analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://www.sodaplayer.com/

Full analysis: https://app.any.run/tasks/c8af82e2-5b94-4983-8b3e-e9dff1475588
Verdict: Malicious activity
Analysis date: February 09, 2020, 21:17:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

008E91134A1536385B8A791D915999B4

SHA1:

59006F1812E95F64440C73D26EEBF68BEB28159C

SHA256:

72C11B8313C1C4239CD2019CDB9E1E7ACC3A911C5DFDA3BD326A19E830104414

SSDEEP:

3:N8DSLUEcYR:2OLUEtR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Update.exe (PID: 3132)
      • Squirrel.exe (PID: 1380)
      • Update.exe (PID: 2692)
      • Update.exe (PID: 1812)
      • ace_engine.exe (PID: 2908)
      • ace_engine.exe (PID: 376)

    • Loads dropped or rewritten executable

      • Soda Player.exe (PID: 3764)
      • Soda Player.exe (PID: 1748)
      • Soda Player.exe (PID: 2436)
      • Soda Player.exe (PID: 2096)
      • Soda Player.exe (PID: 2836)
      • Soda Player.exe (PID: 2752)
      • Soda Player.exe (PID: 3864)
      • Soda Player.exe (PID: 3604)
      • Soda Player.exe (PID: 2056)
      • Soda Player.exe (PID: 1800)
      • Soda Player.exe (PID: 536)
      • ace_engine.exe (PID: 2908)
      • ace_engine.exe (PID: 376)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • SodaPlayerSetup 1.4.2.exe (PID: 3356)
      • Update.exe (PID: 3132)
      • Squirrel.exe (PID: 1380)
      • Soda Player.exe (PID: 2836)

    • Uses REG.EXE to modify Windows registry

      • Soda Player.exe (PID: 3764)
      • Soda Player.exe (PID: 1748)

    • Modifies the open verb of a shell class

      • reg.exe (PID: 1028)
      • reg.exe (PID: 604)
      • reg.exe (PID: 3448)

    • Creates files in the user directory

      • Update.exe (PID: 2692)
      • Soda Player.exe (PID: 1748)
      • ace_engine.exe (PID: 2908)
      • Soda Player.exe (PID: 2836)

    • Reads Environment values

      • Update.exe (PID: 3132)

    • Creates a software uninstall entry

      • Update.exe (PID: 3132)

    • Application launched itself

      • Soda Player.exe (PID: 1748)
      • ace_engine.exe (PID: 2908)

    • Reads CPU info

      • Soda Player.exe (PID: 2752)

    • Starts CMD.EXE for commands execution

      • NETSTAT.EXE (PID: 1136)
      • Soda Player.exe (PID: 2836)
      • ace_engine.exe (PID: 2908)

    • Uses NETSTAT.EXE to discover network connections

      • cmd.exe (PID: 1632)

    • Uses IPCONFIG.EXE to discover IP address

      • cmd.exe (PID: 3276)

    • Uses ATTRIB.EXE to modify file attributes

      • cmd.exe (PID: 820)
      • cmd.exe (PID: 2668)

    • Uses TASKLIST.EXE to query information about running processes

      • cmd.exe (PID: 3608)

    • Loads Python modules

      • ace_engine.exe (PID: 2908)
      • ace_engine.exe (PID: 376)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2956)
      • iexplore.exe (PID: 2400)

    • Dropped object may contain TOR URL's

      • iexplore.exe (PID: 2400)

    • Changes internet zones settings

      • iexplore.exe (PID: 2956)

    • Creates files in the user directory

      • iexplore.exe (PID: 2400)
      • iexplore.exe (PID: 2956)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2400)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2956)

    • Reads the hosts file

      • Soda Player.exe (PID: 3764)
      • Soda Player.exe (PID: 1748)

    • Reads settings of System Certificates

      • Update.exe (PID: 3132)
      • Soda Player.exe (PID: 1748)
      • iexplore.exe (PID: 2956)

    • Dropped object may contain Bitcoin addresses

      • Soda Player.exe (PID: 2836)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2956)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
103
Monitored processes
46
Malicious processes
17
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start drop and start drop and start iexplore.exe iexplore.exe sodaplayersetup 1.4.2.exe update.exe squirrel.exe soda player.exe no specs update.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs soda player.exe soda player.exe no specs soda player.exe soda player.exe no specs soda player.exe no specs soda player.exe no specs soda player.exe no specs soda player.exe no specs soda player.exe no specs soda player.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs reg.exe no specs update.exe cmd.exe no specs tasklist.exe no specs ace_engine.exe cmd.exe no specs netstat.exe no specs cmd.exe no specs route.exe no specs cmd.exe no specs ipconfig.exe no specs cmd.exe no specs attrib.exe no specs ace_engine.exe no specs cmd.exe no specs attrib.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2956"C:\Program Files\Internet Explorer\iexplore.exe" https://www.sodaplayer.com/C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2400"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2956 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3356"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\SodaPlayerSetup 1.4.2.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\SodaPlayerSetup 1.4.2.exe
iexplore.exe
User:
admin
Company:
Soda Player
Integrity Level:
MEDIUM
Description:
The most feature-packed video player ever made.
Exit code:
0
Version:
1.4.2
3132"C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe" --install . C:\Users\admin\AppData\Local\SquirrelTemp\Update.exe
SodaPlayerSetup 1.4.2.exe
User:
admin
Company:
GitHub
Integrity Level:
MEDIUM
Description:
Update
Exit code:
0
Version:
1.7.9.0
1380"C:\Users\admin\AppData\Local\sodaplayer\app-1.4.2\Squirrel.exe" --updateSelf=C:\Users\admin\AppData\Local\SquirrelTemp\Update.exeC:\Users\admin\AppData\Local\sodaplayer\app-1.4.2\Squirrel.exe
Update.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
3764"C:\Users\admin\AppData\Local\sodaplayer\app-1.4.2\Soda Player.exe" --squirrel-install 1.4.2C:\Users\admin\AppData\Local\sodaplayer\app-1.4.2\Soda Player.exeUpdate.exe
User:
admin
Company:
Soda Player
Integrity Level:
MEDIUM
Description:
Soda Player
Exit code:
0
Version:
1.4.2
2692C:\Users\admin\AppData\Local\sodaplayer\Update.exe --createShortcut "Soda Player.exe"C:\Users\admin\AppData\Local\sodaplayer\Update.exeSoda Player.exe
User:
admin
Company:
GitHub
Integrity Level:
MEDIUM
Description:
Update
Exit code:
0
Version:
1.7.9.0
820C:\Windows\system32\reg.exe DELETE HKCU\Software\Classes\sodaplayer /fC:\Windows\system32\reg.exeSoda Player.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3524C:\Windows\system32\reg.exe ADD HKCU\Software\Classes\sodaplayer /ve /t REG_SZ /d URL:sodaplayer /fC:\Windows\system32\reg.exeSoda Player.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4068C:\Windows\system32\reg.exe ADD HKCU\Software\Classes\sodaplayer /v "URL Protocol" /t REG_SZ /d "" /fC:\Windows\system32\reg.exeSoda Player.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
7 347
Read events
2 074
Write events
0
Delete events
0

Modification events

No data
Executable files
147
Suspicious files
137
Text files
233
Unknown types
280

