URL: http://tascur.co.za/bestmy/gdrive/index.php

Full analysis: https://app.any.run/tasks/886f043e-5648-4c39-b8bc-97ab47084288
Verdict: Malicious activity
Analysis date: January 10, 2019, 19:09:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir, phishing
Indicators:
  MD5: 620938D4C001CE1462B5732291A0D827
  SHA1: F0340856BC27F0AB8F852B8AF702BD71D38E66C1
  SHA256: 72C9D14CFDAD8A0DAFA228AFF6832D7E3DBDFD82E10AB63D1127D0B28AB66659
  SSDEEP: 3:N1KKEmXLREcZBXzl4hHn:CKd9CHn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    No suspicious indicators.
  • INFO
    • Creates files in the user directory
      • iexplore.exe (PID: 3128)
      • iexplore.exe (PID: 2836)
    • Application launched itself
      • iexplore.exe (PID: 2836)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3128)
      • iexplore.exe (PID: 2836)
    • Reads Internet Explorer settings
      • iexplore.exe (PID: 3128)
    • Changes Internet zones settings
      • iexplore.exe (PID: 2836)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2836)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 2836)
    • Changes settings of System Certificates
      • iexplore.exe (PID: 2836)
No Malware configuration.
No data.
Screenshots: see the full report.
Total processes: 31
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> iexplore.exe -> iexplore.exe

Process information

PID 2836
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\lpk.dll

PID 3128
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2836 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll

Total events: 425
Read events: 350
Write events: 71
Delete events: 4

Modification events

(PID) Process: (2836) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  Operation: write   Name: CompatibilityFlags   Value: 0

(PID) Process: (2836) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write   Name: UNCAsIntranet   Value: 0

(PID) Process: (2836) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  Operation: write   Name: AutoDetect   Value: 1

(PID) Process: (2836) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
  Operation: write   Name: SecuritySafe   Value: 1

(PID) Process: (2836) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  Operation: write   Name: ProxyEnable   Value: 0

(PID) Process: (2836) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  Operation: write   Name: SavedLegacySettings   Value: (value omitted)

(PID) Process: (2836) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
  Operation: write   Name: {5B5B27FB-150B-11E9-BAD8-5254004A04AF}   Value: 0

(PID) Process: (2836) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
  Operation: write   Name: Type   Value: 4

(PID) Process: (2836) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
  Operation: write   Name: Count   Value: 3

(PID) Process: (2836) iexplore.exe
  Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
  Operation: write   Name: Time   Value: E307010004000A0013000A000E008103

Executable files: 0
Suspicious files: 0
Text files: 9
Unknown types: 2

Dropped files

PID 2836  iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
  Type: -   MD5: -   SHA256: -

PID 2836  iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Type: -   MD5: -   SHA256: -

PID 3128  iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\login[1].php
  Type: -   MD5: -   SHA256: -

PID 3128  iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\qaa[1].png
  Type: image
  MD5: 6B4938E0618FD9C02A1636782CF77180
  SHA256: 048621A9936B30D3D0B6FC8AFA411F9095602EE2072ED24600041798C9B17158

PID 2836  iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019011020190111\index.dat
  Type: dat
  MD5: 86C7F9A4959A0F492767B5170E0400C2
  SHA256: 209F4EE388F314C474E2DE104235AEF57609D6ADBD2DA31526FBC6F161D0A047

PID 3128  iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\eht[1].png
  Type: image
  MD5: D2E72D33B106E9C9BEBFFE9DFAEC4AE7
  SHA256: 85DCEED424648518B89A2D0E529E469880260AFA293D4C3F6631F25D77E9E5FC

PID 3128  iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\oolou[1].png
  Type: image
  MD5: 144981412F5FDBE0325E0B2FFF3A4C9C
  SHA256: 4C4A577FD428303488F3F53540F41E6625C06DDD9B638302C67F7C1888F83E7D

PID 3128  iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019011020190111\index.dat
  Type: dat
  MD5: FA9CC6F4F5C08F7926C780BE5E9ACDED
  SHA256: 8E34C309983A213DD76D5B81D841239294DC1446CC9CE17B696024DFEFE41FEF

PID 3128  iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\oha[1].png
  Type: image
  MD5: ACC349447E48489775D15C6D35A2D594
  SHA256: EBF9DF12420E2C4F66FB49667EAB8B8AA7C9FD5434BC2FF908CCF2643387348C

PID 3128  iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\o[1].png
  Type: image
  MD5: EC73BA48092C13868425840B848FB56B
  SHA256: 55B07568D6E2633CBD26DAB105654842CAA47723FB93F0B48E94455D989E46A4

HTTP(S) requests: 11
TCP/UDP connections: 8
DNS requests: 3
Threats: 0

HTTP requests

PID 3128  iexplore.exe  GET  302  102.177.158.108:80
  URL: http://tascur.co.za/bestmy/gdrive/index.php
  CN: unknown   Type: -   Size: -   Reputation: malicious

PID 3128  iexplore.exe  GET  200  102.177.158.108:80
  URL: http://tascur.co.za/bestmy/gdrive/eac07807b5a3952d4d90203131d3213a/images/qaa.png
  CN: unknown   Type: image   Size: 57.2 Kb   Reputation: malicious

PID 3128  iexplore.exe  GET  200  102.177.158.108:80
  URL: http://tascur.co.za/bestmy/gdrive/eac07807b5a3952d4d90203131d3213a/login.php?cmd=login_submit&id=cab021a9ab46680cacacd6fd45c34632cab021a9ab46680cacacd6fd45c34632&session=cab021a9ab46680cacacd6fd45c34632cab021a9ab46680cacacd6fd45c34632
  CN: unknown   Type: html   Size: 2.52 Kb   Reputation: malicious

PID 3128  iexplore.exe  GET  302  102.177.158.108:80
  URL: http://tascur.co.za/bestmy/gdrive/eac07807b5a3952d4d90203131d3213a/
  CN: unknown   Type: html   Size: 275 b   Reputation: malicious

PID 2836  iexplore.exe  GET  200  204.79.197.200:80
  URL: http://www.bing.com/favicon.ico
  CN: US   Type: image   Size: 237 b   Reputation: whitelisted

PID 3128  iexplore.exe  GET  200  102.177.158.108:80
  URL: http://tascur.co.za/bestmy/gdrive/eac07807b5a3952d4d90203131d3213a/images/o.png
  CN: unknown   Type: image   Size: 2.42 Kb   Reputation: malicious

PID 3128  iexplore.exe  GET  200  102.177.158.108:80
  URL: http://tascur.co.za/bestmy/gdrive/eac07807b5a3952d4d90203131d3213a/images/oha.png
  CN: unknown   Type: image   Size: 2.36 Kb   Reputation: malicious

PID 3128  iexplore.exe  GET  301  102.177.158.108:80
  URL: http://tascur.co.za/bestmy/gdrive/eac07807b5a3952d4d90203131d3213a
  CN: unknown   Type: html   Size: 275 b   Reputation: malicious

PID 3128  iexplore.exe  GET  200  102.177.158.108:80
  URL: http://tascur.co.za/bestmy/gdrive/eac07807b5a3952d4d90203131d3213a/images/eht.png
  CN: unknown   Type: image   Size: 5.66 Kb   Reputation: malicious

PID 3128  iexplore.exe  GET  200  102.177.158.108:80
  URL: http://tascur.co.za/bestmy/gdrive/eac07807b5a3952d4d90203131d3213a/images/lgoo.png
  CN: unknown   Type: image   Size: 3.50 Kb   Reputation: malicious

Connections

PID 2836  iexplore.exe  172.217.23.164:443  www.google.com
  ASN: Google Inc.   CN: US   Reputation: whitelisted

PID 2836  iexplore.exe  204.79.197.200:80  www.bing.com
  ASN: Microsoft Corporation   CN: US   Reputation: whitelisted

PID 3128  iexplore.exe  102.177.158.108:80  tascur.co.za
  ASN: -   CN: -   Reputation: suspicious

DNS requests

www.bing.com -> 204.79.197.200, 13.107.21.200   Reputation: whitelisted
tascur.co.za -> 102.177.158.108   Reputation: malicious
www.google.com -> 172.217.23.164   Reputation: whitelisted

Threats

PID 3128  iexplore.exe
  Class: A Network Trojan was detected
  Message: SC PHISHING PDF/Phishing - unknown malware

PID 3128  iexplore.exe
  Class: A Network Trojan was detected
  Message: MALWARE [PTsecurity] Google Drive Phishing Landing

PID 3128  iexplore.exe
  Class: A Network Trojan was detected
  Message: ET INFO Suspicious HTML Decimal Obfuscated Title - Possible Phishing Landing Apr 19 2017

No debug info