analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://is.gd/CKq83V

Full analysis: https://app.any.run/tasks/cef5b784-2c7e-4e6a-be3f-3b5572764b99
Verdict: Malicious activity
Analysis date: November 16, 2019, 09:28:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
evasion
ta505
Indicators:
MD5:

DD23335957C49DD130A4AD77B89C9A28

SHA1:

C484FE3BD1791B5FCADA6544968F216DC9E30639

SHA256:

9D958963742033F0797871C9E441F17408A95CAFC85A6C33E41BAB1C5C1D9F23

SSDEEP:

3:N85EWz:2Bz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executable content was dropped or overwritten

      • EXCEL.EXE (PID: 3904)

    • Loads dropped or rewritten executable

      • EXCEL.EXE (PID: 3904)

  • SUSPICIOUS

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2824)

    • Application launched itself

      • EXCEL.EXE (PID: 3904)

    • Starts Microsoft Office Application

      • EXCEL.EXE (PID: 3904)
      • iexplore.exe (PID: 2508)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2508)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3144)

    • Creates files in the user directory

      • iexplore.exe (PID: 2508)
      • iexplore.exe (PID: 3144)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2824)
      • EXCEL.EXE (PID: 3904)

    • Application launched itself

      • iexplore.exe (PID: 2508)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3144)
      • iexplore.exe (PID: 2508)

    • Reads Microsoft Office registry keys

      • EXCEL.EXE (PID: 3904)
      • EXCEL.EXE (PID: 2096)

    • Reads settings of System Certificates

      • EXCEL.EXE (PID: 3904)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
5
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs excel.exe excel.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2508"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3144"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2508 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2824C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
3904"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /ddeC:\Program Files\Microsoft Office\Office14\EXCEL.EXE
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Excel
Exit code:
3489660927
Version:
14.0.6024.1000
2096"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /EmbeddingC:\Program Files\Microsoft Office\Office14\EXCEL.EXEEXCEL.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Excel
Exit code:
0
Version:
14.0.6024.1000
Total events
2 396
Read events
2 042
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
12
Text files
42
Unknown types
18

Dropped files

PID
Process
Filename
Type
2508iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
2508iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3144iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\H6KT1UA2\ws2_onehub-en_com[1].txt
MD5:
SHA256:
3144iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:A1E08182FB530ADAD91004E91F9394EB
SHA256:D51B2FB238AAE30563122B087F569596FADCCBE789CC287FD7B584F07B476C50
3144iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G572D6FS\conversion_async[1].jstext
MD5:3813B36FC7DD91FD80F0BFF03C87C190
SHA256:F03EFBEB9D5D9AD71FD40C8BCD6716766F2DED9737A23E67DDEAC421DF771CB5
3144iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G572D6FS\fbevents[1].jstext
MD5:32C5CE04419784548A4754E0C7E59857
SHA256:DE5301D381E48CBF168DB3DD34B2835950501574FDD8BD8013EFEE9C854A7499
3144iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:D69DB8B145C0E3261E63FC7851B9FD18
SHA256:0A425CE9870A5875508AF6BF8D19B8293CA52EFC9989C3E8C85C0B8B6498C535
3144iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G572D6FS\24437603[1].jstext
MD5:7BAC208B863BE3BE30E0DE9B831AA55F
SHA256:5734DF78976B01D0762F0651843ED94FF94B0663F0CFE419A388E132ED6B10B6
3144iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\G572D6FS\gtm[1].jstext
MD5:1ED58D0D1757B02F528C21F33F7829B1
SHA256:0DEF0B5EFBCF662045B6816333464CE93B29829A8D7679729F600483A52DCD9C
3144iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\W1AJP1NJ\workspaces-1943206bff0f9b8467f7028ccbaa6c1c5de6dcedfa8313e69[1].csstext
MD5:5190F5BFD74FD2172FADFBB42F9D92D6
SHA256:1943206BFF0F9B8467F7028CCBAA6C1C5DE6DCEDFA8313E695AC1334ACC1A6FA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
21
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2508
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2508
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3144
iexplore.exe
185.69.52.50:443
ws2.onehub-en.com
UAB Rakrejus
LT
unknown
3144
iexplore.exe
104.25.23.21:443
is.gd
Cloudflare Inc
US
shared
3144
iexplore.exe
172.217.22.67:443
www.google.sk
Google Inc.
US
whitelisted
3144
iexplore.exe
13.32.222.210:443
dp0qkd77b9xjk.cloudfront.net
Amazon.com, Inc.
US
whitelisted
3144
iexplore.exe
216.58.208.36:443
www.google.com
Google Inc.
US
whitelisted
3144
iexplore.exe
88.99.66.31:443
iplogger.org
Hetzner Online GmbH
DE
malicious
3144
iexplore.exe
216.58.206.3:443
www.google.co.uk
Google Inc.
US
whitelisted
3144
iexplore.exe
172.217.22.104:443
www.googletagmanager.com
Google Inc.
US
whitelisted
3144
iexplore.exe
31.13.92.14:443
connect.facebook.net
Facebook, Inc.
IE
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
is.gd
  • 104.25.23.21
  • 104.25.22.21
shared
ws2.onehub-en.com
  • 185.69.52.50
unknown
dp0qkd77b9xjk.cloudfront.net
  • 13.32.222.210
  • 13.32.222.81
  • 13.32.222.78
  • 13.32.222.30
whitelisted
www.google.com
  • 216.58.208.36
whitelisted
www.google.sk
  • 172.217.22.67
whitelisted
iplogger.org
  • 88.99.66.31
shared
www.googleadservices.com
  • 172.217.23.130
whitelisted
connect.facebook.net
  • 31.13.92.14
whitelisted
www.googletagmanager.com
  • 172.217.22.104
whitelisted

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://is.gd/CKq83V