URL:

https://disk.yandex.ru/d/vSkAGZAXPezbVA

Full analysis: https://app.any.run/tasks/64320af0-d69b-49a6-82d9-a420bc018c42
Verdict: Malicious activity
Analysis date: August 23, 2022, 20:44:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

C2F72856C923CC6787F183BB2F007A81

SHA1:

7241436E391CB833846D9B3959A4D8103C214619

SHA256:

9844AE3290D5F58B85894C76417B9D9097CC5EB6D10D4C6030DCD103956CB11B

SSDEEP:

3:N8U2C24kCk:2U2/Ck

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • iexplore.exe (PID: 2972)
      • iexplore.exe (PID: 3168)
    • Application was dropped or rewritten from another process

      • @bat_crack (1).exe (PID: 1788)
      • @bat_crack (1).exe (PID: 2776)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3168)
      • iexplore.exe (PID: 2972)
    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3168)
      • iexplore.exe (PID: 2972)
    • Drops a file with a compile date too recent

      • iexplore.exe (PID: 3168)
      • iexplore.exe (PID: 2972)
    • Checks supported languages

      • @bat_crack (1).exe (PID: 2776)
      • cmd.exe (PID: 2016)
    • Executed via COM

      • DllHost.exe (PID: 2780)
  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 2972)
      • iexplore.exe (PID: 3168)
      • explorer.exe (PID: 2908)
      • DllHost.exe (PID: 2780)
    • Application launched itself

      • iexplore.exe (PID: 2972)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3168)
      • iexplore.exe (PID: 2972)
    • Checks supported languages

      • iexplore.exe (PID: 2972)
      • iexplore.exe (PID: 3168)
      • explorer.exe (PID: 2908)
      • DllHost.exe (PID: 2780)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2972)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2972)
      • iexplore.exe (PID: 3168)
    • Manual execution by user

      • explorer.exe (PID: 2908)
    • Reads the date of Windows installation

      • iexplore.exe (PID: 2972)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2972)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2972)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3168)
    • Changes internet zones settings

      • iexplore.exe (PID: 2972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
49
Monitored processes
7
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
drop and start drop and start start iexplore.exe iexplore.exe @bat_crack (1).exe no specs @bat_crack (1).exe cmd.exe no specs explorer.exe no specs PhotoViewer.dll no specs

Process information

PID
CMD
Path
Indicators
Parent process
2972"C:\Program Files\Internet Explorer\iexplore.exe" "https://disk.yandex.ru/d/vSkAGZAXPezbVA"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3168"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2972 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
1788"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\@bat_crack (1).exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\@bat_crack (1).exeiexplore.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\@bat_crack (1).exe
c:\windows\system32\ntdll.dll
2776"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\@bat_crack (1).exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\@bat_crack (1).exe
iexplore.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\@bat_crack (1).exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2016C:\Windows\system32\cmd.exe /c pauseC:\Windows\system32\cmd.exe@bat_crack (1).exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2908"C:\Windows\explorer.exe" C:\Windows\explorer.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2780C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ole32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
12 733
Read events
12 555
Write events
173
Delete events
5

Modification events

(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
856429856
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30979889
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30979889
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
3
Suspicious files
26
Text files
33
Unknown types
18

