analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://qlcsakai.com/CartTransferSystem.application

Full analysis: https://app.any.run/tasks/31772616-92a7-42ba-908e-5d179b156bc6
Verdict: Malicious activity
Analysis date: April 25, 2019, 08:53:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

B4EA8FF011E9DDB48A996A6300A14335

SHA1:

B6205F5BBE6CC0D9E1CF53E86CE2ED9BAB30E074

SHA256:

9D14E2C47FBD1BC4566FAC6008C7D6E55D88BFF9B86079F82E464F403892630A

SSDEEP:

3:N8FmK9uREYE/uMQn:2FmK9oE/M

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • dfsvc.exe (PID: 3124)
      • CartTransferSystem.exe (PID: 2868)

    • Application was dropped or rewritten from another process

      • CartTransferSystem.exe (PID: 2868)

  • SUSPICIOUS

    • Reads Environment values

      • dfsvc.exe (PID: 3124)

    • Creates files in the user directory

      • dfsvc.exe (PID: 3124)

    • Creates a software uninstall entry

      • dfsvc.exe (PID: 3124)

    • Reads internet explorer settings

      • dfsvc.exe (PID: 3124)

    • Reads Internet Cache Settings

      • dfsvc.exe (PID: 3124)

    • Executable content was dropped or overwritten

      • dfsvc.exe (PID: 3124)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2668)

    • Creates files in the user directory

      • iexplore.exe (PID: 3092)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3092)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3092)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3092)
      • CartTransferSystem.exe (PID: 2868)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
5
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start iexplore.exe iexplore.exe dfsvc.exe no specs dfsvc.exe carttransfersystem.exe

Process information

PID
CMD
Path
Indicators
Parent process
2668"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3092"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2668 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2732"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
ClickOnce
Exit code:
0
Version:
4.6.1055.0 built by: NETFXREL2
3124"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
ClickOnce
Version:
4.6.1055.0 built by: NETFXREL2
2868"C:\Users\admin\AppData\Local\Apps\2.0\BKTP7BWX.WV7\J01O50PQ.P5L\cart..tion_2bfd6097e931d7c1_0001.0000_68cea65827dbfb73\CartTransferSystem.exe"C:\Users\admin\AppData\Local\Apps\2.0\BKTP7BWX.WV7\J01O50PQ.P5L\cart..tion_2bfd6097e931d7c1_0001.0000_68cea65827dbfb73\CartTransferSystem.exe
dfsvc.exe
User:
admin
Company:
Microsoft
Integrity Level:
MEDIUM
Description:
カゴ入出管理システム
Version:
1.0.0.0
Total events
959
Read events
548
Write events
0
Delete events
0

Modification events

No data
Executable files
32
Suspicious files
21
Text files
49
Unknown types
5

Dropped files

PID
Process
Filename
Type
2668iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
2668iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3092iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab69A9.tmp
MD5:
SHA256:
3092iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar69AA.tmp
MD5:
SHA256:
3092iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab69BA.tmp
MD5:
SHA256:
3092iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar69BB.tmp
MD5:
SHA256:
3092iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab6A78.tmp
MD5:
SHA256:
3092iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar6A79.tmp
MD5:
SHA256:
2668iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF5F1DFD18BFC2D441.TMP
MD5:
SHA256:
2668iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{9DB3E80E-6737-11E9-B63D-5254004A04AF}.dat
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
5
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3092
iexplore.exe
GET
200
93.184.221.240:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
55.6 Kb
whitelisted
2668
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3092
iexplore.exe
GET
200
93.184.221.240:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/5F3B8CF2F810B37D78B4CEEC1919C37334B9C774.crt
US
der
891 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2668
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3092
iexplore.exe
93.184.221.240:80
www.download.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3092
iexplore.exe
153.127.77.53:443
qlcsakai.com
SAKURA Internet Inc.
JP
unknown
2868
CartTransferSystem.exe
153.127.77.53:443
qlcsakai.com
SAKURA Internet Inc.
JP
unknown
3124
dfsvc.exe
153.127.77.53:443
qlcsakai.com
SAKURA Internet Inc.
JP
unknown

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
qlcsakai.com
  • 153.127.77.53
unknown
www.download.windowsupdate.com
  • 93.184.221.240
whitelisted

Threats

No threats detected
Process
Message
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
dfsvc.exe
*** Status originated: -1073741811 *** Source File: d:\iso_whid\x86fre\base\isolation\hier_hierarchy.cpp, line 230
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://qlcsakai.com/CartTransferSystem.application