analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://pine-kko.com/sp.php?utm_medium=14187&file_name=mbox-1-driver&utm_source=AA1qYVtrNwAArLgBAEpQFwAmAJMX4MAA

Full analysis: https://app.any.run/tasks/06f8e847-b13e-45d1-959b-ab2027f61bcf
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 08, 2018, 06:52:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
adware
icloader
opendir
Indicators:
MD5:

7DBBF9766B096C24DFA8072C758A4EBD

SHA1:

2476338DB02C30AB18C3B895F9DD031E7C438F86

SHA256:

0F4EFCEFD9C3D1665A64AB01129FA0A87708C12183EF250BA2DF5F2C140BA50B

SSDEEP:

3:N1KOMLAMHhNVauBRIY+DDzIqHG2XzLKQWzUpxGlpaZ9R6n:COoHbVapfPIqHG2XbWz8AG9R6n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • File269879.exe (PID: 2996)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 1752)
    • ICLOADER was detected

      • File269879.exe (PID: 2996)
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • File269879.exe (PID: 2996)
    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 1752)
      • iexplore.exe (PID: 3588)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3588)
      • iexplore.exe (PID: 2172)
      • chrome.exe (PID: 2452)
      • firefox.exe (PID: 2320)
      • chrome.exe (PID: 3256)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1752)
      • iexplore.exe (PID: 2752)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1752)
      • iexplore.exe (PID: 2752)
    • Creates files in the user directory

      • iexplore.exe (PID: 1752)
      • iexplore.exe (PID: 3588)
      • iexplore.exe (PID: 2752)
      • firefox.exe (PID: 2320)
      • iexplore.exe (PID: 2172)
      • WINWORD.EXE (PID: 324)
    • Changes internet zones settings

      • iexplore.exe (PID: 3588)
      • iexplore.exe (PID: 2172)
    • Reads CPU info

      • firefox.exe (PID: 2320)
      • firefox.exe (PID: 3164)
      • firefox.exe (PID: 3740)
      • firefox.exe (PID: 3516)
    • Modifies the open verb of a shell class

      • chrome.exe (PID: 2452)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 324)
    • Reads settings of System Certificates

      • chrome.exe (PID: 3256)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
72
Monitored processes
29
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe #ICLOADER file269879.exe cmd.exe no specs timeout.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs iexplore.exe iexplore.exe chrome.exe no specs chrome.exe no specs firefox.exe firefox.exe firefox.exe firefox.exe pingsender.exe winword.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3588"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1752"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3588 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2996"C:\Users\admin\Downloads\File269879.exe" C:\Users\admin\Downloads\File269879.exe
explorer.exe
User:
admin
Company:
MODJC
Integrity Level:
HIGH
Description:
MODJC Internet Security
Exit code:
0
Version:
10.2.1.2347
3560cmd.exe /C timeout 3 > Nul & Del "C:\Users\admin\Downloads\File269879.exe"C:\Windows\system32\cmd.exeFile269879.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2580timeout 3 C:\Windows\system32\timeout.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
timeout - pauses command processing
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2452"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
68.0.3440.106
2088"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=68.0.3440.106 --initial-client-data=0x78,0x7c,0x80,0x74,0x84,0x701100b0,0x701100c0,0x701100ccC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
3596"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=280 --on-initialized-event-handle=304 --parent-handle=308 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
3568"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=912,6651931031602149882,3278699734082133080,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAEAAAAAAAAAAAAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=07E85C0757024AFF26558652FCF2DC85 --mojo-platform-channel-handle=884 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
3228"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=912,6651931031602149882,3278699734082133080,131072 --enable-features=PasswordImport --service-pipe-token=E485307C2A11E5137236C08881A6C205 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=E485307C2A11E5137236C08881A6C205 --renderer-client-id=5 --mojo-platform-channel-handle=1812 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
68.0.3440.106
Total events
3 444
Read events
3 045
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
176
Text files
195
Unknown types
60

Dropped files

PID
Process
Filename
Type
3588iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
3588iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
1752iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\file[1].txt
MD5:
SHA256:
1752iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\File269879[1].exe
MD5:
SHA256:
3588iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF6FD06D293A4D41C6.TMP
MD5:
SHA256:
3588iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF8FAE398E81DD3321.TMP
MD5:
SHA256:
3588iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFEA88053064CCFC86.TMP
MD5:
SHA256:
3588iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6COKLKV24AYH8EE6KS26.temp
MD5:
SHA256:
3588iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFB7519161CC96E06E.TMP
MD5:
SHA256:
3588iexplore.exeC:\Users\admin\Downloads\File269879.exeexecutable
MD5:1386F001104592195C985CDFC013B62B
SHA256:F722AA58B37EF85672BD806089705A7453DB8D5CA40F87898B710FD9AFD54D77
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
46
TCP/UDP connections
64
DNS requests
97
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1752
iexplore.exe
GET
159.69.101.21:80
http://static.21.101.69.159.clients.your-server.de/find/7ba7f465bb5a2521a77d5c02e3cc74fb/result-550394667.dl?source=direct&return_url=http%3A%2F%2Fwww.getgosoft.com%2Fgetgodm%2Fthankyou
US
suspicious
1752
iexplore.exe
GET
200
159.69.101.21:80
http://static.21.101.69.159.clients.your-server.de/find/7ba7f465bb5a2521a77d5c02e3cc74fb/result-550394667.dl?source=direct&return_url=http%3A%2F%2Fwww.getgosoft.com%2Fgetgodm%2Fthankyou
US
executable
3.89 Mb
suspicious
1752
iexplore.exe
GET
200
159.69.101.21:80
http://static.21.101.69.159.clients.your-server.de/media/handler/images/simple-arrow-down.png
US
image
7.09 Kb
suspicious
1752
iexplore.exe
GET
200
159.69.101.21:80
http://static.21.101.69.159.clients.your-server.de/file?f=c76f40e44fa691fa681153ff71ab07f45fc2f5077aa777b6b93943bafdc7c877e28841ef2c19a697b67031a0a36fb4db273c20b70dcdd54b329d7bef6052b3bcc37f06defa61ede67eef998fc557a0d39f7ca053b0061652aa804c5a442d1a5100b1c84e80f423fb7f5587edda4ee7a965ef537519edc8309565b28f331da55627f204fdc2744289cc806f1da781c9930efce929ad218389c58d0648d9244817670eb4f905a8e0f204473abbb6c94629406e9beae125d6929b1f140b569c1892f954d700ce5af4ea495b80704c94451ca5152bf50ce834631030f4715af9a0bb1c5332c7dcbba59daf9d01&utm_source=datacash&utm_medium=default&utm_campaign=default
US
html
2.57 Kb
suspicious
1752
iexplore.exe
GET
200
159.69.101.21:80
http://static.21.101.69.159.clients.your-server.de/media/handler/css/download-arrow-simple.css
US
text
4.03 Kb
suspicious
1752
iexplore.exe
GET
200
159.69.101.21:80
http://static.21.101.69.159.clients.your-server.de/media/handler/css/main.css?b=20160408b
US
text
130 b
suspicious
2996
File269879.exe
POST
200
195.201.249.17:80
http://static.17.249.201.195.clients.your-server.de/request/autok?user=luxsoft&ver=10&key=a8d588afe11b4f83598303abd1b1afc3
RU
text
140 b
malicious
1752
iexplore.exe
GET
302
88.85.69.166:80
http://pine-kko.com/sp.php?utm_medium=14187&file_name=mbox-1-driver&utm_source=AA1qYVtrNwAArLgBAEpQFwAmAJMX4MAA
NL
suspicious
2996
File269879.exe
GET
200
162.144.221.178:80
http://www.getgosoft.com/getgodm/thankyou
US
html
12.2 Kb
suspicious
2752
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/rb/14/cj,nj/1b7dfb88/cc8437ad.js?bu=DikuWWltcWVdYaoBrgEungEu
US
text
7.54 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3588
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2172
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2452
chrome.exe
172.217.168.10:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
2452
chrome.exe
74.125.133.147:443
www.google.com
Google Inc.
US
whitelisted
1752
iexplore.exe
88.85.69.166:80
pine-kko.com
Webzilla B.V.
NL
suspicious
1752
iexplore.exe
159.69.101.21:80
static.21.101.69.159.clients.your-server.de
US
suspicious
2452
chrome.exe
172.217.168.74:443
fonts.googleapis.com
Google Inc.
US
whitelisted
2996
File269879.exe
162.144.221.178:80
www.getgosoft.com
Unified Layer
US
suspicious
2752
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2996
File269879.exe
195.201.249.17:80
static.17.249.201.195.clients.your-server.de
Awanti Ltd.
RU
malicious

DNS requests

Domain
IP
Reputation
pine-kko.com
  • 88.85.69.166
suspicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
static.21.101.69.159.clients.your-server.de
  • 159.69.101.21
suspicious
static.17.249.201.195.clients.your-server.de
  • 195.201.249.17
malicious
www.getgosoft.com
  • 162.144.221.178
unknown
www.google.de
  • 172.217.168.3
whitelisted
www.gstatic.com
  • 216.58.215.227
whitelisted
clientservices.googleapis.com
  • 108.177.15.94
whitelisted
safebrowsing.googleapis.com
  • 172.217.168.10
whitelisted
accounts.google.com
  • 172.217.168.77
shared

Threats

PID
Process
Class
Message
1752
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1752
iexplore.exe
Misc activity
ET INFO EXE - Served Attached HTTP
1752
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
1752
iexplore.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2996
File269879.exe
A Network Trojan was detected
ET MALWARE Luxsoft Win32/ICLoader User-Agent
2996
File269879.exe
Misc activity
ADWARE [PTsecurity] Application.Bundler.ICLoader Response
2996
File269879.exe
A Network Trojan was detected
ET MALWARE Luxsoft Win32/ICLoader User-Agent
2996
File269879.exe
A Network Trojan was detected
SC ADWARE SoftwareBundler:Win32/ICLoader
No debug info