Malware analysis https://2no.co/2u3ii5.jpeg Malicious activity

Add for printing

URL:	https://2no.co/2u3ii5.jpeg
Full analysis:	https://app.any.run/tasks/69a03a0a-1ed6-4a8f-867b-83de4a66f54b
Verdict:	Malicious activity
Analysis date:	June 16, 2019, 18:22:29
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	evasion
Indicators:
MD5:	7A3AF32F23F9168D97CA98115B9F003B
SHA1:	C4A219CA46D2BA1D1CB6DD13535A9DA85BAA0895
SHA256:	B60F4A39637804317FBF825286ECE49045263B39FF70746B827236AB2CF1FD0A
SSDEEP:	3:N8LDMMQRACn:2LQR1n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
- Creates files in the user directory
  - iexplore.exe (PID: 1892)
  - iexplore.exe (PID: 3416)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 3416)
- Reads internet explorer settings
  - iexplore.exe (PID: 3416)
- Changes internet zones settings
  - iexplore.exe (PID: 1892)
- Manual execution by user
  - chrome.exe (PID: 2328)
- Reads settings of System Certificates
  - iexplore.exe (PID: 1892)
  - chrome.exe (PID: 2328)
- Changes settings of System certificates
  - iexplore.exe (PID: 1892)
- Adds / modifies Windows certificates
  - iexplore.exe (PID: 1892)
- Application launched itself
  - chrome.exe (PID: 2328)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
1892	"C:\Program Files\Internet Explorer\iexplore.exe" -nohome	C:\Program Files\Internet Explorer\iexplore.exe		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3416	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1892 CREDAT:71937	C:\Program Files\Internet Explorer\iexplore.exe		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
2328	"C:\Program Files\Google\Chrome\Application\chrome.exe"	C:\Program Files\Google\Chrome\Application\chrome.exe		explorer.exe
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Version: 73.0.3683.75
2772	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6b3e0f18,0x6b3e0f28,0x6b3e0f34	C:\Program Files\Google\Chrome\Application\chrome.exe	—	chrome.exe
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Version: 73.0.3683.75
3412	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=344 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6	C:\Program Files\Google\Chrome\Application\chrome.exe	—	chrome.exe
User: admin Company: Google Inc. Integrity Level: MEDIUM Description: Google Chrome Version: 73.0.3683.75
3888	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=964,11724036674344745164,15824269247204196827,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=14349820158884791533 --mojo-platform-channel-handle=948 --ignored=" --type=renderer " /prefetch:2	C:\Program Files\Google\Chrome\Application\chrome.exe	—	chrome.exe
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Version: 73.0.3683.75
3312	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=964,11724036674344745164,15824269247204196827,131072 --enable-features=PasswordImport --service-pipe-token=2537270307837793676 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2537270307837793676 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1848 /prefetch:1	C:\Program Files\Google\Chrome\Application\chrome.exe	—	chrome.exe
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 73.0.3683.75
3988	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=964,11724036674344745164,15824269247204196827,131072 --enable-features=PasswordImport --service-pipe-token=14922999222400490849 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=14922999222400490849 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1	C:\Program Files\Google\Chrome\Application\chrome.exe	—	chrome.exe
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Version: 73.0.3683.75
3800	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=964,11724036674344745164,15824269247204196827,131072 --enable-features=PasswordImport --service-pipe-token=15935955582099277325 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15935955582099277325 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2108 /prefetch:1	C:\Program Files\Google\Chrome\Application\chrome.exe	—	chrome.exe
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 73.0.3683.75
2236	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=964,11724036674344745164,15824269247204196827,131072 --enable-features=PasswordImport --disable-gpu-compositing --service-pipe-token=15266724770797804043 --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=15266724770797804043 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3716 /prefetch:1	C:\Program Files\Google\Chrome\Application\chrome.exe	—	chrome.exe
User: admin Company: Google Inc. Integrity Level: LOW Description: Google Chrome Exit code: 0 Version: 73.0.3683.75

Add for printing

Total events

669

Read events

537

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

318

Unknown types

Dropped files

PID	Process	Filename		Type
1892	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico		—
		MD5:—	SHA256:—
1892	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		—
		MD5:—	SHA256:—
3416	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@amazon[1].txt		—
		MD5:—	SHA256:—
3416	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat		dat
		MD5:161FC43BA54A946A68DD0815B236F22A	SHA256:02366E2DCEC830895FD28388EB9BA5BE473A7EAF7E56BF2F0A687E76EE96C5A7
3416	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VUN1MXE5\ref=mp_s_a_1_8[1].htm		html
		MD5:1858FE10A765ED28D0D674576DD6B0B8	SHA256:2CBE32D9DB58B78794530926C11723A04B13C3652ABAAF8445F10AFEFBB32358
3416	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\VUN1MXE5\210UtsRqV6L._RC_71+WX4uo+uL.css,11zh5zoa5AL.css,312AvbpH9bL.css,210-42NMyML.css,31wWWC6YAvL.css,11G4HxMtMSL.css,31OvHRW+XiL.css,01XHMOHpK1L.css_[1].css		text
		MD5:880F0D332C12221E1255E591A440431F	SHA256:94D4915725854C6F2820867B6C2778F5F13186C134DEADAEE6A326633A742CE3
3416	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat		dat
		MD5:B1F7501D06EB635C7FF430BBA53B92B2	SHA256:9989B1DD6A8691ED055EA28B2BA9A84199E31708AD411E4BB35FD4361CE767AC
3416	iexplore.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@amazon[2].txt		text
		MD5:B37A71AF557C61500E7AA79BE6B3ABE7	SHA256:5B8E7F21D5C70F3CCE7F02DF4BEC38A1A971B9B084C21608EDE4D38F4F72BFD4
3416	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B441E3XV\nav-sprite-global_bluebeacon-1x_optimized_layout1._CB468670774_[1].png		image
		MD5:96D38D69C3982DEDAAF3D39BECC571B2	SHA256:FB688BD3A4C6531F4FA7A72DC0321C8F3BB1F7F3FDC5B03B7C2A8C485EF07D0E
3416	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT		smt
		MD5:33F159DE2A391B8FBC6F7DB4C1386AC1	SHA256:C34B963497007862F2A997845888012A54D024D5C700F970198471A98E962ADC

