Windows Analysis Report
http://assets.localytics.com/amp/customer_upload/ee9c12e9b59bfdc6191f0f183e9554f70db56883/1606877/2420136/phone-Bottom_Third_Icon_One_Button_updated__2_.zip

Overview

General Information

Sample URL: http://assets.localytics.com/amp/customer_upload/ee9c12e9b59bfdc6191f0f183e9554f70db56883/1606877/2420136/phone-Bottom_Third_Icon_One_Button_updated__2_.zip
Analysis ID: 1540591

Detection

Score: 2
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Usage Of Web Request Commands And Cmdlets
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
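Three of the signatures above are simple enough to replay over the report's own telemetry: the cmd.exe/wget.exe process creation carries a web-request tool and a single oversized argument (the quoted URL), and the only DNS query, for assets.localytics.com, came back with reply code 3 (NXDOMAIN), so no host was ever contacted and the zip was never fetched. That last point is the caveat for the low score: the verdict describes a download that did not happen, not the contents of the archive. The script below is an added example, not the sandbox's signature code and not the public Sigma rule; the list of download tools, the 100-character "very long option" threshold, and the shape of the event records are simplifying assumptions, and the notepad event and DNS reply codes are constructed for contrast (the wget command line is the one recorded in this report).

```python
"""Replays three of the report's behavioural signatures over constructed Windows
process-creation and DNS events.  Added example, not the sandbox's signature code
and not the public Sigma rule itself; token list, thresholds and event shapes are
simplifying assumptions."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumption: a short list of download tools / cmdlets a "web request" rule keys on.
WEB_REQUEST_TOKENS = (
    "wget", "curl", "certutil", "bitsadmin", "start-bitstransfer",
    "invoke-webrequest", "iwr", "invoke-restmethod", "irm",
    "net.webclient", "downloadstring", "downloadfile",
)
LONG_OPTION_THRESHOLD = 100  # assumed: a single argument longer than this is "very long"
RCODE_NXDOMAIN = 3           # DNS RCODE 3, "Name error", as seen in the report

SIG_WEB_REQUEST = "Sigma detected: Usage Of Web Request Commands And Cmdlets"
SIG_LONG_OPTION = "Very long cmdline option found, this is very uncommon (may be encrypted or packed)"
SIG_NO_VALID_DOMAIN = "Tries to resolve domain names, but no domain seems valid (expired dropper behavior)"


@dataclass
class ProcessEvent:
    image: str
    cmdline: str


@dataclass
class DnsEvent:
    query: str
    rcode: int  # 0 = NOERROR, 3 = NXDOMAIN


def split_args(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping "quoted segments" glued
    to the argument they belong to (so --user-agent="a b" stays one argument)."""
    return re.findall(r'(?:[^\s"]+|"[^"]*")+', cmdline)


def web_request_command(cmdline: str) -> bool:
    """True if the command line names a known download tool or cmdlet."""
    lowered = cmdline.lower()
    return any(re.search(r"\b" + re.escape(t) + r"\b", lowered) for t in WEB_REQUEST_TOKENS)


def very_long_option(cmdline: str, threshold: int = LONG_OPTION_THRESHOLD) -> Optional[str]:
    """Return the first argument longer than `threshold`, else None.
    Encoded or packed payloads are often smuggled in one oversized argument."""
    for arg in split_args(cmdline):
        if len(arg) > threshold:
            return arg
    return None


def no_valid_domain(dns: List[DnsEvent]) -> bool:
    """True when the sample queried at least one name and every query came back
    NXDOMAIN: the infrastructure is gone, so the payload was never fetched."""
    return bool(dns) and all(e.rcode == RCODE_NXDOMAIN for e in dns)


def evaluate(procs: List[ProcessEvent], dns: List[DnsEvent]) -> List[str]:
    """Return the signature names that fire for one analysis run."""
    hits = []
    if any(web_request_command(p.cmdline) for p in procs):
        hits.append(SIG_WEB_REQUEST)
    if any(very_long_option(p.cmdline) is not None for p in procs):
        hits.append(SIG_LONG_OPTION)
    if no_valid_domain(dns):
        hits.append(SIG_NO_VALID_DOMAIN)
    return hits


# Constructed events.  The wget command line is the one recorded in the report;
# the notepad line and the DNS reply codes are made up for contrast.
WGET_CMDLINE = (
    r'wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate '
    r'--content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; '
    r'Trident/7.0; AS; rv:11.0) like Gecko" '
    r'"http://assets.localytics.com/amp/customer_upload/'
    r'ee9c12e9b59bfdc6191f0f183e9554f70db56883/1606877/2420136/'
    r'phone-Bottom_Third_Icon_One_Button_updated__2_.zip"'
)
REPORT_PROCS = [
    ProcessEvent(r"C:\Windows\SysWOW64\wget.exe", WGET_CMDLINE),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\Users\user\notes.txt"),
]
REPORT_DNS = [DnsEvent("assets.localytics.com", RCODE_NXDOMAIN)]

if __name__ == "__main__":
    for sig in evaluate(REPORT_PROCS, REPORT_DNS):
        print("fires:", sig)
```

Run as-is and all three signatures fire for the report's events; swap in a resolver reply of 0 for the DNS event and the "no domain seems valid" line drops out, which is exactly the difference between a dead dropper and one that would have delivered a payload worth analysing.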

Classification

Source: unknown DNS traffic detected: query: assets.localytics.com reply code: Name error (3), i.e. NXDOMAIN
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: assets.localytics.com
Source: wget.exe, 00000002.00000002.2016071791.0000000000B97000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://assets.localytics.com/amp/customer_upload/ee9c12e9b59bfdc6191f0f183e955
Source: wget.exe, 00000002.00000002.2015880634.0000000000100000.00000004.00000020.00020000.00000000.sdmp, cmdline.out.0.dr String found in binary or memory: http://assets.localytics.com/amp/customer_upload/ee9c12e9b59bfdc6191f0f183e9554f70db56883/1606877/24
Source: classification engine Classification label: clean2.win@4/1@1/0
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\Desktop\cmdline.out
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5972:120:WilError_03
Source: C:\Windows\SysWOW64\wget.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://assets.localytics.com/amp/customer_upload/ee9c12e9b59bfdc6191f0f183e9554f70db56883/1606877/2420136/phone-Bottom_Third_Icon_One_Button_updated__2_.zip" > cmdline.out 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P "C:\Users\user\Desktop\download" --no-check-certificate --content-disposition --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko" "http://assets.localytics.com/amp/customer_upload/ee9c12e9b59bfdc6191f0f183e9554f70db56883/1606877/2420136/phone-Bottom_Third_Icon_One_Button_updated__2_.zip"
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wget.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: wget.exe, 00000002.00000002.2016071791.0000000000B97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
No contacted IP infos