URL:

http://www.ikat.kronicd.net/

Full analysis: https://app.any.run/tasks/c213ef47-56d3-4614-976f-e8d657fb3da4
Verdict: Suspicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 02, 2019, 17:41:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
loader
Indicators:
MD5:

6028C4DA54A3EAC34095106E1E4D8377

SHA1:

7ABC19B2DE0575C0EF7548C861004285047FCDDF

SHA256:

175BD97772FDD89B0ACD6852ED8FC2E76FCBD6EAD07A176A39716F0245810555

SSDEEP:

3:N1KJS4A8K9z:Cc4ARz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Downloads executable files from the Internet

      • dfsvc.exe (PID: 1456)
    • Application was dropped or rewritten from another process

      • Ikat ClickOnce Executor.exe (PID: 2132)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • dfsvc.exe (PID: 1456)
    • Creates files in the user directory

      • dfsvc.exe (PID: 1456)
    • Reads Environment values

      • dfsvc.exe (PID: 1456)
    • Reads internet explorer settings

      • dfsvc.exe (PID: 1456)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2164)
      • iexplore.exe (PID: 2180)
      • iexplore.exe (PID: 3848)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2164)
      • iexplore.exe (PID: 2180)
    • Application launched itself

      • iexplore.exe (PID: 3848)
    • Changes internet zones settings

      • iexplore.exe (PID: 3848)
    • Creates files in the user directory

      • iexplore.exe (PID: 2164)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
6
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start drop and start iexplore.exe iexplore.exe iexplore.exe no specs dfsvc.exe no specs dfsvc.exe ikat clickonce executor.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1456"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
ClickOnce
Exit code:
0
Version:
4.6.1055.0 built by: NETFXREL2
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\dfsvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2132"C:\Users\admin\AppData\Local\Apps\2.0\42PYRCWV.1KY\PK8MV1PH.TBQ\ikat..tion_8560db2566987a29_0001.0000_c8fe114d81e48a5c\Ikat ClickOnce Executor.exe"C:\Users\admin\AppData\Local\Apps\2.0\42PYRCWV.1KY\PK8MV1PH.TBQ\ikat..tion_8560db2566987a29_0001.0000_c8fe114d81e48a5c\Ikat ClickOnce Executor.exedfsvc.exe
User:
admin
Integrity Level:
MEDIUM
Description:
WindowsFormsApplication1
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\apps\2.0\42pyrcwv.1ky\pk8mv1ph.tbq\ikat..tion_8560db2566987a29_0001.0000_c8fe114d81e48a5c\ikat clickonce executor.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
2164"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3848 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2180"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3848 CREDAT:6403C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2360"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
ClickOnce
Exit code:
0
Version:
4.6.1055.0 built by: NETFXREL2
Modules
Images
c:\windows\microsoft.net\framework\v4.0.30319\dfsvc.exe
c:\systemroot\system32\ntdll.dll
3848"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
831
Read events
644
Write events
180
Delete events
7

Modification events

(PID) Process:(3848) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3848) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3848) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3848) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(3848) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3848) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(3848) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{9D583C95-6D01-11E9-A370-5254004A04AF}
Value:
0
(PID) Process:(3848) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(3848) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
1
(PID) Process:(3848) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E30705000400020011002A000C007C02
Executable files
2
Suspicious files
7
Text files
42
Unknown types
8

Dropped files

PID
Process
Filename
Type
3848iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
3848iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2164iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
2164iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UZJ4CGQG\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
2164iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9ZCGZBOG\favcenter[1]image
MD5:25D76EE5FB5B890F2CC022D94A42FE19
SHA256:07D07A467E4988D3C377ACD6DC9E53ABCA6B64E8FBF70F6BE19D795A1619289B
2164iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:
SHA256:
2164iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XP3OXSV2\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
2164iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9ZCGZBOG\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
2164iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UZJ4CGQG\tools[1]image
MD5:6F20BA58551E13CFD87EC059327EFFD0
SHA256:62A7038CC42C1482D70465192318F21FC1CE0F0C737CB8804137F38A1F9D680B
2164iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
17
TCP/UDP connections
14
DNS requests
5
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3848
iexplore.exe
GET
200
64.90.41.174:80
http://www.ikat.kronicd.net/favicon.ico
US
suspicious
2164
iexplore.exe
GET
200
64.90.41.174:80
http://www.ikat.kronicd.net/
US
html
809 b
suspicious
2164
iexplore.exe
GET
200
64.90.41.174:80
http://www.ikat.kronicd.net/Windows/
US
html
676 b
suspicious
2164
iexplore.exe
GET
200
64.90.41.174:80
http://www.ikat.kronicd.net/Windows/style.css
US
text
1.05 Kb
suspicious
2164
iexplore.exe
GET
200
64.90.41.174:80
http://www.ikat.kronicd.net/Windows/overlib.js
US
text
8.64 Kb
suspicious
2164
iexplore.exe
GET
200
64.90.41.174:80
http://www.ikat.kronicd.net/Windows/office-info.html
US
html
500 b
suspicious
2164
iexplore.exe
GET
200
64.90.41.174:80
http://www.ikat.kronicd.net/Windows/ikatclickonce-info.html
US
html
1.09 Kb
suspicious
2164
iexplore.exe
GET
200
64.90.41.174:80
http://www.ikat.kronicd.net/Windows/nav.html
US
html
1.37 Kb
suspicious
2164
iexplore.exe
GET
200
64.90.41.174:80
http://www.ikat.kronicd.net/Windows/clickonce/executor/Ikat%20ClickOnce%20Executor.application
US
xml
5.28 Kb
suspicious
2164
iexplore.exe
GET
200
64.90.41.174:80
http://www.ikat.kronicd.net/Windows/blank.html
US
text
128 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2164
iexplore.exe
64.90.41.174:80
www.ikat.kronicd.net
New Dream Network, LLC
US
suspicious
1456
dfsvc.exe
64.90.41.174:80
www.ikat.kronicd.net
New Dream Network, LLC
US
suspicious
1456
dfsvc.exe
93.184.221.240:80
www.download.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3848
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
64.90.41.174:80
www.ikat.kronicd.net
New Dream Network, LLC
US
suspicious
3848
iexplore.exe
64.90.41.174:80
www.ikat.kronicd.net
New Dream Network, LLC
US
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.ikat.kronicd.net
  • 64.90.41.174
suspicious
dns.msftncsi.com
  • 131.107.255.255
shared
www.download.windowsupdate.com
  • 93.184.221.240
whitelisted

Threats

PID
Process
Class
Message
1456
dfsvc.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
Process
Message
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status Originated: -1073741772 *** Source File: d:\iso_whid\x86fre\base\isolation\win32\isoreg_direct.cpp, line 1127