URL: https://google.com
Full analysis: https://app.any.run/tasks/ada98101-e42c-4fef-9f63-5120c35d6d16
Verdict: Malicious activity
Analysis date: March 30, 2020, 19:18:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 99999EBCFDB78DF077AD2727FD00969F
SHA1: 72FE95C5576EC634E214814A32AB785568EDA76A
SHA256: 05046F26C83E8C88B3DDAB2EAB63D0D16224AC1E564535FC75CDCEEE47A0938D
SSDEEP: 3:N8r3uK:2LuK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • MEMZ-Destructive.exe (PID: 3960)
      • MEMZ-Destructive.exe (PID: 2628)
      • MEMZ-Destructive.exe (PID: 2952)
      • MEMZ-Destructive.exe (PID: 912)
      • MEMZ-Destructive.exe (PID: 2440)
      • MEMZ-Destructive.exe (PID: 2296)
      • MEMZ-Destructive.exe (PID: 2932)
      • MEMZ-Destructive.exe (PID: 580)
    • Low-level write access rights to disk partition

      • MEMZ-Destructive.exe (PID: 580)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3012)
      • iexplore.exe (PID: 3044)
    • Application launched itself

      • MEMZ-Destructive.exe (PID: 3960)
    • Low-level read access rights to disk partition

      • MEMZ-Destructive.exe (PID: 580)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3044)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3044)
      • iexplore.exe (PID: 3012)
      • iexplore.exe (PID: 1248)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3012)
      • iexplore.exe (PID: 1248)
    • Creates files in the user directory

      • iexplore.exe (PID: 3012)
      • iexplore.exe (PID: 1248)
      • iexplore.exe (PID: 3044)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 3012)
    • Application launched itself

      • iexplore.exe (PID: 3044)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 1248)
      • iexplore.exe (PID: 3012)
      • iexplore.exe (PID: 3044)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3044)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3044)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3044)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 51
Monitored processes: 12
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Interactive graph (per-process details available in the full report). Nodes: iexplore.exe (×3), memz-destructive.exe (×8, most marked "no specs"), notepad.exe (no specs). Edges are labelled "drop and start" and "start".

Process information

PID: 3044
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://google.com
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3012
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3044 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 1248
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3044 CREDAT:3544352 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2440
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\MEMZ-Destructive.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\MEMZ-Destructive.exe
Parent process: iexplore.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540

PID: 3960
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\MEMZ-Destructive.exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\MEMZ-Destructive.exe
Parent process: iexplore.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 912
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\MEMZ-Destructive.exe" /watchdog
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\MEMZ-Destructive.exe
Parent process: MEMZ-Destructive.exe
User: admin
Integrity Level: HIGH

PID: 2628
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\MEMZ-Destructive.exe" /watchdog
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\MEMZ-Destructive.exe
Parent process: MEMZ-Destructive.exe
User: admin
Integrity Level: HIGH

PID: 2952
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\MEMZ-Destructive.exe" /watchdog
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\MEMZ-Destructive.exe
Parent process: MEMZ-Destructive.exe
User: admin
Integrity Level: HIGH

PID: 2296
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\MEMZ-Destructive.exe" /watchdog
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\MEMZ-Destructive.exe
Parent process: MEMZ-Destructive.exe
User: admin
Integrity Level: HIGH

PID: 2932
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\MEMZ-Destructive.exe" /watchdog
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\MEMZ-Destructive.exe
Parent process: MEMZ-Destructive.exe
User: admin
Integrity Level: HIGH
Total events: 10 572
Read events: 2 124
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 78
Text files: 179
Unknown types: 36

Dropped files

PID | Process | Filename | Type
3044 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico |
  MD5:
  SHA256:
3012 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\PGXAICWX.txt |
  MD5:
  SHA256:
3012 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\3PCSQWH5.txt |
  MD5:
  SHA256:
3012 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\BFNULQTW.txt |
  MD5:
  SHA256:
3012 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\X7GO6VZI.txt |
  MD5:
  SHA256:
3044 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\imagestore\f7ruq93\imagestore.dat | binary
  MD5: 2F26266DE5B18C05B562AEDDCC78D0AC
  SHA256: 939354967BAB9B50AE662741DC4B87D9D8D7F9E81C68BF7DE2C0C6F167039292
3012 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\GLHEW2DI.txt | text
  MD5: 1D3634793C1775577E7A75577E7FD779
  SHA256: 3783033035C7D34C9D6E633A49C6A0284A073AC18AD2CB7F39F5DB2DFD724820
3012 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\jkkMLrYXQVEFzxKwxLIvF320v4s[1].js | text
  MD5: 0FD0568E7B5068E209AC15210AE56FF2
  SHA256: B87A66DF064550755C00F605C7463007675490E64346A26DD60246D00E8A09DE
3012 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\search[1].htm | html
  MD5: 1626794EE09A5BCFDCF104EBBDCF7E6F
  SHA256: CF43F7F25D3E8B1CAAF1C2046887F7823B069D7C083A454854D4D44030DA6C68
3012 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\ZMCKX417.txt | text
  MD5: 6AF6AE071FD3F11AC980C527C31A64B1
  SHA256: 5D932D5207351E98A4110524F6559FA1EBDD60BB6F961314319EABBBB1946076
Download the PCAP, analyze network streams, HTTP content and more in the full report.

