Malware analysis http://saminside.findmysoft.com/ Malicious activity

Add for printing

URL:	http://saminside.findmysoft.com/
Full analysis:	https://app.any.run/tasks/40957ece-d4c6-4091-a5db-2dcc629f54f9
Verdict:	Malicious activity
Analysis date:	January 10, 2019, 21:59:29
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:	F5710CA1B472EA9A8F909356B144640F
SHA1:	C47DF98959809D7ED6AE559A071DA85B44E04A18
SHA256:	BD19F25293EA915AD40918264B57E65AF763F236AEBF5FF596C4B2449C6FE3FB
SSDEEP:	3:N1KNEINlLQCcWKDRtn:CWINl8+KXn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (68.0.3440.106)
Google Update Helper (1.3.33.17)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 61.0.2 (x86 en-US) (61.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
- Changes internet zones settings
  - iexplore.exe (PID: 2944)
- Reads internet explorer settings
  - iexplore.exe (PID: 3076)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 3076)
  - iexplore.exe (PID: 2944)
- Creates files in the user directory
  - iexplore.exe (PID: 3076)
  - FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3668)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
2944	"C:\Program Files\Internet Explorer\iexplore.exe" -nohome	C:\Program Files\Internet Explorer\iexplore.exe		explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3076	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2944 CREDAT:71937	C:\Program Files\Internet Explorer\iexplore.exe		iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3668	C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding	C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe	—	svchost.exe
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0 Version: 26,0,0,131

Add for printing

Total events

522

Read events

443

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2944	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico		—
		MD5:—	SHA256:—
2944	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		—
		MD5:—	SHA256:—
3076	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\gtm[1].js		text
		MD5:1A8C4F3DF2F4B63BC4388FB0EBF82D57	SHA256:3570E6D7F2E777159F2602A1DB38C75628AC6D97BFF2968369E36A3C78B5B0ED
3076	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\all[2].js		text
		MD5:D7B79E2F99D26E7CD7CB48AE02E2ADE2	SHA256:9053CA284FCB0786B049A8D99E722200612D71781F2D0D80C86B86C9DA275B5E
3076	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\saminside_findmysoft_com[1].htm		html
		MD5:3DAE83C3B9F6335C4C5F52DA388C328E	SHA256:8D8B97E554FACB4083B26928F5192B984C1767DDF28DF94B3088FA962DD3A972
3076	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\72014[1].jpg		image
		MD5:B6AA4B9DB0C5657F573ACDB6394F92B1	SHA256:9EF03CBB8959357C8F4C3FAF5A7EB8610B1715BD75A55066829BEFFDDA930174
3076	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\all[1].js		text
		MD5:D7B79E2F99D26E7CD7CB48AE02E2ADE2	SHA256:9053CA284FCB0786B049A8D99E722200612D71781F2D0D80C86B86C9DA275B5E
3076	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\72014[1].gif		image
		MD5:31D7E3486FDF62F14E8B823543B0F2C5	SHA256:45F377ACF18360ED77584B5CA4652E340E47EF791053188793546F34D32F5CEA
3076	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\sprite_ico[1].png		image
		MD5:5AA49E50F2AA18D23A558D2D0B2115F5	SHA256:9FF9843B07FC44904CCD9F097F84EF04B2002D9ECBB19CA93E5CDF1F5A73A98C
3076	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\sprite_ico[1].png		image
		MD5:5AA49E50F2AA18D23A558D2D0B2115F5	SHA256:9FF9843B07FC44904CCD9F097F84EF04B2002D9ECBB19CA93E5CDF1F5A73A98C

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3076	iexplore.exe	GET	200	52.222.146.15:80	http://img.findmysoft.com/ico/72014.gif	US	image	901 b	shared
3076	iexplore.exe	GET	200	52.222.146.15:80	http://img.findmysoft.com/i3/sprite_ico.png	US	image	10.7 Kb	shared
3076	iexplore.exe	GET	200	52.222.146.15:80	http://img.findmysoft.com/js3/behavior.js	US	text	7.71 Kb	shared
3076	iexplore.exe	GET	200	52.73.84.74:80	http://saminside.findmysoft.com/	US	html	6.77 Kb	unknown
3076	iexplore.exe	GET	200	52.73.84.74:80	http://www.findmysoft.com/thumb/72014.jpg	US	image	8.01 Kb	unknown
3076	iexplore.exe	GET	200	52.222.146.15:80	http://img.findmysoft.com/i3/logo.png	US	image	8.95 Kb	shared
3076	iexplore.exe	GET	200	52.222.146.15:80	http://img.findmysoft.com/js3/ga_social_tracking.js	US	text	4.70 Kb	shared
3076	iexplore.exe	GET	200	172.217.21.200:80	http://www.googletagmanager.com/gtm.js?id=GTM-MJ4SPG	US	text	27.6 Kb	whitelisted
3076	iexplore.exe	GET	200	157.240.1.23:80	http://connect.facebook.net/en_US/all.js	US	text	1.89 Kb	whitelisted
3076	iexplore.exe	GET	200	52.222.146.15:80	http://img.findmysoft.com/js3/rating.js	US	text	3.49 Kb	shared

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2944	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
3076	iexplore.exe	52.73.84.74:80	saminside.findmysoft.com	Amazon.com, Inc.	US	unknown
3076	iexplore.exe	52.222.146.15:80	img.findmysoft.com	Amazon.com, Inc.	US	whitelisted
3076	iexplore.exe	172.217.22.46:80	www.google-analytics.com	Google Inc.	US	whitelisted
3076	iexplore.exe	157.240.1.23:80	connect.facebook.net	Facebook, Inc.	US	whitelisted
3076	iexplore.exe	74.125.140.196:443	apis.google.com	Google Inc.	US	unknown
3076	iexplore.exe	52.222.146.69:80	video.findmysoft.com	Amazon.com, Inc.	US	suspicious
3076	iexplore.exe	157.240.1.23:443	connect.facebook.net	Facebook, Inc.	US	whitelisted
3076	iexplore.exe	216.58.205.227:443	www.google.pl	Google Inc.	US	whitelisted
3076	iexplore.exe	212.124.115.196:80	www.1-1ads.com	True Records Inc.	DE	suspicious

DNS requests

Domain	IP	Reputation
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
saminside.findmysoft.com	52.73.84.74	unknown
img.findmysoft.com	52.222.146.15 52.222.146.208 52.222.146.88 52.222.146.154	shared
www.findmysoft.com	52.73.84.74	unknown
www.google-analytics.com	172.217.22.46	whitelisted
www.googletagmanager.com	172.217.21.200	whitelisted
apis.google.com	74.125.140.196	whitelisted
connect.facebook.net	157.240.1.23	whitelisted
video.findmysoft.com	52.222.146.69 52.222.146.207 52.222.146.125 52.222.146.201	whitelisted
www.1-1ads.com	212.124.115.196 212.124.124.178	whitelisted

Threats

PID	Process	Class	Message
3076	iexplore.exe	Potential Corporate Privacy Violation	ET POLICY Outdated Flash Version M1

Add for printing

No debug info

General Info

http://saminside.findmysoft.com/

F5710CA1B472EA9A8F909356B144640F

C47DF98959809D7ED6AE559A071DA85B44E04A18

BD19F25293EA915AD40918264B57E65AF763F236AEBF5FF596C4B2449C6FE3FB

3:N1KNEINlLQCcWKDRtn:CWINl8+KXn

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Changes internet zones settings

Reads internet explorer settings

Reads Internet Cache Settings

Creates files in the user directory

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings