Malware analysis tatneft.online Malicious activity | ANY.RUN

Add for printing

URL:	tatneft.online
Full analysis:	https://app.any.run/tasks/9bf40336-c9bb-4bc9-aad2-1caa424e98ab
Verdict:	Malicious activity
Analysis date:	December 14, 2024, 10:35:56
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	magecart
MD5:	90CFE2EC50CF151426E80D92B00A5656
SHA1:	C4E406FDEBB5DE52BC70461CF7315D5997B5548E
SHA256:	F717D07E60803D18C9342645438236559ABDC5EBC03EA27B6DACA601FA1399EA
SSDEEP:	3:bcbn:bu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
PowerShell 7-x64 (7.3.5.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
Windows 10 Upgrade Assistant (1.4.9200.22175)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
Client LanguagePack Package
DotNetRollup
DotNetRollup
DotNetRollup 481
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
Hello Face Package
InternetExplorer Optional Package
InternetExplorer Optional Package
KB4562830
KB5003791
KB5007401
KB5011048
KB5012170
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MSPaint FoD Package
MediaPlayer Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
Notepad FoD Package
Notepad FoD Package
Notepad FoD Package
Notepad FoD Package
Notepad FoD Package
OpenSSH Client Package
OpenSSH Client Package
PowerShell ISE FOD Package
PowerShell ISE FOD Package
PowerShell ISE FOD Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing PMCPPC FoD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
Printing WFS FoD Package
Printing WFS FoD Package
Printing WFS FoD Package
ProfessionalEdition
ProfessionalEdition
QuickAssist Package
QuickAssist Package
RollupFix
RollupFix
ServicingStack
ServicingStack
ServicingStack 1852
ServicingStack 3989
StepsRecorder Package
StepsRecorder Package
StepsRecorder Package
StepsRecorder Package
StepsRecorder Package
TabletPCMath Package
TabletPCMath Package
UserExperience Desktop Package
UserExperience Desktop Package
WordPad FoD Package
WordPad FoD Package
WordPad FoD Package
WordPad FoD Package
WordPad FoD Package
Xps Xps Viewer Opt Package
Xps Xps Viewer Opt Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

136

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
4792	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2604 --field-trial-handle=2320,i,16194277592197507296,15814343983252007256,262144 --variations-seed-version /prefetch:3	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe		msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c1		image
		MD5:2DC77A1B5D9F30BCE73673487EF05DB7	SHA256:934772DFA5B609BC8383D88D29AB7C71E8CED78739B7F8AD54DC7A055A9AC72C
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000cb		binary
		MD5:50B140B1E97D859D6D0603414F4298EE	SHA256:FDC9964050BFA24C27A3C76C6791B3674292A5F352CBC83D7A4DC49595BC3FB1
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c6		image
		MD5:0C9BF76AAFF666F4AF86895C596E4A6A	SHA256:72BC9F2F98A718B2795F04A1B9FC2958E7AE662868D754F9E46E2C4B43340AF6
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ca		binary
		MD5:AF7AE505A9EED503F8B8E6982036873E	SHA256:2ADEFCBC041E7D18FCF2D417879DC5A09997AA64D675B7A3C4B6CE33DA13F3FE
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c3		image
		MD5:9D54044B93ED6888E7DD1AE813A76C86	SHA256:4A9C49FEF573692E59AEC1FA0F8326D28A428CDA8A810FF3F8BC5E3FDF6E28C5
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bd		binary
		MD5:8FB8FEE4FCC3CC86FF6C724154C49C42	SHA256:FF1523FB7389539C84C65ABA19260648793BB4F5E29329D2EE8804BC37A3FE6E
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c8		image
		MD5:292DA5F118A7B70C2F70483E81EDE34B	SHA256:E37D4D17DB37887873CFD2BE8F06DB3AEB68B442B74E073FC11DD10D1FED4DCC
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c7		image
		MD5:D409F0E62181D77E6BACBED5F5C014D0	SHA256:6B629F186E2496DE949E0D76289A5A3CCBC75222232B6270EAD50F6758C6F808
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c5		image
		MD5:701F2642ECC4ECEE63963D5BC65BAE36	SHA256:8ED09636EA8A4D825F625DAB03C1DF4C19EC767421983B1DEF69CF83B19FE4E7
4792	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c2		image
		MD5:AE0FE0A74F4F95C86943C6EDF202C64E	SHA256:D5A17C9D741098FCAEA4C291A0C79409C25B3F57AA4B38674F46F1375F69C9E7

