URL: http://upgradetypelast-restclicks.icu/XX6cjX6mC8hn02Jjc2pVCuxiH5IefAEm1pQl_K5aLdA?cid=6e311b8883d32a980d1015aab3022937&sid=14892298

Full analysis: https://app.any.run/tasks/b6915576-155f-4c89-9561-de79c1e23b34
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: March 21, 2019, 15:35:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, adware, installcore, pup
Indicators:
MD5: 4A1D9C3AC4C181B6F60A895535243E93
SHA1: 80C54C547EA77FC78DBCD4EB103FC8FEEFE92DF0
SHA256: 56A8E5BD093A3B787DA1F1EDE1815C9DA3A780FDEE04A3F2B8AD95DC78CC1D92
SSDEEP: 3:N1KLKIv9eMGVHXKRhPAZmIsQhV008KMB+AWqcX8t2VHcWucXMd:COIV9aZmI6QMcm1cV8Wo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • adobe_flash_player[1].exe (PID: 2292)
      • adobe_flash_player[1].exe (PID: 4024)
    • Connects to CnC server

      • adobe_flash_player[1].exe (PID: 2292)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3528)
    • INSTALLCORE was detected

      • adobe_flash_player[1].exe (PID: 2292)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2992)
      • iexplore.exe (PID: 3528)
    • Cleans NTFS data-stream (Zone Identifier)

      • adobe_flash_player[1].exe (PID: 4024)
    • Reads internet explorer settings

      • adobe_flash_player[1].exe (PID: 2292)
    • Reads Environment values

      • adobe_flash_player[1].exe (PID: 2292)
    • Application launched itself

      • adobe_flash_player[1].exe (PID: 4024)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2992)
    • Creates files in the user directory

      • iexplore.exe (PID: 2992)
      • iexplore.exe (PID: 3528)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3528)
      • iexplore.exe (PID: 2992)
    • Changes internet zones settings

      • iexplore.exe (PID: 2992)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 4
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Interactive in the full report (click a process to see its details). Nodes: iexplore.exe, iexplore.exe, adobe_flash_player[1].exe (no specs), adobe_flash_player[1].exe (#INSTALLCORE); edge labels: start, drop and start.

Process information

PID: 2992
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://upgradetypelast-restclicks.icu/XX6cjX6mC8hn02Jjc2pVCuxiH5IefAEm1pQl_K5aLdA?cid=6e311b8883d32a980d1015aab3022937&sid=14892298
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3528
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2992 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 4024
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\adobe_flash_player[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\adobe_flash_player[1].exe
Parent process: iexplore.exe
User: admin
Company: (none)
Integrity Level: MEDIUM
Description: Kagas Setup
Exit code: 0
Version: 1.6.5.1

PID: 2292
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\adobe_flash_player[1].exe" /RSF /ppn:YWV4dQ0KChAjb3J1FQUI /ads:1 /mnl
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\adobe_flash_player[1].exe
Parent process: adobe_flash_player[1].exe
User: admin
Company: (none)
Integrity Level: HIGH
Description: Kagas Setup
Version: 1.6.5.1
Total events: 1 114
Read events: 1 019
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 4
Text files: 79
Unknown types: 4

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2992 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | - | - | -
2992 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | - | - | -
2992 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF6A38E4AC46523041.TMP | - | - | -
2292 | adobe_flash_player[1].exe | C:\Users\admin\AppData\Local\Temp\0010DAF1.log | - | - | -
3528 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | 3C5A4213F0A0CEB57A5CB75268612ABE | 68941925DB61211513636E39BB5F154CDEC62FB1ABAFF1AD70F2F8DBA57A0516
2992 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{054D0496-4BEF-11E9-B63D-5254004A04AF}.dat | binary | 0FA058C9BE28683FD86798B7E4E68868 | C37E7A005906BF3F63D8253C08827255099B3E927D4E8158AB975C066FD934D3
2992 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\adobe_flash_player[1].exe | executable | 5DC55D0829B4375E7EA2113F78FFFF6D | 55B9009D9CF3D7D702C71CFF1A02D97E16C30FC6C1C060D149CF904259EE26BE
2992 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019032120190322\index.dat | dat | 0F4C95BBC58778B32E265A9F0F3466F4 | 65A84997B950E8AFFD2DBE7A6CFDA057C24C3EE272801CA98AB94111732E996E
3528 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019032120190322\index.dat | dat | D137F5A2C2EF2DFB1DF01CBB720F4F85 | 5EC64E0B84F46B3C49DF8B5FB68AED5572FDB08AD99C9472308DEAC8177CE3E5
3528 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GNNMH0MZ\adobe_flash_player_3702310382[1].exe | executable | 5DC55D0829B4375E7EA2113F78FFFF6D | 55B9009D9CF3D7D702C71CFF1A02D97E16C30FC6C1C060D149CF904259EE26BE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 5
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3528 | iexplore.exe | GET | 302 | 54.152.140.188:80 | http://products.apps.co.me/ic_refresh/dl.php?cid=TfD2FvPhri93n1HUyRn7q00P6h4eaBp0njQEqGYcJsvt1z1xb-s4tfZR53WfG0jPzeMeFBgVlTuTaGGAfLQck4GD43joTHuKUWzqbSAQWGRsNJiqULrhvu7wX5AHRIw4flNFXg62mAmYfCTfhThvA4yaSEyH5-gBHcJZHny-oXnmHBDbe1AQLpkFkgJ1tNy__H1Lc4SDgjoCBqN2eqwfFw&channel=oko_ddl_ie_Eedge_15319&fn={fn} | US | - | - | unknown
3528 | iexplore.exe | GET | 200 | 13.32.222.241:80 | http://d23uib91h71t70.cloudfront.net/7l0fz>9vmshtb/adobe_flash_player.exe | US | executable | 2.03 Mb | whitelisted
2292 | adobe_flash_player[1].exe | POST | 200 | 54.194.149.175:80 | http://vpn.ferelar-yofi.com/ | IE | - | - | malicious
2292 | adobe_flash_player[1].exe | POST | 200 | 54.194.149.175:80 | http://vpn.ferelar-yofi.com/ | IE | - | - | malicious
2992 | iexplore.exe | GET | 200 | 13.107.21.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
3528 | iexplore.exe | GET | 302 | 51.158.26.248:80 | http://upgradetypelast-restclicks.icu/XX6cjX6mC8hn02Jjc2pVCuxiH5IefAEm1pQl_K5aLdA?cid=6e311b8883d32a980d1015aab3022937&sid=14892298 | GB | html | 158 b | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3528 | iexplore.exe | 51.158.26.248:80 | upgradetypelast-restclicks.icu | - | GB | suspicious
3528 | iexplore.exe | 54.152.140.188:80 | products.apps.co.me | Amazon.com, Inc. | US | unknown
2292 | adobe_flash_player[1].exe | 54.194.149.175:80 | vpn.ferelar-yofi.com | Amazon.com, Inc. | IE | malicious
3528 | iexplore.exe | 13.32.222.241:80 | d23uib91h71t70.cloudfront.net | Amazon.com, Inc. | US | whitelisted
2992 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted

DNS requests

Domain | IP | Reputation
upgradetypelast-restclicks.icu | 51.158.26.248 | unknown
products.apps.co.me | 54.152.140.188 | unknown
www.bing.com | 13.107.21.200, 204.79.197.200 | whitelisted
d23uib91h71t70.cloudfront.net | 13.32.222.241, 13.32.222.24, 13.32.222.226, 13.32.222.6 | whitelisted
vpn.ferelar-yofi.com | 54.194.149.175, 52.214.73.247 | malicious

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .icu Domain
3528 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3528 | iexplore.exe | Misc activity | ET INFO EXE - Served Attached HTTP
2292 | adobe_flash_player[1].exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M2
2292 | adobe_flash_player[1].exe | Misc activity | ADWARE [PTsecurity] PUP.Optional.InstallCore Artifact M1
1 ETPRO signatures available at the full report
No debug info