analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://u7367700.ct.sendgrid.net/wf/click?upn=sw-2BpEri5LTJKiGqpmJIs6ZqVtF51SexOhTnZ-2BWu5mI8GQa3sq18IykBiMc7QQNI2nUpgJCyYgWaVLGSanpSd1fLcZCIHCoBbtKMXG0g7g56-2B09iL9MgvldVmqQM-2Fxcgj_NOzmJHCskOif8NCnH-2BVvVRvYJ3c47-2FOFxwXWMU5cx4upLR4qPgTArrqqCNSJZ-2BYfuxhXFzgBH2ZmrrseSPaFYmYYg5E7xXf8zdPEU8sGD4qrTuR9rk-2B5tckrKZNA7AfBcULesv2WFQfmH4JTZAc5cB5sWYrYoRKTl5RAH6HzNmVkkxRwUWdl-2Bdk3-2Fd7u-2BAcQsZzp4ZeeA9jJ3BB5X7F9jRoMgQdRjoLo5b240aR1q2w-3D

Full analysis: https://app.any.run/tasks/69f775d5-3441-4eeb-a0c9-a0bf919554d4
Verdict: Malicious activity
Analysis date: September 19, 2019, 12:06:40
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

007C0AAC26103BE0DBC28C2E2CE48648

SHA1:

49F5C8F96EFCAAD48E793385DA6C38EA540C33F0

SHA256:

A5F7A4F9841BBAF1ED0C7A00368B209E217E4AAD3EBF01D3C134CECCB4E42674

SSDEEP:

12:2a5DSrSLsfbo/MuMpQ0/odn/0epbAqGgS1:2+Io/Mumo187R5

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3192)
      • sdiagnhost.exe (PID: 2640)
      • sdiagnhost.exe (PID: 2200)

    • Executable content was dropped or overwritten

      • msdt.exe (PID: 2500)
      • msdt.exe (PID: 3028)

    • Uses IPCONFIG.EXE to discover IP address

      • sdiagnhost.exe (PID: 2640)
      • sdiagnhost.exe (PID: 2200)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3540)

    • Reads internet explorer settings

      • iexplore.exe (PID: 4016)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 4016)

    • Changes internet zones settings

      • iexplore.exe (PID: 3540)

    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 4016)

    • Creates files in the user directory

      • iexplore.exe (PID: 4016)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3192)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3540)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3540)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
50
Monitored processes
13
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs msdt.exe sdiagnhost.exe no specs ipconfig.exe no specs route.exe no specs makecab.exe no specs msdt.exe sdiagnhost.exe no specs ipconfig.exe no specs route.exe no specs makecab.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3540"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
4016"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3540 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3192C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
2500 -modal 327980 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDF8CDE.tmp -ep NetworkDiagnosticsWebC:\Windows\system32\msdt.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Diagnostics Troubleshooting Wizard
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2640C:\Windows\System32\sdiagnhost.exe -EmbeddingC:\Windows\System32\sdiagnhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Scripted Diagnostics Native Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2560"C:\Windows\system32\ipconfig.exe" /allC:\Windows\system32\ipconfig.exesdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3596"C:\Windows\system32\ROUTE.EXE" printC:\Windows\system32\ROUTE.EXEsdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Route Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1032"C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddfC:\Windows\system32\makecab.exesdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Cabinet Maker
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3028 -modal 327980 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDFD9D6.tmp -ep NetworkDiagnosticsWebC:\Windows\system32\msdt.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Diagnostics Troubleshooting Wizard
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2200C:\Windows\System32\sdiagnhost.exe -EmbeddingC:\Windows\System32\sdiagnhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Scripted Diagnostics Native Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
882
Read events
590
Write events
0
Delete events
0

