URL:

http://bubblemark.com/ClientBin/SilverlightBalls.xap

Full analysis: https://app.any.run/tasks/baf29c11-6c38-4168-907f-90bff6583e9c
Verdict: Malicious activity
Analysis date: May 15, 2019, 12:36:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

2310CBCD9323EA8439ACA566DBAD3ED9

SHA1:

D4C6027CE4D5C37C52EDF1410CCD1510B6E8006E

SHA256:

F89E2AD569865AF9EB2470C935700B09F0B0BC47330B1230E685C9108C17C2C3

SSDEEP:

3:N1KcSuEWXRnKKd+7gq8:Cc1XRRdk58

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 1256)
      • explorer.exe (PID: 252)
      • install.exe (PID: 3388)
      • coregen.exe (PID: 3416)
      • rundll32.exe (PID: 3264)
      • coregen.exe (PID: 3076)
      • coregen.exe (PID: 2708)
      • coregen.exe (PID: 3704)
      • coregen.exe (PID: 3712)
      • coregen.exe (PID: 4040)
      • coregen.exe (PID: 2892)
      • coregen.exe (PID: 2120)
      • coregen.exe (PID: 3328)
      • coregen.exe (PID: 2300)
      • coregen.exe (PID: 3628)
      • coregen.exe (PID: 2416)
      • coregen.exe (PID: 3132)
      • coregen.exe (PID: 3892)
      • coregen.exe (PID: 2624)
      • agcp.exe (PID: 2280)
      • iexplore.exe (PID: 2444)
    • Application was dropped or rewritten from another process

      • install.exe (PID: 3388)
      • install.exe (PID: 4084)
      • Silverlight.exe (PID: 2412)
      • coregen.exe (PID: 3416)
      • coregen.exe (PID: 2708)
      • coregen.exe (PID: 3076)
      • coregen.exe (PID: 3704)
      • coregen.exe (PID: 3712)
      • coregen.exe (PID: 2892)
      • coregen.exe (PID: 2120)
      • coregen.exe (PID: 4040)
      • coregen.exe (PID: 2300)
      • coregen.exe (PID: 3328)
      • coregen.exe (PID: 3628)
      • silverlight.configuration.exe (PID: 4036)
      • coregen.exe (PID: 3892)
      • coregen.exe (PID: 2416)
      • coregen.exe (PID: 3132)
      • coregen.exe (PID: 2624)
      • Silverlight.Configuration.exe (PID: 3452)
      • Silverlight.Configuration.exe (PID: 2840)
      • agcp.exe (PID: 2280)
    • Changes settings of System certificates

      • msiexec.exe (PID: 3856)
  • SUSPICIOUS

    • Starts Internet Explorer

      • explorer.exe (PID: 252)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2976)
      • iexplore.exe (PID: 2948)
      • iexplore.exe (PID: 2444)
      • Silverlight.exe (PID: 2412)
      • coregen.exe (PID: 3076)
      • coregen.exe (PID: 3416)
      • coregen.exe (PID: 3704)
      • coregen.exe (PID: 2708)
      • msiexec.exe (PID: 3856)
      • coregen.exe (PID: 3712)
      • coregen.exe (PID: 2120)
      • coregen.exe (PID: 2892)
      • coregen.exe (PID: 2300)
      • coregen.exe (PID: 3328)
      • coregen.exe (PID: 4040)
      • coregen.exe (PID: 3628)
      • coregen.exe (PID: 2416)
      • coregen.exe (PID: 3132)
      • coregen.exe (PID: 3892)
      • coregen.exe (PID: 2624)
    • Reads Internet Cache Settings

      • explorer.exe (PID: 252)
    • Creates files in the user directory

      • explorer.exe (PID: 252)
    • Adds / modifies Windows certificates

      • msiexec.exe (PID: 3856)
    • Creates COM task schedule object

      • msiexec.exe (PID: 3856)
    • Changes IE settings (feature browser emulation)

      • msiexec.exe (PID: 3856)
    • Uses RUNDLL32.EXE to load library

      • install.exe (PID: 3388)
    • Creates files in the program directory

      • coregen.exe (PID: 3416)
      • coregen.exe (PID: 3076)
      • coregen.exe (PID: 2708)
      • coregen.exe (PID: 3704)
      • coregen.exe (PID: 3712)
      • coregen.exe (PID: 2120)
      • coregen.exe (PID: 2892)
      • coregen.exe (PID: 4040)
      • coregen.exe (PID: 3328)
      • coregen.exe (PID: 2300)
      • coregen.exe (PID: 2416)
      • coregen.exe (PID: 3628)
      • coregen.exe (PID: 3892)
      • coregen.exe (PID: 3132)
      • coregen.exe (PID: 2624)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2968)
      • iexplore.exe (PID: 2948)
    • Application launched itself

      • iexplore.exe (PID: 2968)
      • iexplore.exe (PID: 2948)
      • msiexec.exe (PID: 3856)
    • Creates files in the user directory

      • iexplore.exe (PID: 3488)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3488)
      • iexplore.exe (PID: 2968)
      • iexplore.exe (PID: 2444)
    • Reads Microsoft Office registry keys

      • explorer.exe (PID: 252)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2444)
    • Reads settings of System Certificates

      • explorer.exe (PID: 252)
    • Starts application with an unusual extension

      • msiexec.exe (PID: 3856)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 3856)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 2276)
    • Creates files in the program directory

      • msiexec.exe (PID: 3856)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 88
Monitored processes: 33
Malicious processes: 22
Suspicious processes: 2

Behavior graph

(Interactive process graph, rendered only in the full report. Processes shown in the graph: iexplore.exe, winrar.exe, searchprotocolhost.exe, explorer.exe, silverlight.exe, install.exe, msiexec.exe, msid510.tmp, rundll32.exe, coregen.exe (multiple instances), silverlight.configuration.exe (multiple instances), agcp.exe.)

Process information

PID: 2968
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://bubblemark.com/ClientBin/SilverlightBalls.xap
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3488
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2968 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2976
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\SilverlightBalls.zip" C:\Users\admin\Desktop\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 1256
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 2948
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Desktop\SilverlightBalls.html
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2444
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2948 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 252
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
Parent process: ctfmon.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2412
CMD: "C:\Users\admin\Desktop\Silverlight.exe"
Path: C:\Users\admin\Desktop\Silverlight.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Self-Extracting Cabinet
Exit code: 0
Version: 5.1.50918.0

PID: 4084
CMD: c:\65c003ed8a5846164a24a7b7e0ab\install.exe
Path: c:\65c003ed8a5846164a24a7b7e0ab\install.exe
Parent process: Silverlight.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: External Installer
Exit code: 3221226540
Version: VER_DOTPRODUCTVERSION

PID: 3388
CMD: c:\65c003ed8a5846164a24a7b7e0ab\install.exe
Path: c:\65c003ed8a5846164a24a7b7e0ab\install.exe
Parent process: Silverlight.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: External Installer
Exit code: 0
Version: VER_DOTPRODUCTVERSION
Total events: 10 656
Read events: 7 546
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 214
Suspicious files: 10
Text files: 24
Unknown types: 15

Dropped files

PID 2968, iexplore.exe: C:\Users\admin\AppData\Local\Temp\~DFB6E8C061B61ECD66.TMP
MD5:
SHA256:

PID 2968, iexplore.exe: C:\Users\admin\AppData\Local\Temp\~DFFADFC7852E6A8439.TMP
MD5:
SHA256:

PID 2968, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{231B3489-770E-11E9-B3B3-5254004A04AF}.dat
MD5:
SHA256:

PID 3488, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\E8RQJY72\SilverlightBalls[1].zip
Type: compressed
MD5: D92A07AF3EDC91FBC58418EFF22225F9
SHA256: 846671EC3641174B11F75CED64F49C739008BDAE5389BB07D262725CCF8D457E

PID 3488, iexplore.exe: C:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.log
Type: text
MD5: 6ED2D8C44B90099F1D37DF3228EF740D
SHA256: 88B4CEE12C00084AE540A95A5D5F7CCB90B217B27B7533B1BB7D7F1FDDAC5F63

PID 252, explorer.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\SilverlightBalls.zip.lnk
Type: lnk
MD5: 96A566F0FDD75AD35A1453AB81268AB8
SHA256: C47148AA0F613BBB0EE4CBB4C8AD3971D5D7AAA1539A1D71630784D1CCF72FC5

PID 2976, WinRAR.exe: C:\Users\admin\Desktop\SilverlightBalls.dll
Type: executable
MD5: E190977FF8B09985F12EBEE4F9136B81
SHA256: 4E95A4C4C08E3E24AE2AFE1F715C8EABF3FA2C11F07918EF13635688AE93A012

PID 2968, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{231B348A-770E-11E9-B3B3-5254004A04AF}.dat
Type: binary
MD5: 9F0798CBC5B6C14A4664E953A9849F30
SHA256: 041FDF2740F391832CDF24E4FB546E49E4D155B1E8120044183225A8845C820D

PID 2968, iexplore.exe: C:\Users\admin\Desktop\SilverlightBalls.zip
Type: compressed
MD5: 9D8786728AE432AC8E2A3C20889F5FD3
SHA256: B37FB164EA4D6EF35ED0EE32A77723C4A1B1A4B4988F69DBCA1B5852B8493188

