URL: http://box2012.temp.domains/~chwsolut/services.html

Full analysis: https://app.any.run/tasks/a8f66ebb-f653-4786-8208-ce967a8ded12
Verdict: Malicious activity
Analysis date: March 14, 2019, 20:25:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir
Indicators:
MD5: 99E91541D62131B85181EF730964DB06
SHA1: 8FA122A5C04B69DC23C980E642F304CA0576DF1C
SHA256: 42A1B5A13BD268ABBE8489088109A1C7B0A5E32ED267476D227435BAF352356A
SSDEEP: 3:N1KcA+KIXKS1aSWS7XAGQn:CcA+KIXx/TAGQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS: No malicious indicators.
  • SUSPICIOUS: No suspicious indicators.
  • INFO
    • Reads internet explorer settings: iexplore.exe (PID: 3536)
    • Creates files in the user directory: FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3692), iexplore.exe (PID: 3536)
    • Application launched itself: iexplore.exe (PID: 2980)
    • Changes internet zones settings: iexplore.exe (PID: 2980)
    • Reads Internet Cache Settings: iexplore.exe (PID: 3536)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 34
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Processes shown in the graph: start, iexplore.exe, iexplore.exe, flashutil32_26_0_0_131_activex.exe (no specs)

Process information

PID | CMD | Path | Indicators | Parent process
2980 | "C:\Program Files\Internet Explorer\iexplore.exe" http://box2012.temp.domains/~chwsolut/services.html | C:\Program Files\Internet Explorer\iexplore.exe | - | explorer.exe
    User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3536 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2980 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | - | iexplore.exe
    User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3692 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | - | svchost.exe
    User: admin; Company: Adobe Systems Incorporated; Integrity Level: MEDIUM; Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0; Version: 26,0,0,131
Total events: 451
Read events: 381
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 0
Text files: 36
Unknown types: 5

Dropped files

PID | Process | Filename | Type
3536 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\helper[1].js | text
MD5:0AF11E80E33169AB815F9AB2721C3745
SHA256:F85F1CE135B6810B880273CD052B8A5CC1B4A96936A2AD9D8F0F83A8EE0B0CFA
3536 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\style[1].css | text
MD5:0D3B750FEE57E1A962495944D39755B2
SHA256:31955E986FA380B543ED7171A77AB2E2734150B1A7130C1A5537FCB5B16AE424
3536 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\services[1].html | html
MD5:01750AA5D6F488CA942F80D72B370174
SHA256:DA2F03D5A6505A332A5AEBBF6AC5766C044722C21BB0780316245DB44280D149
3536 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\jssor[1].js | text
MD5:1397A8A69723F763949DE3A6014A85DE
SHA256:504984DF1C171AD985CA44AF299019CB992F679C7CE1CE989E3A45F177142A9F
3536 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\849-layout[1].css | text
MD5:CEE165F8D348BE1DC2557C56434F6BBB
SHA256:EC0909A0A784320EF760F20B25998B9A2C673B8E65CB6F85CCA65FF932A5D464
3536 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\html5shiv.min[1].js | html
MD5:3044234175AC91F49B03FF999C592B85
SHA256:E0EAC80838C161F29E7C46D54FBC044D12CD164BAAE13255E562C6BE3AA91809
3536 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\wp-api.min[1].js | text
MD5:8CF9672DAECA232B3C1F93B1E8D130B0
SHA256:8EEE3A7A8051FA72DF3A50680C86C633AB465CFC6666AAF042A969F7BEF8F858
3536 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\bootstrap.min[1].js | text
MD5:C5B5B2FA19BD66FF23211D9F844E0131
SHA256:2979F9A6E32FC42C3E7406339EE9FE76B31D1B52059776A02B4A7FA6A4FD280A
3536 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\api-request.min[1].js | text
MD5:B1AE1AA42EAF4DF3FDC59777F5EC7437
SHA256:B5FB36601292E67E640378A8FB54EFFE16945559858910D4B6B771A2666A2E00
3536 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\analytics[1].js | text
MD5:0EA40A4CB2873A89CBE597EAEA860826
SHA256:3E552578C7D450B023F2CD9D28F830BE4335C3ACC6C4AB6DADDA0769F09E5F22
Download the PCAP and analyze network streams, HTTP content and more in the full report.
HTTP(S) requests: 49
TCP/UDP connections: 14
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3536 | iexplore.exe | GET | 200 | 74.220.219.168:80 | http://box2012.temp.domains/~chwsolut/wp-content/themes/dazzling/style.css?ver=5.1.1 | US | text | 6.96 Kb | suspicious
3536 | iexplore.exe | GET | 200 | 74.220.219.168:80 | http://box2012.temp.domains/~chwsolut/wp-content/plugins/slider/js/jssor.js?ver=5.1.1 | US | text | 32.1 Kb | suspicious
3536 | iexplore.exe | GET | 200 | 74.220.219.168:80 | http://box2012.temp.domains/~chwsolut/wp-content/uploads/bb-plugin/cache/849-layout.css?ver=1e5128d0462f9a847fa4408c45729b21 | US | text | 6.10 Kb | suspicious
3536 | iexplore.exe | GET | 200 | 74.220.219.168:80 | http://box2012.temp.domains/~chwsolut/services.html | US | html | 7.21 Kb | suspicious
3536 | iexplore.exe | GET | 200 | 74.220.219.168:80 | http://box2012.temp.domains/~chwsolut/wp-content/plugins/slider/js/helper.js?ver=5.1.1 | US | text | 2.17 Kb | suspicious
3536 | iexplore.exe | GET | 200 | 74.220.219.168:80 | http://box2012.temp.domains/~chwsolut/wp-content/themes/dazzling/inc/js/html5shiv.min.js | US | html | 1.34 Kb | suspicious
3536 | iexplore.exe | GET | 200 | 74.220.219.168:80 | http://box2012.temp.domains/~chwsolut/wp-content/themes/dazzling/inc/js/bootstrap.min.js?ver=5.1.1 | US | text | 11.5 Kb | suspicious
3536 | iexplore.exe | GET | 200 | 74.220.219.168:80 | http://box2012.temp.domains/~chwsolut/wp-includes/js/jquery/jquery.js?ver=1.12.4 | US | text | 38.4 Kb | suspicious
3536 | iexplore.exe | GET | 200 | 74.220.219.168:80 | http://box2012.temp.domains/~chwsolut/wp-includes/js/wp-emoji-release.min.js?ver=5.1.1 | US | text | 4.79 Kb | suspicious
3536 | iexplore.exe | GET | 200 | 74.220.219.168:80 | http://box2012.temp.domains/~chwsolut/wp-content/themes/dazzling/inc/js/respond.min.js | US | html | 2.24 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2980 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2980 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3536 | iexplore.exe | 172.217.18.110:80 | www.google-analytics.com | Google Inc. | US | whitelisted
3536 | iexplore.exe | 2.16.186.49:80 | a.vimeocdn.com | Akamai International B.V. | - | whitelisted
2980 | iexplore.exe | 74.220.219.168:80 | box2012.temp.domains | Unified Layer | US | suspicious
3536 | iexplore.exe | 74.220.219.168:80 | box2012.temp.domains | Unified Layer | US | suspicious

DNS requests

Domain | IP | Reputation
box2012.temp.domains | 74.220.219.168 | suspicious
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
a.vimeocdn.com | 2.16.186.49, 2.16.186.83 | whitelisted
www.google-analytics.com | 172.217.18.110 | whitelisted
chwsolutions.com | 74.220.219.168 | suspicious

Threats

No threats detected
No debug info