Malware analysis https://live-nba.stream/watch/43062/2/portland-trail-blazers-golden-state-warriors-live.html Malicious activity

Add for printing

URL:	https://live-nba.stream/watch/43062/2/portland-trail-blazers-golden-state-warriors-live.html
Full analysis:	https://app.any.run/tasks/1d32bde1-a317-409b-8b69-59d0d4b59f02
Verdict:	Malicious activity
Analysis date:	May 15, 2019, 06:27:55
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:	0A9216A1AA760487AE1DC296C72BE3A2
SHA1:	E41AB8063C36D1C24B9752E113523E830D0E7BBA
SHA256:	D22485A9A81D97F9D388625CF4469B95F8CEBFDBA6364285F6E1516600448025
SSDEEP:	3:N8MT6iG9zXKXViBwc2AxacrhMTAwJ:2Mm9Oq2yaPJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
- Creates files in the user directory
  - opera.exe (PID: 3660)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3660	"C:\Program Files\Opera\opera.exe" https://live-nba.stream/watch/43062/2/portland-trail-blazers-golden-state-warriors-live.html	C:\Program Files\Opera\opera.exe		explorer.exe
User: admin Company: Opera Software Integrity Level: MEDIUM Description: Opera Internet Browser Version: 1748
2856	"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 3660	C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	—	opera.exe
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641
1684	"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /id 3660	C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe	—	AcroRd32.exe
User: admin Company: Adobe Systems Incorporated Integrity Level: LOW Description: Adobe Acrobat Reader DC Version: 15.23.20070.215641

Add for printing

Total events

265

Read events

204

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3660	opera.exe	C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\oprFB07.tmp		—
		MD5:—	SHA256:—
3660	opera.exe	C:\Users\admin\AppData\Roaming\Opera\Opera\oprFB27.tmp		—
		MD5:—	SHA256:—
3660	opera.exe	C:\Users\admin\AppData\Roaming\Opera\Opera\oprFBC4.tmp		—
		MD5:—	SHA256:—
3660	opera.exe	C:\Users\admin\AppData\Local\Opera\Opera\cache\sesn\opr00001.tmp		—
		MD5:—	SHA256:—
3660	opera.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S4KD4BA1XE0HANVX6Z70.temp		—
		MD5:—	SHA256:—
3660	opera.exe	C:\Users\admin\AppData\Roaming\Opera\Opera\sessions\opr1289.tmp		—
		MD5:—	SHA256:—
3660	opera.exe	C:\Users\admin\AppData\Roaming\Opera\Opera\operaprefs.ini		text
		MD5:A446B1A8D21B10E8D4D96CF2F2EB9662	SHA256:4D4B397B4AA9D3680EA9706C4E2B18D126814C6CD3777DE397CE9E94D9487012
3660	opera.exe	C:\Users\admin\AppData\Roaming\Opera\Opera\tasks.xml		xml
		MD5:73D1408704BCCD9142E5F520535261B7	SHA256:40B0ACF7BA27A3637C8B78FBA12B6B5BF90277D5717BA59B6C354291B6DB1A45
3660	opera.exe	C:\Users\admin\AppData\Roaming\Opera\Opera\opssl6.dat		binary
		MD5:C231CE06258CAC1A27B7797C5C6119B8	SHA256:354657E42DC273494D4ACD52E6C9F5E4C89868C4825DE9D9B02F1338E2464EC4
3660	opera.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\16ec093b8f51508f.customDestinations-ms		binary
		MD5:9BE9CCC710D3048CFD9BFA594A41206A	SHA256:85766104413F074C4D5A44FE7A2472002A0B99DC59D4224DB4CD1E19072D2903

