Malware analysis http://dell1.ug/files/penelop/3.exe Malicious activity

Add for printing

URL:	http://dell1.ug/files/penelop/3.exe
Full analysis:	https://app.any.run/tasks/91ceee54-ab0d-4275-96cb-895def8a0986
Verdict:	Malicious activity
Threats:	Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. Malware Trends Tracker >>>
Analysis date:	September 18, 2019, 22:38:30
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	trojan
Indicators:
MD5:	294F9B3916C05A2127B6FF01F1FFA0B8
SHA1:	0FB71C4D4B1D31FD0BF1FAF34E8F5A7158CF65FE
SHA256:	C2B75D57FC8B43EEA66E868E6D913266CE14A7A1F0EE53CE40BD4D7CFF77221E
SSDEEP:	3:N1KaAJ1CKQJmwrT0dAn:Ca5f3rgC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 180 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 120 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 68.0.1 (x86 en-US) (68.0.1)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
- Application launched itself
  - iexplore.exe (PID: 2880)
- Changes internet zones settings
  - iexplore.exe (PID: 2880)
- Creates files in the user directory
  - iexplore.exe (PID: 3224)
  - iexplore.exe (PID: 2880)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 3224)
- Reads internet explorer settings
  - iexplore.exe (PID: 3224)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Parent process
2880	"C:\Program Files\Internet Explorer\iexplore.exe" -nohome	C:\Program Files\Internet Explorer\iexplore.exe	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3224	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2880 CREDAT:71937	C:\Program Files\Internet Explorer\iexplore.exe	iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

353

Read events

308

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2880	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico		—
		MD5:—	SHA256:—
2880	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		—
		MD5:—	SHA256:—
3224	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat		dat
		MD5:98350C8734F32B73C477D7250FBFC2F2	SHA256:AFC90DFFA399898999A98D458DDA7F17A2DA9B422FDB0650AC20F645EC99326E
3224	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat		dat
		MD5:663CC2A0D71137A6E992F00C9B571397	SHA256:61A3ACC97160272A9BDBA4BD0B531D98F5CDDFB200BA7399C2051BE7A73A2160
3224	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT		smt
		MD5:66D20D9CF2322C4B662EA6E754325CD7	SHA256:D6A4C1DF6554CDC6D56F1D92FD09F3D7991E3620151F00DB51D55C8EE260C3CC
3224	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\ED8T0P8W\httpErrorPagesScripts[1]		text
		MD5:E7CA76A3C9EE0564471671D500E3F0F3	SHA256:58268CA71A28973B756A48BBD7C9DC2F6B87B62AE343E582CE067C725275B63C
3224	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GVTY7FXS\desktop.ini		ini
		MD5:4A3DEB274BB5F0212C2419D3D8D08612	SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3224	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\C3SIM6VZ\httpErrorPagesScripts[1]		text
		MD5:E7CA76A3C9EE0564471671D500E3F0F3	SHA256:58268CA71A28973B756A48BBD7C9DC2F6B87B62AE343E582CE067C725275B63C
3224	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q8817MAL\ErrorPageTemplate[1]		text
		MD5:F4FE1CB77E758E1BA56B8A8EC20417C5	SHA256:8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
3224	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GVTY7FXS\http_404[1]		html
		MD5:4CD84A1B063BF6DEA53E06755EF9E24D	SHA256:988CC4B451673F847D823C9D9BA14AD50D3CA1141BC1E17C6415B8F64B6E1C22

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3224	iexplore.exe	GET	404	8.208.13.6:80	http://dell1.ug/files/penelop/3.exe	US	html	217 b	malicious
3224	iexplore.exe	GET	404	8.208.13.6:80	http://dell1.ug/files/penelop/3.exe	US	html	217 b	malicious
2880	iexplore.exe	GET	200	204.79.197.200:80	http://www.bing.com/favicon.ico	US	image	237 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2880	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
3224	iexplore.exe	8.208.13.6:80	dell1.ug	Level 3 Communications, Inc.	US	malicious

DNS requests

Domain	IP	Reputation
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
dell1.ug	8.208.13.6	malicious

Threats

PID	Process	Class	Message
3224	iexplore.exe	A Network Trojan was detected	ET TROJAN Single char EXE direct download likely trojan (multiple families)
3224	iexplore.exe	A Network Trojan was detected	ET TROJAN Single char EXE direct download likely trojan (multiple families)

Add for printing

No debug info

General Info

http://dell1.ug/files/penelop/3.exe

294F9B3916C05A2127B6FF01F1FFA0B8

0FB71C4D4B1D31FD0BF1FAF34E8F5A7158CF65FE

C2B75D57FC8B43EEA66E868E6D913266CE14A7A1F0EE53CE40BD4D7CFF77221E

3:N1KaAJ1CKQJmwrT0dAn:Ca5f3rgC

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Application launched itself

Changes internet zones settings

Creates files in the user directory

Reads Internet Cache Settings

Reads internet explorer settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings