URL: https://workupload.com/start/JFGtDndxLHp

Full analysis: https://app.any.run/tasks/da712d4e-31da-499f-9422-4adab1e0169b
Verdict: Malicious activity
Analysis date: May 20, 2022, 23:44:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: A540F23DAE58AA1F5A977905C40B72F9
SHA1: F90F01000B8A4F53F62DAA728AE4C223688F9F9E
SHA256: 12DBC9209E87F7DE939A4CF8B1C9BF6C1232BC480DA36E93C30AD41317A4B179
SSDEEP: 3:N8bXOrZDJiRDdJ:2itDJyBJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 736)
      • Kyanite.exe (PID: 3264)
    • Application was dropped or rewritten from another process

      • Kyanite.exe (PID: 3264)
    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3636)
      • Kyanite.exe (PID: 3264)
    • Starts Visual C# compiler

      • Kyanite.exe (PID: 3264)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 932)
    • Reads the computer name

      • WinRAR.exe (PID: 736)
      • Kyanite.exe (PID: 3264)
    • Checks supported languages

      • WinRAR.exe (PID: 736)
      • Kyanite.exe (PID: 3264)
      • csc.exe (PID: 3912)
      • csc.exe (PID: 2516)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 736)
      • Kyanite.exe (PID: 3264)
    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 736)
      • Kyanite.exe (PID: 3264)
    • Reads Environment values

      • Kyanite.exe (PID: 3264)
  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 760)
      • iexplore.exe (PID: 932)
    • Checks supported languages

      • iexplore.exe (PID: 760)
      • iexplore.exe (PID: 932)
    • Application launched itself

      • iexplore.exe (PID: 760)
    • Changes internet zones settings

      • iexplore.exe (PID: 760)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 932)
      • iexplore.exe (PID: 760)
    • Creates files in the user directory

      • iexplore.exe (PID: 932)
      • iexplore.exe (PID: 760)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 760)
      • iexplore.exe (PID: 932)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 760)
    • Changes settings of System certificates

      • iexplore.exe (PID: 760)
    • Manual execution by user

      • WinRAR.exe (PID: 736)
      • Kyanite.exe (PID: 3264)
    • Reads internet explorer settings

      • iexplore.exe (PID: 932)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 760)
    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 736)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 7
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Nodes: start, iexplore.exe, iexplore.exe, winrar.exe, searchprotocolhost.exe (no specs), kyanite.exe, csc.exe (no specs), csc.exe (no specs)

Process information

PID: 760
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://workupload.com/start/JFGtDndxLHp"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 932
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:760 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 736
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\BlitzedGrabber6969.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 3636
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\system32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211)

PID: 3264
CMD: "C:\Users\admin\Desktop\BlitzedGrabber6969\Kyanite.exe"
Path: C:\Users\admin\Desktop\BlitzedGrabber6969\Kyanite.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: Kyanite
Version: 1.0.0.0

PID: 3912
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\yempkxu1.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Parent process: Kyanite.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 1
Version: 4.0.30319.34209 built by: FX452RTMGDR

PID: 2516
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\tgphx2cy.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
Parent process: Kyanite.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 1
Version: 4.0.30319.34209 built by: FX452RTMGDR
Total events: 14 844
Read events: 14 652
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 20
Suspicious files: 21
Text files: 39
Unknown types: 18

