Windows
Analysis Report
http://software.oldversion.com/download.php?f=YTo1OntzOjQ6InRpbWUiO2k6MTczMTQ4OTAwMjtzOjI6ImlkIjtpOjEzODk4O3M6NDoiZmlsZSI7czo0MzoicGRmY3JlYXRvci0xLTYtMi1QREZDcmVhdG9yLTFfNl8yX3NldHVwLmV4ZSI7czozOiJ1cmwiO3M6NTA6Imh0dHA6Ly93d3cub2xkdmVyc2lvbi5jb20vd2luZG93cy9wZGZjcmVhdG9yLTEtNi0yIjtzOjQ6InBhc3MiO3M6Mz
Overview
General Information
Detection
Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for dropped file
HTML page contains suspicious onload / onerror event
Suspicious execution chain found
Connects to several IPs in different countries
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Downloads executable code via HTTP
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Found dropped PE file which has not been started or loaded
HTML page contains hidden javascript code
HTML page contains string obfuscation
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Stores files to the Windows start menu directory
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Classification
- System is w10x64_ra
- chrome.exe (PID: 6240 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized "about:blank" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
- chrome.exe (PID: 4188 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1736,i,1698038350045694038,10913271343233087969,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
- chrome.exe (PID: 6868 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4452 --field-trial-handle=1736,i,1698038350045694038,10913271343233087969,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
- pdfcreator-1-6-2-PDFCreator-1_6_2_setup.exe (PID: 2184 cmdline: "C:\Users\user\Downloads\pdfcreator-1-6-2-PDFCreator-1_6_2_setup.exe" MD5: AABD219B8604A1258D1BFD94154319CF)
- pdfcreator-1-6-2-PDFCreator-1_6_2_setup.tmp (PID: 3080 cmdline: "C:\Users\user\AppData\Local\Temp\is-OCNFT.tmp\pdfcreator-1-6-2-PDFCreator-1_6_2_setup.tmp" /SL5="$4032E,16929848,54272,C:\Users\user\Downloads\pdfcreator-1-6-2-PDFCreator-1_6_2_setup.exe" MD5: 15430669556C2062CEADD5B125E8CEA7)
- DownloadUpdateInfo.exe (PID: 4844 cmdline: "C:\Users\user\AppData\Local\Temp\is-59PR7.tmp\DownloadUpdateInfo.exe" /verysilent /URL=http://update.pdfforge.org/pdfcreator/update-info.txt /Filename="C:\Users\user\AppData\Local\Temp\is-59PR7.tmp\update-info.txt" /TimeOut=7000 MD5: 20152BF45DE34391E0CBFBB533B1BD63)
- DownloadUpdateInfo.tmp (PID: 1392 cmdline: "C:\Users\user\AppData\Local\Temp\is-7RE49.tmp\DownloadUpdateInfo.tmp" /SL5="$602D4,259588,54272,C:\Users\user\AppData\Local\Temp\is-59PR7.tmp\DownloadUpdateInfo.exe" /verysilent /URL=http://update.pdfforge.org/pdfcreator/update-info.txt /Filename="C:\Users\user\AppData\Local\Temp\is-59PR7.tmp\update-info.txt" /TimeOut=7000 MD5: 15430669556C2062CEADD5B125E8CEA7)
- rundll32.exe (PID: 1280 cmdline: RunDll32.exe "C:\Users\user\AppData\Local\Temp\is-59PR7.tmp\OCSetupHlp.dll",_OCPRD68OpenCandy2@16 3080,C7E337D01987456CB2DEEBF3331DFBF1,77796C64D81041E9BD380D5D23571076 MD5: 889B99C52A60DD49227C5E485A016679)
- rundll32.exe (PID: 4060 cmdline: RunDll32.exe "C:\Users\user\AppData\Local\Temp\is-59PR7.tmp\OCSetupHlp.dll",_OCPRD68OpenCandy2@16 3080,F626BBADED6942A9A9B032075D5E2FE6,8AB43B5E98014CC39B6961D0B89FD081 MD5: 889B99C52A60DD49227C5E485A016679)
- regsvr32.exe (PID: 5564 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\MSVBVM60.DLL" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
- regsvr32.exe (PID: 2872 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\MSCOMCT2.OCX" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
- regsvr32.exe (PID: 6456 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\MSCOMCTL.OCX" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
- regsvr32.exe (PID: 6516 cmdline: "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\MSMAPI32.OCX" MD5: 878E47C8656E53AE8A8A21E927C6F7E0)
- PDFCreator.exe (PID: 6384 cmdline: "C:\Program Files (x86)\PDFCreator\PDFCreator.exe" /RegServer MD5: 1187D7EF1998C14CF1F69A393850AE57)
- RegAsm.exe (PID: 4788 cmdline: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Program Files (x86)\PDFCreator\PlugIns\pdfforge\pdfforge.dll" /codebase MD5: A64DACA3CFBCD039DF3EC29D3EDDD001)
- conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
- msiexec.exe (PID: 1940 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\AppData\Local\Temp\is-59PR7.tmp\PDFArchitect_latest_setup.msi" /quiet CREATE_DESKTOP_SHORTCUT=1 APPLICATION_LANGUAGE=0 MD5: 9D09DC1EDA745A5F87553048E57620CF)
- InstallCheck.exe (PID: 1052 cmdline: "C:\Users\user\AppData\Local\Temp\is-59PR7.tmp\InstallCheck.exe" /verysilent /p=1 /v=1.6.2 /ud=0 /lc=en /b=6 MD5: 4162EF7B23CBB4A1953F14D99A6E1094)
- InstallCheck.tmp (PID: 3996 cmdline: "C:\Users\user\AppData\Local\Temp\is-RUHMQ.tmp\InstallCheck.tmp" /SL5="$40378,54272,54272,C:\Users\user\AppData\Local\Temp\is-59PR7.tmp\InstallCheck.exe" /verysilent /p=1 /v=1.6.2 /ud=0 /lc=en /b=6 MD5: 15430669556C2062CEADD5B125E8CEA7)
- chrome.exe (PID: 3968 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://www.pdfforge.org/pdfcreator/welcome MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
- chrome.exe (PID: 6544 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1888,i,5596884337790773879,16064160228794631098,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
- chrome.exe (PID: 2008 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" "http://software.oldversion.com/download.php?f=YTo1OntzOjQ6InRpbWUiO2k6MTczMTQ4OTAwMjtzOjI6ImlkIjtpOjEzODk4O3M6NDoiZmlsZSI7czo0MzoicGRmY3JlYXRvci0xLTYtMi1QREZDcmVhdG9yLTFfNl8yX3NldHVwLmV4ZSI7czozOiJ1cmwiO3M6NTA6Imh0dHA6Ly93d3cub2xkdmVyc2lvbi5jb20vd2luZG93cy9wZGZjcmVhdG9yLTEtNi0yIjtzOjQ6InBhc3MiO3M6MzI6IjMwYzExNzY3MTEwNWY3MjhjYjA0YzU2ZjkzYTc1YTRjIjt9" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
- msiexec.exe (PID: 3608 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
- cleanup
No yara matches
No Sigma rule has matched
No Suricata rule has matched
AV Detection
Phishing
Software Vulnerabilities