analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://sakpot.com/evon-executor/

Full analysis: https://app.any.run/tasks/d578b893-a170-48cb-8aab-9f95752cb65e
Verdict: Malicious activity
Analysis date: April 24, 2022, 14:27:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

C2965D3C4A095D0B7C8F1837743C6ECD

SHA1:

FD4B8D1C312F7F835B268B7D0D24B056FAF3D5F6

SHA256:

CB398D36A6647EAD46EC0E8D06C17AB7C83434A8A7B15AC3748E4B076A947B10

SSDEEP:

3:N8J6QdIujEL:2wQKujEL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • iexplore.exe (PID: 3360)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3360)
    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3360)
    • Drops a file with a compile date too recent

      • iexplore.exe (PID: 3360)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 2952)
      • iexplore.exe (PID: 3360)
    • Reads the computer name

      • iexplore.exe (PID: 3360)
      • iexplore.exe (PID: 2952)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3360)
      • iexplore.exe (PID: 2952)
    • Application launched itself

      • iexplore.exe (PID: 2952)
    • Changes internet zones settings

      • iexplore.exe (PID: 2952)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2952)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3360)
      • iexplore.exe (PID: 2952)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3360)
    • Creates files in the user directory

      • iexplore.exe (PID: 3360)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2952"C:\Program Files\Internet Explorer\iexplore.exe" "https://sakpot.com/evon-executor/"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3360"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2952 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events
29 765
Read events
29 501
Write events
264
Delete events
0

Modification events

(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30955495
(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30955495
(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2952) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
1
Suspicious files
11
Text files
42
Unknown types
6

Dropped files

PID
Process
Filename
Type
3360iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\maxresdefault[1].jpgimage
MD5:2A0B25D9E190BEEA4F42B9D646E004E9
SHA256:DD63BA088B8BAA7EB717C61013E9CC6D17893D7B72BB273C60929E16B5E90749
3360iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\copy1[1].pngimage
MD5:37477FE26051FC6163256D59B8421426
SHA256:E9628F7A628FDC07EB154CEA34BAC4902E5BC71E37C4108821BEDB17434BFBDE
3360iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27der
MD5:C58984F41DE59E127038ECD87F2E2B03
SHA256:1401879B5CCD7F3BA9E72DC45FAD53D2B623C25410147DB679CB7764413B1281
3360iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\unnamed[1].jpgimage
MD5:B793B947A69E62D962058692AB4033CF
SHA256:B45374ED0D9624466B2572D1A03D7757FC934215E500E890ABDC9A4C9405CB11
3360iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\index[1].htmhtml
MD5:383DF5E6CCC9786FA494826E753D2EC3
SHA256:717D95565DEF06C5608912E29EA1C44A1D20D4DA7D3DF78685BD45C6DA09D7AB
3360iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\impressionTrackerAMEXIABTCF20[1].jstext
MD5:A0959ECD60B82E569593042A7C7B095E
SHA256:BBDCB7C7165013BF5260E2D3892D69CB0E17FB33B957EE32D6E2394882D4CE78
3360iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_879B1C301AD571684A853B985E379A70der
MD5:B471E784F9540662C2A9EB6548D0E47B
SHA256:3DE68701422E1B1DDA0B2BFC0D6985D2EC9866507E095B3B262FB68FFFE62741
3360iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_011681896A8CCFE173478E2C6B69A9A1der
MD5:E31299E43A3422BD91B0CA9434683C43
SHA256:51ADCEC1DD11B396E4D41B5D01454781446BABCBE9C9F51D3864786E6711D9B4
3360iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\BUlE0MMmCtBIKYIx4niMcBRj2C-z9EUT4rYOzTNoZXM[1].jstext
MD5:02519FF5AD7A4036802EE05F52A4524C
SHA256:054944D0C3260AD048298231E2788C701463D82FB3F44513E2B60ECD33686573
3360iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_879B1C301AD571684A853B985E379A70binary
MD5:61EE3D77C4A9BF2CACF39AA44BF17794
SHA256:9A112F88AD66BE5581C00297D20266F56DC1B8D78C3404EE6D8871D28B7D2872
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
51
TCP/UDP connections
151
DNS requests
64
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3360
iexplore.exe
GET
200
216.58.212.163:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDZVQ0c3n%2F16xKL4oJJTrDj
US
der
472 b
whitelisted
3360
iexplore.exe
GET
200
216.58.212.163:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
3360
iexplore.exe
GET
200
216.58.212.163:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
3360
iexplore.exe
GET
200
216.58.212.163:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCCPD%2BmI1IjpApTbalFlJFC
US
der
472 b
whitelisted
3360
iexplore.exe
GET
200
216.58.212.163:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDzUhX0mpRpeRIn54Dv2z6O
US
der
472 b
whitelisted
3360
iexplore.exe
GET
200
216.58.212.163:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEGw1Yik%2BBw9wCsFmPcXqpzQ%3D
US
der
471 b
whitelisted
3360
iexplore.exe
GET
200
52.222.206.202:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D
US
der
1.39 Kb
shared
3360
iexplore.exe
GET
200
216.58.212.163:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEA8SVMKPsnFcEm%2FVYIITs7I%3D
US
der
471 b
whitelisted
3360
iexplore.exe
GET
200
52.222.206.73:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
US
der
1.51 Kb
whitelisted
3360
iexplore.exe
GET
200
216.58.212.163:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEHquXS%2BaUA73EnirQKFr398%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3360
iexplore.exe
142.250.185.74:443
fonts.googleapis.com
Google Inc.
US
whitelisted
3360
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3360
iexplore.exe
188.114.96.7:443
sakpot.com
Cloudflare Inc
US
malicious
3360
iexplore.exe
104.17.25.14:443
cdnjs.cloudflare.com
Cloudflare Inc
US
suspicious
3360
iexplore.exe
142.250.186.66:443
pagead2.googlesyndication.com
Google Inc.
US
whitelisted
3360
iexplore.exe
216.58.212.163:80
ocsp.pki.goog
Google Inc.
US
whitelisted
3360
iexplore.exe
67.27.233.126:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious
3360
iexplore.exe
216.58.212.163:443
ocsp.pki.goog
Google Inc.
US
whitelisted
3360
iexplore.exe
142.250.185.142:443
www.youtube.com
Google Inc.
US
whitelisted
3360
iexplore.exe
142.250.185.162:443
googleads.g.doubleclick.net
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
sakpot.com
  • 188.114.96.7
  • 188.114.97.7
malicious
ctldl.windowsupdate.com
  • 67.27.233.126
  • 67.26.81.254
  • 8.253.207.120
  • 8.248.117.254
  • 8.248.147.254
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
fonts.googleapis.com
  • 142.250.185.74
whitelisted
cdnjs.cloudflare.com
  • 104.17.25.14
  • 104.17.24.14
whitelisted
pagead2.googlesyndication.com
  • 142.250.186.66
whitelisted
ocsp.pki.goog
  • 216.58.212.163
whitelisted
fonts.gstatic.com
  • 216.58.212.163
whitelisted
googleads.g.doubleclick.net
  • 142.250.185.162
whitelisted
evon.cc
  • 188.114.97.7
  • 188.114.96.7
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query for .cc TLD
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
No debug info