analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://cdn.discordapp.com/attachments/644441640345403413/652043766257156096/TT_SWIFT_COPY_pdf_____________________________________________________________.r00

Full analysis: https://app.any.run/tasks/8481fa85-91b2-4868-9b42-3142d0a2f95b
Verdict: Malicious activity
Analysis date: December 06, 2019, 12:59:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
Indicators:
MD5:

466996E0CE8D20BDE892F1F81783C31F

SHA1:

1EC9265143F651A68E0550CA6A1C001652C1F25B

SHA256:

2FD057BC22CB6648D9A7CA82C6C736D6601222D124CDADD015FF6651FCEA83CD

SSDEEP:

3:N8cCWdy6//dR5rUNcFT1iTKKGjx6M+C666uv:2cry6XdR5rXT1itGon6jv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • TT SWIFT COPY_pdf_____________________________________________________________.exe (PID: 2352)
      • TT SWIFT COPY_pdf_____________________________________________________________.exe (PID: 996)

    • Changes the autorun value in the registry

      • TT SWIFT COPY_pdf_____________________________________________________________.exe (PID: 2352)

    • Actions looks like stealing of personal data

      • InstallUtil.exe (PID: 2444)
      • InstallUtil.exe (PID: 2392)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4052)
      • TT SWIFT COPY_pdf_____________________________________________________________.exe (PID: 2352)

    • Creates files in the user directory

      • TT SWIFT COPY_pdf_____________________________________________________________.exe (PID: 2352)

    • Checks for external IP

      • InstallUtil.exe (PID: 2444)
      • InstallUtil.exe (PID: 2392)

    • Loads DLL from Mozilla Firefox

      • InstallUtil.exe (PID: 2444)
      • InstallUtil.exe (PID: 2392)

    • Connects to SMTP port

      • InstallUtil.exe (PID: 2444)
      • InstallUtil.exe (PID: 2392)

  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 3728)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3728)
      • iexplore.exe (PID: 2524)

    • Changes internet zones settings

      • iexplore.exe (PID: 2524)

    • Application launched itself

      • iexplore.exe (PID: 2524)

    • Manual execution by user

      • WinRAR.exe (PID: 4052)
      • TT SWIFT COPY_pdf_____________________________________________________________.exe (PID: 996)
      • TT SWIFT COPY_pdf_____________________________________________________________.exe (PID: 2352)

    • Reads settings of System Certificates

      • InstallUtil.exe (PID: 2444)
      • InstallUtil.exe (PID: 2392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
7
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe winrar.exe tt swift copy_pdf_____________________________________________________________.exe tt swift copy_pdf_____________________________________________________________.exe installutil.exe installutil.exe

Process information

PID
CMD
Path
Indicators
Parent process
2524"C:\Program Files\Internet Explorer\iexplore.exe" "https://cdn.discordapp.com/attachments/644441640345403413/652043766257156096/TT_SWIFT_COPY_pdf_____________________________________________________________.r00"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3728"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2524 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
4052"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\TT_SWIFT_COPY_pdf_____________________________________________________________.r00" C:\Users\admin\Downloads\C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
2352"C:\Users\admin\Downloads\TT SWIFT COPY_pdf_____________________________________________________________.exe" C:\Users\admin\Downloads\TT SWIFT COPY_pdf_____________________________________________________________.exe
explorer.exe
User:
admin
Company:
Atilla Best!
Integrity Level:
MEDIUM
Description:
Exit code:
1
Version:
1.1.1.1
996"C:\Users\admin\Downloads\TT SWIFT COPY_pdf_____________________________________________________________.exe" C:\Users\admin\Downloads\TT SWIFT COPY_pdf_____________________________________________________________.exe
explorer.exe
User:
admin
Company:
Atilla Best!
Integrity Level:
HIGH
Description:
Exit code:
1
Version:
1.1.1.1
2444"C:\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
TT SWIFT COPY_pdf_____________________________________________________________.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
.NET Framework installation utility
Version:
4.7.3062.0 built by: NET472REL1
2392"C:\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\InstallUtil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
TT SWIFT COPY_pdf_____________________________________________________________.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
.NET Framework installation utility
Version:
4.7.3062.0 built by: NET472REL1
Total events
1 008
Read events
877
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
3
Text files
9
Unknown types
4

Dropped files

PID
Process
Filename
Type
2524iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
2524iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2524iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFF2DB977C10048C38.TMP
MD5:
SHA256:
2524iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFC7A7576DC85614A9.TMP
MD5:
SHA256:
2524iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{54B51157-1828-11EA-AB41-5254004A04AF}.dat
MD5:
SHA256:
3728iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:D806B9356AECCE2518F0C6CE2E3B7A40
SHA256:6FE3629737F2AEC17FDA0662AC1B57DF494DE4650382ED632BD2112A2F7D0433
2524iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{54B51158-1828-11EA-AB41-5254004A04AF}.datbinary
MD5:91C7F40DA25B92B8F604DE9C36C3DD28
SHA256:590E05E8CDAE06A8AC6B39EC158F6062829B92409277D6DF47B74D76AC54A1B0
3728iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.datdat
MD5:BB24514440A428A21BF6EAB854A52E5D
SHA256:7FFD3DA4388B7D3C2BB2289D549B354DA15B87AFE2B0651AED3A5D8C3ECF044D
3728iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@discordapp[1].txttext
MD5:3B2B849C59385789C76A1BDA18656A4D
SHA256:39B6D5729D566C372C8B9DF5B4AED5DC5D252A78CE2257F1EF73971C6DDE8169
2524iexplore.exeC:\Users\admin\Downloads\TT_SWIFT_COPY_pdf_____________________________________________________________.r00compressed
MD5:0A8AF9ABE3ED37BD86BCF85C8535A29B
SHA256:68051BDBF30EC27221587D6F56D7D0BCE5708BD5E78A8077F4D2CDC1CEB77B41
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
6
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2392
InstallUtil.exe
GET
200
216.146.43.70:80
http://checkip.dyndns.org/
US
html
104 b
shared
2444
InstallUtil.exe
GET
200
216.146.43.70:80
http://checkip.dyndns.org/
US
html
104 b
shared
2524
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2524
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3728
iexplore.exe
162.159.135.233:443
cdn.discordapp.com
Cloudflare Inc
shared
2444
InstallUtil.exe
199.193.7.228:587
smtp.privateemail.com
Namecheap, Inc.
US
unknown
2392
InstallUtil.exe
216.146.43.70:80
checkip.dyndns.org
Dynamic Network Services, Inc.
US
shared
2444
InstallUtil.exe
216.146.43.70:80
checkip.dyndns.org
Dynamic Network Services, Inc.
US
shared
2392
InstallUtil.exe
199.193.7.228:587
smtp.privateemail.com
Namecheap, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
cdn.discordapp.com
  • 162.159.135.233
  • 162.159.134.233
  • 162.159.129.233
  • 162.159.133.233
  • 162.159.130.233
shared
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
checkip.dyndns.org
  • 216.146.43.70
  • 216.146.43.71
  • 162.88.193.70
  • 131.186.161.70
  • 131.186.113.70
shared
smtp.privateemail.com
  • 199.193.7.228
malicious
dns.msftncsi.com
  • 131.107.255.255
shared

Threats

PID
Process
Class
Message
Misc activity
ET INFO DYNAMIC_DNS Query to *.dyndns. Domain
Misc activity
AV INFO Query to checkip.dyndns. Domain
2444
InstallUtil.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup - checkip.dyndns.org
2444
InstallUtil.exe
Potentially Bad Traffic
ET POLICY DynDNS CheckIp External IP Address Server Response
2444
InstallUtil.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
2392
InstallUtil.exe
Potential Corporate Privacy Violation
ET POLICY External IP Lookup - checkip.dyndns.org
2392
InstallUtil.exe
Potentially Bad Traffic
ET POLICY DynDNS CheckIp External IP Address Server Response
2392
InstallUtil.exe
Generic Protocol Command Decode
SURICATA Applayer Detect protocol only one direction
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://cdn.discordapp.com/attachments/644441640345403413/652043766257156096/TT_SWIFT_COPY_pdf_____________________________________________________________.r00