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

125

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3660	opera.exe	GET	200	151.139.128.14:80	http://ocsp.comodoca4.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQAU7Bfe6xSRj1%2Bo83zCN%2BY2wTgIAQU1LD0%2FU%2BcQqRs3D0u7ltBGMmtA%2FYCECpNJaw%2FqAVZDxAFL0VG%2Bnc%3D	US	der	471 b	whitelisted
3660	opera.exe	GET	200	192.35.177.64:80	http://crl.identrust.com/DSTROOTCAX3CRL.crl	US	der	896 b	whitelisted
3660	opera.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQQX6Z6gAidtSefNc6DC0OInqPHDQQUD4BhHIIxYdUvKOeNRji0LOHG2eICEAJvJGeK%2FtwlV70AH1C0Bso%3D	US	der	471 b	whitelisted
3660	opera.exe	GET	200	151.139.128.14:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR64T7ooMQqLLQoy%2BemBUYZQOKh6QQUkK9qOpRaC9iQ6hJWc99DtDoo2ucCEAwlX%2BWwe0xUZK7sA79up6Y%3D	US	der	471 b	whitelisted
3660	opera.exe	GET	200	93.184.220.29:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAwYRnF7eZBhU2LgcspZxrA%3D	US	der	471 b	whitelisted
3660	opera.exe	GET	200	172.217.22.99:80	http://crl.pki.goog/gsr2/gsr2.crl	US	der	546 b	whitelisted
3660	opera.exe	GET	200	151.139.128.14:80	http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR64T7ooMQqLLQoy%2BemBUYZQOKh6QQUkK9qOpRaC9iQ6hJWc99DtDoo2ucCEDVcoTH82eAUPv6eGMIxtds%3D	US	der	471 b	whitelisted
3660	opera.exe	GET	200	151.139.128.14:80	http://crl.usertrust.com/AddTrustExternalCARoot.crl	US	der	673 b	whitelisted
3660	opera.exe	GET	200	151.139.128.14:80	http://ocsp.comodoca4.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQAU7Bfe6xSRj1%2Bo83zCN%2BY2wTgIAQU1LD0%2FU%2BcQqRs3D0u7ltBGMmtA%2FYCEQDSVJWT1OLxShV3sbdg0rEr	US	der	472 b	whitelisted
3660	opera.exe	GET	200	93.184.220.29:80	http://crl3.digicert.com/DigiCertGlobalRootCA.crl	US	der	581 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3660	opera.exe	192.35.177.64:80	crl.identrust.com	IdenTrust	US	malicious
3660	opera.exe	66.225.197.197:80	crl4.digicert.com	CacheNetworks, Inc.	US	whitelisted
3660	opera.exe	185.26.182.112:443	sitecheck2.opera.com	Opera Software AS	—	malicious
3660	opera.exe	185.125.230.221:443	live-nba.stream	MAROSNET Telecommunication Company LLC	RU	unknown
3660	opera.exe	185.26.182.93:443	sitecheck2.opera.com	Opera Software AS	—	whitelisted
3660	opera.exe	104.19.195.151:443	cdnjs.cloudflare.com	Cloudflare Inc	US	shared
3660	opera.exe	31.13.90.36:443	www.facebook.com	Facebook, Inc.	IE	whitelisted
3660	opera.exe	195.181.170.18:443	1079020916.rsc.cdn77.org	Datacamp Limited	DE	suspicious
3660	opera.exe	93.184.220.66:443	platform.twitter.com	MCI Communications Services, Inc. d/b/a Verizon Business	US	whitelisted
3660	opera.exe	151.139.128.14:80	crl.comodoca.com	Highwinds Network Group, Inc.	US	suspicious

DNS requests

Domain	IP	Reputation
live-nba.stream	185.125.230.221 185.125.230.53	suspicious
sitecheck2.opera.com	185.26.182.112 185.26.182.93 185.26.182.94 185.26.182.111	whitelisted
certs.opera.com	185.26.182.93 185.26.182.94	whitelisted
crl.identrust.com	192.35.177.64	whitelisted
crl4.digicert.com	66.225.197.197	whitelisted
1079020916.rsc.cdn77.org	195.181.170.18	whitelisted
cdnjs.cloudflare.com	104.19.195.151 104.19.199.151 104.19.198.151 104.19.196.151 104.19.197.151	whitelisted
www.facebook.com	31.13.90.36	whitelisted
platform.twitter.com	93.184.220.66	whitelisted
st.chatango.com	208.93.230.18 208.93.230.28 208.93.230.22 208.93.230.16 208.93.230.24 208.93.230.26	whitelisted

Threats

No threats detected

Add for printing

No debug info

General Info

https://live-nba.stream/watch/43062/2/portland-trail-blazers-golden-state-warriors-live.html

0A9216A1AA760487AE1DC296C72BE3A2

E41AB8063C36D1C24B9752E113523E830D0E7BBA

D22485A9A81D97F9D388625CF4469B95F8CEBFDBA6364285F6E1516600448025

3:N8MT6iG9zXKXViBwc2AxacrhMTAwJ:2Mm9Oq2yaPJ

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Creates files in the user directory

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings