URL: | https://www.udrop.com/6h5s/broken.rar |
Full analysis: | https://app.any.run/tasks/13986140-e7da-4ce4-a2d9-9189df8f36f9 |
Verdict: | Malicious activity |
Analysis date: | January 14, 2022, 22:44:43 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 09DF7BC55A422C5C4FF0E20BE0CF08AE |
SHA1: | 21930A763C8DCDB6F20F9E46FB2653DD2B80DF3E |
SHA256: | 170FD4943C30B0ACADE916287D79B60FDBF21E7929D3B7295220FCF4D4C8A6A7 |
SSDEEP: | 3:N8DSLzGTKh9v/On:2OLzKKh9v/O |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3276 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://www.udrop.com/6h5s/broken.rar" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3856 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3276 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
120 | "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\broken.rar" C:\Users\admin\Downloads\broken\ | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
1128 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\system32\SearchProtocolHost.exe | — | SearchIndexer.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Version: 7.00.7601.24542 (win7sp1_ldr_escrow.191209-2211) Modules
| |||||||||||||||
3168 | "C:\Users\admin\Downloads\broken\Gold Dork Parser.exe" | C:\Users\admin\Downloads\broken\Gold Dork Parser.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Gold Dork Parser Version: 1.0.0.0 Modules
|
(PID) Process: | (3276) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPDaysSinceLastAutoMigration |
Value: 1 | |||
(PID) Process: | (3276) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchLowDateTime |
Value: | |||
(PID) Process: | (3276) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchHighDateTime |
Value: 30935448 | |||
(PID) Process: | (3276) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: | |||
(PID) Process: | (3276) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 30935448 | |||
(PID) Process: | (3276) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (3276) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (3276) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (3276) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
(PID) Process: | (3276) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3856 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D | der | |
MD5:248A15EAB7A08CD58CC410F5EFA90565 | SHA256:64CD13EDB138E022BCFAA6F2F65A44A40E12A7BC8E889062C8167A066F6D1EA6 | |||
3856 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 | der | |
MD5:9049DD95B5F6FCA24CEEE4C6B3E6A5E8 | SHA256:694B2C932E123D40BB3786CE92F9F36AEE9F476089628034C28ECE87EBFDC10A | |||
3856 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:391C26D780B5B40E25081C5EADC0E2A9 | SHA256:13B8CFB216F5CEA17E788A2A6EC52B6A97275CF8E9D7F8D89761C06E48A4AE38 | |||
3856 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D | binary | |
MD5:3B9DFBC9CA900953F714B3D1688A87BA | SHA256:C711306D976280B99C5A01449519C7FB34F1180CD4EB6234AF5B54A18F011184 | |||
3856 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\broken[1].htm | html | |
MD5:4601F9025FBD03B18FE287F29506ECF3 | SHA256:6ED2AC65B31C533BCDFCFE0282BED7817160EB74E73C190D292B64023D41DDA8 | |||
3856 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\72SSBRVM.txt | text | |
MD5:81845FFB0434B3A46EF864B21F1945BC | SHA256:04A038321D3ED3FBE8F64412E40B7815BE3BC7FA533B2D525429B88E4746FFAA | |||
3856 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5BC0F345944148EB6CA31E060E457F9D_DEFB822B92348051F4B31FFEA0106719 | binary | |
MD5:DC214BA030F917B47AE30FD41D7BFCC6 | SHA256:7AB864ABDF3D9635A2E8BB345C39E86E7850FB83C000BC008B19C3CC795948D2 | |||
3856 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 | binary | |
MD5:2132F4F75B821B742D380E55F4FD503E | SHA256:32FC6EA752DB874A99C2BA00CA4847DC5A08428630F60976684F93E920231B9D | |||
3856 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5BC0F345944148EB6CA31E060E457F9D_DEFB822B92348051F4B31FFEA0106719 | der | |
MD5:843C8C14177006BD471A60146021D8F2 | SHA256:76AAFC8DF5A1B3E9D1E316BF24A2E7D97C74CA2983F7F364ABD8F32130782007 | |||
3856 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed | |
