URL: http://foodart-eg.com/kchitgql/index.php

Full analysis: https://app.any.run/tasks/dc164b15-feb7-4a67-9f96-4227e099e570
Verdict: Malicious activity
Analysis date: December 06, 2018, 16:24:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: phishing
Indicators:
MD5: F8068884424CD2D5F9870CE65CB59028
SHA1: DDC1673014274DAEC92121FF123B0B9093FF408B
SHA256: 6B18CFC1AD900E1CF74D82F2748F3517502AF4CEA5F19FD18FD12390AB39D6BA
SSDEEP: 3:N1KYEXRk+GtfphHn:CYEBfePHn


ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS: no malicious indicators.
  • SUSPICIOUS: no suspicious indicators.
  • INFO
    • Reads Internet Explorer settings: iexplore.exe (PID: 3336)
    • Changes Internet zones settings: iexplore.exe (PID: 2964)
    • Reads Internet Cache Settings: iexplore.exe (PID: 3336), iexplore.exe (PID: 2964)
All three INFO signatures are normal Internet Explorer start-up behaviour; the phishing verdict rests on the network alerts in the Threats section, not on host indicators.
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 33
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> iexplore.exe (PID 2964, MEDIUM integrity) -> iexplore.exe (PID 3336, LOW integrity)

Process information

PID: 2964
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://foodart-eg.com/kchitgql/index.php
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators: none shown
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\internet explorer\iexplore.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

PID: 3336
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2964 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators: none shown
Parent process: iexplore.exe (PID 2964)
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  c:\program files\internet explorer\iexplore.exe
  c:\systemroot\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\user32.dll
  c:\windows\system32\gdi32.dll

The SCODEF:2964 command line is how Internet Explorer spawns a Protected Mode tab process: 2964 is the medium-integrity frame (UI) process launched from explorer.exe, and the page itself is rendered by 3336 at LOW integrity. That split explains the rest of the report: the HTTP requests, the cached page bodies under Temporary Internet Files\Low and the IDS alerts all belong to PID 3336, while PID 2964 only writes the zone-map and connection settings.
Total events: 428
Read events: 366
Write events: 59
Delete events: 3

Modification events (all by iexplore.exe, PID 2964)

Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  write CompatibilityFlags = 0
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  write UNCAsIntranet = 0
  write AutoDetect = 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
  write SecuritySafe = 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  write ProxyEnable = 0
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  write SavedLegacySettings = (binary value, not shown in this extract)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
  write {60014E79-F973-11E8-91D7-5254004A04AF} = 0
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
  write Type = 4
  write Count = 3
  write Time = E2070C0004000600100018001100D701

None of these writes is attributable to the page: they are the zone-map, proxy, tab-recovery and add-on statistics values Internet Explorer touches on every start, and all of them come from the frame process rather than the LOW-integrity tab that loaded the content. The Time value under Ext\Stats is a 16-byte little-endian Win32 SYSTEMTIME structure rather than a FILETIME, which matters if you want to correlate it with the analysis start time.
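Decoding the Ext\Stats Time value listed above, as an added example that is not part of the ANY.RUN report. The only assumption is that the blob is a Win32 SYSTEMTIME (eight little-endian 16-bit words); the day-of-week word is redundant with the date, so the decoder uses it to verify that assumption instead of silently producing a plausible-looking timestamp from the wrong structure.

```python
r"""Decode the REG_BINARY Time value IE writes under
HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CLSID}\iexplore.
Added example for this report; assumes the value is a Win32 SYSTEMTIME."""
import struct
from datetime import datetime

# wYear, wMonth, wDayOfWeek (Sunday = 0), wDay, wHour, wMinute, wSecond, wMilliseconds,
# each a little-endian unsigned 16-bit word.
SYSTEMTIME_FMT = "<8H"

# Value exactly as listed in the modification events above.
REPORT_TIME_VALUE = "E2070C0004000600100018001100D701"


def decode_systemtime(hex_value: str) -> datetime:
    """Turn the hex dump of a SYSTEMTIME into a naive datetime (sandbox local time)."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != struct.calcsize(SYSTEMTIME_FMT):
        raise ValueError(f"SYSTEMTIME is 16 bytes, got {len(raw)}")
    year, month, dow, day, hour, minute, second, ms = struct.unpack(SYSTEMTIME_FMT, raw)
    ts = datetime(year, month, day, hour, minute, second, ms * 1000)
    # wDayOfWeek duplicates information already in the date, so it doubles as a
    # check that the bytes really are a little-endian SYSTEMTIME and not another
    # 16-byte blob that happens to unpack into a valid date.
    if ts.isoweekday() % 7 != dow:
        raise ValueError(f"day-of-week word {dow} does not match {ts:%A}")
    return ts


def encode_systemtime(ts: datetime) -> str:
    """Inverse of decode_systemtime; handy for building registry test fixtures."""
    words = (ts.year, ts.month, ts.isoweekday() % 7, ts.day,
             ts.hour, ts.minute, ts.second, ts.microsecond // 1000)
    return struct.pack(SYSTEMTIME_FMT, *words).hex().upper()


if __name__ == "__main__":
    ts = decode_systemtime(REPORT_TIME_VALUE)
    print(f"{REPORT_TIME_VALUE} -> {ts.isoformat(timespec='milliseconds')} ({ts:%A})")
```

The report's value decodes to Thursday 2018-12-06 16:24:17.471, sixteen seconds after the recorded analysis start of 16:24:01, which is what you would expect for a key written while the first tab was loading. Swapping the day-of-week word for 3 makes the decoder raise, so a mis-identified structure fails loudly.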
Executable files: 0
Suspicious files: 0
Text files: 8
Unknown types: 2

Dropped files

PID 2964, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico
  Type: not shown. MD5/SHA256: not shown.
PID 2964, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Type: not shown. MD5/SHA256: not shown.
PID 3336, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\index[1].php
  Type: not shown. MD5/SHA256: not shown.
PID 3336, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\first[1].php
  Type: not shown. MD5/SHA256: not shown.
PID 3336, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\first[1].htm
  Type: html. MD5: 781181828615C02B033D9581FD2C7225. SHA256: E8AD4CEA26AC41CDE448593AAFD4F1E4C3BBF4652CB1994D3D1FBFF8B9E5CF5F
PID 3336, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\first[1].js
  Type: text. MD5: 0BE3309A72DD8AEAA65268877CD6D979. SHA256: 4E06D1CB2DDD2FCB5C73E1B5C2C893FA0FE80604B83BAD59A0D16225D2A6777D
PID 2964, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018120620181207\index.dat
  Type: dat. MD5: 966967C984AFC3BC8704A6A5AE8AF1F1. SHA256: 37C7998C5EE830A88C7CAF70D73008067E9E781919BC795789E7848400BCB04E
PID 3336, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\logon[1].css
  Type: text. MD5: 7C2DC13DB7932AC4773F8218BFCB7982. SHA256: C38CC13ACE1D65062B3C5FA186184ABA02106F79D19C5B71491685089E59472C
PID 3336, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012018120620181207\index.dat
  Type: dat. MD5: DD6AABCD547E13AA851C28A43830382B. SHA256: 195F0AC26AA479EA66DC3E75E0BE63AFBC843A448469B19481EB5A806E19B7B7
PID 3336, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\index[1].htm
  Type: html. MD5: 4BC9751F5CF29B821F1F5A1AA510E492. SHA256: 8B1BE5CAEBC2CD99E5396ABB040AFCAE0BF76CD0D5B20B3058B1A69C46DA4EDB

Nothing here is an executable: every file is browser cache or history. The four hashed cache entries written by the LOW-integrity tab (index[1].htm, first[1].htm, first[1].js, logon[1].css) are the page bodies behind the HTTP requests below and are the artifacts to pull from the full report if you want to inspect the phishing page offline. The favicon and the search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico written by the frame process are Internet Explorer's own default search provider icon fetch, not content from the site.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 16
TCP/UDP connections: 14
DNS requests: 4
Threats: 0 (summary counter as shown; the Threats table below nevertheless lists two ET INFO alerts)

HTTP requests (all GET by iexplore.exe PID 3336 to 192.254.189.18:80, CN: US, reputation: suspicious; 10 of the 16 counted requests are listed)

Code  Type  Size     URL
-     -     -        http://foodart-eg.com/kchitgql/first.php?7667798623d4948ed309e970ee099a28  (no response recorded)
200   html  200 B    http://foodart-eg.com/kchitgql/index.php
404   html  453 B    http://foodart-eg.com/kchitgql/opensans-semibold.eot?
200   text  334 B    http://foodart-eg.com/kchitgql/files/first.js
404   html  453 B    http://foodart-eg.com/kchitgql/videoplayer.eot?
404   html  453 B    http://foodart-eg.com/kchitgql/files/fonts/video-icon.eot?460wyr
404   html  453 B    http://foodart-eg.com/kchitgql/assets/fonts/dcefont.eot?
404   html  453 B    http://foodart-eg.com/kchitgql/opensans-light.eot?
200   html  3.20 KB  http://foodart-eg.com/kchitgql/first.php?7667798623d4948ed309e970ee099a28
200   text  18.1 KB  http://foodart-eg.com/kchitgql/files/logon.css

Two things stand out. The submitted index.php returns only 200 bytes of HTML, while the 3.20 KB page comes from first.php with a 32-character hex token in the query string, so index.php is a small entry page that hands the visitor a per-visit token. The five .eot font requests all fail with the same 453-byte 404 body, which is typical of a login-page template cloned from elsewhere with its font paths left dangling; the 18.1 KB logon.css is the bulk of that template.

Connections

PID   Process       IP                 Domain          ASN                    CN  Reputation
2964  iexplore.exe  204.79.197.200:80  www.bing.com    Microsoft Corporation  US  whitelisted
2964  iexplore.exe  192.254.189.18:80  foodart-eg.com  Unified Layer          US  suspicious
3336  iexplore.exe  192.254.189.18:80  foodart-eg.com  Unified Layer          US  suspicious

DNS requests

Domain            IP(s)                          Reputation
foodart-eg.com    192.254.189.18                 suspicious
www.bing.com      204.79.197.200, 13.107.21.200  whitelisted
dns.msftncsi.com  131.107.255.255                shared

Only foodart-eg.com is page-driven. www.bing.com is Internet Explorer's default search provider and dns.msftncsi.com (131.107.255.255) is the Windows Network Connectivity Status Indicator probe, so both will appear in any IE-based task on this sandbox and should not be treated as indicators.

Threats

PID   Process       Class                          Message
3336  iexplore.exe  A Network Trojan was detected  ET INFO Suspicious HTML Decimal Obfuscated Title - Possible Phishing Landing Apr 19 2017
3336  iexplore.exe  A Network Trojan was detected  ET INFO Suspicious HTML Hex Obfuscated Title - Possible Phishing Landing Jun 28 2017
1 ETPRO signature is available in the full report.

Both alerts fired on HTTP responses delivered to the LOW-integrity tab process and describe the same trick: the page's <title> element is written as decimal (&#NN;) or hexadecimal (&#xNN;) numeric character references instead of plain text, so the impersonated brand name is rendered by the browser but never appears literally in the response body. "A Network Trojan was detected" is only the generic class label Suricata attaches to the rule's classtype; the rules themselves are informational ET INFO signatures, which is why the summary counters above stay at zero.
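The check those two signatures perform, re-implemented here as an added example that is not part of the ANY.RUN report and not the Emerging Threats rule text. It approximates their logic on a fetched or carved response body (for instance the cached index[1].htm or first[1].htm listed under dropped files): find the <title>, count numeric character references, and treat references that decode to printable ASCII as hiding, since plain ASCII never needs escaping. The HTML documents in SAMPLES are constructed for the demonstration and are not content from the analysed site.

```python
"""Heuristic detector for the pattern behind the ET INFO 'Suspicious HTML
Decimal/Hex Obfuscated Title' alerts. Added example written for this page;
it approximates what those signatures look for and is not the ET rule text."""
import html
import re
from typing import Optional

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)
# Captures the body of a numeric character reference: "83" for &#83; or "x53" for &#x53;.
NUM_REF_RE = re.compile(r"&#(x[0-9a-f]{1,6}|[0-9]{1,7});", re.IGNORECASE)


def _codepoint(ref: str) -> int:
    return int(ref[1:], 16) if ref[0] in "xX" else int(ref)


def analyze_title(doc: str, min_hidden: int = 4) -> Optional[dict]:
    """Return statistics and a verdict for the document's <title>, or None if it has none.

    Only references that decode to printable ASCII count towards the verdict:
    &#233; for 'é' is ordinary escaping, &#83; for 'S' has no honest purpose.
    """
    match = TITLE_RE.search(doc)
    if match is None:
        return None
    raw = match.group(1)
    decimal = hexadecimal = hidden_ascii = 0
    for ref in NUM_REF_RE.findall(raw):
        if ref[0] in "xX":
            hexadecimal += 1
        else:
            decimal += 1
        if 0x20 <= _codepoint(ref) <= 0x7E:
            hidden_ascii += 1
    encoding = None
    if hidden_ascii >= min_hidden:
        encoding = "mixed" if decimal and hexadecimal else ("hex" if hexadecimal else "decimal")
    return {
        "raw": raw,
        "decoded": html.unescape(raw).strip(),
        "decimal_refs": decimal,
        "hex_refs": hexadecimal,
        "hidden_ascii": hidden_ascii,
        "obfuscated": encoding is not None,
        "encoding": encoding,
    }


# Constructed sample documents for the demonstration (not content from the analysed site).
SAMPLES = {
    "decimal": "<html><head><title>&#79;&#102;&#102;&#105;&#99;&#101;&#32;&#51;&#54;&#53;</title></head>"
               "<body><form method=post action=first.php>...</form></body></html>",
    "hex": "<html><head><title>&#x53;&#x69;&#x67;&#x6E;&#x20;&#x69;&#x6E;</title></head></html>",
    "mixed": "<html><head><title>&#80;&#x61;&#121;&#x50;&#97;&#x6c;</title></head></html>",
    "benign": "<html><head><title>Caf&#233; &amp; Bar</title></head></html>",
    "no_title": "<html><body>nothing here</body></html>",
}


def scan(docs: dict) -> dict:
    """Map each document name to its encoding verdict: 'decimal', 'hex', 'mixed' or None."""
    verdicts = {}
    for name, doc in docs.items():
        result = analyze_title(doc)
        verdicts[name] = result["encoding"] if result else None
    return verdicts


if __name__ == "__main__":
    for name, doc in SAMPLES.items():
        r = analyze_title(doc)
        if r is None:
            print(f"{name:9} no <title> element")
        else:
            flag = f"OBFUSCATED ({r['encoding']})" if r["obfuscated"] else "clean"
            print(f"{name:9} {flag:22} title={r['decoded']!r}")
```

The min_hidden threshold of four references is an assumption chosen to keep a single escaped character from tripping the check; the IDS rules match on a run of references rather than decoding them, so this version will also catch a title that mixes both encodings, which neither rule alone reports. Run it over the cache files named in the dropped-files table to confirm which of the two responses carried the obfuscated title.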
No debug info