URL: http://dbaworkshop.blogspot.com/2013/05/How-to-perform-a-SCN-based-incomplete-recovery.html

Full analysis: https://app.any.run/tasks/14332f36-6bcb-44a6-ad9e-7ef11462626d
Verdict: Malicious activity
Analysis date: October 14, 2019, 16:30:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 685F5146B73F5FBEF08D33688961171A
SHA1: B250E00FB7AC8E358662F7F249BC93141A48E0F1
SHA256: 7B706427BC17C15BB2A2772C2FE10D6C654113FD0651758F957DBE1E72E80499
SSDEEP: 3:N1KaH4TOloSKMhKgsIqjc6/BdTSX0HIJ:CaHDKGEjc6rTSX0oJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3116)
    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 3336)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2548)
      • chrome.exe (PID: 3336)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2068)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2068)
    • Manual execution by user

      • chrome.exe (PID: 3336)
    • Changes internet zones settings

      • iexplore.exe (PID: 2548)
    • Creates files in the user directory

      • iexplore.exe (PID: 2068)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3116)
    • Reads the hosts file

      • chrome.exe (PID: 3336)
      • chrome.exe (PID: 1956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 95
Monitored processes: 61
Malicious processes: 0
Suspicious processes: 2

Behavior graph

Interactive graph not reproduced here. Nodes shown: iexplore.exe, iexplore.exe, flashutil32_26_0_0_131_activex.exe, chrome.exe, and the remaining chrome.exe child processes (each marked "no specs" in the report).

Process information

PID: 2548
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2068
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2548 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3116
CMD: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding
Path: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe
Parent process: svchost.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version: 26,0,0,131

PID: 3336
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 2152
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6feda9d0,0x6feda9e0,0x6feda9ec
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 2864
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2752 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 3388
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=992,10237195860911727325,9457289700858951769,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=10675019695617980417 --mojo-platform-channel-handle=1000 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Version: 75.0.3770.100

PID: 1956
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=992,10237195860911727325,9457289700858951769,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=6267015359620162502 --mojo-platform-channel-handle=1580 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 3940
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,10237195860911727325,9457289700858951769,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=10901059232176452870 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2212 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100

PID: 3280
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=992,10237195860911727325,9457289700858951769,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=16014622165681054102 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2392 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Version: 75.0.3770.100
Total events: 1 100
Read events: 902
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 206
Text files: 348
Unknown types: 21

Dropped files

PID: 2548 (iexplore.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
Type:
MD5:
SHA256:

PID: 2548 (iexplore.exe)
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Type:
MD5:
SHA256:

PID: 2068 (iexplore.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IC4L61VZ\210157244-ieretrofit[1].js
Type: html
MD5: 83A14CE8A07941331DFB5A615AF96CA9
SHA256: C17B6213AB3A96180261DEC659C93EC2D6D3691A7FFE1AE09173C1BA124CC6C4

PID: 2068 (iexplore.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
Type: dat
MD5: D0AC1E6DCBF679C6AFC729F8CB9EC296
SHA256: 090054E516E8720428AB8DDF2EC115599D912EB8C99E76F42FC8833AB5A48FC3

PID: 2068 (iexplore.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
Type: dat
MD5: A11AC272163B8A2DDB4FF81829A5613C
SHA256: 4B0CCC4DF04C05ECA0E4286F612BE3F87B03B667B6BE34C10B3CEBF5D23BE79D

PID: 2068 (iexplore.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q58AB90R\cb=gapi[1].loaded_0
Type: text
MD5: 9592A9DDF920739FAD11ECB40E312905
SHA256: AEF6EEB769CC25D6F1776C5F7E97AEF03258C9B5362D72F0D7955633EADF8F09

PID: 2068 (iexplore.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XM1XHYBY\plusone[1].js
Type: html
MD5: 632E7FD3CA61FEF2DD2B7A9F847E5F34
SHA256: D996E8927AE45383450BD8314F8BC89259A528AAA698231FE91D2295872D0496

PID: 2068 (iexplore.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@google[1].txt
Type: text
MD5: D914613A05ADAF7DD58BC6973A838B2E
SHA256: CE5C804313535445650F1121AEE0AFF9A4F2A007CA4D853E35D66AE309BC2D83

PID: 2068 (iexplore.exe)
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
Type: dat
MD5: BC00F101538A821ABCA75759D58FFCEF
SHA256: 5BF18AA37534FDCE70123A75C1C307D2584A00FFF8D483A834B4997770FC1803

PID: 2068 (iexplore.exe)
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\KR5MPS8U\widgets[1].js
Type: text
MD5: 1D8D0709ED691E2BC0472DBFC17C8ABD
SHA256: 90476F48E0B8A9F9C5C11FD16F13FC6A8772FE281D12C8E63153A6F948CDD348
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 186
TCP/UDP connections: 208
DNS requests: 160
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2068 | iexplore.exe | GET | 404 | 64.233.166.82:80 | http://syntaxhighlighter.googlecode.com/svn/trunk/Scripts/shBrushVb.js | US | html | 1.55 Kb | suspicious
2068 | iexplore.exe | GET | 404 | 64.233.166.82:80 | http://syntaxhighlighter.googlecode.com/svn/trunk/Scripts/shBrushPhp.js | US | html | 1.55 Kb | suspicious
2068 | iexplore.exe | GET | 200 | 216.58.205.225:80 | http://dbaworkshop.blogspot.com/2013/05/How-to-perform-a-SCN-based-incomplete-recovery.html | US | html | 38.6 Kb | whitelisted
2068 | iexplore.exe | GET | 301 | 108.174.11.81:80 | http://www.linkedin.com/img/webpromo/btn_viewmy_160x33.png | US | | | whitelisted
2068 | iexplore.exe | GET | 404 | 64.233.166.82:80 | http://syntaxhighlighter.googlecode.com/svn/trunk/Scripts/shBrushJava.js | US | html | 1.56 Kb | suspicious
2068 | iexplore.exe | GET | 404 | 64.233.166.82:80 | http://syntaxhighlighter.googlecode.com/svn/trunk/Scripts/shBrushCpp.js | US | html | 1.55 Kb | suspicious
2068 | iexplore.exe | GET | 404 | 64.233.166.82:80 | http://syntaxhighlighter.googlecode.com/svn/trunk/Scripts/shBrushCss.js | US | html | 1.55 Kb | suspicious
2068 | iexplore.exe | GET | 200 | 93.184.220.66:80 | http://platform.twitter.com/widgets.js | US | text | 28.0 Kb | whitelisted
2068 | iexplore.exe | GET | 404 | 64.233.166.82:80 | http://syntaxhighlighter.googlecode.com/svn/trunk/Scripts/shCore.js | US | html | 1.55 Kb | suspicious
2068 | iexplore.exe | GET | 404 | 64.233.166.82:80 | http://syntaxhighlighter.googlecode.com/svn/trunk/Scripts/shBrushXml.js | US | html | 1.55 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2548 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2068 | iexplore.exe | 64.233.166.82:80 | syntaxhighlighter.googlecode.com | Google Inc. | US | whitelisted
2068 | iexplore.exe | 172.217.18.9:443 | www.blogger.com | Google Inc. | US | whitelisted
2068 | iexplore.exe | 172.217.22.14:443 | apis.google.com | Google Inc. | US | whitelisted
2068 | iexplore.exe | 216.58.205.225:80 | dbaworkshop.blogspot.com | Google Inc. | US | whitelisted
2068 | iexplore.exe | 93.184.220.66:80 | platform.twitter.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2068 | iexplore.exe | 172.217.21.226:80 | pagead2.googlesyndication.com | Google Inc. | US | whitelisted
2068 | iexplore.exe | 185.206.85.82:80 | codice.shinystat.com | Shiny S.r.l. | IT | unknown
2068 | iexplore.exe | 108.174.11.81:443 | www.linkedin.com | LinkedIn Corporation | US | unknown
2068 | iexplore.exe | 108.174.11.81:80 | www.linkedin.com | LinkedIn Corporation | US | unknown

DNS requests

Domain | IP | Reputation
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
dbaworkshop.blogspot.com | 216.58.205.225 | whitelisted
www.blogger.com | 172.217.18.9 | shared
dns.msftncsi.com | 131.107.255.255 | shared
syntaxhighlighter.googlecode.com | 64.233.166.82 | suspicious
apis.google.com | 172.217.22.14, 172.217.23.142 | whitelisted
platform.twitter.com | 93.184.220.66, 192.229.233.25 | whitelisted
pagead2.googlesyndication.com | 172.217.21.226, 172.217.22.98 | whitelisted
resources.blogblog.com | 172.217.18.9 | whitelisted
www.blogblog.com | 172.217.18.9 | whitelisted

Threats

PID | Process | Class | Message
1956 | chrome.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request (6 identical alerts)
No debug info