MD5:F7DCB24540769805E5BB30D193944DCE | SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3276 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
3168 | Gold Dork Parser.exe | GET | — | 204.79.197.200:80 | http://www.bing.com/search?q=.php%2f%252FOrder%252FBasket%3d57&first=0&last=50&count=50 | US | — | — | whitelisted |
3168 | Gold Dork Parser.exe | GET | — | 204.79.197.200:80 | http://www.bing.com/search?q=.php%2f%252FOrder%3d112&first=0&last=50&count=50 | US | — | — | whitelisted |
3168 | Gold Dork Parser.exe | GET | — | 204.79.197.200:80 | http://www.bing.com/search?q=.php%2f5%26order_type%3d456&first=0&last=50&count=50 | US | — | — | whitelisted |
3168 | Gold Dork Parser.exe | GET | — | 204.79.197.200:80 | http://www.bing.com/search?q=.aps%2fordering%2ffl%2fmetrodeli%2findex.php%3froute%3d68&first=0&last=50&count=50 | US | — | — | whitelisted |
3168 | Gold Dork Parser.exe | GET | — | 204.79.197.200:80 | http://www.bing.com/search?q=.aps%2f2694%253Apayments-to-201213-europa-league-clubs%26Itemid%3d584&first=0&last=50&count=50 | US | — | — | whitelisted |
3168 | Gold Dork Parser.exe | GET | — | 204.79.197.200:80 | http://www.bing.com/search?q=.aps%2fpay%3fproduct%3d140&first=0&last=50&count=50 | US | — | — | whitelisted |
3168 | Gold Dork Parser.exe | GET | — | 204.79.197.200:80 | http://www.bing.com/search?q=.aps%2fsupplemental-training%2fmake-payment.php%3fpkIDm%3d863&first=0&last=50&count=50 | US | — | — | whitelisted |
3856 | iexplore.exe | GET | 200 | 192.124.249.24:80 | http://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCCLq8nM%2BZiyj | US | der | 1.74 Kb | whitelisted |
3168 | Gold Dork Parser.exe | GET | 302 | 204.79.197.200:80 | http://www.bing.com/search?q=.aps%2f%252FMyAccount%252FIndex%253FstrJsonDtm%253D%25257B%252522isFromRegistration%252522%25253Atrue%25252C%252522YOB%252522%25253A1964%25252C%252522Paperless%252522%25253Atrue%25252C%252522confirmPaymentProcessed%252522%25253Atrue%25252C%252522confirmPaymentDue10Days%252522%25253Afalse%25252C%252522confirmAccountPastDue%252522%25253Afalse%25252C%252522confirmStatementAvailableOnline%252522%25253Afalse%25257D%26strJsonDtm%3d482&first=0&last=50&count=50 | US | html | 384 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3276 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3276 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3856 | iexplore.exe | 2.16.106.186:80 | ctldl.windowsupdate.com | Akamai International B.V. | — | whitelisted |
3856 | iexplore.exe | 65.103.40.169:443 | www.udrop.com | Qwest Communications Company, LLC | US | suspicious |
— | — | 192.168.100.2:53 | — | — | — | whitelisted |
3856 | iexplore.exe | 192.124.249.24:80 | ocsp.godaddy.com | Sucuri | US | suspicious |
— | — | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3276 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
— | — | 65.103.40.169:443 | www.udrop.com | Qwest Communications Company, LLC | US | suspicious |
3276 | iexplore.exe | 13.107.21.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.microsoft.com |
| whitelisted |
www.udrop.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.godaddy.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
crl3.digicert.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3168 | Gold Dork Parser.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 URI M1 |
3168 | Gold Dork Parser.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 URI M1 |
3168 | Gold Dork Parser.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 URI M1 |
3168 | Gold Dork Parser.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 URI M1 |
3168 | Gold Dork Parser.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 URI M1 |
3168 | Gold Dork Parser.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 URI M1 |
3168 | Gold Dork Parser.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 URI M1 |
3168 | Gold Dork Parser.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 URI M1 |
3168 | Gold Dork Parser.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 URI M1 |
3168 | Gold Dork Parser.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 URI M1 |