Malware analysis http://www.alamosystems.com Malicious activity

Add for printing

URL:	http://www.alamosystems.com
Full analysis:	https://app.any.run/tasks/4be2316d-1d8c-4712-bf3d-9d0e895ae364
Verdict:	Malicious activity
Analysis date:	July 11, 2019, 15:12:25
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:	4749222825FEB65034602108107BCAE9
SHA1:	8D60D64D782F85567F2884D7E8588EEAB5B0E4DA
SHA256:	828DA1A2BC7D1176FE6C3E46B1BC5CAC0AE79DF0423DCB1185636DA667D2EAFD
SSDEEP:	3:N1KJS4BSFT:Cc4Y9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
- Executed via COM
  - FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2980)
INFO
- Changes internet zones settings
  - iexplore.exe (PID: 2904)
- Application launched itself
  - iexplore.exe (PID: 2904)
- Reads internet explorer settings
  - iexplore.exe (PID: 3320)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 3320)
- Creates files in the user directory
  - iexplore.exe (PID: 3320)
  - FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2980)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2904	"C:\Program Files\Internet Explorer\iexplore.exe" -nohome	C:\Program Files\Internet Explorer\iexplore.exe		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3320	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2904 CREDAT:71937	C:\Program Files\Internet Explorer\iexplore.exe		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
2980	C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding	C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe	—	svchost.exe
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0 Version: 26,0,0,131

Add for printing

Total events

439

Read events

368

Write events

Delete events

Modification events


(PID) Process:	(2904) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:	write	Name:	CompatibilityFlags
Value: 0
(PID) Process:	(2904) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(2904) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(2904) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:	write	Name:	SecuritySafe
Value: 1
(PID) Process:	(2904) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(2904) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 4600000077000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:	(2904) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:	write	Name:	{59CEA1B1-A3EE-11E9-A9B1-5254004A04AF}
Value: 0
(PID) Process:	(2904) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:	write	Name:	Type
Value: 4
(PID) Process:	(2904) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:	write	Name:	Count
Value: 1
(PID) Process:	(2904) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:	write	Name:	Time
Value: E307070004000B000F000C0035008B00

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2904	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico		—
		MD5:—	SHA256:—
2904	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		—
		MD5:—	SHA256:—
3320	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat		dat
		MD5:EC5856525AA689BAC7E0084FCDFCA95C	SHA256:4302665CC8E14EA70C4E604C9D2371223FC22AAF1C258E957F8EA592DA8E008F
3320	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7QUGCEO4\node.h[1].js		html
		MD5:4B305A9B2FC481354C1AC4C5C1C2E97B	SHA256:5284A7ABE0D117EACA4824C45751487B7CF54175BC35057950C47BE49D5FE017
3320	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C1INRKPX\index[1].css		text
		MD5:55316F67BE709CFC0D9DBDA10854B7E7	SHA256:4795C59BA44A38E031A8B7D9884BC24CB18EFADD2A359489AFEB9C79F758A684
3320	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\7QUGCEO4\11.0.1[1].js		html
		MD5:A33510B861FF37145779F52FCDBBBD1D	SHA256:63BA4F4194F92AC35E4090573D779D4F6CD08C8C45D30AD8B7C01D6D590F5AED
3320	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\J52GVJWH\jquery.multiscroll[1].css		text
		MD5:EDB681CA8DDA270ED553A1CE21AC7A15	SHA256:BFF61C72EF6E688E94CA50A1C997A20F864D1B42EAB575A86D10F76A15FC8FDD
3320	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C1INRKPX\index_pc[1].css		text
		MD5:10CC49C3B600FF0B0FC362790230B362	SHA256:1FDB77039ED0CD27C6D4A3FEEBAF2B6FF47F288A84B8430F75CDE7566B3AF630
3320	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat		dat
		MD5:751E1E0DE62BD5D7278E91E7099D586D	SHA256:018D2B8C4C968F7ECD323DD878012546692CB009A56F72E28D01BBC26FFC381A
3320	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C4EO4JFS\alamosystems_com[1].htm		html
		MD5:E6AC1F44EEA270306077B5AF1EF9CB27	SHA256:18F308D078BEB3BEA5B43D63A587713B4E8B480E16E8E208D9B9FA9DD385A681