Dropped files

PID
Process
Filename
Type
3168iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\XGKEUUJ8.txttext
MD5:E38D8EB856799B7C956156DAE2EDEA03
SHA256:405C037DCB00DE72EB0A0D9A3EF179ABD470AAF95EF260E0A3A0194253FE11BB
3168iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81Bbinary
MD5:E0CF11E3EFB7AF5AA22079F2874463BC
SHA256:C3C1F2866947DDE5A042032E233B8C85A3209018F62C32B8827FF4C3CF7E3725
3168iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3binary
MD5:B1D086FA0C0E7751F5831D521D059DE9
SHA256:BA29466FEF58E17AF0D86AA6334BEAD5017C320B3D328B17919B8B26C9A78191
3168iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\vSkAGZAXPezbVA[1].htmhtml
MD5:ABCABA4075D0FBFD86ED0B5D4C956F94
SHA256:DEDC2DAEFE10DE061F716E4811F9FE992980F47F96E82880B7662199DCAACF98
3168iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_77DA99F661FA088EBE8D771B7E655EB9binary
MD5:9B5BEE06E0B2418B8644923464D54AA5
SHA256:C59B749F62BABC48A7EACDA2D12672E15A5F8795EE84346FE2B8EDC9EB0454EA
3168iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_7DAD5545724AA2C98C55095F428499FBbinary
MD5:64E07C70E7F397BFF0CA5C22A1EAE142
SHA256:245B17144C4E5B0B6B6A430E8764396774D7D2DC154524EA74005D421C9878A7
2972iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:F586D462AC901F4FE724C2CDA77A8C92
SHA256:5E16E4A2DA52E9A25B2CFAC6C6F5A5A39544B31F88B5C33AD8741CAD238515F0
2972iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:20D645AE896646732F550ACCADB5B344
SHA256:0F3DA1429779E8DF2621EFA2DA8251939E218C2AD860A20976A12DDFCBA27B25
3168iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046der
MD5:5493B1639A7C5FB5DD05132D6B7C7EC8
SHA256:3B7EEC48A64C7435F4EF8BD14052380B5BA4A957390BDE6D98DA05FEBA5DF9E9
3168iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\60K0C99T.txttext
MD5:05B3CFF2358B8850DCD5F14D69A3C539
SHA256:C5A77E3F08B36C40A44CCDBD03A4339DBB9EAEB2CD345D27B173D32E21B3A693
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
43
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3168
iexplore.exe
GET
200
151.101.2.133:80
http://ocsp.globalsign.com/gseccovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSTMjK03nNiYoQYvu4Izyfn9OJNdAQUWHuOdSr%2BYYCqkEABrtboB0ZuP0gCDDr6WyPB2UqgqvyNjw%3D%3D
US
der
940 b
whitelisted
3168
iexplore.exe
GET
200
151.101.2.133:80
http://ocsp.globalsign.com/gsrsaovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBRrcGT%2BanRD3C1tW3nsrKeuXC7DPwQU%2BO9%2F8s14Z6jeb48kjYjxhwMCs%2BsCDDUIIMQUh1zyGUCLng%3D%3D
US
der
1.40 Kb
whitelisted
3168
iexplore.exe
GET
200
104.18.20.226:80
http://ocsp2.globalsign.com/rootr3/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBT1nGh%2FJBjWKnkPdZIzB1bqhelHBwQUj%2FBLf6guRSSuTVD6Y5qL3uLdG7wCDQHuXyId%2FGI71DM6hVc%3D
US
der
1.40 Kb
whitelisted
2972
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
3168
iexplore.exe
GET
200
151.101.2.133:80
http://ocsp.globalsign.com/gsrsaovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBRrcGT%2BanRD3C1tW3nsrKeuXC7DPwQU%2BO9%2F8s14Z6jeb48kjYjxhwMCs%2BsCDHTVhRq84N8msfX0sg%3D%3D
US
der
1.40 Kb
whitelisted
3168
iexplore.exe
GET
200
151.101.2.133:80
http://ocsp.globalsign.com/rootr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDQHuXxad%2F5c1K2Rl1mo%3D
US
der
1.41 Kb
whitelisted
3168
iexplore.exe
GET
200
151.101.2.133:80
http://ocsp.globalsign.com/gsrsaovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBRrcGT%2BanRD3C1tW3nsrKeuXC7DPwQU%2BO9%2F8s14Z6jeb48kjYjxhwMCs%2BsCDAOPhLc24iwNn477jA%3D%3D
US
der
1.40 Kb
whitelisted
3168
iexplore.exe
GET
200
151.101.2.133:80
http://ocsp.globalsign.com/rootr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHUeP1PjGFkz6V8I7O6tApc%3D
US
der
1.41 Kb
whitelisted
3168
iexplore.exe
GET
200
151.101.2.133:80
http://ocsp.globalsign.com/gseccovsslca2018/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSTMjK03nNiYoQYvu4Izyfn9OJNdAQUWHuOdSr%2BYYCqkEABrtboB0ZuP0gCDEQg1Y49A9QQ%2BwVA7A%3D%3D
US
der
940 b
whitelisted
3168
iexplore.exe
GET
200
104.18.20.226:80
http://ocsp2.globalsign.com/rootr5/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQiD0S5cIHyfrLTJ1fvAkJWflH%2B2QQUPeYpSJvqB8ohREom3m7e0oPQn1kCDQHuXyKVQkkF%2BQGRqNw%3D
US
der
1.26 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2972
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3168
iexplore.exe
178.154.131.215:443
yastatic.net
YANDEX LLC
RU
whitelisted
3168
iexplore.exe
151.101.2.133:80
ocsp.globalsign.com
Fastly
US
malicious
2972
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3168
iexplore.exe
104.18.20.226:80
ocsp2.globalsign.com
Cloudflare Inc
US
shared
3168
iexplore.exe
87.250.250.119:443
mc.yandex.ru
YANDEX LLC
RU
whitelisted
3168
iexplore.exe
87.250.250.50:443
disk.yandex.ru
YANDEX LLC
RU
whitelisted
3168
iexplore.exe
77.88.21.127:443
downloader.disk.yandex.ru
YANDEX LLC
RU
unknown
2972
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3168
iexplore.exe
5.45.236.129:443
s01vlx.storage.yandex.net
YANDEX LLC
RU
unknown

DNS requests

Domain
IP
Reputation
disk.yandex.ru
  • 87.250.250.50
shared
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ctldl.windowsupdate.com
  • 13.107.4.50
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ocsp.globalsign.com
  • 151.101.2.133
  • 151.101.66.133
  • 151.101.130.133
  • 151.101.194.133
whitelisted
ocsp2.globalsign.com
  • 104.18.20.226
  • 104.18.21.226
whitelisted
mc.yandex.ru
  • 87.250.250.119
  • 77.88.21.119
  • 93.158.134.119
  • 87.250.251.119
whitelisted
yastatic.net
  • 178.154.131.215
  • 178.154.131.216
  • 178.154.131.217
whitelisted
downloader.disk.yandex.ru
  • 77.88.21.127
shared

Threats

No threats detected
No debug info