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3416	iexplore.exe	GET	200	13.107.4.50:80	http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	US	compressed	56.2 Kb	whitelisted
1892	iexplore.exe	GET	200	52.85.22.175:80	http://d2lo25i6d3q8zm.cloudfront.net/browser-plugins/AmazonSearchSuggestionsOSD.DPIE.xml	US	xml	1.18 Kb	shared
2328	chrome.exe	GET	302	216.58.205.238:80	http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx	US	html	504 b	whitelisted
2328	chrome.exe	GET	200	204.13.202.71:80	http://ssl.trustwave.com/issuers/STCA.crt	US	der	956 b	whitelisted
2328	chrome.exe	GET	301	88.99.66.31:80	http://2no.co/	DE	html	178 b	whitelisted
2328	chrome.exe	GET	200	173.194.183.201:80	http://r4---sn-aigl6nl7.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=217.147.89.18&mm=28&mn=sn-aigl6nl7&ms=nvh&mt=1560709349&mv=m&pl=22&shardbypass=yes	US	crx	842 Kb	whitelisted
3416	iexplore.exe	GET	200	52.85.22.120:80	http://x.ss2.us/x.cer	US	der	1.27 Kb	whitelisted
1892	iexplore.exe	GET	200	204.79.197.200:80	http://www.bing.com/favicon.ico	US	image	237 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1892	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
3416	iexplore.exe	88.99.66.31:443	2no.co	Hetzner Online GmbH	DE	malicious
3416	iexplore.exe	104.108.41.30:443	www.amazon.com	Akamai Technologies, Inc.	NL	whitelisted
3416	iexplore.exe	52.85.22.120:80	x.ss2.us	Amazon.com, Inc.	US	unknown
3416	iexplore.exe	54.192.218.146:443	images-na.ssl-images-amazon.com	Amazon.com, Inc.	US	unknown
3416	iexplore.exe	52.71.54.15:443	fls-na.amazon.com	Amazon.com, Inc.	US	unknown
3416	iexplore.exe	13.107.4.50:80	www.download.windowsupdate.com	Microsoft Corporation	US	whitelisted
1892	iexplore.exe	52.222.173.244:443	www.amazon.com	Amazon.com, Inc.	US	unknown
1892	iexplore.exe	52.85.22.175:80	d2lo25i6d3q8zm.cloudfront.net	Amazon.com, Inc.	US	whitelisted
2328	chrome.exe	172.217.16.141:443	accounts.google.com	Google Inc.	US	suspicious

DNS requests

Domain	IP	Reputation
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
2no.co	88.99.66.31	whitelisted
www.amazon.com	104.108.41.30 52.222.173.244	whitelisted
images-na.ssl-images-amazon.com	54.192.218.146	shared
m.media-amazon.com	54.192.218.146	whitelisted
fls-na.amazon.com	52.71.54.15 52.6.113.120 52.4.56.247 52.45.18.157 52.71.248.72 52.45.7.189 54.173.174.30 54.86.84.180	shared
x.ss2.us	52.85.22.120 52.85.22.17 52.85.22.108 52.85.22.38	whitelisted
www.download.windowsupdate.com	13.107.4.50	whitelisted
d2lo25i6d3q8zm.cloudfront.net	52.85.22.175 52.85.22.8 52.85.22.82 52.85.22.249	shared
clientservices.googleapis.com	216.58.206.3	whitelisted

Threats

PID	Process	Class	Message
3416	iexplore.exe	Potential Corporate Privacy Violation	POLICY [PTsecurity] IP Check Domain SSL certificate
3416	iexplore.exe	Potential Corporate Privacy Violation	POLICY [PTsecurity] IP Check Domain SSL certificate
2328	chrome.exe	Potential Corporate Privacy Violation	POLICY [PTsecurity] IP Check Domain SSL certificate
2328	chrome.exe	Potential Corporate Privacy Violation	POLICY [PTsecurity] IP Check Domain SSL certificate

1 ETPRO signatures available at the full report

Add for printing

No debug info

General Info

https://2no.co/2u3ii5.jpeg

7A3AF32F23F9168D97CA98115B9F003B

C4A219CA46D2BA1D1CB6DD13535A9DA85BAA0895

B60F4A39637804317FBF825286ECE49045263B39FF70746B827236AB2CF1FD0A

3:N8LDMMQRACn:2LQR1n

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Creates files in the user directory

Reads Internet Cache Settings

Reads internet explorer settings

Changes internet zones settings

Manual execution by user

Reads settings of System Certificates

Changes settings of System certificates

Adds / modifies Windows certificates

Application launched itself

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings