URL: http://newdw1.akf2oq8sbnzzph4.sporttech.pk/?rarara=bWljaGFsLmphcmVzQHV2bi5jeg==

Full analysis: https://app.any.run/tasks/109b72e9-c5b7-4f1a-a30d-46cb5eebc7b9
Verdict: Malicious activity
Analysis date: November 29, 2020, 18:18:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 3C36948A79A6862123FC3D233F2E8325
SHA1: 0C4F3BDF589D3567448504CEE9229B10BD4F7536
SHA256: 0F1DFD9156E9E86D53BC425045A766F657398517140AFCA25346D59299C2134D
SSDEEP: 3:N1KQ3BM3VNRtgO+EYklAXx4C1n:CQ32lJn+EvlAXt1

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Executed via COM
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 4076)
  • INFO
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2604)
    • Changes settings of System certificates
      • iexplore.exe (PID: 2604)
    • Creates files in the user directory
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 4076)
      • iexplore.exe (PID: 2520)
    • Changes internet zones settings
      • iexplore.exe (PID: 2604)
    • Reads internet explorer settings
      • iexplore.exe (PID: 2520)
    • Application launched itself
      • iexplore.exe (PID: 2604)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 2604)
No Malware configuration.
Total processes: 37
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph (interactive graph in the full report): start, iexplore.exe, iexplore.exe, flashutil32_26_0_0_131_activex.exe (no specs)

Process information

PID: 2604
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://newdw1.akf2oq8sbnzzph4.sporttech.pk/?rarara=bWljaGFsLmphcmVzQHV2bi5jeg==
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2520
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2604 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 4076
CMD: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding
Path: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe
Parent process: svchost.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version: 26,0,0,131
Total events: 847
Read events: 749
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 76
Text files: 75
Unknown types: 67

Dropped files

PID: 2604 (iexplore.exe)
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:

PID: 2520 (iexplore.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Low\CabFD76.tmp
MD5:
SHA256:

PID: 2520 (iexplore.exe)
Filename: C:\Users\admin\AppData\Local\Temp\Low\TarFD77.tmp
MD5:
SHA256:

PID: 2520 (iexplore.exe)
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\67F6625BC22310D5C99DDE12020DBD90
Type: der
MD5: 907989E2E5AEDF092A53F8596376BA76
SHA256: D557E2E91A4571B04A89EA7422C920B7577B685DD58080D22C77325CC94A7AF5

PID: 2520 (iexplore.exe)
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
Type: der
MD5: D9A7C71F2455317845563B02C39B84C8
SHA256: C5B24A2E28E55081E315826ED0127557077434F24D5C3EFF803C45AA4EF1B827

PID: 2520 (iexplore.exe)
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Type: binary
MD5: 817E18D8D94D304F2C6CEC013D494648
SHA256: 8CD90D719CBF82C1FCF2D47855D652F9989A13B6FFF5B5DA8E3FBDDAB6E5418B

PID: 2520 (iexplore.exe)
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Type: der
MD5: 16986898F5EB5B997247119BD7AB7899
SHA256: E6E2A5E9BEA4E7A7D6F6C928581842631741905B7F4ABEE95EBC77C274CC4787

PID: 2520 (iexplore.exe)
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\676B6AD67A9F0A41F20B667D1A469D81
Type: der
MD5: 204A1D07B95D06FE53E3A0C819D5A30D
SHA256: E8B7354A84DEC4810364C1866ED097672B4F7C2AFDFFD38731807AB8BBA194A3

PID: 2520 (iexplore.exe)
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Type: der
MD5: CA57489FA2F5B061504F0D1F9DB09E44
SHA256: 862EA67B7FEA748A32F4AACB82523A4243B6911AAD51EF8FDD80D742FE31ACA6

PID: 2520 (iexplore.exe)
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\676B6AD67A9F0A41F20B667D1A469D81
Type: binary
MD5: B899047985DE6973D0E0AAC73B3A8186
SHA256: 789114FAF70DDB3965886D812BC516FF8ED0121354AFF5F78463636F3DB0AAD1
HTTP(S) requests: 42
TCP/UDP connections: 118
DNS requests: 47
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2520 | iexplore.exe | GET | 200 | 192.124.249.36:80 | http://crl.godaddy.com/gdroot-g2.crl | US | der | 462 b | whitelisted
2520 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted
2520 | iexplore.exe | GET | 301 | 184.170.255.202:80 | http://newdw1.akf2oq8sbnzzph4.sporttech.pk/?rarara=bWljaGFsLmphcmVzQHV2bi5jeg== | US | html | 277 b | suspicious
2520 | iexplore.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDDCp%2BiAKlAlQIAAAAAgFRY | US | der | 472 b | whitelisted
2520 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECECMV6OzFoHDAfztRr3CGwpk%3D | US | der | 471 b | whitelisted
2520 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECED%2FzUI3tAun7U7CGnHDWrvg%3D | US | der | 471 b | whitelisted
2520 | iexplore.exe | GET | 200 | 2.18.215.91:80 | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgQOuAAqpw5dv6FDZJRrJgkupg%3D%3D | unknown | der | 527 b | whitelisted
2520 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D | US | der | 471 b | whitelisted
2520 | iexplore.exe | GET | 200 | 2.18.213.113:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted
2520 | iexplore.exe | GET | 200 | 172.217.16.131:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2520 | iexplore.exe | 192.124.249.23:80 | ocsp.godaddy.com | Sucuri | US | suspicious
2520 | iexplore.exe | 192.124.249.36:80 | ocsp.godaddy.com | Sucuri | US | suspicious
2520 | iexplore.exe | 184.170.255.202:80 | newdw1.akf2oq8sbnzzph4.sporttech.pk | Total Server Solutions L.L.C. | US | suspicious
2604 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2520 | iexplore.exe | 195.149.84.100:443 | reported.com | World News PTE. LTD | GB | malicious
2520 | iexplore.exe | 160.153.131.148:443 | leshauteursdeblida.com | GoDaddy.com, LLC | US | suspicious
2520 | iexplore.exe | 151.139.128.14:80 | ocsp.comodoca.com | Highwinds Network Group, Inc. | US | suspicious
2520 | iexplore.exe | 2.18.213.113:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | unknown |
2520 | iexplore.exe | 192.229.133.115:443 | ecdn9.wn.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | suspicious
2520 | iexplore.exe | 2.18.215.91:80 | ocsp.int-x3.letsencrypt.org | Akamai International B.V. | unknown |

DNS requests

Domain | IP | Reputation
newdw1.akf2oq8sbnzzph4.sporttech.pk | 184.170.255.202 | suspicious
leshauteursdeblida.com | 160.153.131.148 | unknown
ocsp.godaddy.com | 192.124.249.23, 192.124.249.22, 192.124.249.24, 192.124.249.41, 192.124.249.36 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200, 172.217.16.131 | whitelisted
crl.godaddy.com | 192.124.249.36, 192.124.249.31, 192.124.249.41 | whitelisted
reported.com | 195.149.84.100, 195.149.84.101 | unknown
isrg.trustid.ocsp.identrust.com | 2.18.213.113, 2.18.213.105 | whitelisted
ocsp.int-x3.letsencrypt.org | 2.18.215.91, 2.18.215.73, 2.18.215.58, 2.18.215.50, 2.18.213.121, 2.18.215.82 | whitelisted
wn.com | 195.149.84.100, 195.149.84.101 | whitelisted

Threats: No threats detected
Debug info: No debug info