PID 3488, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat
Type: dat
MD5: 26EA9E4454EC0ACB5FBDAA71F6F5175F
SHA256: 4FB1B4A2F6ECB1B4EFAE42A5436DC7948802AF21DBBB592E9799FB7D8CF06852
HTTP(S) requests: 13
TCP/UDP connections: 12
DNS requests: 12
Threats: 0

HTTP requests

PID 2444, iexplore.exe: GET 302 104.96.149.181:80 http://go.microsoft.com/fwlink/?LinkID=229320 (CN: NL), reputation: whitelisted
PID 2444, iexplore.exe: GET 302 104.96.149.181:80 http://go.microsoft.com/fwlink/?LinkID=124807 (CN: NL), reputation: whitelisted
HEAD 200 173.223.11.161:80 http://download.windowsupdate.com/v9/windowsupdate/redir/muv4wuredir.cab?1905151238 (CN: NL), reputation: whitelisted
PID 2444, iexplore.exe: GET 200 2.18.233.19:80 http://download.microsoft.com/download/d/2/9/d29e5571-4b68-4d95-b43a-4e81ba178455/2.0/ENU/InstallSilverlight.png (CN: unknown, type: image, size: 13.8 Kb), reputation: whitelisted
PID 2444, iexplore.exe: GET 302 104.96.149.181:80 http://go.microsoft.com/fwlink/?LinkId=108181 (CN: NL), reputation: whitelisted
PID 3488, iexplore.exe: GET 200 75.125.38.3:80 http://bubblemark.com/ClientBin/SilverlightBalls.xap (CN: US, type: compressed, size: 91.4 Kb), reputation: unknown
PID 2948, iexplore.exe: GET 200 204.79.197.200:80 http://www.bing.com/favicon.ico (CN: US, type: image, size: 237 b), reputation: whitelisted
HEAD 302 104.111.243.236:80 http://go2.microsoft.com/fwlink/?prd=12063&plcid=0x409&ar=UPDATE&sar=AUTO&pver=5.1.50918.0&os=19 (CN: NL), reputation: whitelisted
GET 302 104.111.243.236:80 http://go2.microsoft.com/fwlink/?prd=12063&plcid=0x409&ar=UPDATE&sar=AUTO&pver=5.1.50918.0&os=19 (CN: NL), reputation: whitelisted
HEAD 200 205.185.216.42:80 http://ds.download.windowsupdate.com/v11/2/microsoftupdate/redir/v6-legacy-muauth.cab?1905151238 (CN: US), reputation: whitelisted

Connections

PID 2968, iexplore.exe: 204.79.197.200:80 (www.bing.com, ASN: Microsoft Corporation, CN: US), reputation: whitelisted
PID 2948, iexplore.exe: 204.79.197.200:80 (www.bing.com, ASN: Microsoft Corporation, CN: US), reputation: whitelisted
PID 2444, iexplore.exe: 2.23.106.83:80 (www.microsoft.com, ASN: Akamai International B.V.), reputation: whitelisted
PID 3488, iexplore.exe: 75.125.38.3:80 (bubblemark.com, ASN: SoftLayer Technologies Inc., CN: US), reputation: unknown
PID 2444, iexplore.exe: 2.18.233.19:80 (download.microsoft.com, ASN: Akamai International B.V.), reputation: whitelisted
PID 2444, iexplore.exe: 104.96.149.181:80 (go.microsoft.com, ASN: Akamai Technologies, Inc., CN: NL), reputation: whitelisted
PID 2444, iexplore.exe: 2.18.233.19:443 (download.microsoft.com, ASN: Akamai International B.V.), reputation: whitelisted
2.18.233.19:443 (download.microsoft.com, ASN: Akamai International B.V.), reputation: whitelisted
205.185.216.42:80 (ds.download.windowsupdate.com, ASN: Highwinds Network Group, Inc., CN: US), reputation: whitelisted
23.38.36.63:443 (go.microsoft.com, ASN: Akamai Technologies, Inc., CN: NL), reputation: whitelisted

DNS requests

Domain
IP
Reputation
bubblemark.com
  • 75.125.38.3
unknown
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
go.microsoft.com
  • 104.96.149.181
  • 23.38.36.63
whitelisted
download.microsoft.com
  • 2.18.233.19
whitelisted
www.microsoft.com
  • 2.23.106.83
whitelisted
download.windowsupdate.com
  • 173.223.11.161
  • 173.223.11.137
  • 173.223.11.177
  • 173.223.11.151
  • 173.223.11.150
whitelisted
ds.download.windowsupdate.com
  • 205.185.216.42
  • 205.185.216.10
whitelisted
go2.microsoft.com
  • 104.111.243.236
whitelisted

Threats

No threats detected
No debug info