analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

index.html

Full analysis: https://app.any.run/tasks/704113aa-4480-4e94-8289-03f404864eff
Verdict: Malicious activity
Analysis date: August 18, 2019, 06:29:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MIME: text/html
File info: HTML document, UTF-8 Unicode text, with very long lines
MD5:

38BA37386419FDB1FC3B93E7CBBAC543

SHA1:

45D49C96782861161650AB2B5071D8EFC8897A23

SHA256:

2DBC51E3CFC77B35AA6EFB705394F2DE9FE199D0B0BCDE2751F05266A8759712

SSDEEP:

768:wPYhgn/DX3PLCj5qZMgGXbr+v65ntYQlV7UVBTz5Klp0z7Ha8KaVHNTPE+VQbx2:wPzn/DX3PLCdbr+v6oY4zIlp0X68KajT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • wishmaster.exe (PID: 1584)

  • SUSPICIOUS

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 1524)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2824)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3352)

    • Creates files in the user directory

      • iexplore.exe (PID: 3820)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 1524)
      • iexplore.exe (PID: 2400)
      • iexplore.exe (PID: 3280)

    • Application launched itself

      • iexplore.exe (PID: 3352)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3280)
      • iexplore.exe (PID: 3820)
      • iexplore.exe (PID: 2400)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3280)
      • iexplore.exe (PID: 3352)
      • iexplore.exe (PID: 3820)
      • iexplore.exe (PID: 2400)

    • Manual execution by user

      • taskmgr.exe (PID: 3476)
      • control.exe (PID: 4060)
      • rundll32.exe (PID: 4036)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3280)
      • iexplore.exe (PID: 2400)

    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 2400)
      • iexplore.exe (PID: 3280)

    • Modifies the open verb of a shell class

      • rundll32.exe (PID: 4036)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)

EXIF

HTML

Title: Lurkmore
Generator: MediaWiki 1.19.24
Description: Здравствуйте. Это Луркоморье — русский луркмоар. Вы можете редактировать любую статью, так же как и в Википедии. Но, в отличие от википедии, мы не ставим своей целью написать обо всем на свете сразу и не руководствуемся мифическими критериями «значимости» и «энциклопедичности». Само получается.
ResourceLoaderDynamicStyles: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
56
Monitored processes
11
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start iexplore.exe iexplore.exe no specs iexplore.exe taskmgr.exe no specs control.exe no specs flashutil32_26_0_0_131_activex.exe no specs iexplore.exe rundll32.exe no specs winrar.exe wishmaster.exe no specs shutdown.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3352"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\index.htmlC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1073807364
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3820"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3352 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3280"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3352 CREDAT:137473C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3476"C:\Windows\system32\taskmgr.exe" /4C:\Windows\system32\taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Task Manager
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4060"C:\Windows\System32\control.exe" SYSTEMC:\Windows\System32\control.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Control Panel
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1524C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Exit code:
1073807364
Version:
26,0,0,131
2400"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3352 CREDAT:6422C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
4036"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\Wishmaster.jpgC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2824"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\Wishmaster.jpg"C:\Program Files\WinRAR\WinRAR.exe
rundll32.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
1073807364
Version:
5.60.0
1584"C:\Users\admin\AppData\Local\Temp\Rar$EXa2824.5104\wishmaster.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2824.5104\wishmaster.exeWinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Total events
3 001
Read events
2 468
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
4
Text files
235
Unknown types
13

Dropped files

PID
Process
Filename
Type
3352iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
3352iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3280iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QU1UU192\lurkmore_to[1].txt
MD5:
SHA256:
3352iexplore.exeC:\Users\admin\AppData\Local\Temp\StructuredQuery.logtext
MD5:7C62A9C99516C351FA5E04FAAD289BEA
SHA256:66D371B477D712DEA787F07F52599521340432064FAF44D67501DDB7F4AAD2EA
3280iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:B9612A1C3F4670B545B4E73142EDA770
SHA256:F2753699F10A23BC07F81E9E5489D42635E7C1686F57ED3B5BF7A629ABA7BECC
3280iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@rareru[1].txttext
MD5:B3D9F9930086084AF4996D72B379C714
SHA256:8757C6E833679F3A0478A4BB7F5D96B5A1CEE42D3FEB32F856C75305B526D741
3280iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QU71T5GQ\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3280iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\M3R401CH\expand_nor[1]image
MD5:897AD8408A1CB6A37F8C8A1756C6E3FA
SHA256:1D0059946A9C05B0747FE7208A96BE14B5EE888F33FBF3EAB2D9A01518EB3569
3280iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:FBF116EC374018F5663473EBC41857FB
SHA256:5984810E0FE5605D8B19F2E6DFCDAA1BF7E5231756E11A0C4FD6A77EBCCD7F4D
3280iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0A7I78I2\f[1].txttext
MD5:0340C49045A23003CE6F672194A5F3EA
SHA256:FEF51D7A7FC11A0D1E061D01EA7A43F41465B33A4720EFFF8CDB6641BC0FB36F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
152
TCP/UDP connections
117
DNS requests
36
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3280
iexplore.exe
GET
200
77.88.21.90:80
http://an.yandex.ru/system/context.js
RU
text
16.3 Kb
whitelisted
3280
iexplore.exe
GET
200
188.42.196.32:80
http://lurkmore.to/
LU
html
13.2 Kb
whitelisted
3280
iexplore.exe
GET
200
188.42.196.32:80
http://lurkmore.to/load.php?debug=false&lang=ru&modules=jquery-new%2Cmediawiki%2Cprettyphoto&only=scripts&skin=ventus&version=20160802T095348Z
LU
html
43.3 Kb
whitelisted
3280
iexplore.exe
GET
200
216.58.205.226:80
http://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js
US
text
34.0 Kb
whitelisted
3280
iexplore.exe
GET
200
188.42.196.32:80
http://lurkmore.to/skins/common/common.css
LU
text
17.7 Kb
whitelisted
3280
iexplore.exe
GET
200
178.154.131.215:80
http://yastatic.net/pcode/adfox/header-bidding.js
RU
text
37.3 Kb
whitelisted
3352
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3280
iexplore.exe
GET
200
188.42.196.32:80
http://lurkmore.to/load.php?debug=false&lang=ru&modules=mediawiki.legacy.commonPrint%2Cshared&only=styles&skin=ventus&*
LU
text
13.0 Kb
whitelisted
3280
iexplore.exe
GET
200
188.42.196.32:80
http://lurkmore.to/skins/ventus/main.css?303
LU
text
16.1 Kb
whitelisted
3280
iexplore.exe
GET
302
188.42.191.196:80
http://ads.betweendigital.com/sspmatch-js?randsalt=3324089784
LU
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
216.58.205.226:139
pagead2.googlesyndication.com
Google Inc.
US
whitelisted
4
System
188.42.196.32:445
lurkmore.to
Servers.com, Inc.
LU
suspicious
3352
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
4
System
216.58.205.226:445
pagead2.googlesyndication.com
Google Inc.
US
whitelisted
188.42.196.32:137
lurkmore.to
Servers.com, Inc.
LU
suspicious
3280
iexplore.exe
188.42.196.32:80
lurkmore.to
Servers.com, Inc.
LU
suspicious
3280
iexplore.exe
216.58.205.226:80
pagead2.googlesyndication.com
Google Inc.
US
whitelisted
3280
iexplore.exe
178.154.131.215:80
yastatic.net
YANDEX LLC
RU
whitelisted
3280
iexplore.exe
77.88.21.90:80
an.yandex.ru
YANDEX LLC
RU
whitelisted
4
System
77.88.21.90:445
an.yandex.ru
YANDEX LLC
RU
whitelisted

DNS requests

Domain
IP
Reputation
lurkmore.to
  • 188.42.196.32
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
pagead2.googlesyndication.com
  • 216.58.205.226
whitelisted
an.yandex.ru
  • 77.88.21.90
  • 93.158.134.90
  • 213.180.193.90
  • 213.180.204.90
  • 87.250.250.90
whitelisted
yastatic.net
  • 178.154.131.215
  • 178.154.131.217
  • 178.154.131.216
whitelisted
abc.rareru.ru
  • 136.243.73.200
unknown
ax.rareru.ru
  • 136.243.73.200
unknown
ad.mail.ru
  • 94.100.180.197
whitelisted
ads.betweendigital.com
  • 188.42.191.196
  • 188.42.196.115
whitelisted
counter.yadro.ru
  • 88.212.196.123
  • 88.212.196.124
  • 88.212.201.193
  • 88.212.201.194
  • 88.212.201.195
  • 88.212.201.196
  • 88.212.201.197
  • 88.212.201.199
  • 88.212.201.205
  • 88.212.201.207
  • 88.212.201.208
  • 88.212.196.66
  • 88.212.196.69
  • 88.212.196.72
  • 88.212.196.75
  • 88.212.196.77
  • 88.212.196.101
  • 88.212.196.102
  • 88.212.196.103
  • 88.212.196.104
  • 88.212.196.105
  • 88.212.196.122
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query for .to TLD
Potentially Bad Traffic
ET DNS Query for .to TLD
Potentially Bad Traffic
ET DNS Query for .to TLD
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
index.html