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	301	192.168.1.2:443	https://tatneft.online/	unknown	—	—	—
—	—	HEAD	200	23.218.208.109:443	https://fs.microsoft.com/fs/windows/config.json	unknown	—	—	—
6900	svchost.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4792	msedge.exe	GET	200	195.216.243.16:80	http://tatneft.online/	unknown	—	—	—
1676	RUXIMICS.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4792	msedge.exe	GET	200	195.216.243.16:80	http://s22.ucoz.net/cgi/uutils.fcg?a=uSD&ca=2&ug=999&isp=0&r=0.170615565527683	unknown	—	—	whitelisted
4792	msedge.exe	GET	200	195.216.243.16:80	http://tatneft.online/.s/src/base.min.css	unknown	—	—	—
4304	MoUsoCoreWorker.exe	GET	200	2.16.164.49:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4792	msedge.exe	GET	200	195.216.243.16:80	http://tatneft.online/.s/src/css/1803.css	unknown	—	—	—
4792	msedge.exe	GET	200	195.216.243.16:80	http://s22.ucoz.net/cgi/uutils.fcg?a=uSD&ca=2&ug=999&isp=0&r=0.52514647954558	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
6900	svchost.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
1676	RUXIMICS.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4304	MoUsoCoreWorker.exe	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4792	msedge.exe	51.11.192.48:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	FR	unknown
—	—	224.0.0.251:5353	—	—	—	unknown
4792	msedge.exe	2.23.209.135:443	www.bing.com	Akamai International B.V.	GB	whitelisted
5988	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4792	msedge.exe	195.216.243.16:443	tatneft.online	Ddos-guard Ltd	RU	whitelisted
6552	svchost.exe	184.28.90.27:443	fs.microsoft.com	AKAMAI-AS	US	whitelisted
4792	msedge.exe	195.216.243.16:80	tatneft.online	Ddos-guard Ltd	RU	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 51.104.136.2	whitelisted
google.com	142.250.186.142	whitelisted
www.bing.com	2.23.209.135 2.23.209.130 2.23.209.149 2.23.209.158 2.23.209.140 2.23.209.141 2.23.209.144 2.23.209.133 2.23.209.150 2.23.209.182 2.23.209.187 2.23.209.181 2.23.209.160	whitelisted
tatneft.online	195.216.243.16	unknown
fs.microsoft.com	184.28.90.27	whitelisted
crl.microsoft.com	2.16.164.49 2.16.164.97	whitelisted
s22.ucoz.net	195.216.243.16	whitelisted
arc.msn.com	20.199.58.43	whitelisted
www.microsoft.com	88.221.169.152	whitelisted
fonts.googleapis.com	172.217.16.202	whitelisted

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET HUNTING DDoS-Guard Hosted Content
—	—	Potentially Bad Traffic	ET MALWARE Magecart Loader Javascript
—	—	Potentially Bad Traffic	ET HUNTING DDoS-Guard Hosted Content
—	—	Potentially Bad Traffic	ET HUNTING DDoS-Guard Hosted Content
—	—	Potentially Bad Traffic	ET HUNTING DDoS-Guard Hosted Content
—	—	Potentially Bad Traffic	ET HUNTING DDoS-Guard Hosted Content
—	—	Potentially Bad Traffic	ET HUNTING DDoS-Guard Hosted Content
—	—	Potentially Bad Traffic	ET HUNTING DDoS-Guard Hosted Content
—	—	Potentially Bad Traffic	ET HUNTING DDoS-Guard Hosted Content
—	—	Potentially Bad Traffic	ET HUNTING DDoS-Guard Hosted Content

Add for printing

No debug info

General Info

tatneft.online

90CFE2EC50CF151426E80D92B00A5656

C4E406FDEBB5DE52BC70461CF7315D5997B5548E

F717D07E60803D18C9342645438236559ABDC5EBC03EA27B6DACA601FA1399EA

3:bcbn:bu

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings