URL: | http://glwxifzkis.duckdns.org/k.html |
Full analysis: | https://app.any.run/tasks/0b8e41ac-f966-40d5-a893-0e3ccc4bec54 |
Verdict: | Malicious activity |
Analysis date: | January 14, 2022, 23:14:19 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | FA48EA5A450F48DAF5403BC9092FD673 |
SHA1: | DCF0582F15CFBF6B94AA1E6673E0BA24DFC4B4D7 |
SHA256: | ADDA6FEC977C5B83BFDCBBF28D5B30CFEFB3211A2764EEE497EB34052BAD935C |
SSDEEP: | 3:N1KZJ3qLxEWizn:CKNEWS |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3148 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://glwxifzkis.duckdns.org/k.html" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
4016 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3148 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
(PID) Process: | (3148) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPDaysSinceLastAutoMigration |
Value: 1 | |||
(PID) Process: | (3148) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchLowDateTime |
Value: | |||
(PID) Process: | (3148) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchHighDateTime |
Value: 30935452 | |||
(PID) Process: | (3148) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: | |||
(PID) Process: | (3148) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 30935452 | |||
(PID) Process: | (3148) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (3148) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (3148) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (3148) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
(PID) Process: | (3148) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
4016 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\red-icon[1].png | image | |
MD5:823825F22C8E441AC3B199A5798FFFA3 | SHA256:40F98500D3E6FE501E29CDEDBD392A7DAEA1A1DCD3DEC1782A396E9A978DABD8 | |||
4016 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\base[1].css | text | |
MD5:035BD9F3BD390B91E1450D557198547A | SHA256:07101499B69A3CD92468BD78D3469C26EA655CDA1CA31C72BAB07CBAC524BFA6 | |||
4016 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\addr-icon[1].png | image | |
MD5:84C1F2D26AE892C556C81159400139E4 | SHA256:98CDE2989ECAEAED156594BBB66708EB4D86F776442B5D0C5A086F0B6A0464CE | |||
4016 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\k[1].htm | html | |
MD5:5DC5A9512572472522310CCAA638B361 | SHA256:686BABE6ABC5668F50055559D1D9D25D66809EA75DE20FEAA1AB55EC9253BF75 | |||
4016 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\au_id[1].png | image | |
MD5:D1AF72F0B2D426388F6E356CF1C5D1C1 | SHA256:CDD7C2E336F17F7637FD20D04C6E6A449BDA30720B7FC76A5B3B165086A19C9F | |||
4016 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\main[1].css | text | |
MD5:49B652A5714CE984E932E494F545C25C | SHA256:75F24CF55B411BC47BD575397A225133D6EB7663FA7B01F5CBDC4979C823E7BA | |||
4016 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\lock-icon[1].png | image | |
MD5:DC94E905218FF89D230EB163E6217278 | SHA256:641BB741DC93200AEF4CC21950D57C566B15E37D01F03F383BB9C7C319B22998 | |||
4016 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\mobile-icon[1].png | image | |
MD5:FA62BD2B3690921F3017AC17BA6845EC | SHA256:D614EA7052BFE738D43BF2619D1AB5F32E066288BB117E58A7B83BD44C5377F1 | |||
3148 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | |
MD5:AC68ACF50745357D4EA92B214D9E7132 | SHA256:AE3F7FDE380D2D90571A61378E52B1BC284B4C4C6A1E099F6F022395EBED6154 | |||
4016 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\clean-icon[1].png | image | |
MD5:E284187D3162DFA45DC682F0F11BEEEA | SHA256:9F79EF84DF71ABC486696450887EF8B300367C91CA555F8571FD88A683A81446 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
4016 | iexplore.exe | GET | 200 | 179.43.149.56:80 | http://glwxifzkis.duckdns.org/js/script.js | CH | text | 634 b | malicious |
4016 | iexplore.exe | GET | 200 | 179.43.149.56:80 | http://glwxifzkis.duckdns.org/css/base.css | CH | text | 2.85 Kb | malicious |
4016 | iexplore.exe | GET | 200 | 179.43.149.56:80 | http://glwxifzkis.duckdns.org/images/mobile-icon.png | CH | image | 5.84 Kb | malicious |
4016 | iexplore.exe | GET | 200 | 179.43.149.56:80 | http://glwxifzkis.duckdns.org/images/red-icon.png | CH | image | 35.9 Kb | malicious |
4016 | iexplore.exe | GET | 200 | 179.43.149.56:80 | http://glwxifzkis.duckdns.org/k.html | CH | html | 2.45 Kb | malicious |
4016 | iexplore.exe | GET | 200 | 179.43.149.56:80 | http://glwxifzkis.duckdns.org/images/clean-icon.png | CH | image | 8.96 Kb | malicious |
4016 | iexplore.exe | GET | 200 | 179.43.149.56:80 | http://glwxifzkis.duckdns.org/images/people-icon.png | CH | image | 13.6 Kb | malicious |
4016 | iexplore.exe | GET | 200 | 179.43.149.56:80 | http://glwxifzkis.duckdns.org/images/addr-icon.png | CH | image | 11.2 Kb | malicious |
4016 | iexplore.exe | GET | 200 | 179.43.149.56:80 | http://glwxifzkis.duckdns.org/css/main.css | CH | text | 2.40 Kb | malicious |
4016 | iexplore.exe | GET | 200 | 179.43.149.56:80 | http://glwxifzkis.duckdns.org/images/au_id.png | CH | image | 26.3 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3148 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3148 | iexplore.exe | 2.16.106.171:80 | ctldl.windowsupdate.com | Akamai International B.V. | — | whitelisted |
4016 | iexplore.exe | 120.52.95.243:443 | js.users.51.la | China Unicom IP network | CN | malicious |
3148 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
4016 | iexplore.exe | 179.43.149.56:80 | glwxifzkis.duckdns.org | Private Layer INC | CH | malicious |
3148 | iexplore.exe | 2.16.106.186:80 | ctldl.windowsupdate.com | Akamai International B.V. | — | whitelisted |
3148 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
glwxifzkis.duckdns.org |
| malicious |
js.users.51.la |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO DYNAMIC_DNS Query to *.duckdns. Domain |