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3320	iexplore.exe	GET	—	144.168.119.139:80	http://www.alamosystems.com/koolchadjs/js/jquery.easing.min.js	US	—	—	unknown
3320	iexplore.exe	GET	—	185.59.220.19:80	http://www.ssd996.com/home/css/index_pc.css	DE	—	—	suspicious
3320	iexplore.exe	GET	200	144.168.119.139:80	http://www.alamosystems.com/koolcss/css/jquery.multiscroll.css	US	text	653 b	unknown
3320	iexplore.exe	GET	200	185.59.220.19:80	http://www.ssd996.com/uploads/15583554967007.png	DE	image	9.29 Kb	suspicious
3320	iexplore.exe	GET	200	185.59.220.19:80	http://www.ssd996.com/home/imgs/bg1.jpg	DE	image	81.6 Kb	suspicious
3320	iexplore.exe	GET	200	144.168.119.139:80	http://www.alamosystems.com/	US	html	2.76 Kb	unknown
3320	iexplore.exe	GET	200	111.206.37.189:80	http://push.zhanzhang.baidu.com/push.js	CN	text	227 b	whitelisted
3320	iexplore.exe	GET	200	144.168.119.139:80	http://www.alamosystems.com/koolcss/css/index.css	US	text	2.92 Kb	unknown
3320	iexplore.exe	GET	200	185.59.220.19:80	http://www.ssd996.com/home/css/index_pc.css	DE	text	1.14 Kb	suspicious
3320	iexplore.exe	GET	200	144.168.119.139:80	http://www.alamosystems.com/js/node.h.js	US	html	1.24 Kb	unknown

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2904	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
3320	iexplore.exe	144.168.119.139:80	www.alamosystems.com	eSited Solutions	US	unknown
—	—	104.192.110.245:80	js.passport.qihucdn.com	Beijing Qihu Technology Company Limited	US	suspicious
3320	iexplore.exe	185.59.220.19:80	www.ssd996.com	Datacamp Limited	DE	malicious
3320	iexplore.exe	220.242.139.165:443	js.users.51.la	—	CN	unknown
3320	iexplore.exe	111.206.37.189:80	push.zhanzhang.baidu.com	China Unicom Beijing Province Network	CN	malicious
3320	iexplore.exe	103.235.46.191:443	hm.baidu.com	Beijing Baidu Netcom Science and Technology Co., Ltd.	HK	suspicious
3320	iexplore.exe	13.224.68.36:80	s6.qhres.com	—	US	unknown
3320	iexplore.exe	183.131.207.66:80	ia.51.la	DaLi	CN	malicious
2904	iexplore.exe	144.168.119.139:80	www.alamosystems.com	eSited Solutions	US	unknown

DNS requests

Domain	IP	Reputation
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
www.alamosystems.com	144.168.119.139	unknown
www.ssd996.com	185.59.220.19	suspicious
push.zhanzhang.baidu.com	111.206.37.189 61.135.185.248	whitelisted
js.passport.qihucdn.com	104.192.110.245	suspicious
hm.baidu.com	103.235.46.191	whitelisted
js.users.51.la	220.242.139.165 163.171.128.16 220.242.140.187 220.242.182.12	whitelisted
s6.qhres.com	13.224.68.36 13.224.68.177 13.224.68.43 13.224.68.168	whitelisted
ia.51.la	183.131.207.66	whitelisted
s.360.cn	171.8.167.89 180.163.251.231 180.163.251.230 171.8.167.90 101.226.161.227 180.97.63.237 171.13.14.66	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

http://www.alamosystems.com

4749222825FEB65034602108107BCAE9

8D60D64D782F85567F2884D7E8588EEAB5B0E4DA

828DA1A2BC7D1176FE6C3E46B1BC5CAC0AE79DF0423DCB1185636DA667D2EAFD

3:N1KJS4BSFT:Cc4Y9

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

Executed via COM

INFO

Changes internet zones settings

Application launched itself

Reads internet explorer settings

Reads Internet Cache Settings

Creates files in the user directory

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings