URL: http://www.florian.ca/fileadmin/Florian-Live-Support.exe

Full analysis: https://app.any.run/tasks/b8976ed4-98ec-4de5-a6df-dcac2d690c0a
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 15, 2019, 10:56:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir, loader
Indicators:
MD5: 60466980D3E64616DEB32233CC8F0BDC
SHA1: 0E03D00A9DE4FCC80B1713137597FFEAE9EBB4AB
SHA256: 492FE6370ABBACE57238087D54DB3584296B79061AA39C9C1E04004B845F4365
SSDEEP: 3:N1KJS4VKcELyEKDmBN4JMbMcStAdA:Cc4/ELXKCmMwRAC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Florian-Live-Support[1].exe (PID: 4092)
      • Florian-Live-Support[1].exe (PID: 3224)
      • winvnc.exe (PID: 3780)
    • Downloads executable files from the Internet
      • iexplore.exe (PID: 3508)
      • iexplore.exe (PID: 3956)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • iexplore.exe (PID: 2984)
      • iexplore.exe (PID: 3508)
      • Florian-Live-Support[1].exe (PID: 4092)
    • Starts Internet Explorer
      • winvnc.exe (PID: 3780)
  • INFO
    • Changes internet zones settings
      • iexplore.exe (PID: 2984)
      • iexplore.exe (PID: 3352)
    • Application launched itself
      • iexplore.exe (PID: 2984)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3508)
      • iexplore.exe (PID: 2984)
      • iexplore.exe (PID: 3956)
    • Creates files in the user directory
      • iexplore.exe (PID: 3508)
      • iexplore.exe (PID: 2984)
      • iexplore.exe (PID: 3956)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3956)
    • Changes settings of System certificates
      • iexplore.exe (PID: 3956)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 3956)
No Malware configuration.
No data.
Total processes: 44
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 1

Behavior graph (interactive process graph, not reproduced here)

Nodes: iexplore.exe, iexplore.exe, florian-live-support[1].exe (no specs), florian-live-support[1].exe, winvnc.exe (no specs), iexplore.exe, iexplore.exe. Edge types shown: "drop and start" and "start".

Process information

  • PID 2984
    CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://www.florian.ca/fileadmin/Florian-Live-Support.exe
    Path: C:\Program Files\Internet Explorer\iexplore.exe
    Parent process: explorer.exe
    User: admin
    Company: Microsoft Corporation
    Integrity Level: MEDIUM
    Description: Internet Explorer
    Exit code: 1
    Version: 8.00.7600.16385 (win7_rtm.090713-1255)
    Modules (images):
      • c:\program files\internet explorer\iexplore.exe
      • c:\systemroot\system32\ntdll.dll
      • c:\windows\system32\kernel32.dll
      • c:\windows\system32\kernelbase.dll
      • c:\windows\system32\advapi32.dll
      • c:\windows\system32\msvcrt.dll
      • c:\windows\system32\sechost.dll
      • c:\windows\system32\rpcrt4.dll
      • c:\windows\system32\user32.dll
      • c:\windows\system32\gdi32.dll

  • PID 3508
    CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2984 CREDAT:71937
    Path: C:\Program Files\Internet Explorer\iexplore.exe
    Parent process: iexplore.exe
    User: admin
    Company: Microsoft Corporation
    Integrity Level: LOW
    Description: Internet Explorer
    Exit code: 0
    Version: 8.00.7600.16385 (win7_rtm.090713-1255)
    Modules (images):
      • c:\program files\internet explorer\iexplore.exe
      • c:\systemroot\system32\ntdll.dll
      • c:\windows\system32\kernel32.dll
      • c:\windows\system32\kernelbase.dll
      • c:\windows\system32\msvcrt.dll
      • c:\windows\system32\advapi32.dll
      • c:\windows\system32\sechost.dll
      • c:\windows\system32\rpcrt4.dll
      • c:\windows\system32\user32.dll
      • c:\windows\system32\gdi32.dll

  • PID 3224
    CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\Florian-Live-Support[1].exe"
    Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\Florian-Live-Support[1].exe
    Parent process: iexplore.exe
    User: admin
    Company: UltraVnc
    Integrity Level: MEDIUM
    Description: UltraVnc Self-Extract Setup
    Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED: the medium-integrity instance could not run and the installer was re-launched at HIGH integrity as PID 4092)
    Version: 4, 10, 0, 1
    Modules (images):
      • c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\i0488cjo\florian-live-support[1].exe
      • c:\systemroot\system32\ntdll.dll

  • PID 4092
    CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\Florian-Live-Support[1].exe"
    Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\Florian-Live-Support[1].exe
    Parent process: iexplore.exe
    User: admin
    Company: UltraVnc
    Integrity Level: HIGH
    Description: UltraVnc Self-Extract Setup
    Version: 4, 10, 0, 1
    Modules (images):
      • c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\i0488cjo\florian-live-support[1].exe
      • c:\systemroot\system32\ntdll.dll
      • c:\windows\system32\kernel32.dll
      • c:\windows\system32\kernelbase.dll
      • c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
      • c:\windows\system32\advapi32.dll
      • c:\windows\system32\msvcrt.dll
      • c:\windows\system32\sechost.dll
      • c:\windows\system32\rpcrt4.dll
      • c:\windows\system32\gdi32.dll

  • PID 3780
    CMD: .\winvnc.exe
    Path: C:\Users\admin\AppData\Local\Temp\7zS614.tmp\winvnc.exe
    Parent process: Florian-Live-Support[1].exe
    User: admin
    Company: UltraVNC
    Integrity Level: HIGH
    Description: VNC server for Win32
    Version: 1, 1, 0, 0
    Modules (images):
      • c:\users\admin\appdata\local\temp\7zs614.tmp\winvnc.exe
      • c:\systemroot\system32\ntdll.dll
      • c:\windows\system32\kernel32.dll
      • c:\windows\system32\kernelbase.dll
      • c:\windows\system32\wsock32.dll
      • c:\windows\system32\ws2_32.dll
      • c:\windows\system32\msvcrt.dll
      • c:\windows\system32\rpcrt4.dll
      • c:\windows\system32\nsi.dll
      • c:\windows\system32\winmm.dll

  • PID 3352
    CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
    Path: C:\Program Files\Internet Explorer\iexplore.exe
    Parent process: winvnc.exe
    User: admin
    Company: Microsoft Corporation
    Integrity Level: HIGH
    Description: Internet Explorer
    Version: 8.00.7600.16385 (win7_rtm.090713-1255)
    Modules (images):
      • c:\program files\internet explorer\iexplore.exe
      • c:\systemroot\system32\ntdll.dll
      • c:\windows\system32\kernel32.dll
      • c:\windows\system32\kernelbase.dll
      • c:\windows\system32\advapi32.dll
      • c:\windows\system32\msvcrt.dll
      • c:\windows\system32\sechost.dll
      • c:\windows\system32\user32.dll
      • c:\windows\system32\rpcrt4.dll
      • c:\windows\system32\gdi32.dll

  • PID 3956
    CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3352 CREDAT:79873
    Path: C:\Program Files\Internet Explorer\iexplore.exe
    Parent process: iexplore.exe
    User: admin
    Company: Microsoft Corporation
    Integrity Level: HIGH
    Description: Internet Explorer
    Version: 8.00.7600.16385 (win7_rtm.090713-1255)
    Modules (images):
      • c:\program files\internet explorer\iexplore.exe
      • c:\systemroot\system32\ntdll.dll
      • c:\windows\system32\kernel32.dll
      • c:\windows\system32\kernelbase.dll
      • c:\windows\system32\msvcrt.dll
      • c:\windows\system32\advapi32.dll
      • c:\windows\system32\sechost.dll
      • c:\windows\system32\rpcrt4.dll
      • c:\windows\system32\gdi32.dll
      • c:\windows\system32\user32.dll
Total events: 1 023
Read events: 898
Write events: 122
Delete events: 3

