analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://feauhueudughuurk.top/

Full analysis: https://app.any.run/tasks/34787bec-4301-413e-afa5-62f57dc43ff1
Verdict: Malicious activity
Analysis date: June 27, 2022, 12:19:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

B24E951A86FBC4F8975B307198B349E9

SHA1:

36257D876E0612E7023D87403478D275D2C147AE

SHA256:

087FE2C08DAC460EB96136D78E2AB747BADEFA8A41AA69BCBC4D33A566FAF688

SSDEEP:

3:N1KYGCLdtg:CYGAU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2920)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 2920)
      • iexplore.exe (PID: 2520)
      • opera.exe (PID: 3016)
    • Reads the computer name

      • iexplore.exe (PID: 2520)
      • iexplore.exe (PID: 2920)
      • opera.exe (PID: 3016)
    • Application launched itself

      • iexplore.exe (PID: 2520)
    • Changes internet zones settings

      • iexplore.exe (PID: 2520)
    • Check for Java to be installed

      • opera.exe (PID: 3016)
    • Reads the date of Windows installation

      • opera.exe (PID: 3016)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2520)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2920)
    • Manual execution by user

      • opera.exe (PID: 3016)
    • Creates files in the user directory

      • opera.exe (PID: 3016)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2520)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe opera.exe

Process information

PID
CMD
Path
Indicators
Parent process
2520"C:\Program Files\Internet Explorer\iexplore.exe" "http://feauhueudughuurk.top/"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2920"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2520 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3016"C:\Program Files\Opera\opera.exe" C:\Program Files\Opera\opera.exe
Explorer.EXE
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera Internet Browser
Exit code:
0
Version:
1748
Modules
Images
c:\program files\opera\opera.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wintrust.dll
c:\windows\system32\psapi.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msasn1.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
Total events
8 515
Read events
8 352
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
22
Text files
17
Unknown types
3

Dropped files

PID
Process
Filename
Type
3016opera.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1TQ73Z2N41A4MO70A1BF.tempbinary
MD5:3F7590FD56AC999E0289444034C9CC80
SHA256:632F80B7AD1F589FE608EF8546E3E7D1B0501A9EC3E38C0140EA1C10ED3E602B
3016opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.initext
MD5:541CB6762AD6E018389519561E12B93C
SHA256:BAF65F1426F313D5E39F3D2FD6C595BA0BC3A15554CBEBA6B8890DD68C61C53F
3016opera.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-msbinary
MD5:3F7590FD56AC999E0289444034C9CC80
SHA256:632F80B7AD1F589FE608EF8546E3E7D1B0501A9EC3E38C0140EA1C10ED3E602B
3016opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\oprB118.tmpxml
MD5:142A840D7051A1A09E0930E06928E720
SHA256:AC10709968EA8D5651DF269D937F62063BAE78B2EEA0469B8F44B31AE1D229A7
3016opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xmlxml
MD5:142A840D7051A1A09E0930E06928E720
SHA256:AC10709968EA8D5651DF269D937F62063BAE78B2EEA0469B8F44B31AE1D229A7
3016opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\oprB0B9.tmptext
MD5:541CB6762AD6E018389519561E12B93C
SHA256:BAF65F1426F313D5E39F3D2FD6C595BA0BC3A15554CBEBA6B8890DD68C61C53F
3016opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\sessions\oprB946.tmptext
MD5:3F5281B948860E52FE0E440FA12BE986
SHA256:DD343F8DEFAFCF2E27B3EF50EDB66A7821A4B219A0D326E1373355C02E5289AF
3016opera.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms~RFfb944.TMPbinary
MD5:DBC8C3C79F0DFF4745A5E25E13611AEF
SHA256:70C54F2C53CF246603B8DE4755D95C5AA51BF4B232340BEA5879724A1F84F675
3016opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\webserver\users.xmlxml
MD5:8F9BC25082526679D20832E134280689
SHA256:0FEDE19A884E68AF700217770D350B22BFE9CEE4CF87BA9438D50F2341A85B2C
3016opera.exeC:\Users\admin\AppData\Roaming\Opera\Opera\sessions\autosave.wintext
MD5:3F5281B948860E52FE0E440FA12BE986
SHA256:DD343F8DEFAFCF2E27B3EF50EDB66A7821A4B219A0D326E1373355C02E5289AF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
19
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2520
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
2520
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
2520
iexplore.exe
GET
23.216.77.69:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3d4cb99fff548bcc
US
whitelisted
2520
iexplore.exe
GET
23.216.77.69:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f10da25d0f0151c8
US
whitelisted
2920
iexplore.exe
GET
404
208.100.26.245:80
http://feauhueudughuurk.top/
US
html
141 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3016
opera.exe
185.26.182.93:443
certs.opera.com
Opera Software AS
whitelisted
3016
opera.exe
185.26.182.94:443
certs.opera.com
Opera Software AS
whitelisted
2920
iexplore.exe
208.100.26.245:80
feauhueudughuurk.top
Steadfast
US
malicious
2520
iexplore.exe
23.216.77.69:80
ctldl.windowsupdate.com
NTT DOCOMO, INC.
US
suspicious
192.168.100.2:53
whitelisted
2520
iexplore.exe
13.107.22.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2520
iexplore.exe
131.253.33.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2520
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2520
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
feauhueudughuurk.top
  • 208.100.26.245
malicious
www.microsoft.com
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 131.253.33.200
  • 13.107.22.200
whitelisted
certs.opera.com
  • 185.26.182.93
  • 185.26.182.94
whitelisted
ctldl.windowsupdate.com
  • 23.216.77.69
  • 23.216.77.80
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.top domain - Likely Hostile
2920
iexplore.exe
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
No debug info