Field | Value
---|---
URL | https://cdn.discordapp.com/attachments/927643884236963941/927644049031168010/Bhad_Bhabie_Holiday.zip
Full analysis | https://app.any.run/tasks/f3d1c07b-88b8-4f06-80fa-c9e192ab9f42
Verdict | Malicious activity
Analysis date | January 25, 2022, 01:30:30
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators |
MD5 | 86C912F4B30289E9D25C453C6EC707F4
SHA1 | 1D97BDB58EAC19E7D358F0C4CA1B83BA383CDB48
SHA256 | 6C22564D52B49C5F42B9B65D173D7204A8CEE8DF8610B838C47A88E34B3206B0
SSDEEP | 3:N8cCWdy6//mSdWYTiWgTJ3wGVJNuMALKYVn:2cry6XfW+1gTJAGsBLF
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity Level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
2760 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://cdn.discordapp.com/attachments/927643884236963941/927644049031168010/Bhad_Bhabie_Holiday.zip" | C:\Program Files\Internet Explorer\iexplore.exe | | Explorer.EXE | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 1 | 11.00.9600.16428 (winblue_gdr.131013-1700)
3240 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2760 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | admin | Microsoft Corporation | LOW | Internet Explorer | 0 | 11.00.9600.16428 (winblue_gdr.131013-1700)
2224 | "C:\Program Files\Opera\opera.exe" | C:\Program Files\Opera\opera.exe | | Explorer.EXE | admin | Opera Software | MEDIUM | Opera Internet Browser | 0 | 1748
424 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Opera\Opera\temporary_downloads\Bhad_Bhabie_Holiday.zip" | C:\Program Files\WinRAR\WinRAR.exe | | opera.exe | admin | Alexander Roshal | MEDIUM | WinRAR archiver | 0 | 5.91.0
2148 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb424.41587\image_44041.jpg.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb424.41587\image_44041.jpg.exe | | WinRAR.exe | admin | Murray Hurps Software Pty Ltd | MEDIUM | Ad Muncher | 0 | 4.94.34121 (Free)
2596 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb424.42254\image_44044.jpg.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb424.42254\image_44044.jpg.exe | | WinRAR.exe | admin | Murray Hurps Software Pty Ltd | MEDIUM | Ad Muncher | 0 | 4.94.34121 (Free)
2940 | "C:\Users\admin\AppData\Local\Temp\Rar$EXb424.42523\image_44051.jpg.exe" | C:\Users\admin\AppData\Local\Temp\Rar$EXb424.42523\image_44051.jpg.exe | | WinRAR.exe | admin | Murray Hurps Software Pty Ltd | MEDIUM | Ad Muncher | 0 | 4.94.34121 (Free)
3264 | "C:\Users\admin\Desktop\image_44051.jpg.exe" | C:\Users\admin\Desktop\image_44051.jpg.exe | | Explorer.EXE | admin | Murray Hurps Software Pty Ltd | HIGH | Ad Muncher | 0 | 4.94.34121 (Free)
2280 | "C:\Users\admin\Desktop\image_44051.jpg.exe" | C:\Users\admin\Desktop\image_44051.jpg.exe | | Explorer.EXE | admin | Murray Hurps Software Pty Ltd | HIGH | Ad Muncher | | 4.94.34121 (Free)
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
2760 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPDaysSinceLastAutoMigration | 1
2760 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchLowDateTime | 632464032
2760 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchHighDateTime | 30937483
2760 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateLowDateTime | 932465282
2760 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateHighDateTime | 30937483
2760 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix |
2760 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
2760 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
2760 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0
2760 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2760 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | FC990EAA7247546FB67C18916A4CAC9B | 294F5BE9159C87842AD3173FE7CDA168C9F2010C6D428085A8AC30EF436CA993
2224 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini | text | 3BBF5C96F669FDCE27781332B973D1A8 | 5E0E84D583D0C342F82EFFABB55DF786BC42D16628ABCA59129B29E5E0DADE21
2224 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr6ABD.tmp | text | 3BBF5C96F669FDCE27781332B973D1A8 | 5E0E84D583D0C342F82EFFABB55DF786BC42D16628ABCA59129B29E5E0DADE21
2224 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opr6AFD.tmp | xml | 8A1321728617D5319E8E3C10F1C61336 | 3E41C54069ED13E67B24A4A1DCD4B933CDF6736A123F01C761A6AE5947ADDBA8
2224 | opera.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0VC4WFBZM5CL9DNP0LJF.temp | binary | 3F7590FD56AC999E0289444034C9CC80 | 632F80B7AD1F589FE608EF8546E3E7D1B0501A9EC3E38C0140EA1C10ED3E602B
2224 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml | xml | 8A1321728617D5319E8E3C10F1C61336 | 3E41C54069ED13E67B24A4A1DCD4B933CDF6736A123F01C761A6AE5947ADDBA8
2760 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | CF9EC8597D5634C927E15ADB50D7A837 | 9289FFC5D657EB93540ECC07BF167AD84C24098FBC00A1E03EC301A37D4124B5
2760 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | 7355F9BD2E7D9C3C9D57DD35FD6FEB2E | 1C0100B6CA8B253F3B2C6CC6794D4C4F4353F9A06E5872EE8E3B9F2182B4D989
2224 | opera.exe | C:\Users\admin\AppData\Roaming\Opera\Opera\opcert6.dat | binary | 1AA8644C9261DC10F7247F6A145C1DD2 | 58A8933F65361633C6AB194000D312DC9D566F717B1A16814A0DBEE24A60EBE3
2760 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed | F7DCB24540769805E5BB30D193944DCE | 6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2224 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl | US | der | 592 b | whitelisted |
2224 | opera.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.68 Kb | whitelisted |
2760 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
2760 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
3240 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
2760 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?eebe35231b25f1cc | US | compressed | 4.70 Kb | whitelisted |
2148 | image_44041.jpg.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3541700a08366138 | US | compressed | 59.9 Kb | whitelisted |
2760 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?289cf79653f4f370 | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2760 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2224 | opera.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2760 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2760 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3240 | iexplore.exe | 162.159.129.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |
2224 | opera.exe | 185.26.182.94:443 | certs.opera.com | Opera Software AS | — | whitelisted |
2224 | opera.exe | 162.159.129.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |
2224 | opera.exe | 185.26.182.112:443 | sitecheck2.opera.com | Opera Software AS | — | malicious |
3240 | iexplore.exe | 162.159.133.233:443 | cdn.discordapp.com | Cloudflare Inc | — | shared |
2760 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation
---|---|---
cdn.discordapp.com | | shared
api.bing.com | | whitelisted
www.bing.com | | whitelisted
ctldl.windowsupdate.com | | whitelisted
ocsp.digicert.com | | whitelisted
certs.opera.com | | whitelisted
crl3.digicert.com | | whitelisted
sitecheck2.opera.com | | whitelisted
transfer.sh | | whitelisted
iecvlist.microsoft.com | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
2224 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
2224 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
2224 | opera.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
— | — | Potentially Bad Traffic | ET POLICY Observed DNS Query to File Transfer Service Domain (transfer .sh) |
2148 | image_44041.jpg.exe | Potential Corporate Privacy Violation | ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh) |
2596 | image_44044.jpg.exe | Potential Corporate Privacy Violation | ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh) |
2940 | image_44051.jpg.exe | Potential Corporate Privacy Violation | ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh) |
3264 | image_44051.jpg.exe | Potential Corporate Privacy Violation | ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh) |
— | — | Potential Corporate Privacy Violation | ET POLICY Observed File Transfer Service SSL/TLS Certificate (transfer .sh) |