URL:

https://www.malware-traffic-analysis.net/2021/12/07/index.html

Full analysis: https://app.any.run/tasks/6a8e925d-83b0-4e9d-a15e-b075cd6b2bb5
Verdict: Malicious activity
Analysis date: May 20, 2022, 23:09:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
maldoc-42
Indicators:
MD5:

62B740E53B074BCCA8ED82101F4F52C3

SHA1:

5831A885F0B6008777124D94C9B6EEDC96EE91EC

SHA256:

9634064696BE8BB52C92EE30D40C9D4CBF22A13A6E13A4F06ABCDE8359CB596D

SSDEEP:

3:N8DSLHXWQfigcWMMLA220d5G:2OLHpJY90DG

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops known malicious document

      • WinRAR.exe (PID: 3628)
      • EXCEL.EXE (PID: 3412)
    • Unusual execution from Microsoft Office

      • EXCEL.EXE (PID: 3412)
    • Registers / Runs the DLL via REGSVR32.EXE

      • EXCEL.EXE (PID: 3412)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2188)
    • Checks supported languages

      • WinRAR.exe (PID: 1980)
      • WinRAR.exe (PID: 3628)
    • Reads the computer name

      • WinRAR.exe (PID: 1980)
      • WinRAR.exe (PID: 3628)
    • Application launched itself

      • WinRAR.exe (PID: 1980)
    • Starts Microsoft Office Application

      • WinRAR.exe (PID: 3628)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 2956)
      • iexplore.exe (PID: 2188)
      • EXCEL.EXE (PID: 3412)
      • regsvr32.exe (PID: 3664)
      • regsvr32.exe (PID: 1732)
      • regsvr32.exe (PID: 2268)
      • regsvr32.exe (PID: 3376)
      • regsvr32.exe (PID: 1448)
      • regsvr32.exe (PID: 2384)
    • Reads the computer name

      • iexplore.exe (PID: 2956)
      • iexplore.exe (PID: 2188)
      • EXCEL.EXE (PID: 3412)
    • Changes internet zones settings

      • iexplore.exe (PID: 2956)
    • Application launched itself

      • iexplore.exe (PID: 2956)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2188)
      • iexplore.exe (PID: 2956)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2188)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2188)
      • iexplore.exe (PID: 2956)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2956)
    • Creates files in the user directory

      • iexplore.exe (PID: 2956)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2956)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2956)
    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 3628)
      • EXCEL.EXE (PID: 3412)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
47
Monitored processes
11
Malicious processes
4
Suspicious processes
0

Behavior graph

[Behavior graph (interactive in the full report): start → iexplore.exe → iexplore.exe → winrar.exe → winrar.exe → excel.exe → regsvr32.exe (×6); "no specs" in the graph marks processes without detailed specs. Per-process details follow in Process information.]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2956
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://www.malware-traffic-analysis.net/2021/12/07/index.html"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\version.dll
PID: 2188
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2956 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
PID: 1980
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\2021-12-07-obama141-Qakbot-and-Matanbuchus-malware-and-artifacts.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: iexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 3628
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb1980.40114\gcJaBMPOQ.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: WinRAR.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\winrar\winrar.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\shlwapi.dll
PID: 3412
CMD: "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde
Path: C:\Program Files\Microsoft Office\Office14\EXCEL.EXE
Parent process: WinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\microsoft office\office14\excel.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3376
CMD: regsvr32 C:\ProgramData\Volet1.ocx
Path: C:\Windows\system32\regsvr32.exe
Parent process: EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 3664
CMD: regsvr32 C:\ProgramData\Volet2.ocx
Path: C:\Windows\system32\regsvr32.exe
Parent process: EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1732
CMD: regsvr32 C:\ProgramData\Volet3.ocx
Path: C:\Windows\system32\regsvr32.exe
Parent process: EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\user32.dll
PID: 1448
CMD: regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet4.ocx
Path: C:\Windows\system32\regsvr32.exe
Parent process: EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2268
CMD: regsvr32 -e -n -i:&Tiposa!G22& C:\ProgramData\Volet5.ocx
Path: C:\Windows\system32\regsvr32.exe
Parent process: EXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft(C) Register Server
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\regsvr32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
Total events
17 616
Read events
17 352
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
16
Text files
23
Unknown types
7

