analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://ca.dl-myes.com/dl.php?src=flv

Full analysis: https://app.any.run/tasks/42fc4a19-76df-40f7-82e7-e9df4eb2260e
Verdict: Malicious activity
Analysis date: April 25, 2019, 19:06:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

7445146FB0611FBF9DE44287C4A7C0E0

SHA1:

5670AC87AFEAFD0C624DA641BB30E99E64718F7C

SHA256:

770A99966FCD98F6B5BD542FC3F55158F92CCB0D22C3279D7C1204AEF2417A82

SSDEEP:

3:N8ZLBfx2JnfDd:2zxo5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • dl[1].exe (PID: 3936)
      • dl[1].exe (PID: 2880)
      • espcp_1.0.exe (PID: 2844)
      • espcp_1.0.exe (PID: 3784)
      • ESC.exe (PID: 3676)

    • Changes settings of System certificates

      • dl[1].exe (PID: 3936)
      • ESC.exe (PID: 3676)

    • Loads dropped or rewritten executable

      • ESC.exe (PID: 3676)

    • Loads the Task Scheduler DLL interface

      • espcp_1.0.exe (PID: 3784)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3176)
      • iexplore.exe (PID: 2940)
      • espcp_1.0.exe (PID: 3784)
      • dl[1].exe (PID: 3936)
      • msiexec.exe (PID: 3728)
      • espcp_1.0.exe (PID: 2844)

    • Adds / modifies Windows certificates

      • dl[1].exe (PID: 3936)
      • ESC.exe (PID: 3676)

    • Creates files in the user directory

      • espcp_1.0.exe (PID: 3784)
      • MsiExec.exe (PID: 3428)

    • Application launched itself

      • espcp_1.0.exe (PID: 3784)

    • Creates files in the program directory

      • espcp_1.0.exe (PID: 2844)
      • ESC.exe (PID: 3676)

    • Creates files in the Windows directory

      • msiexec.exe (PID: 3728)

    • Changes the autorun value in the registry

      • msiexec.exe (PID: 3728)

    • Reads Environment values

      • ESC.exe (PID: 3676)

    • Reads CPU info

      • ESC.exe (PID: 3676)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3176)

    • Changes internet zones settings

      • iexplore.exe (PID: 2940)

    • Creates files in the user directory

      • iexplore.exe (PID: 3176)

    • Application launched itself

      • iexplore.exe (PID: 2940)
      • msiexec.exe (PID: 3728)

    • Searches for installed software

      • msiexec.exe (PID: 3728)

    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3448)

    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 3428)
      • MsiExec.exe (PID: 4028)

    • Creates a software uninstall entry

      • msiexec.exe (PID: 3728)

    • Creates files in the program directory

      • msiexec.exe (PID: 3728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
12
Malicious processes
5
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start iexplore.exe iexplore.exe dl[1].exe no specs dl[1].exe espcp_1.0.exe msiexec.exe msiexec.exe espcp_1.0.exe vssvc.exe no specs drvinst.exe no specs msiexec.exe no specs esc.exe

Process information

PID
CMD
Path
Indicators
Parent process
2940"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3176"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2940 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2880"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\dl[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\dl[1].exeiexplore.exe
User:
admin
Company:
Envoy Services
Integrity Level:
MEDIUM
Description:
ES Setup
Exit code:
3221226540
Version:
1.0.0.0
3936"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\dl[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\dl[1].exe
iexplore.exe
User:
admin
Company:
Envoy Services
Integrity Level:
HIGH
Description:
ES Setup
Exit code:
0
Version:
1.0.0.0
3784"C:\Users\admin\AppData\Local\Temp\espcp_1.0.exe" C:\Users\admin\AppData\Local\Temp\espcp_1.0.exe
dl[1].exe
User:
admin
Company:
Envoy Services
Integrity Level:
HIGH
Description:
PC Repair Pro Installer
Exit code:
0
Version:
1.0.0
3728C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3428C:\Windows\system32\MsiExec.exe -Embedding CFB220B1A4A0D059990E03945E4D5342 CC:\Windows\system32\MsiExec.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2844"C:\Users\admin\AppData\Local\Temp\espcp_1.0.exe" /i "C:\Users\admin\AppData\Roaming\Envoy Services\PC Repair Pro 1.0.0\install\UCleaner.msi" AI_EUIMSI=1 APPDIR="C:\Program Files\Envoy Services\PC Repair Pro" CLIENTPROCESSID="3784" SECONDSEQUENCE="1" CHAINERUIPROCESSID="3784Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" AGREE_CHECKBOX="Yes" PRIMARYFOLDER="APPDIR" ROOTDRIVE="C:\" AI_FOUND_PREREQS=".NET Framework 4.0 (web installer)" AI_DETECTED_INTERNET_CONNECTION="1" AI_SETUPEXEPATH="C:\Users\admin\AppData\Local\Temp\espcp_1.0.exe" SETUPEXEDIR="C:\Users\admin\AppData\Local\Temp\" EXE_CMD_LINE="/exenoupdates " TARGETDIR="C:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\admin\AppData\Local\Temp\espcp_1.0.exe" AI_INSTALL="1"C:\Users\admin\AppData\Local\Temp\espcp_1.0.exe
espcp_1.0.exe
User:
admin
Company:
Envoy Services
Integrity Level:
HIGH
Description:
PC Repair Pro Installer
Exit code:
0
Version:
1.0.0
3448C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3672DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "00000390" "000005C4"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
3 529
Read events
3 103
Write events
0
Delete events
0

Modification events

No data
Executable files
28
Suspicious files
9
Text files
213
Unknown types
8

Dropped files

PID
Process
Filename
Type
2940iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
2940iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2940iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF702D9F9C13EE0F72.TMP
MD5:
SHA256:
2940iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFCA16278111BE75E2.TMP
MD5:
SHA256:
2940iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{546777EF-678D-11E9-B3B3-5254004A04AF}.dat
MD5:
SHA256:
2940iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{546777F0-678D-11E9-B3B3-5254004A04AF}.datbinary
MD5:66C60CCBB239B22EADA3B66AFB330170
SHA256:D9D7DBFD344624DC053E31598C1ADA25829B7FC9CD9751ABEF93A2A2D7A399F9
3176iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:2AC6D4FFBFCD6881F229565F268C6D51
SHA256:0DAC217720A93E199DE8C8B0A4387694E82DE585A5AC0769F8ADCE9A7B943CF5
2940iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019042520190426\index.datdat
MD5:3E250BC74603ACB6822C364CA460FAF0
SHA256:9B4B4343204B408D8200F69A96743349029EA606A7D395761E5C9701C78E23D7
3784espcp_1.0.exeC:\Users\admin\AppData\Roaming\Envoy Services\PC Repair Pro 1.0.0\install\holder0.aiph
MD5:
SHA256:
3176iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6BUBOLAE\PC_Repair_3275071010[1].exeexecutable
MD5:B651BD3919BC4AA8CF30653C21FB264D
SHA256:9ED05092A8EDA40AABE6DC2CD41E0A8A8FBBA794C172A71266D645CCD426AA61
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
10
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3428
MsiExec.exe
GET
200
172.217.16.132:80
http://www.google.com/
US
html
13.9 Kb
whitelisted
GET
200
2.16.186.32:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI%3D
unknown
der
471 b
whitelisted
3428
MsiExec.exe
GET
200
172.217.16.132:80
http://www.google.com/
US
html
13.9 Kb
whitelisted
2940
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
GET
200
2.16.186.8:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc%3D
unknown
der
727 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2940
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3936
dl[1].exe
54.37.155.185:443
fr.dl-myes.com
OVH SAS
FR
unknown
3428
MsiExec.exe
172.217.16.132:80
www.google.com
Google Inc.
US
whitelisted
3676
ESC.exe
104.20.62.85:443
wyday.com
Cloudflare Inc
US
shared
2.16.186.32:80
ocsp.usertrust.com
Akamai International B.V.
whitelisted
2.16.186.8:80
ocsp.comodoca.com
Akamai International B.V.
whitelisted
3936
dl[1].exe
46.4.74.228:443
dl-myes.com
Hetzner Online GmbH
DE
unknown
3676
ESC.exe
46.4.74.228:443
dl-myes.com
Hetzner Online GmbH
DE
unknown
3176
iexplore.exe
54.39.23.247:443
ca.dl-myes.com
OVH SAS
FR
unknown

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ca.dl-myes.com
  • 54.39.23.247
unknown
dl-myes.com
  • 46.4.74.228
unknown
fr.dl-myes.com
  • 54.37.155.185
unknown
www.google.com
  • 172.217.16.132
whitelisted
wyday.com
  • 104.20.62.85
  • 104.20.63.85
unknown
ocsp.usertrust.com
  • 2.16.186.32
  • 2.16.186.41
whitelisted
ocsp.comodoca.com
  • 2.16.186.8
  • 2.16.186.16
whitelisted

Threats

Found threats are available for the paid subscriptions
2 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://ca.dl-myes.com/dl.php?src=flv