URL: https://anonfiles.com/HaZ3Q23do6/Egguware_rar

Full analysis: https://app.any.run/tasks/1f8dd360-351f-432d-82c5-ae6c2688ec8c
Verdict: Malicious activity
Analysis date: May 30, 2020, 16:36:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: C08B4ED06B43463F89827A144D9A8BED
SHA1: CB9542699ECA2F339E42C383485976DAFBDCAAB9
SHA256: B0036B7D2BAA5F923939C051498C625081D71735C54E6AE75FE92B9BDD638632
SSDEEP: 3:N8M2K0BKgBF:2M2JKq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Executed via COM
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2028)
  • INFO
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 2064)
      • iexplore.exe (PID: 1936)
      • iexplore.exe (PID: 328)
    • Changes internet zones settings
      • iexplore.exe (PID: 2064)
    • Creates files in the user directory
      • iexplore.exe (PID: 1936)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2028)
      • iexplore.exe (PID: 328)
      • iexplore.exe (PID: 2064)
    • Reads Internet Explorer settings
      • iexplore.exe (PID: 1936)
      • iexplore.exe (PID: 328)
    • Application launched itself
      • iexplore.exe (PID: 2064)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 1936)
      • iexplore.exe (PID: 328)
      • iexplore.exe (PID: 2064)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 2064)
    • Changes settings of System certificates
      • iexplore.exe (PID: 2064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0

Behavior graph (processes shown): iexplore.exe, iexplore.exe, flashutil32_26_0_0_131_activex.exe, iexplore.exe

Process information

PID | CMD | Path | Indicators | Parent process

2064 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://anonfiles.com/HaZ3Q23do6/Egguware_rar" | C:\Program Files\Internet Explorer\iexplore.exe | | explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

1936 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2064 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

2028 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | | svchost.exe
  User: admin
  Company: Adobe Systems Incorporated
  Integrity Level: MEDIUM
  Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0
  Version: 26,0,0,131

328 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2064 CREDAT:3675399 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 6 906
Read events: 1 492
Write events: 0
Delete events: 0
Modification events: No data

Executable files: 0
Suspicious files: 81
Text files: 53
Unknown types: 33

Dropped files

PID | Process | Filename | Type | MD5 | SHA256

1936 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab5FE2.tmp | | |
1936 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar5FE3.tmp | | |
1936 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\BCWXWH9H.txt | text | 5BCCBF63738ECA5349BE844F7CAF459E | 48BFD1857B522145CB612EF1849E83000C422114FE57BFACB24BE7F4BC4452B4
1936 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1 | der | 1ACA50EC477964C4D861F2701CF66EEA | 0F11ACD16954DCCA31CFFED26AD2DEB75FF3409E4810EC46DE67F8CBEF4EB2B9
1936 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\anonfiles[1].css | text | A5D1A82F214F29F182A2EBA5FBEDADB6 | 1F339D3A563C769381CD6C966BD4BE6A2DAE7418A88613B086B6870990169A5A
1936 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_74167E25E5476CCA2A5946AAA61BF9E1 | binary | 594FDD1EBA3D3A91AB9440C2EE75A818 | F43FBAB31650A5379A507AEDF1426175F7F569FE710095AFC4ECD9F9FB2F388B
1936 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\Egguware_rar[1].htm | html | E6ECD4E49A78E1A4A0624EA66329A56A | 9AAD42F4B8A2EBAB53494FC80E782705CCC83439C55604065D1609398B608267
1936 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\app[1].js | text | AA0765A46DF7D8339CABFB0E0AA189A5 | 9FC711F323D06BEA3B0A518498F7DC1D51251026AC3E254096807095C4A77E65
1936 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\logo[1].png | image | F9FD716D30E220AA24BAB0E94EBF0AA0 | 5E937C4D8FD33714E43B400F238CF37630E6EAEEFA105CCA9D77760223A16E94
1936 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\de[1].png | image | 9F8CC07C258BCD2DE0C7900861E20FFC | 07CD5A4CAD20604F77DCED9C7D8A92CA9AE3321718E5A1935296E4D75F921A19
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 37
TCP/UDP connections: 70
DNS requests: 38
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

1936 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D | US | der | 1.47 Kb | whitelisted
1936 | iexplore.exe | GET | 200 | 104.18.20.226:80 | http://ocsp.globalsign.com/rootr1/ME8wTTBLMEkwRzAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCDkbwjNvPLFRm7zMB3V80 | US | der | 1.49 Kb | whitelisted
1936 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAyO4MkNaokViAQGHuJB%2Ba8%3D | US | der | 471 b | whitelisted
1936 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAyO4MkNaokViAQGHuJB%2Ba8%3D | US | der | 471 b | whitelisted
1936 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D | US | der | 1.47 Kb | whitelisted
328 | iexplore.exe | GET | 200 | 143.204.208.127:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted
328 | iexplore.exe | GET | 200 | 13.35.253.5:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted
328 | iexplore.exe | GET | 200 | 13.35.253.198:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared
328 | iexplore.exe | GET | 304 | 2.17.46.169:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | unknown | compressed | 57.0 Kb | whitelisted
328 | iexplore.exe | GET | 200 | 2.17.46.169:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | unknown | compressed | 57.0 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

1936 | iexplore.exe | 104.18.20.226:80 | ocsp.globalsign.com | Cloudflare Inc | US | shared
1936 | iexplore.exe | 151.101.2.217:443 | vjs.zencdn.net | Fastly | US | suspicious
 | | 104.31.92.18:443 | anonfiles.com | Cloudflare Inc | US | shared
1936 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
 | | 151.101.2.217:443 | vjs.zencdn.net | Fastly | US | suspicious
1936 | iexplore.exe | 104.31.92.18:443 | anonfiles.com | Cloudflare Inc | US | shared
1936 | iexplore.exe | 13.35.253.164:443 | djv99sxoqpv11.cloudfront.net | | US | unknown
 | | 104.18.20.226:80 | ocsp.globalsign.com | Cloudflare Inc | US | shared
2064 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2064 | iexplore.exe | 104.31.92.18:443 | anonfiles.com | Cloudflare Inc | US | shared

DNS requests

Domain | IP | Reputation

anonfiles.com | 104.31.92.18, 104.31.93.18, 172.67.219.188 | shared
ocsp.digicert.com | 93.184.220.29 | whitelisted
vjs.zencdn.net | 151.101.2.217, 151.101.66.217, 151.101.130.217, 151.101.194.217 | whitelisted
djv99sxoqpv11.cloudfront.net | 13.35.253.164, 13.35.253.123, 13.35.253.162, 13.35.253.58 | shared
ocsp.globalsign.com | 104.18.20.226, 104.18.21.226 | whitelisted
s.symcd.com | 23.37.43.27 | shared
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
dkyp75kj7ldlr.cloudfront.net | 13.35.253.36, 13.35.253.56, 13.35.253.97, 13.35.253.224 | whitelisted
appearedsoci.fun | 13.225.87.110, 13.225.87.94, 13.225.87.21, 13.225.87.122 | malicious

Threats

PID | Process | Class | Message

 | | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .icu Domain
328 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious Domain (*.icu) in TLS SNI
328 | iexplore.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.icu)
328 | iexplore.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.icu)
No debug info