analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://chogoon.com/srt/l5934

Full analysis: https://app.any.run/tasks/e5892367-4c1e-4af3-8945-47cda93ecb74
Verdict: Malicious activity
Analysis date: November 16, 2019, 09:04:52
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
ta505
Indicators:
MD5:

48C4E51724ADB68E82793A446497E59D

SHA1:

3B1D44ADFDC396CCDA0BA22744CD69E9D1C965F9

SHA256:

7C10DF64962EEF42108F7559F708B71F4E9E707023DD777D7E6435F9748FBF46

SSDEEP:

3:N8Q0QyBXsDWR:2Q0ZBXsDW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • EXCEL.EXE (PID: 2896)

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 2896)

  • SUSPICIOUS

    • Starts Microsoft Office Application

      • iexplore.exe (PID: 2384)
      • EXCEL.EXE (PID: 2896)

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 964)

    • Application launched itself

      • EXCEL.EXE (PID: 2896)

  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 3084)

    • Changes internet zones settings

      • iexplore.exe (PID: 2384)

    • Application launched itself

      • iexplore.exe (PID: 2384)

    • Creates files in the user directory

      • iexplore.exe (PID: 3084)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 964)
      • EXCEL.EXE (PID: 2896)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2384)
      • EXCEL.EXE (PID: 2896)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3084)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 2896)
      • EXCEL.EXE (PID: 2124)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
5
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs excel.exe excel.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2384"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3084"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2384 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
964C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
2896"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Version:
14.0.6024.1000
2124"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXEEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
Total events
2 065
Read events
1 756
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
7
Text files
44
Unknown types
17

Dropped files

PID
Process
Filename
Type
2384iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
2384iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3084iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AD7NGI0L\ws3_onehub-en_com[1].txt
MD5:
SHA256:
3084iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AD7NGI0L\ws3_onehub-en_com[1].htmhtml
MD5:B422F42C0C13CCA3973D78EF377430D6
SHA256:3C8E076EB69496C32E4A94262147E5B572CC1E7D1C05974717183740223F9DEB
3084iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\SCE1X9XP\workspaces-1943206bff0f9b8467f7028ccbaa6c1c5de6dcedfa8313e69[1].csstext
MD5:5190F5BFD74FD2172FADFBB42F9D92D6
SHA256:1943206BFF0F9B8467F7028CCBAA6C1C5DE6DCEDFA8313E695AC1334ACC1A6FA
3084iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V51YAIO5\gtm[1].jstext
MD5:1ED58D0D1757B02F528C21F33F7829B1
SHA256:0DEF0B5EFBCF662045B6816333464CE93B29829A8D7679729F600483A52DCD9C
3084iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\AD7NGI0L\a[1]text
MD5:512AF7361080DF0571360C319B461B09
SHA256:7FBED62327AD291A236F3C7C37810CB848F427C1E68B63B313FFE7350C46C184
3084iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V51YAIO5\fbevents[1].jstext
MD5:32C5CE04419784548A4754E0C7E59857
SHA256:DE5301D381E48CBF168DB3DD34B2835950501574FDD8BD8013EFEE9C854A7499
3084iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:FC7A231EB8F9E3BFEF17063C2F566D06
SHA256:F59FBB4C9BA0133C48D82DEAE30A9D2C04CC24DFC4925597D287E583C53E665B
3084iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V51YAIO5\2004294186529575[1].jstext
MD5:692FF93422D0D1B40FEED55EE3929AC0
SHA256:36A1C00C91676C1CB16AB70C966E6626A266D68DC9EA3A535F520BCFD042B83F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
24
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3084
iexplore.exe
GET
301
185.69.52.50:80
http://onehub-en.com/
LT
html
185 b
unknown
2384
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3084
iexplore.exe
13.224.89.50:443
dp0qkd77b9xjk.cloudfront.net
US
unknown
3084
iexplore.exe
88.99.66.31:443
iplogger.org
Hetzner Online GmbH
DE
malicious
3084
iexplore.exe
185.69.52.50:443
ws3.onehub-en.com
UAB Rakrejus
LT
unknown
3084
iexplore.exe
183.111.138.244:443
chogoon.com
Korea Telecom
KR
unknown
2384
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3084
iexplore.exe
172.217.18.100:443
www.google.com
Google Inc.
US
whitelisted
2384
iexplore.exe
13.224.89.50:443
dp0qkd77b9xjk.cloudfront.net
US
unknown
3084
iexplore.exe
172.217.18.98:443
www.googleadservices.com
Google Inc.
US
whitelisted
3084
iexplore.exe
185.69.52.50:80
ws3.onehub-en.com
UAB Rakrejus
LT
unknown
3084
iexplore.exe
172.217.18.104:443
www.googletagmanager.com
Google Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
chogoon.com
  • 183.111.138.244
whitelisted
ws3.onehub-en.com
  • 185.69.52.50
unknown
dp0qkd77b9xjk.cloudfront.net
  • 13.224.89.50
  • 13.224.89.222
  • 13.224.89.217
  • 13.224.89.22
whitelisted
www.google.com
  • 172.217.18.100
whitelisted
www.google.sk
  • 172.217.16.131
whitelisted
iplogger.org
  • 88.99.66.31
shared
www.googleadservices.com
  • 172.217.18.98
whitelisted
connect.facebook.net
  • 31.13.92.14
whitelisted
www.googletagmanager.com
  • 172.217.18.104
whitelisted

Threats

Found threats are available for the paid subscriptions
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://chogoon.com/srt/l5934