URL: http://mabruuk.ridvxn.site/g5hHLoyE

Full analysis: https://app.any.run/tasks/019ccf51-18df-4622-b87e-7562a8c6ab9b
Verdict: Malicious activity (no malicious or suspicious behavioral signatures fired in this run; the only malicious markers in the report are the reputation tags on mabruuk.ridvxn.site and 185.173.26.236 in the network section)
Analysis date: January 18, 2019, 09:51:14
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 400466865BD53C2C4344205882CDDC02
SHA1: 4D146E99B29EC7D985D46997E0763B73F04AE1A4
SHA256: 74FC3BF485344DE5700316970CE3416FE3BF2FB0C14B8E6A21497D5C9DBCF11E
SSDEEP: 3:N1KTYQedegCYtVgn:CBedegCog

ANY.RUN is an interactive service that provides full access to the guest system. Information in this report may have been influenced by analyst actions inside the VM and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS: No malicious indicators.
  • SUSPICIOUS: No suspicious indicators.
  • INFO:
    • Application launched itself: iexplore.exe (PID: 2672)
    • Reads Internet Explorer settings: iexplore.exe (PID: 3060)
    • Changes Internet zones settings: iexplore.exe (PID: 2672)
    • Reads Internet Cache settings: iexplore.exe (PID: 3060)
    • Creates files in the user directory: iexplore.exe (PID: 3060)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 30
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph: start -> iexplore.exe (PID 2672) -> iexplore.exe (PID 3060); process details below.

Process information

PID 2672: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll

PID 3060: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2672 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe (PID 2672)
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\systemroot\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll
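The two processes above are the Internet Explorer 8 frame process (PID 2672, MEDIUM integrity, started by explorer.exe) and the tab process it spawned (PID 3060, LOW integrity, whose command line names the frame PID in SCODEF:2672); this frame-to-tab spawn is what the INFO signature "Application launched itself" records. The script below is an added example, not part of the ANY.RUN report: it parses SCODEF from the command lines, ties each tab back to its frame, and checks that tabs run at LOW integrity as Protected Mode requires. The first two records are copied from the process table; the third (PID 4100) is constructed to show what a tab running outside Protected Mode would look like.

```python
"""Audit Internet Explorer frame/tab relationships and integrity levels.

Added example, not part of the ANY.RUN report. PIDs 2672 and 3060 are copied
from the process table above; PID 4100 is a constructed record used to show a
tab that kept MEDIUM integrity.
"""
import re
from dataclasses import dataclass

SCODEF_RE = re.compile(r"SCODEF:(\d+)")  # tab processes carry the frame PID here


@dataclass(frozen=True)
class Proc:
    pid: int
    cmd: str
    parent: str
    integrity: str


PROCESSES = [
    Proc(2672, '"C:\\Program Files\\Internet Explorer\\iexplore.exe" -nohome',
         "explorer.exe", "MEDIUM"),
    Proc(3060, '"C:\\Program Files\\Internet Explorer\\iexplore.exe" SCODEF:2672 CREDAT:71937',
         "iexplore.exe", "LOW"),
    # Constructed: a tab process that runs at MEDIUM, i.e. Protected Mode not in effect.
    Proc(4100, '"C:\\Program Files\\Internet Explorer\\iexplore.exe" SCODEF:2672 CREDAT:9001',
         "iexplore.exe", "MEDIUM"),
]


def classify(proc: Proc) -> dict:
    """A frame process has no SCODEF; a tab process names its frame PID in SCODEF."""
    m = SCODEF_RE.search(proc.cmd)
    if m:
        return {"role": "tab", "frame_pid": int(m.group(1))}
    return {"role": "frame", "frame_pid": None}


def audit(procs: list[Proc]) -> list[str]:
    """Return human-readable findings; an empty list means everything looked as expected."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        info = classify(p)
        if info["role"] == "frame":
            if p.integrity != "MEDIUM":
                findings.append(f"PID {p.pid}: frame process at {p.integrity}, expected MEDIUM")
            continue
        frame = by_pid.get(info["frame_pid"])
        if frame is None:
            findings.append(f"PID {p.pid}: SCODEF points at unknown PID {info['frame_pid']}")
        elif classify(frame)["role"] != "frame":
            findings.append(f"PID {p.pid}: SCODEF {info['frame_pid']} is not a frame process")
        # Protected Mode runs Internet-zone tabs at LOW integrity. A MEDIUM tab means
        # Protected Mode was off, or the page was in a zone where it does not apply.
        if p.integrity != "LOW":
            findings.append(f"PID {p.pid}: tab process at {p.integrity}, Protected Mode not in effect")
    return findings


if __name__ == "__main__":
    for line in audit(PROCESSES) or ["no findings"]:
        print(line)
```

Run against the two real records alone the audit returns nothing, which matches the report: the page loaded in an Internet-zone tab at LOW integrity, so anything it dropped landed in the Low cache and cookie folders listed under Dropped files. Protected Mode is a per-zone setting, so treat a MEDIUM tab as a lead to confirm against the zone of the URL, not as a verdict on its own.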
Total events: 330
Read events: 285
Write events: 45
Delete events: 0

Modification events (all by PID 2672, iexplore.exe; operation: write)

Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
  CompatibilityFlags = 0
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
  UNCAsIntranet = 0
  AutoDetect = 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
  SecuritySafe = 1
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  ProxyEnable = 0
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
  SavedLegacySettings = (value not shown in this report)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
  {A733F189-1B06-11E9-BAD8-5254004A04AF} = 0
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
  Type = 4
  Count = 3
  Time = E3070100050012000900330029008002
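Two of the values written above carry timestamps that can be checked against the analysis date. The `Time` value under Ext\Stats is a 16-byte little-endian Windows SYSTEMTIME (eight 16-bit fields: year, month, day of week, day, hour, minute, second, milliseconds), and the key name created under Recovery\Active is a version-1 (time-based) UUID, whose time fields count 100-nanosecond ticks since 1582-10-15 and whose node field is a MAC address. The decoder below is an added example, not part of the ANY.RUN report; both inputs are copied verbatim from the table above and the layouts follow the documented SYSTEMTIME structure and RFC 4122.

```python
"""Decode the time-bearing registry artifacts from the modification events above.

Added example, not part of the ANY.RUN report. The two inputs are copied from
the report; the byte layouts follow the Windows SYSTEMTIME structure and the
RFC 4122 version-1 UUID format.
"""
import struct
import uuid
from datetime import datetime, timedelta

# Value of ...\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore -> Time
EXT_STATS_TIME_HEX = "E3070100050012000900330029008002"

# Key name written under HKCU\Software\Microsoft\Internet Explorer\Recovery\Active
RECOVERY_ACTIVE_GUID = "{A733F189-1B06-11E9-BAD8-5254004A04AF}"

WEEKDAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")
UUID_EPOCH = datetime(1582, 10, 15)  # start of the Gregorian calendar, per RFC 4122


def decode_systemtime(hex_value: str) -> dict:
    """Parse a 16-byte little-endian SYSTEMTIME and sanity-check its day-of-week field."""
    raw = bytes.fromhex(hex_value)
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME must be exactly 16 bytes")
    year, month, dow, day, hour, minute, second, millis = struct.unpack("<8H", raw)
    ts = datetime(year, month, day, hour, minute, second, millis * 1000)
    # SYSTEMTIME: Sunday=0..Saturday=6; datetime.weekday(): Monday=0..Sunday=6.
    if (ts.weekday() + 1) % 7 != dow:
        raise ValueError("day-of-week field does not match the date")
    return {"timestamp": ts, "weekday": WEEKDAYS[dow]}


def decode_v1_uuid(guid: str) -> dict:
    """Extract timestamp and node (MAC) from a version-1 UUID; reject other versions."""
    u = uuid.UUID(guid)
    if u.version != 1:
        raise ValueError(f"not a time-based UUID (version {u.version})")
    # u.time is the 60-bit count of 100 ns intervals since UUID_EPOCH.
    ts = UUID_EPOCH + timedelta(microseconds=u.time // 10)
    mac = ":".join(f"{(u.node >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))
    return {"timestamp": ts, "node": mac, "clock_seq": u.clock_seq}


if __name__ == "__main__":
    st = decode_systemtime(EXT_STATS_TIME_HEX)
    print(f"Ext\\Stats Time : {st['timestamp']} ({st['weekday']}, local time of the VM)")
    v1 = decode_v1_uuid(RECOVERY_ACTIVE_GUID)
    print(f"Recovery GUID  : {v1['timestamp']} UTC, node {v1['node']}")
```

Both artifacts land within half a minute of the reported analysis date of January 18, 2019, 09:51:14: the SYSTEMTIME decodes to Friday 2019-01-18 09:51:41.640 and the GUID to 2019-01-18 09:51:40 UTC, which is what you would expect for a browser started seconds after the task began. The GUID's node field, 52:54:00:4a:04:af, carries the 52:54:00 prefix that QEMU/KVM assigns to virtual NICs by default, so a version-1 GUID left in the registry is one of the ways a sample can learn it is running in a virtual machine, and one of the ways an analyst can tie an artifact back to a specific sandbox host.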
Executable files: 0
Suspicious files: 0
Text files: 29
Unknown types: 2

Dropped files

PID 2672, iexplore.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
    Type: not shown   MD5/SHA256: not shown in this report
  C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
    Type: not shown   MD5/SHA256: not shown in this report

PID 3060, iexplore.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
    Type: not shown   MD5/SHA256: not shown in this report
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
    Type: text
    MD5: 62D0A184E9995B8B9B11DDCA556357F0
    SHA256: 118B41FC2A3384C0290948D67B2D4C81498B725DFE442B848330ECB640651822
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\login[1].css
    Type: text
    MD5: C1F5297FA113E77D4ECA397D38D47A07
    SHA256: B667F15F318996325D7C46904E89869CAC05ECDBEFCFBCACE58CC6C48CC6ECDF
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\login[1].js
    Type: text
    MD5: 68714B592EE415662FC8880BC880A083
    SHA256: 2F6A840C392353A3EAC6D2F49E83636F5F5FECE9F5EFD6D31A2D0E7C644B4871
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\theme[1].css
    Type: text
    MD5: 3ED49F63CA98F670BF0BB5C4BC49D3A6
    SHA256: B138392B633F94F481447C6F26302DAA5D02DFC5BDC04682147631ED58001C2E
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\style[1].css
    Type: text
    MD5: F57E58A9BC267F2D2B9EC46A560163CF
    SHA256: 8E6B02967F2746002FF5F8ED2B9ADF75231956664F1AD2C62A9FF3D94E2C1119
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\datatables[1].css
    Type: text
    MD5: 4DFC2A2569CE7A6F0B21AEC8937F1B0D
    SHA256: 28E00E27F63EDD30CEBB8C4638A72DB92A56ACF2405CA0916B06B6F27249D32B
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\bootstrap-fileupload[1].css
    Type: text
    MD5: 8C00A719F86A99DF2FC98203ACEB7E22
    SHA256: B8A122CB3B4BD7A8D0F03809A1807CEA17AD4692F46E7E3E0F92914917EC4308
Download the PCAP, analyze network streams, HTTP content and more in the full report
HTTP(S) requests: 33
TCP/UDP connections: 7
DNS requests: 2
Threats: 0

HTTP requests

All ten requests listed here were made by PID 3060 (iexplore.exe) to 185.173.26.236:80 (CN: DE), and every one carries the reputation "malicious". The report counts 33 HTTP(S) requests in total; this page shows ten of them.

Method  Code  Type  Size     URL
GET     307   -     -        http://mabruuk.ridvxn.site/
GET     307   -     -        http://mabruuk.ridvxn.site/g5hHLoyE
GET     307   -     -        http://mabruuk.ridvxn.site/themes/default/admin/assets/js/respond.min.js
GET     307   -     -        http://mabruuk.ridvxn.site/admin
GET     200   text  2.00 Kb  http://mabruuk.ridvxn.site/themes/default/admin/assets/styles/theme.css
GET     200   text  52.3 Kb  http://mabruuk.ridvxn.site/themes/default/admin/assets/styles/style.css
GET     200   text  39.3 Kb  http://mabruuk.ridvxn.site/themes/default/admin/assets/js/login.js
GET     200   html  7.24 Kb  http://mabruuk.ridvxn.site/admin/login
GET     200   text  81.6 Kb  http://mabruuk.ridvxn.site/themes/default/admin/assets/js/jquery-2.0.3.min.js
GET     200   text  61.5 Kb  http://mabruuk.ridvxn.site/themes/default/admin/assets/styles/helpers/redactor.css

Connections

PID   Process       IP:port            Domain               ASN                                 CN  Reputation
2672  iexplore.exe  204.79.197.200:80  www.bing.com         Microsoft Corporation               US  whitelisted
3060  iexplore.exe  185.173.26.236:80  mabruuk.ridvxn.site  Digital Energy Technologies Limited  DE  malicious

DNS requests

Domain               Resolved IPs                    Reputation
www.bing.com         204.79.197.200, 13.107.21.200   whitelisted
mabruuk.ridvxn.site  185.173.26.236                  malicious

Threats

No threats detected
No debug info