URL: https://dreamincode.net

Full analysis: https://app.any.run/tasks/a03e94ce-0bf6-4efd-9b03-ed262f4c330b
Verdict: Malicious activity
Analysis date: August 13, 2019, 16:01:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir
Indicators:
MD5: 7AA209CB972797E027A0908DFB2A82D7
SHA1: 350F8716AC75E890710E4C5223B25546DCAB5677
SHA256: 1ABBA88C0B8860700F0163DC043AF0F29EC498969BA9E4198F0D18357BD05511
SSDEEP: 3:N8PAhO:2GO

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Executed via COM
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2812)
  • INFO
    • Reads internet explorer settings
      • iexplore.exe (PID: 3044)
    • Changes internet zones settings
      • iexplore.exe (PID: 3988)
    • Creates files in the user directory
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2812)
      • iexplore.exe (PID: 3044)
      • iexplore.exe (PID: 3988)
    • Dropped object may contain TOR URLs
      • iexplore.exe (PID: 3044)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3988)
    • Changes settings of System certificates
      • iexplore.exe (PID: 3988)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 3988)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3044)
No Malware configuration.
Total processes: 39
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start → iexplore.exe → iexplore.exe → flashutil32_26_0_0_131_activex.exe (no specs)

Process information

PID: 3988
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://dreamincode.net"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3044
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3988 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2812
CMD: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding
Path: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe
Parent process: svchost.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version: 26,0,0,131
Total events: 489
Read events: 405
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 5
Text files: 152
Unknown types: 13

Dropped files

PID 3988, iexplore.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
  Type: not listed; MD5: not listed; SHA256: not listed

PID 3988, iexplore.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Type: not listed; MD5: not listed; SHA256: not listed

PID 3044, iexplore.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AK0YYL37\thickbox[1].css
  Type: not listed; MD5: not listed; SHA256: not listed

PID 3044, iexplore.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\R96VR3X4\dreamincode_net[1].htm
  Type: html
  MD5: 801D87C364FC804AFB7461C43DA9428B
  SHA256: C01A95BEFC86B2C9CA8B41A0170E078F9B6F07212265E7E157163936C6322D2F

PID 3044, iexplore.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
  Type: dat
  MD5: B795899E37C219F3DCD274AE77DC0377
  SHA256: 36549E72D74A9F500FA5F30EBACC548E4FB61CC0273A93610055236F8747002B

PID 3044, iexplore.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\R96VR3X4\styles_7[1].css
  Type: text
  MD5: 2FBE8DA2BFF3D1D0A8ABE5D4077D4C78
  SHA256: A48B22D2258EBE9E224A74F0AEC87F358D777B59A623508AA062E4766CF83986

PID 3044, iexplore.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XBTI2I0E\styles_7[1].css
  Type: text
  MD5: 2FBE8DA2BFF3D1D0A8ABE5D4077D4C78
  SHA256: A48B22D2258EBE9E224A74F0AEC87F358D777B59A623508AA062E4766CF83986

PID 3044, iexplore.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
  Type: dat
  MD5: 51C2796C30D58D89C837EC05910ADD81
  SHA256: 2B80FCDA3485E45C4038A049ADD9F289BA7B79A86B16590B632811F7444DC0A5

PID 3044, iexplore.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@dreamincode[1].txt
  Type: text
  MD5: 2C9CAB13AE48241A142C365167E1C007
  SHA256: F853F2DC5A41CFB00187ABAA39C862D31FB78A2ADE50B7D3D47229CF58F7FE65