Modification events

  • PID 2984 (iexplore.exe): write HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, Name: CompatibilityFlags, Value: 0
  • PID 2984 (iexplore.exe): write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, Name: UNCAsIntranet, Value: 0
  • PID 2984 (iexplore.exe): write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap, Name: AutoDetect, Value: 1
  • PID 2984 (iexplore.exe): write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones, Name: SecuritySafe, Value: 1
  • PID 2984 (iexplore.exe): write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings, Name: ProxyEnable, Value: 0
  • PID 2984 (iexplore.exe): write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections, Name: SavedLegacySettings, Value: (binary value not preserved in the extracted report)
  • PID 2984 (iexplore.exe): write HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active, Name: {26B2F621-7700-11E9-B3B3-5254004A04AF}, Value: 0
  • PID 2984 (iexplore.exe): write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore, Name: Type, Value: 4
  • PID 2984 (iexplore.exe): write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore, Name: Count, Value: 1
  • PID 2984 (iexplore.exe): write HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore, Name: Time, Value: E307050003000F000A0038003700D902
Executable files: 6
Suspicious files: 2
Text files: 48
Unknown types: 10

Dropped files

  • PID 2984, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico (type and hashes not listed)
  • PID 2984, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico (type and hashes not listed)
  • PID 2984, iexplore.exe: C:\Users\admin\AppData\Local\Temp\~DFFED2C3DDD380C7FD.TMP (type and hashes not listed)
  • PID 2984, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{26B2F622-7700-11E9-B3B3-5254004A04AF}.dat, type: binary
    MD5: 8BACB12C0E7D6E383A5DF4CDA288ABC2
    SHA256: F532BD2768A7404475A2BD92A22D748F6FD84E54E128072E2F22CD4CAFFA8B82
  • PID 3508, iexplore.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@florian[1].txt, type: text
    MD5: B479D4C28E3041F0B1798939116EF45E
    SHA256: CCC72FAF31E1184165C656AB134F808017707A0E1BB95C39A1825543C6423D5E
  • PID 3508, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1T1Q7MYC\Florian-Live-Support[1].exe, type: executable
    MD5: DC6B05E2C84CA6EB8B101DEBF9DAE66E
    SHA256: C89FDFAFED661F37B7CFE658A200C5AC7736EA544F365EB9251364F6BDF2C359
  • PID 3508, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat, type: dat
    MD5: 427ED7494B8E2F9F228C3C05D1673B4C
    SHA256: 47AED5E9E7285D995ABA0346F5902B49D98DBF148C502C286E3E755175B5C9E5
  • PID 2984, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019051520190516\index.dat, type: dat
    MD5: CD388AE0C0F5586259D693C50E1AC3D7
    SHA256: FDCEC44F84BEB06FBFBCA9A86E518EBF4B46F3141BC0675E7E833FAE2C6604D3
  • PID 3508, iexplore.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat, type: dat
    MD5: D9D6AD415F88FB4E3D9B9C970DD99498
    SHA256: EA62E5426372D572A3160AF70FB33E91EEF3878E0CB4E3B3A5A449BE65E05872
  • PID 3508, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019051520190516\index.dat, type: dat
    MD5: 14F54D60F4DF89A776ACA65D4A881760
    SHA256: 9B74F92B137A59450A440AAE85481BA51AC968DBD66C9B1152E5174156A7138C
HTTP(S) requests: 34
TCP/UDP connections: 20
DNS requests: 8
Threats: 0

