analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://origin.pfultd.com/downloads/IMAGE/sca/olu/OLU1218_info.exe

Full analysis: https://app.any.run/tasks/3505012f-4997-4068-8bd1-694479c6c642
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: June 12, 2019, 03:17:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

F34A235C8248C7BC8F49CE7ED9FA0BE7

SHA1:

4A61B670ACD6615D7B9C686713CF061E5E31EF4F

SHA256:

621BB90C08021623CEF244EEE5DBD0522501C0985BEFE07CF54E4676C3C6528C

SSDEEP:

3:N1KRXQL3BXKVyvq2LU:CyLxaeqsU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 1256)

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3212)

    • Application was dropped or rewritten from another process

      • OLU1218_info[1].exe (PID: 2792)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2928)
      • OLU1218_info[1].exe (PID: 2792)
      • iexplore.exe (PID: 3212)

  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 3212)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2928)
      • iexplore.exe (PID: 3212)

    • Application launched itself

      • iexplore.exe (PID: 2928)

    • Changes internet zones settings

      • iexplore.exe (PID: 2928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
4
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start iexplore.exe iexplore.exe olu1218_info[1].exe searchprotocolhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2928"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3212"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2928 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2792"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\OLU1218_info[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\OLU1218_info[1].exe
iexplore.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1256"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Total events
951
Read events
899
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
1
Text files
26
Unknown types
5

Dropped files

PID
Process
Filename
Type
2928iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
2928iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2928iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF60A7F57CCFEAE24C.TMP
MD5:
SHA256:
2792OLU1218_info[1].exeC:\Users\admin\Desktop\Disc1\am000000
MD5:
SHA256:
3212iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:047BEF1B39E0EF90255D09B3BE2274BC
SHA256:01E03937F3686CAE9B856C25E88BEFFEDA9E72070F771E790BA4E17A492A0197
2928iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019061220190613\index.datdat
MD5:FDFF8EFAE67213DB63D9A259D5A081AC
SHA256:674252A05F6B43B668D7484AD5946306E85AEA5CEF0B3148041E8341BBC1C703
3212iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:4BDD9F2C76425926801D6F3277E1C50A
SHA256:596558846AE7FE368E3ED787FFDEFA2396E1AD932E9E82650F702D10949E0D07
2928iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{9EE8763C-8CC0-11E9-B3B3-5254004A04AF}.datbinary
MD5:7EF8DE3AAF18B468DE84F443D74BFDD2
SHA256:C8DF2BC6254FB89D1DCFAAF18CE82122285419489A7827A2114126853859034C
3212iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019061220190613\index.datdat
MD5:726CDF187D94A347FB6180D0A5C04844
SHA256:638B8DFE636AEED8C9264A149D8AAA1B1CB12B19446057ABD43C704DE99D2B16
2928iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\OLU1218_info[1].exeexecutable
MD5:FF7E798CF15060FB675897C0AE7560D1
SHA256:DDE1D68CE01C46D310FE13F40F2A4454289ABBDE14F20D289C661CD75F130B51
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3212
iexplore.exe
GET
200
2.16.186.120:80
http://origin.pfultd.com/downloads/IMAGE/sca/olu/OLU1218_info.exe
unknown
executable
243 Kb
whitelisted
2928
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2928
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3212
iexplore.exe
2.16.186.120:80
origin.pfultd.com
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
origin.pfultd.com
  • 2.16.186.120
  • 2.16.186.82
whitelisted

Threats

PID
Process
Class
Message
3212
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://origin.pfultd.com/downloads/IMAGE/sca/olu/OLU1218_info.exe