URL: https://onedrive.live.com/download.aspx?cid=DA091709BFDF76DD&authKey=%21ABTrEDUaCQSP2IY&resid=DA091709BFDF76DD!6284&ithint=%2Ezip

Full analysis: https://app.any.run/tasks/f04bd3f0-6bb6-480d-8833-c65b0e343554
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: May 24, 2019, 12:23:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: loader, trojan
Indicators:
MD5: 2BDF03E5F65D5DAB7773FDE16DD74308
SHA1: C0CAA2D6420AD81F434A9CB094FFF44313053AFB
SHA256: 7DC2C9303B9B83DDE1CE236D749E922150556A6AA4475EBFF3BE8438A86CB8F3
SSDEEP: 3:N8Ck3CTwKKfeqUzdc3NcOuRghgFW1lVcUzdc38dREUIc:2CkST/Kfeq863NcOo+c863MWUN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Uses BITSADMIN.EXE for downloading application
      • WScript.exe (PID: 2616)
  • SUSPICIOUS
    • Creates files in the program directory
      • firefox.exe (PID: 2860)
  • INFO
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 772)
      • iexplore.exe (PID: 1664)
    • Changes internet zones settings
      • iexplore.exe (PID: 3464)
    • Reads internet explorer settings
      • iexplore.exe (PID: 772)
      • iexplore.exe (PID: 1664)
    • Application launched itself
      • iexplore.exe (PID: 3464)
      • firefox.exe (PID: 2860)
    • Creates files in the user directory
      • iexplore.exe (PID: 772)
      • iexplore.exe (PID: 3464)
      • iexplore.exe (PID: 1664)
      • firefox.exe (PID: 2860)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3464)
    • Changes settings of System certificates
      • iexplore.exe (PID: 3464)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 3464)
    • Manual execution by user
      • explorer.exe (PID: 1828)
      • firefox.exe (PID: 2860)
      • explorer.exe (PID: 2732)
      • WinRAR.exe (PID: 3252)
      • WScript.exe (PID: 2616)
      • cmd.exe (PID: 2764)
    • Reads CPU info
      • firefox.exe (PID: 2860)
No Malware configuration.
No data.
Total processes: 55
Monitored processes: 15
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Processes in the graph, in the order shown (labels in parentheses are as given in the report):
  • start
  • iexplore.exe
  • iexplore.exe
  • iexplore.exe
  • explorer.exe (no specs)
  • firefox.exe
  • firefox.exe (no specs)
  • firefox.exe
  • firefox.exe
  • firefox.exe
  • explorer.exe (no specs)
  • winrar.exe (no specs)
  • wscript.exe (no specs)
  • wmic.exe (no specs)
  • bitsadmin.exe (no specs)
  • cmd.exe (no specs)

Process information

PID: 3464
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://onedrive.live.com/download.aspx?cid=DA091709BFDF76DD&authKey=%21ABTrEDUaCQSP2IY&resid=DA091709BFDF76DD!6284&ithint=%2Ezip
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 772
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3464 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 1664
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3464 CREDAT:6403
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 1828
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2860
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 65.0.2

PID: 1208
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2860.0.1333195734\473565043" -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - "C:\Users\admin\AppData\LocalLow\Mozilla\Temp-{ce348e4c-7d33-445e-89f9-60108c51bcaf}" 2860 "\\.\pipe\gecko-crash-server-pipe.2860" 1132 gpu
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 65.0.2

PID: 3140
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2860.6.829585801\1169167240" -childID 1 -isForBrowser -prefsHandle 1524 -prefMapHandle 1556 -prefsLen 1 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2860 "\\.\pipe\gecko-crash-server-pipe.2860" 1712 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 65.0.2

PID: 3620
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2860.13.1192451611\945577532" -childID 2 -isForBrowser -prefsHandle 2576 -prefMapHandle 2304 -prefsLen 216 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2860 "\\.\pipe\gecko-crash-server-pipe.2860" 2604 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 65.0.2

PID: 1152
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2860.20.257410819\225195408" -childID 3 -isForBrowser -prefsHandle 3480 -prefMapHandle 3492 -prefsLen 5882 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2860 "\\.\pipe\gecko-crash-server-pipe.2860" 3504 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Version: 65.0.2

PID: 2732
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 462
Read events: 1 352
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 64
Text files: 78
Unknown types: 52