Dropped files

PID
Process
Filename
Type
PID: 2188
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: binary
MD5:79C3C1E84F2E434A3804BC8C15911C2A
SHA256:15387117F9DD50DA117B962930E038E19D1F0FAEDAA09DFE1D79EA07C7F62526
PID: 2188
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Type: binary
MD5:647D7093A95A48765D2046A3A39BAC81
SHA256:198DCD8997FC15EF0DFF2F7D76CA422181D52EBEF0ED94CC1837988C5D7FDB3D
PID: 2188
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2A249A8EAE5FF8B677AA8B178688CF94
Type: der
MD5:D71BCC80A7B0FC9612D7B4619FB2C2AE
SHA256:B7C991C3B5997CDA961B68B8D3BF0597BC0A9B4805810FC2AFD1A061DD67953B
PID: 2956
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
Type: binary
MD5:151A6310D5DD1C8F543FA201A0B3230E
SHA256:5866662077ED47B64F9A411BE0BA30FF32CBFD34D8417F21CAD96832914448BE
PID: 2188
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\index[1].htm
Type: html
MD5:AEAF0609FFFA8D4426C3D349E656211E
SHA256:5DFC6C8D28B83BCF80139022625B345271AF9342B5E2A542453D9052F9D771B1
PID: 2188
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\2021-12-07-obama141-Qakbot-and-Matanbuchus-malware-and-artifacts[1].zip
Type: compressed
MD5:8764F6EF1DD0F9133064D0AE493346DD
SHA256:AAFA7ED2680B0596246CBEFC9EB60D2C82794A5666A110E56632FB9A99013085
PID: 2188
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2A249A8EAE5FF8B677AA8B178688CF94
Type: binary
MD5:0653C42FEC0DE196810E4F27BF647C50
SHA256:66EF3849B3B0282F7BE0ED8273EC5884F1B04CD46D8CA28E6B350C2050222692
PID: 2188
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Type: binary
MD5:06367F548FA74D35154AB4E39928030E
SHA256:E5D9AF76A753FE939E1CCB9E2B542621191E5612E2E85EB98768DB901226DBD4
PID: 2188
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Type: der
MD5:C04F441D0220712231531A90823834DB
SHA256:055641D3987AE98E2DD627D3214EA8084AE773A3DF9592191B86977C752A29E7
PID: 2956
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\imagestore\f7ruq93\imagestore.dat
Type: binary
MD5:6FFDBD9F131388240CEF1BA0C03AB3BB
SHA256:1F086A1DF128F3A57D3A0A0AAE76016261FA2EE8BB925249D5841264CE1D5AFA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
32
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3412
EXCEL.EXE
GET
101.99.95.143:80
http://101.99.95.143/44702.0077041667.dat2
MY
suspicious
3412
EXCEL.EXE
GET
194.38.20.30:80
http://194.38.20.30/44702.0077041667.dat2
unknown
suspicious
3412
EXCEL.EXE
GET
194.38.20.30:80
http://194.38.20.30/44702.0077041667.dat
unknown
suspicious
3412
EXCEL.EXE
GET
404
185.244.149.138:80
http://185.244.149.138/44702.0077041667.dat2
unknown
html
277 b
suspicious
2188
iexplore.exe
GET
200
104.18.32.68:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
US
der
727 b
whitelisted
3412
EXCEL.EXE
GET
404
101.99.95.143:80
http://101.99.95.143/44702.0077041667.dat
MY
html
9.86 Kb
suspicious
2188
iexplore.exe
GET
200
104.18.32.68:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECECrsM%2B7Sq5MOuq8mZpDVUKY%3D
US
der
471 b
whitelisted
2956
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
2956
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
2956
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
US
der
471 b
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2956
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2188
iexplore.exe
209.197.3.8:80
ctldl.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
2956
iexplore.exe
152.199.19.161:443
r20swj13mr.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2188
iexplore.exe
104.18.32.68:80
ocsp.comodoca.com
Cloudflare Inc
US
suspicious
2188
iexplore.exe
199.201.110.204:443
www.malware-traffic-analysis.net
Namecheap, Inc.
US
suspicious
2956
iexplore.exe
199.201.110.204:443
www.malware-traffic-analysis.net
Namecheap, Inc.
US
suspicious
2956
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3412
EXCEL.EXE
101.99.95.143:80
MY
suspicious
3412
EXCEL.EXE
194.38.20.30:80
suspicious
2956
iexplore.exe
204.79.197.203:443
www.msn.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
www.malware-traffic-analysis.net
  • 199.201.110.204
malicious
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
ocsp.comodoca.com
  • 104.18.32.68
  • 172.64.155.188
whitelisted
ocsp.usertrust.com
  • 104.18.32.68
  • 172.64.155.188
whitelisted
ocsp.sectigo.com
  • 104.18.32.68
  • 172.64.155.188
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted

Threats

No threats detected
No debug info