analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://kamlab.fr/Documents/012019

Full analysis: https://app.any.run/tasks/c37f30c2-de93-4268-9989-b45938cdfe37
Verdict: Malicious activity
Analysis date: January 22, 2019, 20:28:23
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MD5:

54129E5300F495E2FFB8C344229C3ABE

SHA1:

7738C9D58A7D0F0AE52C177EE0EA980464BB49B0

SHA256:

3F33A8EEF3F09A688D8D77597F1A01D512F06ED2263AEDD6AA8CCE8320D1E7EF

SSDEEP:

3:N1KVE0qqyfc:Cu01Yc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2836)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 3216)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3216)
    • Changes internet zones settings

      • iexplore.exe (PID: 2836)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3216)
    • Creates files in the user directory

      • iexplore.exe (PID: 3216)
      • iexplore.exe (PID: 2836)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2836"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3216"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2836 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
401
Read events
335
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
10
Unknown types
2

Dropped files

PID
Process
Filename
Type
2836iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2836iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3216iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\012019[1].txt
MD5:
SHA256:
2836iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].htm
MD5:
SHA256:
2836iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico
MD5:
SHA256:
3216iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\web[1].config
MD5:
SHA256:
3216iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\Documents[1].txt
MD5:
SHA256:
3216iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\kamlab_fr[1].txt
MD5:
SHA256:
3216iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\Documents[1].htmhtml
MD5:075A25A33BAB8922BA9E183F5CEC3D7E
SHA256:006BB1075451252C101D6CD159F0A682CDBD63473C485908279EBD4DE4772569
3216iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019012220190123\index.datdat
MD5:8A977D9FE1F6E0ED7407B76DA8B2A0FB
SHA256:F85BE84BB15A923CDF4BD89875AAFC5F55CAB51BA2DC04F7EAF38B5E0E252A8E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
8
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3216
iexplore.exe
GET
301
87.98.154.146:80
http://kamlab.fr/Documents/012019
FR
html
242 b
malicious
2836
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3216
iexplore.exe
GET
87.98.154.146:80
http://kamlab.fr/Documents/012019/.673845de00f2eecc44f871f4c056edf5879ac23b
FR
malicious
3216
iexplore.exe
GET
200
87.98.154.146:80
http://kamlab.fr/Documents/012019/
FR
html
454 b
malicious
3216
iexplore.exe
GET
200
87.98.154.146:80
http://kamlab.fr/Documents/
FR
html
338 b
malicious
3216
iexplore.exe
GET
200
87.98.154.146:80
http://kamlab.fr/__ovh_icons/blank.gif
FR
image
148 b
malicious
3216
iexplore.exe
GET
200
87.98.154.146:80
http://kamlab.fr/
FR
text
1.75 Kb
malicious
3216
iexplore.exe
GET
200
87.98.154.146:80
http://kamlab.fr/Documents/012019/index.php.suspected
FR
text
60.3 Kb
malicious
3216
iexplore.exe
GET
200
87.98.154.146:80
http://kamlab.fr/__ovh_icons/unknown.gif
FR
image
245 b
malicious
3216
iexplore.exe
GET
200
87.98.154.146:80
http://kamlab.fr/__ovh_icons/back.gif
FR
image
216 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2836
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3216
iexplore.exe
87.98.154.146:80
kamlab.fr
OVH SAS
FR
malicious
2836
iexplore.exe
87.98.154.146:80
kamlab.fr
OVH SAS
FR
malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
kamlab.fr
  • 87.98.154.146
malicious

Threats

No threats detected
No debug info