HTTP(S) requests: 97
TCP/UDP connections: 121
DNS requests: 51
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3012 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/th?id=OVP.UvZbuPsrMHy2ot4cPrExJQEsDh:OVP.vHzB4B2sHjfLgaSlueoSygHgFo&w=197&h=110&c=7&rs=1&qlt=90&pid=1.7&bw=3&bc=ffffff | US | image | 16.2 Kb | whitelisted
3012 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/rs/2Z/2c/cj,nj/jkkMLrYXQVEFzxKwxLIvF320v4s.js | US | text | 773 b | whitelisted
3012 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/rs/5g/Tw/ic/ZricD7XDh2XWjN68qgUU8lqqArQ.png | US | image | 609 b | whitelisted
3012 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/rs/2Z/2J/cj,nj/An1tNZ4R1OYfUeOwo-Esq_D6kC8.js | US | text | 181 b | whitelisted
3012 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/rb/5g/cj,nj/D8nShhiaHwwY7S6Dowtg0f0NCMg.js?bu=EpMhqyHMINcgqQXrIO0guyHcIPYg-iClIakhnCH6H5gfmh-JIA | US | text | 5.38 Kb | whitelisted
3012 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/rs/47/m/cj,nj/uUsVn8GRk0BAxdg7i_rj3QicKuc.js | US | text | 354 b | whitelisted
3012 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/search?q=memz+download+exe&src=IE-TopResult&FORM=IE11TR&conversationid= | US | html | 67.1 Kb | whitelisted
3012 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/rs/2Z/2Q/cj,nj/zqF1NsFR7vS1hEarPv8Ova9tpdA.js | US | text | 177 b | whitelisted
3012 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/rs/6g/16F/cj,nj/JOVKK9CwtlLttGBW-c2T2aVxX_U.js | US | text | 297 b | whitelisted
3012 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/rb/14/cj,nj/-nK5HAtc03YD_-fIE4Q-t8DnnZY.js?bu=DiovZHR5fHFnarMBtQEvoAEv | US | text | 7.65 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3044 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3012 | iexplore.exe | 172.217.21.238:443 | google.com | Google Inc. | US | whitelisted
3012 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3012 | iexplore.exe | 13.107.5.80:80 | api.bing.com | Microsoft Corporation | US | whitelisted
 |  | 13.107.5.80:80 | api.bing.com | Microsoft Corporation | US | whitelisted
3012 | iexplore.exe | 40.126.1.130:443 | login.microsoftonline.com | Microsoft Corporation | US | malicious
3012 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3012 | iexplore.exe | 172.217.18.163:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
3012 | iexplore.exe | 40.90.137.120:443 | login.live.com | Microsoft Corporation | US | unknown
3012 | iexplore.exe | 172.217.16.206:443 | www.youtube.com | Google Inc. | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.21.238
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
login.microsoftonline.com
  • 40.126.1.130
  • 20.190.129.130
  • 20.190.129.128
  • 20.190.129.17
  • 20.190.129.160
  • 20.190.129.2
  • 40.126.1.128
  • 40.126.1.166
whitelisted
login.live.com
  • 40.90.137.120
  • 40.90.23.208
  • 40.90.137.127
whitelisted
www2.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
a4.bing.com
  • 2.20.191.18
  • 2.20.189.59
whitelisted
www.youtube.com
  • 172.217.16.206
  • 172.217.23.110
  • 216.58.210.14
  • 172.217.22.46
  • 172.217.22.78
  • 172.217.22.110
  • 172.217.21.206
  • 172.217.16.142
  • 172.217.23.174
  • 216.58.205.238
  • 172.217.22.14
  • 216.58.206.14
  • 172.217.18.110
  • 172.217.18.174
  • 216.58.207.46
whitelisted
ocsp.pki.goog
  • 172.217.18.163
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

PID | Process | Class | Message
3012 | iexplore.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request

Debug info: none