Modification events

No data
Executable files
4
Suspicious files
27
Text files
245
Unknown types
19

Dropped files

PID
Process
Filename
Type
3540iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
3540iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
4016iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
MD5:
SHA256:
4016iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Z63LUP8D\style.min[1].csstext
MD5:83AB8BB7D08F0CED01CB834F5D518CBD
SHA256:858ECAE68A18E4AABC4A4D528F26EE6695A3EA189358A32505C063217940B6D4
4016iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\021AYJEH\vendor.min[1].jstext
MD5:55B50F7E41CE399C8D16EBD52270E41A
SHA256:74C99B6C3E4D04EF6CC9725D23B70FE5FFEF611D3CF07DC2BD639D5A2E840573
4016iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RWGOAFY1\sendgrid.min[1].jstext
MD5:F42D9910F6F3D6E776FBA9A7484B406D
SHA256:2F0D25EB4586D7C5132E96B2CCA3305B77BBE74143C9D6A97398A9CD15CA9ECA
4016iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txttext
MD5:ACE37320EBA5D54044193D7F2FBC6694
SHA256:89F44BF97A90AB5C8D5821B250E0107E0F3783E5E02E8D63B94E7F8C2AFE58E4
4016iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:49842A1008396AE4E9B901F6453E7CDD
SHA256:E621884189D8CA4FF8E9084C4F484D7DA7D1B333BC7D86733E9028E52FAE855A
4016iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\4T3SL64G\forms2.min[1].jstext
MD5:F1D23A5951023E4A0282D72A5163950D
SHA256:321BBCC4CC57483B7E329186E5159498B668DDDE87CB64696DDCDC95176CCE82
4016iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RWGOAFY1\72168671[1].jstext
MD5:B0AB69C80F170956BD17E6E614903C75
SHA256:A707B8FDC4D18C022A57DF8A9985F916242C5A87E630046345B100BB42112C8A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
273
DNS requests
40
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4016
iexplore.exe
GET
301
159.122.219.52:80
http://sendgrid.com/invalidlink
US
html
178 b
whitelisted
4016
iexplore.exe
GET
200
205.185.216.42:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
57.0 Kb
whitelisted
4016
iexplore.exe
GET
200
13.225.84.115:80
http://x.ss2.us/x.cer
US
der
1.27 Kb
whitelisted
3540
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3540
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
4016
iexplore.exe
172.217.18.10:443
ajax.googleapis.com
Google Inc.
US
whitelisted
4016
iexplore.exe
104.17.74.206:443
go.sendgrid.com
Cloudflare Inc
US
shared
4016
iexplore.exe
159.122.219.52:80
sendgrid.com
SoftLayer Technologies Inc.
US
unknown
4016
iexplore.exe
23.210.249.30:443
cdn.optimizely.com
Akamai International B.V.
NL
whitelisted
4016
iexplore.exe
159.122.219.52:443
sendgrid.com
SoftLayer Technologies Inc.
US
unknown
4016
iexplore.exe
172.217.18.104:443
www.googletagmanager.com
Google Inc.
US
suspicious
4016
iexplore.exe
13.224.193.80:443
cdn.segment.com
US
suspicious
4016
iexplore.exe
167.89.123.16:443
u7367700.ct.sendgrid.net
SendGrid, Inc.
US
malicious
4016
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
u7367700.ct.sendgrid.net
  • 167.89.123.16
  • 167.89.118.35
malicious
sendgrid.com
  • 159.122.219.52
  • 159.122.219.40
whitelisted
cdn.optimizely.com
  • 23.210.249.30
whitelisted
go.sendgrid.com
  • 104.17.74.206
  • 104.17.71.206
  • 104.17.70.206
  • 104.17.73.206
  • 104.17.72.206
suspicious
ajax.googleapis.com
  • 172.217.18.10
  • 172.217.18.170
  • 172.217.23.138
  • 216.58.206.10
  • 216.58.207.42
  • 216.58.207.74
  • 172.217.16.170
  • 172.217.16.138
  • 172.217.22.74
  • 172.217.22.106
  • 172.217.16.202
  • 172.217.18.106
  • 172.217.23.170
  • 172.217.21.202
  • 172.217.21.234
  • 172.217.22.10
whitelisted
cdn.segment.com
  • 13.224.193.80
shared
www.googletagmanager.com
  • 172.217.18.104
whitelisted
api.segment.io
  • 54.71.228.147
  • 54.244.22.169
  • 52.24.41.182
  • 54.68.159.219
  • 35.164.39.164
  • 54.218.56.203
  • 54.70.148.32
  • 35.155.224.35
whitelisted
www.google-analytics.com
  • 216.58.207.78
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://u7367700.ct.sendgrid.net/wf/click?upn=sw-2BpEri5LTJKiGqpmJIs6ZqVtF51SexOhTnZ-2BWu5mI8GQa3sq18IykBiMc7QQNI2nUpgJCyYgWaVLGSanpSd1fLcZCIHCoBbtKMXG0g7g56-2B09iL9MgvldVmqQM-2Fxcgj_NOzmJHCskOif8NCnH-2BVvVRvYJ3c47-2FOFxwXWMU5cx4upLR4qPgTArrqqCNSJZ-2BYfuxhXFzgBH2ZmrrseSPaFYmYYg5E7xXf8zdPEU8sGD4qrTuR9rk-2B5tckrKZNA7AfBcULesv2WFQfmH4JTZAc5cB5sWYrYoRKTl5RAH6HzNmVkkxRwUWdl-2Bdk3-2Fd7u-2BAcQsZzp4ZeeA9jJ3BB5X7F9jRoMgQdRjoLo5b240aR1q2w-3D