analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://www.sendspace.com/file/ef7fsu

Full analysis: https://app.any.run/tasks/8917b7c0-1ac9-47ec-bf00-acf374b6a714
Verdict: Malicious activity
Analysis date: February 11, 2019, 08:32:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

E1187E98AE9373F828575E8B97F962EE

SHA1:

B2000DB93C01995591E92B19C52FA6CA9A3F3489

SHA256:

6D2FC90112EB7F3CD00E4B9E317676785711D858D4449AB548637812741EC58D

SSDEEP:

3:N8DSLEvuGTYomwWQ:2OL0uKWwX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 840)
      • OSB.exe (PID: 3788)

    • Application was dropped or rewritten from another process

      • OSB.exe (PID: 3788)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3312)
      • iexplore.exe (PID: 3208)
      • iexplore.exe (PID: 2996)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3312)
      • iexplore.exe (PID: 3208)

    • Changes internet zones settings

      • iexplore.exe (PID: 2996)

    • Application launched itself

      • iexplore.exe (PID: 2996)

    • Creates files in the user directory

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3832)
      • iexplore.exe (PID: 3312)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2996)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
7
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs iexplore.exe winrar.exe no specs searchprotocolhost.exe no specs osb.exe

Process information

PID
CMD
Path
Indicators
Parent process
2996"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3312"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2996 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3832C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
3208"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2996 CREDAT:203009C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2380"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\OSB[1].rar"C:\Program Files\WinRAR\WinRAR.exeiexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
840"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe6_ Global\UsGthrCtrlFltPipeMssGthrPipe6 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
3788"C:\Users\admin\Desktop\OSB.exe" C:\Users\admin\Desktop\OSB.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
OSB
Exit code:
0
Version:
1.0.0.0
Total events
1 472
Read events
1 354
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
2
Text files
48
Unknown types
4

Dropped files

PID
Process
Filename
Type
2996iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2996iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3312iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@sendspace[1].txt
MD5:
SHA256:
3312iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\client_platform[1].jstext
MD5:85FA397F0B26FA0FD1ACC9094F417DC0
SHA256:90DD7B932E9859024647280BA45EBD685FE676F6CE0C6D8A3EE74032222EED0C
3312iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\ef7fsu[1].htmhtml
MD5:12DD78B93E21CD47C460930BF6DBEADA
SHA256:FFE00522DD9874FBEA87CADB36BAA23F119E09449DF315E787207AD9C4A08724
3312iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\jquery.jstree[1].jstext
MD5:73D0D1CB54D729CC7CB72969FDD7FD00
SHA256:9BC14E510091AA81072ADF418EA5BF39513073E424088A15105A2E246FB521D3
3312iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\jquery-browser-deprecated[1].jstext
MD5:8175420FDF2F5F19F601AFCDCE6C0C3E
SHA256:17393A0497E6F9B957F890E46BFD9F941F554461FACFC20E9A45F4A52AFF3FEB
3312iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\sendspace[1].csstext
MD5:EAD940441B487CBB9105987518856CEF
SHA256:DD93E679A140A218814E4CAC541DC853CEDE15F8455BD0F0FD569EA9C2051E83
3312iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\sw[1].jstext
MD5:78EF7A0FB58742E0C40F410222219E9C
SHA256:62628AD4B886DBCE078BBCAFB0BDB5DD9E550E3EB4A890E5705804DE266B03AA
3312iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\openid[1].csstext
MD5:6AAA3C326547B06D763E789B3EF2F6F4
SHA256:31680FD65EB1E12272010FA9068E02CC60C983422EB3DCFA6526DF94E7EDEDE9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
45
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3788
OSB.exe
POST
200
185.50.25.39:80
http://c9134831.beget.tech/login.php
RU
text
222 b
malicious
2996
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2996
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2996
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3312
iexplore.exe
69.31.136.5:443
www.sendspace.com
GTT Communications Inc.
US
suspicious
3312
iexplore.exe
172.217.22.46:443
apis.google.com
Google Inc.
US
whitelisted
3312
iexplore.exe
74.125.140.156:443
stats.g.doubleclick.net
Google Inc.
US
whitelisted
3312
iexplore.exe
104.19.196.151:443
cdnjs.cloudflare.com
Cloudflare Inc
US
shared
3312
iexplore.exe
13.32.223.5:443
t.mdn2015x4.com
Amazon.com, Inc.
US
unknown
3312
iexplore.exe
172.217.23.142:443
www.google-analytics.com
Google Inc.
US
whitelisted
2996
iexplore.exe
69.31.136.5:443
www.sendspace.com
GTT Communications Inc.
US
suspicious
3788
OSB.exe
185.50.25.39:80
c9134831.beget.tech
Beget Ltd
RU
malicious
3208
iexplore.exe
69.31.136.53:443
fs12n3.sendspace.com
GTT Communications Inc.
US
unknown

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.sendspace.com
  • 69.31.136.5
shared
apis.google.com
  • 172.217.22.46
whitelisted
t.mdn2015x4.com
  • 13.32.223.5
  • 13.32.223.165
  • 13.32.223.83
  • 13.32.223.45
whitelisted
cdnjs.cloudflare.com
  • 104.19.196.151
  • 104.19.198.151
  • 104.19.199.151
  • 104.19.195.151
  • 104.19.197.151
whitelisted
www.google-analytics.com
  • 172.217.23.142
whitelisted
stats.g.doubleclick.net
  • 74.125.140.156
  • 74.125.140.157
  • 74.125.140.154
  • 74.125.140.155
whitelisted
fs12n3.sendspace.com
  • 69.31.136.53
unknown
c9134831.beget.tech
  • 185.50.25.39
malicious

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.sendspace.com/file/ef7fsu