analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://185.177.59.58/viewtopic.php?f576=501?f948=75736572?f783=64666a756f6e61637169676d

Full analysis: https://app.any.run/tasks/8a5d3db7-0fd9-4b50-8f1a-6642cf683209
Verdict: Malicious activity
Analysis date: May 30, 2020, 06:43:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

F5E3B41EA812DE9328FB8D221FABAD95

SHA1:

6168220C08A9D6619383720686EE4522B84554A7

SHA256:

A58C5A8038B166FFDDC04C369E7BB4F279215B705E1B27D5356CB2E0FD702220

SSDEEP:

3:N1KlmeLQDhKVMGbVafYpdecTDkRTzGPzuBn:CSDhO7VWYzecTw1YuB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Uses RUNDLL32.EXE to load library

      • iexplore.exe (PID: 2816)

    • Starts Internet Explorer

      • rundll32.exe (PID: 2464)

  • INFO

    • Modifies the open verb of a shell class

      • rundll32.exe (PID: 2464)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2816)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2432)
      • iexplore.exe (PID: 2816)

    • Changes internet zones settings

      • iexplore.exe (PID: 2816)

    • Application launched itself

      • iexplore.exe (PID: 2816)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
5
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe rundll32.exe no specs iexplore.exe no specs iexplore.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2816"C:\Program Files\Internet Explorer\iexplore.exe" "http://185.177.59.58/viewtopic.php?f576=501?f948=75736572?f783=64666a756f6e61637169676d"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2432"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2816 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2464"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\viewtopic.phpC:\Windows\system32\rundll32.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3332"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\viewtopic.phpC:\Program Files\Internet Explorer\iexplore.exerundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2060"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Downloads\viewtopic.phpC:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
1 568
Read events
1 410
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
6
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
2432iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\viewtopic.php.q0hu3i9.partial
MD5:
SHA256:
2816iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF7B2DC9A5E5255941.TMP
MD5:
SHA256:
2816iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\viewtopic.php.q0hu3i9.partial:Zone.Identifier
MD5:
SHA256:
2816iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF05941D223CFCE61D.TMP
MD5:
SHA256:
2816iexplore.exeC:\Users\admin\Downloads\viewtopic.php.xidjqut.partial\:Zone.Identifier:$DATA
MD5:
SHA256:
2816iexplore.exeC:\Users\admin\Downloads\viewtopic.php.xidjqut.partial
MD5:
SHA256:
2816iexplore.exeC:\Users\admin\Downloads\viewtopic.php.xidjqut.partial:Zone.Identifier
MD5:
SHA256:
2816iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF3B3F2854710F1DA5.TMP
MD5:
SHA256:
2816iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{E7F6DE49-A240-11EA-9F59-5254004A04AF}.datbinary
MD5:09A2CC73786A4D432D9B8BE80A213FD8
SHA256:5C2EABB9096F13D38A72D774CE523D95159B838AB8C5ECC1BAFF3CB78422716B
2816iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\viewtopic.phpbinary
MD5:E95EC8CDC84CA3500DEB2564721F9244
SHA256:73D990A15B01F2E9580EF08CFB6C34ED2EE1AE41125A7E1D69E2C42FF282CB09
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
5
DNS requests
2
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2816
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2432
iexplore.exe
185.177.59.58:80
BelCloud Hosting Corporation
BG
malicious
185.177.59.58:80
BelCloud Hosting Corporation
BG
malicious

DNS requests

Domain
IP
Reputation
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted

Threats

PID
Process
Class
Message
2432
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] RTM.Payload.xor
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://185.177.59.58/viewtopic.php?f576=501?f948=75736572?f783=64666a756f6e61637169676d