443 clients2.google.com (ASN: Google Inc., CN: US, reputation: whitelisted)

DNS requests

www.ttyplus.com: 168.235.76.235 (suspicious)
sitecheck2.opera.com: 107.167.110.216, 107.167.110.211 (whitelisted)
certs.opera.com: 185.26.182.93, 185.26.182.94 (whitelisted)
crl4.digicert.com: 93.184.220.29 (whitelisted)
clientservices.googleapis.com: 172.217.18.99 (whitelisted)
accounts.google.com: 172.217.23.141 (shared)
www.google.com.ua: 216.58.207.35 (whitelisted)
fonts.googleapis.com: 172.217.21.234 (whitelisted)
www.gstatic.com: 172.217.16.195 (whitelisted)
fonts.gstatic.com: 172.217.18.99 (whitelisted)

Threats

No threats detected
No debug info