HTTP requests

  • PID 3956, iexplore.exe: GET http://www.florian.ca/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js from 104.28.25.168:80 (CN: US); no HTTP code, type or size recorded; reputation: suspicious
  • PID 3956, iexplore.exe: GET http://www.florian.ca/toplevel_W.gif from 104.28.25.168:80 (CN: US); HTTP 200; image, 265 b; reputation: suspicious
  • PID 3956, iexplore.exe: GET http://www.florian.ca/florian_logo.gif from 104.28.25.168:80 (CN: US); HTTP 200; image, 7.52 Kb; reputation: suspicious
  • PID 3956, iexplore.exe: GET http://www.florian.ca/page_E_right_bottom.gif from 104.28.25.168:80 (CN: US); HTTP 200; image, 667 b; reputation: suspicious
  • PID 3508, iexplore.exe: GET http://www.florian.ca/fileadmin/Florian-Live-Support.exe from 104.28.25.168:80 (CN: US); HTTP 200; executable, 228 Kb; reputation: suspicious
  • PID 3956, iexplore.exe: GET http://www.florian.ca/toplevel_E.gif from 104.28.25.168:80 (CN: US); HTTP 200; image, 239 b; reputation: suspicious
  • PID 3956, iexplore.exe: GET http://www.florian.ca/fileadmin/Florian-Live-Support.exe from 104.28.25.168:80 (CN: US); HTTP 200; executable, 228 Kb; reputation: suspicious
  • PID 3956, iexplore.exe: GET http://www.florian.ca/page_W.gif from 104.28.25.168:80 (CN: US); HTTP 200; image, 229 b; reputation: suspicious
  • PID 3956, iexplore.exe: GET http://www.florian.ca/ from 104.28.25.168:80 (CN: US); HTTP 200; html, 3.81 Kb; reputation: suspicious
  • PID 3352, iexplore.exe: GET http://www.bing.com/favicon.ico from 204.79.197.200:80 (CN: US); HTTP 200; image, 237 b; reputation: whitelisted

Connections

  • PID 3352, iexplore.exe: 204.79.197.200:80, www.bing.com, ASN: Microsoft Corporation, CN: US, reputation: whitelisted
  • PID 2984, iexplore.exe: 204.79.197.200:80, www.bing.com, ASN: Microsoft Corporation, CN: US, reputation: whitelisted
  • PID 3956, iexplore.exe: 216.58.206.14:443, www.google-analytics.com, ASN: Google Inc., CN: US, reputation: whitelisted
  • PID 3956, iexplore.exe: 74.125.206.154:443, stats.g.doubleclick.net, ASN: Google Inc., CN: US, reputation: whitelisted
  • PID 3508, iexplore.exe: 104.28.25.168:80, www.florian.ca, ASN: Cloudflare Inc, CN: US, reputation: shared
  • PID 3956, iexplore.exe: 104.28.25.168:80, www.florian.ca, ASN: Cloudflare Inc, CN: US, reputation: shared
  • PID 3956, iexplore.exe: 172.217.16.163:80, fonts.gstatic.com, ASN: Google Inc., CN: US, reputation: whitelisted
  • PID 3956, iexplore.exe: 216.58.210.10:80, fonts.googleapis.com, ASN: Google Inc., CN: US, reputation: whitelisted
  • PID 3956, iexplore.exe: 50.31.64.21:80, lab.florian.ca, ASN: Steadfast, CN: US, reputation: unknown

DNS requests

  • www.florian.ca: 104.28.25.168, 104.28.24.168; reputation: suspicious
  • www.bing.com: 204.79.197.200, 13.107.21.200; reputation: whitelisted
  • www.google-analytics.com: 216.58.206.14; reputation: whitelisted
  • stats.g.doubleclick.net: 74.125.206.154, 74.125.206.157, 74.125.206.156, 74.125.206.155; reputation: whitelisted
  • lab.florian.ca: 50.31.64.21; reputation: unknown
  • fonts.googleapis.com: 216.58.210.10; reputation: whitelisted
  • fonts.gstatic.com: 172.217.16.163; reputation: whitelisted

Threats

  • PID 3508, iexplore.exe: class Potential Corporate Privacy Violation, message "ET POLICY PE EXE or DLL Windows file download HTTP"
  • PID 3956, iexplore.exe: class Potential Corporate Privacy Violation, message "ET POLICY PE EXE or DLL Windows file download HTTP"
No debug info