analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://adpop.xyz/UN3HO

Full analysis: https://app.any.run/tasks/3c07e3ed-4010-4de9-b335-072807d9ac46
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: July 18, 2019, 06:30:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
exploit
underminer
underminerek
Indicators:
MD5:

F30BF54A14FDC0F14CF848A9308CA783

SHA1:

A7628E1A29E5BF795A0724FB8EBC24A7EC490D6F

SHA256:

DDF6E475A994648BF6EC94FD6E625CF619A5E852121E836BAC8163AEE0D0B68B

SSDEEP:

3:N8+OLefKwl:2+keiwl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Connects to CnC server

      • rundll32.exe (PID: 3824)

  • SUSPICIOUS

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3976)

    • Low-level read access rights to disk partition

      • rundll32.exe (PID: 3824)

    • Reads Internet Cache Settings

      • dllhost.exe (PID: 2272)

    • Reads the BIOS version

      • rundll32.exe (PID: 3824)

    • Uses RUNDLL32.EXE to load library

      • dllhost.exe (PID: 2272)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3760)

    • Changes internet zones settings

      • iexplore.exe (PID: 3760)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3664)

    • Creates files in the user directory

      • iexplore.exe (PID: 3664)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3976)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3664)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
5
Malicious processes
0
Suspicious processes
2

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs dllhost.exe rundll32.exe

Process information

PID
CMD
Path
Indicators
Parent process
3760"C:\Program Files\Internet Explorer\iexplore.exe" "https://adpop.xyz/UN3HO"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3664"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3760 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3976C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
2272"C:\Windows\system32\dllhost.exe"C:\Windows\system32\dllhost.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3824InetCpl.cpl,ClearMyTracksByProcess 8C:\Windows\system32\rundll32.exe
dllhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
554
Read events
457
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
43
Unknown types
28

Dropped files

PID
Process
Filename
Type
3760iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
MD5:
SHA256:
3760iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3664iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8BW8CI0Y\1Hqmyt597XO0ZNj9tXit7HZOMroEJu8c[1].php
MD5:
SHA256:
3664iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\THOJPES7\ninjamediascript_devdojo_com[1].txt
MD5:
SHA256:
3664iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RIMVM10U\index[1].php
MD5:
SHA256:
3664iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:B0741B59228BCF0D43FD2F7F806D6B8A
SHA256:CBFCD188A0249F9364E018811A1CB8C1898C49CD16CBFA218732883E503D2E62
3664iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@adpop[1].txttext
MD5:958F59E9BB22211B209D3594ADCF748D
SHA256:C05914297B358E3603D3BCD89E009403A26AE76F0F93DE50FB960B0020FFB71B
3664iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.datdat
MD5:380F38B80B7793E6AE47D6AE63D3181F
SHA256:50EAC7121798C79C75125910F3975D768E0E317E798987D542E37C8EB49FEB8D
3664iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\THOJPES7\ninjamediascript_devdojo_com[1].htmhtml
MD5:7C3DAC12B346645960410C0423A46562
SHA256:01613332E7BB569EA087F3FBD3FC05968092F367F86AB3AFC5A4746A95FBF9E5
3664iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RIMVM10U\index[1].htmhtml
MD5:B856D429613D44394129A6B2CEBCC0FA
SHA256:091DBC35D877EFBEBB29DD8997F6A6CFAD75069E58067C813D03E3A6FCB8CEE0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
43
TCP/UDP connections
20
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3664
iexplore.exe
GET
302
67.198.185.101:80
http://67.198.185.101/Xa137b375cc3881a70e186ce2172c8TT.php
US
unknown
3664
iexplore.exe
GET
200
104.25.141.116:80
http://ninjamediascript.devdojo.com/?pop
US
html
3.05 Kb
shared
3664
iexplore.exe
GET
200
104.25.141.116:80
http://ninjamediascript.devdojo.com/storage/themes/December2017/YFJWUNeiVSaE0fAJQq21.png
US
image
4.55 Kb
shared
3664
iexplore.exe
GET
200
104.25.141.116:80
http://ninjamediascript.devdojo.com/themes/simple/assets/css/style.css
US
text
2.71 Kb
shared
3664
iexplore.exe
GET
200
104.25.141.116:80
http://ninjamediascript.devdojo.com/themes/simple/assets/js/jquery-1.11.1.min.js
US
text
32.5 Kb
shared
3664
iexplore.exe
GET
200
67.198.185.100:80
http://67.198.185.100/1Hqmyt597XO0ZNj9tXit7HZOMroEJu8c.php
US
html
1.68 Kb
unknown
3664
iexplore.exe
GET
200
104.25.141.116:80
http://ninjamediascript.devdojo.com/storage/posts/February2014/must-be-monday.gif
US
image
141 Kb
shared
3664
iexplore.exe
GET
200
104.25.141.116:80
http://ninjamediascript.devdojo.com/themes/simple/assets/js/jquery.fitvid.js
US
html
1.00 Kb
shared
3664
iexplore.exe
GET
200
104.25.141.116:80
http://ninjamediascript.devdojo.com/storage/posts/February2014/highlight-anything-stupid.jpg
US
image
57.5 Kb
shared
3664
iexplore.exe
GET
200
38.75.137.9:9088
http://38.75.137.9:9088/index.php?ad_id=Tj_0_cOHejcqGyRdV8mtVA&re=Tj_0_cOHejcqGyRdV8mtVA&rt=Tj_0_cOHejcqGyRdV8mtVA&id=9088&zone=Tj_0_cOHejcqGyRdV8mtVA&prod=Tj_0_cOHejcqGyRdV8mtVA&lp=Type&st=Tj_0_cOHejcqGyRdV8mtVA&e=1563431573&y=203383623512
US
html
967 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3664
iexplore.exe
67.198.185.98:443
adpop.xyz
Krypt Technologies
US
suspicious
3760
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3664
iexplore.exe
67.198.185.101:80
Krypt Technologies
US
unknown
3664
iexplore.exe
23.111.8.154:443
oss.maxcdn.com
netDNA
US
unknown
3664
iexplore.exe
67.198.185.100:80
Krypt Technologies
US
unknown
3664
iexplore.exe
104.25.141.116:80
ninjamediascript.devdojo.com
Cloudflare Inc
US
shared
3664
iexplore.exe
38.75.137.9:9088
Cogent Communications
US
suspicious
67.198.185.100:80
Krypt Technologies
US
unknown
3824
rundll32.exe
38.75.137.9:9088
Cogent Communications
US
suspicious
3824
rundll32.exe
38.75.137.28:1108
bbs.favcom.space
Cogent Communications
US
malicious

DNS requests

Domain
IP
Reputation
adpop.xyz
  • 67.198.185.98
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
oss.maxcdn.com
  • 23.111.8.154
whitelisted
ninjamediascript.devdojo.com
  • 104.25.141.116
  • 104.25.142.116
unknown
bbs.favcom.space
  • 38.75.137.28
  • 38.75.136.222
malicious

Threats

PID
Process
Class
Message
3664
iexplore.exe
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz)
3664
iexplore.exe
A Network Trojan was detected
ET CURRENT_EVENTS Possible Underminer EK Landing
3664
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY Outdated Flash Version M1
3664
iexplore.exe
A Network Trojan was detected
ET CURRENT_EVENTS Underminer EK IE Exploit
3824
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Encrypted Hidden Bee binary payload
3824
rundll32.exe
A Network Trojan was detected
MALWARE [PTsecurity] Encrypted Hidden Bee binary payload
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://adpop.xyz/UN3HO