Dropped files

PID 3464, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
  Type: (not listed); MD5: (not listed); SHA256: (not listed)
PID 3464, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Type: (not listed); MD5: (not listed); SHA256: (not listed)
PID 772, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\645ZAY27\download[1].aspx
  Type: (not listed); MD5: (not listed); SHA256: (not listed)
PID 772, iexplore.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
  Type: dat; MD5: D002991350D87C0916176D73CD4772C2; SHA256: 7B5F5B1C4F7EE94CB8553EBCAB2DD636ECE69E8886D100BFF1E7CAB8E51D9ECE
PID 772, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\645ZAY27\download[1].htm
  Type: html; MD5: 79B3B8F781F8CC319A7235D41EC2C356; SHA256: 2155BECB0ABD3951553A3F182C14BD2960B189D80081A1BB9A984F2C344AEF9A
PID 772, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
  Type: dat; MD5: 647C301241A8B947FDBEAB59DEFD435B; SHA256: 1A46526B9DAA766E3C9ED62A57A4416C998E269883D081CE93CF1C72EA976851
PID 3464, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
  Type: ini; MD5: 4A3DEB274BB5F0212C2419D3D8D08612; SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
PID 772, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XTWOKNUG\desktop.ini
  Type: ini; MD5: 4A3DEB274BB5F0212C2419D3D8D08612; SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
PID 772, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini
  Type: ini; MD5: 4A3DEB274BB5F0212C2419D3D8D08612; SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
PID 772, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\645ZAY27\desktop.ini
  Type: ini; MD5: 4A3DEB274BB5F0212C2419D3D8D08612; SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
HTTP(S) requests: 15
TCP/UDP connections: 50
DNS requests: 103
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2860 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
(not listed) | (not listed) | HEAD | 200 | 216.120.237.103:80 | http://pretty.rooftransformers.com/finagle.png?bg=sp41&os=TWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWwgDQ0KDQ0KDQ0KDQ0K&av= | US | (not listed) | (not listed) | malicious
2860 | firefox.exe | POST | 200 | 172.217.18.163:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted
2860 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2860 | firefox.exe | POST | 200 | 172.217.18.163:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted
2860 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
3464 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
2860 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2860 | firefox.exe | POST | 200 | 172.217.18.163:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted
2860 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
772 | iexplore.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious
3464 | iexplore.exe | 2.19.37.83:443 | p.sfx.ms | Akamai International B.V. | (not listed) | whitelisted
772 | iexplore.exe | 2.16.186.40:443 | spoprod-a.akamaihd.net | Akamai International B.V. | (not listed) | whitelisted
1664 | iexplore.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious
772 | iexplore.exe | 2.19.37.83:443 | p.sfx.ms | Akamai International B.V. | (not listed) | whitelisted
3464 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
772 | iexplore.exe | 2.16.186.25:443 | spoprod-a.akamaihd.net | Akamai International B.V. | (not listed) | whitelisted
1664 | iexplore.exe | 95.101.78.170:443 | spoprod-a.akamaihd.net | Akamai International B.V. | (not listed) | whitelisted
(not listed) | (not listed) | 2.19.37.83:443 | p.sfx.ms | Akamai International B.V. | (not listed) | whitelisted
1664 | iexplore.exe | 2.19.37.83:443 | p.sfx.ms | Akamai International B.V. | (not listed) | whitelisted

DNS requests

Domain | IP(s) | Reputation
onedrive.live.com | 13.107.42.13 | shared
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
spoprod-a.akamaihd.net | 2.16.186.40, 2.16.186.25, 95.101.78.170, 95.101.78.211 | whitelisted
p.sfx.ms | 2.19.37.83 | whitelisted
c.live.com | 52.142.114.2 | whitelisted
c.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
detectportal.firefox.com | 95.100.39.17, 95.100.39.8, 2.16.186.50, 2.16.186.112 | whitelisted
aus5.mozilla.org | 52.43.79.30, 34.216.134.104, 34.214.241.105, 34.218.159.169, 54.148.138.18, 54.244.6.221, 52.40.226.98, 52.32.77.100, 54.148.105.101, 52.222.227.171, 52.222.227.32, 52.222.227.41, 52.222.227.144 | whitelisted
balrog-aus5.r53-2.services.mozilla.com | 52.32.77.100, 52.40.226.98, 54.244.6.221, 54.148.138.18, 34.218.159.169, 34.214.241.105, 34.216.134.104, 52.43.79.30, 54.148.105.101 | whitelisted
a1089.dscd.akamai.net | 95.100.39.8, 95.100.39.17, 2.16.186.112, 2.16.186.50 | whitelisted

Threats

PID | Process | Class | Message
(not listed) | (not listed) | A Network Trojan was detected | MALWARE [PTsecurity] Trojan-Downloader.VBS.SLoad.gen
2 ETPRO signatures available at the full report
No debug info