Dropped files

PID
Process
Filename
Type
2400iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab6C8D.tmp
MD5:
SHA256:
2400iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar6C8E.tmp
MD5:
SHA256:
2400iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\main[1].csstext
MD5:F32EE52B7E06F9A39F4011C69219BCEF
SHA256:30F50C60931C2E8705FBB17814281E458D1AA6D30A8BD48A7097D0316EE73AD8
2400iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\main[1].jstext
MD5:20871D11B3C8F8B4126E9ADFC7BF138D
SHA256:E9EDC696FD6FF21D0695E95929B77DE7EB91535847F4F9203B623C005227594F
2400iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\HWYJH8NS.txttext
MD5:BF03165905C74A3E6DE09A1EC034B48E
SHA256:B504DD3A41715A6DE6FADB87228A2DE1650C42225E4780AFF472673FBB3568C7
2400iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9EC3B71635F8BA3FC68DE181A104A0EF_F6C39EF89D8A3A72327D8412589658B2binary
MD5:2B5599C24ED8BFDF361DD0D651AE8C48
SHA256:979D2DF60F32EF8BBC9D19F8A876083A0A38F82F6067413A0BB0AFC5A00C4521
2400iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\PANGYP2Q.htmhtml
MD5:2E905E69E96CA9269AA56A8228334AE1
SHA256:6C20D35BEBC1FEAAB2C0F64E9906CE214D2171107CA1B8D12981D6B7B8C3EA95
2400iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C1B3CC7FF1466C71640A202F8258105B_0BE5CCF3469D7CC890B58C8BD9E56C1Ader
MD5:878635DA33F0D43F616C3672ACF6A759
SHA256:3B7F32F5815F51B131DCD1706052DE7020E23C4761D70C44E684E21E1304A270
2400iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1der
MD5:99D9BF45C0E91AA0FF83CE6493041DFE
SHA256:AFDC7BCB11AD124C629E21F5B02DFCF3CAD180756971A82A5DD6167DD9B7E782
2400iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5ABder
MD5:3A98163998F5A092AE5004CE2032CA10
SHA256:C17CB9A31A2A6AC19469E99F568BAE0A509313761CF0EB82CDB13051505A712C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
37
TCP/UDP connections
233
DNS requests
42
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2400
iexplore.exe
GET
200
216.58.207.67:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
2400
iexplore.exe
GET
200
216.58.207.67:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
2400
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrJdiQ%2Ficg9B19asFe73bPYs%2BreAQUdXGnGUgZvJ2d6kFH35TESHeZ03kCEFslzmkHxCZVZtM5DJmpVK0%3D
US
der
313 b
whitelisted
2400
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.trust-provider.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEENSAj%2F6qJAfE5%2Fj9OXBRE4%3D
US
der
471 b
whitelisted
2400
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
US
der
471 b
whitelisted
2400
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
US
der
1.47 Kb
whitelisted
2400
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.trust-provider.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEENSAj%2F6qJAfE5%2Fj9OXBRE4%3D
US
der
471 b
whitelisted
2400
iexplore.exe
GET
200
216.58.207.67:80
http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQD6Ee7RUf7bMAgAAAAAKrKe
US
der
472 b
whitelisted
2400
iexplore.exe
GET
200
216.58.207.67:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
2400
iexplore.exe
GET
200
216.58.207.67:80
http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEBi17v2iewEJCAAAAAAqstc%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2400
iexplore.exe
172.217.22.42:443
fonts.googleapis.com
Google Inc.
US
whitelisted
2400
iexplore.exe
151.139.128.14:80
ocsp.trust-provider.com
Highwinds Network Group, Inc.
US
suspicious
2400
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2400
iexplore.exe
172.217.23.138:443
ajax.googleapis.com
Google Inc.
US
whitelisted
2400
iexplore.exe
104.16.85.20:443
cdn.jsdelivr.net
Cloudflare Inc
US
shared
2400
iexplore.exe
151.101.12.157:443
platform.twitter.com
Fastly
US
suspicious
2400
iexplore.exe
104.28.6.182:443
www.sodaplayer.com
Cloudflare Inc
US
unknown
2956
iexplore.exe
104.28.6.182:443
www.sodaplayer.com
Cloudflare Inc
US
unknown
2400
iexplore.exe
185.60.216.19:443
connect.facebook.net
Facebook, Inc.
IE
whitelisted
2956
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
www.sodaplayer.com
  • 104.28.6.182
  • 104.28.7.182
malicious
ocsp.digicert.com
  • 93.184.220.29
whitelisted
cdn.jsdelivr.net
  • 104.16.85.20
  • 104.16.86.20
  • 104.16.88.20
  • 104.16.89.20
  • 104.16.87.20
whitelisted
fonts.googleapis.com
  • 172.217.22.42
whitelisted
ajax.googleapis.com
  • 172.217.23.138
whitelisted
platform.twitter.com
  • 151.101.12.157
whitelisted
ocsp.trust-provider.com
  • 151.139.128.14
whitelisted
ocsp.pki.goog
  • 216.58.207.67
whitelisted
ocsp.comodoca4.com
  • 151.139.128.14
whitelisted
connect.facebook.net
  • 185.60.216.19
whitelisted

Threats

PID
Process
Class
Message
2836
Soda Player.exe
Potential Corporate Privacy Violation
ET P2P BitTorrent DHT ping request
2908
ace_engine.exe
Attempted Information Leak
ET POLICY Python-urllib/ Suspicious User Agent
2908
ace_engine.exe
Attempted Information Leak
ET POLICY Python-urllib/ Suspicious User Agent
2908
ace_engine.exe
Attempted Information Leak
ET POLICY Python-urllib/ Suspicious User Agent
Potentially Bad Traffic
ET DNS Query to a .tk domain - Likely Hostile
2908
ace_engine.exe
Potential Corporate Privacy Violation
ET P2P Vuze BT UDP Connection (5)
2908
ace_engine.exe
Attempted Information Leak
ET POLICY Python-urllib/ Suspicious User Agent
2908
ace_engine.exe
Attempted Information Leak
ET POLICY Python-urllib/ Suspicious User Agent
Potential Corporate Privacy Violation
ET P2P BitTorrent DHT nodes reply
Potential Corporate Privacy Violation
ET P2P BitTorrent DHT announce_peers request
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://www.sodaplayer.com/