Dropped files

PID | Process | Filename | Type
932 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\15D6CD41EC127C739654F6DCE221B581 | der
  MD5: 6E4373CCE4A362B2174E34D1CC326AC2
  SHA256: 7D79EDBD54E91E3DA420C8FBB29229C3259519C8B789F359F57E923AD11E9B68
932 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 | der
  MD5: 54E9306F95F32E50CCD58AF19753D929
  SHA256: 45F94DCEB18A8F738A26DA09CE4558995A4FE02B971882E8116FC9B59813BB72
932 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 | binary
  MD5: 381A5FB3A26701743DF78064742875A3
  SHA256: 6609F4CE7D86E6576A2A43A503B3375727B95B82995F866C2BDFD804A8B3BAB0
760 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der
  MD5: AC8FE9D561E9E7288AECF13F03AEA3D1
  SHA256: CECD911136F3CCBE6F4869CBCBD9FD15B3FA91CD2FD49B9655FA3BCF8E932C05
932 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabE064.tmp | compressed
  MD5: B9F21D8DB36E88831E5352BB82C438B3
  SHA256: 998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
932 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\790Q91CU.txt | text
  MD5: C979D08DE3421FCB235B95767015D103
  SHA256: 0C852982C72CBD35BBD190C1C32065167AB5F41D0A4400F5ED990A4057E58F90
932 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: 4C0440F1F6117667D3AE87F5A435E360
  SHA256: E47F261A38CA11D5918A355961446DF1F3B8C8571972A5B1ACE382DCCA730738
932 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed
  MD5: B9F21D8DB36E88831E5352BB82C438B3
  SHA256: 998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
932 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarE075.tmp | cat
  MD5: E721613517543768F0DE47A6EEEE3475
  SHA256: 3163B82D1289693122EF99ED6C3C1911F68AA2A7296907CEBF84C897141CED4E
932 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\15D6CD41EC127C739654F6DCE221B581 | binary
  MD5: 08D415E65D950EC21106E0452C321391
  SHA256: DD73183A4EF90EC8983439EA79267F24A7BCF1634EF69BDC546C93D21C4633BC
HTTP(S) requests: 12
TCP/UDP connections: 43
DNS requests: 20
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
932 | iexplore.exe | GET | 200 | 104.90.178.254:80 | http://x1.c.lencr.org/ | NL | der | 717 b | whitelisted
932 | iexplore.exe | GET | 200 | 142.250.184.227:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEG3aTvFLTYzNCmxS2fUJutw%3D | US | der | 471 b | whitelisted
932 | iexplore.exe | GET | 200 | 142.250.184.227:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDwQ9JNOs3IcArkp%2FBu7NbU | US | der | 472 b | whitelisted
760 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D | US | der | 471 b | whitelisted
760 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
932 | iexplore.exe | GET | 200 | 92.123.195.28:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgPJRD8gx2YU%2FI6sdUU76qBCNQ%3D%3D | unknown | der | 503 b | shared
932 | iexplore.exe | GET | 200 | 178.79.242.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?6973aa0a37a4c3a8 | DE | compressed | 60.0 Kb | whitelisted
760 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
932 | iexplore.exe | GET | 200 | 142.250.184.227:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted
932 | iexplore.exe | GET | 200 | 142.250.184.227:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEFsL8ccV6MRJElibH7RYju4%3D | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
760 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
760 | iexplore.exe | 13.107.21.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
932 | iexplore.exe | 142.132.152.244:443 | workupload.com | MRNet | CA | unknown
932 | iexplore.exe | 142.250.185.228:443 | www.google.com | Google Inc. | US | whitelisted
932 | iexplore.exe | 178.79.242.128:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | DE | malicious
932 | iexplore.exe | 92.123.195.28:80 | r3.o.lencr.org | Akamai International B.V. | (not given) | suspicious
932 | iexplore.exe | 104.90.178.254:80 | x1.c.lencr.org | Akamai Technologies, Inc. | NL | unknown
760 | iexplore.exe | 142.132.152.244:443 | workupload.com | MRNet | CA | unknown
760 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
932 | iexplore.exe | 142.250.184.227:80 | ocsp.pki.goog | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
workupload.com | 142.132.152.244 | whitelisted
ctldl.windowsupdate.com | 178.79.242.128, 95.140.236.0 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 13.107.21.200, 204.79.197.200 | whitelisted
x1.c.lencr.org | 104.90.178.254 | whitelisted
r3.o.lencr.org | 92.123.195.28, 92.123.195.35 | shared
www.google.com | 142.250.185.228 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
ocsp.pki.goog | 142.250.184.227 | whitelisted
www.google-analytics.com | 142.250.186.142 | whitelisted

Threats

No threats detected
No debug info