PID 3044, iexplore.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
  Type: dat
  MD5: C621A4B0C7AD94D096F05F45F05958E6
  SHA256: E90FA0A573633CA9470FCC2CBEE9A0D471834E8885EDDF987800AB045787FB0D
HTTP(S) requests: 37
TCP/UDP connections: 100
DNS requests: 26
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation
3044 | iexplore.exe | GET | 301 | 104.25.12.25:80 | http://cdn.dreamincode.net/forums/uploads/av-644550.gif | US | whitelisted
3044 | iexplore.exe | GET | 301 | 104.25.12.25:80 | http://cdn.dreamincode.net/forums/uploads/av-91103.jpg | US | whitelisted
3044 | iexplore.exe | GET | 301 | 104.25.12.25:80 | http://cdn.dreamincode.net/forums/style_images/dic2.1.6b/bf_new.gif | US | whitelisted
3044 | iexplore.exe | GET | 301 | 104.25.12.25:80 | http://cdn.dreamincode.net/forums/uploads/av-696215.jpg | US | whitelisted
3044 | iexplore.exe | GET | 301 | 104.25.12.25:80 | http://cdn.dreamincode.net/home/images/xml.gif | US | whitelisted
3044 | iexplore.exe | GET | 301 | 104.25.12.25:80 | http://cdn.dreamincode.net/forums/uploads/av-662997.jpg | US | whitelisted
3044 | iexplore.exe | GET | 301 | 104.25.12.25:80 | http://cdn.dreamincode.net/home/images/jump.gif | US | whitelisted
3044 | iexplore.exe | GET | 301 | 104.25.12.25:80 | http://cdn.dreamincode.net/forums/uploads/av-146038.jpg | US | whitelisted
3044 | iexplore.exe | GET | 301 | 104.25.12.25:80 | http://www.dreamincode.net/forums/public/style_images/DIC/book_open.png | US | suspicious
3044 | iexplore.exe | GET | 301 | 104.25.12.25:80 | http://www.dreamincode.net/forums/public/style_images/master/topic_button_right.png | US | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3988 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3044 | iexplore.exe | 104.25.13.25:443 | dreamincode.net | Cloudflare Inc | US | shared
3044 | iexplore.exe | 172.217.18.170:443 | ajax.googleapis.com | Google Inc. | US | whitelisted
3044 | iexplore.exe | 2.19.45.224:443 | cdn.nsstatic.net | Akamai International B.V. | | whitelisted
3044 | iexplore.exe | 13.35.253.10:443 | quantcast.mgr.consensu.org | | US | suspicious
3044 | iexplore.exe | 104.25.12.25:443 | dreamincode.net | Cloudflare Inc | US | shared
3044 | iexplore.exe | 172.217.18.10:443 | ajax.googleapis.com | Google Inc. | US | whitelisted
3044 | iexplore.exe | 104.25.12.25:80 | dreamincode.net | Cloudflare Inc | US | shared
3044 | iexplore.exe | 216.58.206.4:443 | www.google.com | Google Inc. | US | whitelisted
3044 | iexplore.exe | 172.217.22.14:443 | feeds.feedburner.com | Google Inc. | US | whitelisted

DNS requests

Domain (reputation): resolved IPs

dreamincode.net (suspicious)
  • 104.25.13.25
  • 104.25.12.25
www.bing.com (whitelisted)
  • 204.79.197.200
  • 13.107.21.200
www.dreamincode.net (suspicious)
  • 104.25.13.25
  • 104.25.12.25
ajax.googleapis.com (whitelisted)
  • 172.217.18.10
  • 172.217.18.170
  • 216.58.206.10
  • 216.58.207.42
  • 216.58.207.74
  • 172.217.16.170
  • 216.58.208.42
  • 172.217.16.138
  • 172.217.22.42
  • 172.217.22.74
  • 172.217.22.106
  • 216.58.210.10
  • 172.217.16.202
  • 172.217.18.106
  • 172.217.23.170
  • 172.217.21.202
cdn.nsstatic.net (whitelisted)
  • 2.19.45.224
dns.msftncsi.com (shared)
  • 131.107.255.255
quantcast.mgr.consensu.org (whitelisted)
  • 13.35.253.10
  • 13.35.253.100
  • 13.35.253.129
  • 13.35.253.55
cdn.dreamincode.net (whitelisted)
  • 104.25.12.25
  • 104.25.13.25
www.google.com (whitelisted)
  • 216.58.206.4
edge.quantserve.com (whitelisted)
  • 91.228.74.235
  • 91.228.74.212
  • 91.228.74.225
  • 91.228.74.251
  • 91.228.74.228
  • 91.228.74.242
  • 91.228.74.250
  • 91.228.74.209

Threats

PID | Process | Class | Message
3044 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] SocEng SSL Certificate
3044 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] SocEng SSL Certificate
3 ETPRO signatures available at the full report
No debug info