URL: https://joyreactor.cc
Full analysis: https://app.any.run/tasks/72627eff-6c9d-4e2b-b865-069dee276ba3
Verdict: Malicious activity
Analysis date: May 21, 2022, 02:13:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators (in a URL task these are hashes of the submitted string, not of a downloaded file; the ssdeep block size of 3 is the minimum and is only chosen for inputs of at most a couple of hundred bytes, so they do not identify a payload):
MD5: BD78BA07EE7FA4E8C9AF278E690EDBFB
SHA1: B3C458BCC9A0A6D560C2BF9ABA05C7A1265C0B87
SHA256: FF228CE17F70E541B47BBE2590F306BD0A6A33A258AE37CE54DA91D65EB629F8
SSDEEP: 3:N8PT:2PT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after start
      • msdt.exe (PID: 3336)
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 3332)
    • Executable content was dropped or overwritten
      • msdt.exe (PID: 3336)
    • Drops a file with a compile date too recent
      • msdt.exe (PID: 3336)
    • Executed via COM
      • sdiagnhost.exe (PID: 1576)
  • INFO
    • Checks supported languages
      • iexplore.exe (PID: 3332)
      • iexplore.exe (PID: 2532)
      • msdt.exe (PID: 3336)
      • sdiagnhost.exe (PID: 1576)
    • Reads the computer name
      • iexplore.exe (PID: 3332)
      • iexplore.exe (PID: 2532)
      • msdt.exe (PID: 3336)
      • sdiagnhost.exe (PID: 1576)
    • Application launched itself
      • iexplore.exe (PID: 2532)
    • Changes internet zones settings
      • iexplore.exe (PID: 2532)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 3332)
      • iexplore.exe (PID: 2532)
      • msdt.exe (PID: 3336)
      • sdiagnhost.exe (PID: 1576)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2532)
      • iexplore.exe (PID: 3332)
      • msdt.exe (PID: 3336)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3332)
    • Creates files in the user directory
      • iexplore.exe (PID: 3332)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK matrix in the full report.
Malware configuration: none extracted.
Screenshots are available in the full report.
Total processes: 39
Monitored processes: 4
Malicious processes: 0
Suspicious processes: 1

The "Malicious activity" verdict rests on the behaviour signatures above (the single MALICIOUS-class hit is against msdt.exe, PID 3336), while the per-process classification counts no process as malicious and one as suspicious. Read that process's command line in the table below before treating the verdict as final.

Behavior graph (interactive version in the full report):
start → iexplore.exe (PID 2532) → iexplore.exe (PID 3332) → msdt.exe (PID 3336)
svchost.exe → sdiagnhost.exe (PID 1576, started via COM; no specs)

Process information

PID 2532  iexplore.exe  (parent: Explorer.EXE)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://joyreactor.cc"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID 3332  iexplore.exe  (parent: iexplore.exe, PID 2532 per SCODEF)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2532 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\iertutil.dll

PID 3336  msdt.exe  (parent: iexplore.exe)
  CMD: -modal 131384 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDF803E.tmp -ep NetworkDiagnosticsWeb
  Path: C:\Windows\system32\msdt.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Diagnostics Troubleshooting Wizard
  Exit code: 4294967295 (0xFFFFFFFF, i.e. -1)
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Modules (images):
    c:\windows\system32\msdt.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\user32.dll
    c:\windows\system32\gdi32.dll

PID 1576  sdiagnhost.exe  (parent: svchost.exe)
  CMD: C:\Windows\System32\sdiagnhost.exe -Embedding
  Path: C:\Windows\System32\sdiagnhost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Scripted Diagnostics Native Host
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Modules (images):
    c:\windows\system32\sdiagnhost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\ole32.dll
    c:\windows\system32\gdi32.dll

The msdt.exe command line is the one Internet Explorer's "Diagnose Connection Problems" produces: the troubleshooting pack is the built-in networking pack under C:\Windows\diagnostics, the entry point is NetworkDiagnosticsWeb, and the -af answer file is the NDF*.tmp file that iexplore.exe writes (it appears in the dropped-files list below). sdiagnhost.exe is the scripted-diagnostics host that msdt.exe drives via COM, which is what the "Executed via COM" signature records.
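As an added example (not ANY.RUN's code), the following Python reads the four process records above and applies the checks a reviewer would run on the msdt.exe line: which process spawned it, and whether the -path on its command line points at a built-in troubleshooting pack under C:\Windows\diagnostics. The records are transcribed from the table (for PID 3336 the image path from the Path column is prepended to the CMD column); the tokenizer, the BROWSERS/OFFICE parent sets, the built-in-pack root and the findings text are assumptions of the example. On the report's data it flags the browser parent and then identifies the built-in networking pack with entry point NetworkDiagnosticsWeb; a pack path outside C:\Windows\diagnostics, or an msdt.exe with no -path at all, is what would merit chasing.

```python
"""Process-tree triage for the report above (added example; not ANY.RUN code).

The four process records are transcribed from the "Process information"
table. The parser, the parent-process sets, the built-in pack check and
the findings text are assumptions of this example.
"""
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str     # Path column
    parent: str    # Parent process column
    cmdline: str   # CMD column (for PID 3336 the image path is prepended from the Path column)


PROCESSES = [
    Proc(2532, r"C:\Program Files\Internet Explorer\iexplore.exe", "Explorer.EXE",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" "https://joyreactor.cc"'),
    Proc(3332, r"C:\Program Files\Internet Explorer\iexplore.exe", "iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2532 CREDAT:267521 /prefetch:2'),
    Proc(3336, r"C:\Windows\system32\msdt.exe", "iexplore.exe",
         r'"C:\Windows\system32\msdt.exe" -modal 131384 -skip TRUE '
         r"-path C:\Windows\diagnostics\system\networking "
         r"-af C:\Users\admin\AppData\Local\Temp\NDF803E.tmp -ep NetworkDiagnosticsWeb"),
    Proc(1576, r"C:\Windows\System32\sdiagnhost.exe", "svchost.exe",
         r"C:\Windows\System32\sdiagnhost.exe -Embedding"),
]

# Parents that have no routine reason to start the troubleshooting wizard (assumed lists).
BROWSERS = {"iexplore.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
BUILTIN_PACK_ROOT = "c:\\windows\\diagnostics\\"


def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def is_switch(tok: str) -> bool:
    return tok[:1] in ("-", "/")


def parse_msdt_args(cmdline: str) -> dict[str, str]:
    """Map msdt switches (-path, -ep, -af, -skip, -modal, ...) to their values.

    A switch followed by another switch, or by nothing, maps to "".
    """
    toks = tokenize(cmdline)[1:]  # drop the image path
    args: dict[str, str] = {}
    i = 0
    while i < len(toks):
        if is_switch(toks[i]):
            key = toks[i][1:].lower()
            if i + 1 < len(toks) and not is_switch(toks[i + 1]):
                args[key] = toks[i + 1]
                i += 2
                continue
            args[key] = ""
        i += 1
    return args


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_builtin_pack(path: str) -> bool:
    """True when the troubleshooting pack lives under C:\\Windows\\diagnostics."""
    return path.lower().startswith(BUILTIN_PACK_ROOT)


def triage(procs: list[Proc]) -> list[str]:
    """One finding per check, for every msdt.exe in the tree."""
    findings: list[str] = []
    for p in procs:
        if basename(p.image) != "msdt.exe":
            continue
        args = parse_msdt_args(p.cmdline)
        if p.parent.lower() in BROWSERS | OFFICE:
            findings.append(f"PID {p.pid}: msdt.exe spawned by {p.parent}")
        pack = args.get("path", "")
        if not pack:
            findings.append(f"PID {p.pid}: msdt.exe with no -path; switches: {sorted(args)}")
        elif not is_builtin_pack(pack):
            findings.append(f"PID {p.pid}: troubleshooting pack outside Windows\\diagnostics: {pack}")
        else:
            findings.append(f"PID {p.pid}: built-in pack {pack}, entry point {args.get('ep', '?')}, "
                            f"answer file {args.get('af', '?')}")
    return findings


if __name__ == "__main__":
    for line in triage(PROCESSES):
        print(line)
```

The parent check and the pack-location check are deliberately separate findings: the first is a hunting pivot that fires on legitimate "Diagnose Connection Problems" launches like this one, the second is what separates those from a pack that was planted outside the Windows directory.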
Events: 23 422 total (23 285 read, 0 write, 0 delete)

Modification events: no data

Files: 2 executable, 26 suspicious, 169 text, 17 of unknown type. The two executables counted here are not among the dropped files listed below; the full report carries the complete list.

Dropped files

3332 iexplore.exe  C:\Users\admin\AppData\Local\Temp\Low\Cab4D85.tmp  (compressed)
  MD5: B9F21D8DB36E88831E5352BB82C438B3
  SHA256: 998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
3332 iexplore.exe  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506  (compressed)
  MD5: B9F21D8DB36E88831E5352BB82C438B3
  SHA256: 998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
3332 iexplore.exe  C:\Users\admin\AppData\Local\Temp\Low\Tar4D88.tmp  (cat)
  MD5: E721613517543768F0DE47A6EEEE3475
  SHA256: 3163B82D1289693122EF99ED6C3C1911F68AA2A7296907CEBF84C897141CED4E
2532 iexplore.exe  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63  (binary)
  MD5: EE7A64B072F69F7B4EA13F8FA249F35E
  SHA256: 602A2A6D96FEBE223F3AD87698858662273C864757588682E66DD8C94E81521A
3332 iexplore.exe  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506  (binary)
  MD5: 42F1B1C171FCF01F4F1B5CDCEE49CFF8
  SHA256: 0726BA8B3733CCD0FD7999D7085FED6B605D8B6587C6BF0F4C5768B3490FC9A4
2532 iexplore.exe  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63  (der)
  MD5: AC8FE9D561E9E7288AECF13F03AEA3D1
  SHA256: CECD911136F3CCBE6F4869CBCBD9FD15B3FA91CD2FD49B9655FA3BCF8E932C05
3332 iexplore.exe  C:\Users\admin\AppData\Local\Temp\Low\Tar4D86.tmp  (cat)
  MD5: E721613517543768F0DE47A6EEEE3475
  SHA256: 3163B82D1289693122EF99ED6C3C1911F68AA2A7296907CEBF84C897141CED4E
3332 iexplore.exe  C:\Users\admin\AppData\Local\Temp\Low\Cab4D87.tmp  (compressed)
  MD5: B9F21D8DB36E88831E5352BB82C438B3
  SHA256: 998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
2532 iexplore.exe  C:\Users\admin\AppData\Local\Temp\NDF803E.tmp  (binary)
  MD5: 1EEAE1E38CBAE88704D58DA4532CBCD8
  SHA256: 71BF9463EA592921070407619D99282C61B405AE9E3E66F7CE78B9DAC73CEB05
3332 iexplore.exe  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157  (binary)
  MD5: 266098CA66D4BC9BBC2FCE30797B7544
  SHA256: F219AEFE8FF9BF9D0857C1550F7ECF1C44ED0E888D6B41F7CAA452B2B03E283A

Two things to read off this list: NDF803E.tmp, written by iexplore.exe PID 2532, is the -af answer file on the msdt.exe command line above; and the Cab*.tmp files share their hash with the CryptnetUrlCache Content entry, i.e. they are the CryptoAPI trusted-root list (the authrootstl.cab requests in the HTTP table) and its extracted catalogue, not page content.
Download the PCAP, analyze network streams, HTTP content and more in the full report.
HTTP(S) requests: 141
TCP/UDP connections: 60
DNS requests: 25
Threats: 0

HTTP requests (10 of the 141 requests; see the full report)

PID | Process | Method | Code | IP | URL | CN | Type | Size | Reputation
3332 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4af0313f2d4cc875 | US | compressed | 60.0 Kb | whitelisted
3332 | iexplore.exe | GET | 200 | 146.59.26.8:80 | http://js.joyreactor.cc/v/JoG69p6ocLvkKIb-NHiqJdqSWQV9HA?1648708834 | NO | text | 171 Kb | suspicious
3332 | iexplore.exe | GET | 200 | 146.59.26.8:80 | http://joyreactor.cc/m2/localized.ru.js?v=17 | NO | text | 1011 b | whitelisted
3332 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9495fb6e4dd0a8d9 | US | compressed | 60.0 Kb | whitelisted
2532 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
3332 | iexplore.exe | GET | 200 | 146.59.26.8:80 | http://joyreactor.cc/m2/colors.css?_=2022-05-21+05%3A14 | NO | text | 24.3 Kb | whitelisted
3332 | iexplore.exe | GET | 200 | 85.10.197.211:80 | http://fonts.w.tools/css?family=Open+Sans:400,700&subset=latin,cyrillic-ext | DE | compressed | 225 b | suspicious
3332 | iexplore.exe | GET | 200 | 138.201.117.10:80 | http://img2.joyreactor.cc/pics/post/Leon-Era-animal-art-art-%D0%BA%D0%BE%D1%82-7392811.jpeg | DE | image | 109 Kb | malicious
3332 | iexplore.exe | GET | 200 | 146.59.26.8:80 | http://joyreactor.cc/ | NO | html | 17.0 Kb | whitelisted
3332 | iexplore.exe | GET | 200 | 146.59.26.8:80 | http://joyreactor.cc/images/icon_en.png | NO | image | 2.15 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2532 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
3332 | iexplore.exe | 96.16.145.230:80 | x1.c.lencr.org | Akamai Technologies, Inc. | US | suspicious
836 | svchost.exe | 146.59.26.8:443 | joyreactor.cc | - | NO | unknown
3332 | iexplore.exe | 146.59.26.8:443 | joyreactor.cc | - | NO | unknown
2532 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3332 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
- | - | 146.59.26.8:443 | joyreactor.cc | - | NO | unknown
- | - | 146.59.26.8:80 | joyreactor.cc | - | NO | unknown
3332 | iexplore.exe | 146.59.26.8:80 | joyreactor.cc | - | NO | unknown
3332 | iexplore.exe | 5.255.255.88:443 | yandex.ru | YANDEX LLC | RU | whitelisted

x1.c.lencr.org is Let's Encrypt's certificate-download host; it is labelled suspicious here but whitelisted in the DNS table below. Together with the ctldl.windowsupdate.com and ocsp.digicert.com fetches and the "Reads settings of System Certificates" signatures, these are the browser building and checking the site's certificate chain, not page content. The joyreactor.cc rows without a PID are connections the sandbox could not attribute to a monitored process.

DNS requests

Domain | IP(s) | Reputation
joyreactor.cc | 146.59.26.8 | whitelisted
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
x1.c.lencr.org | 96.16.145.230 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
fonts.googleapis.com | 142.250.184.234 | whitelisted
fonts.w.tools | 85.10.197.211 | unknown
js.joyreactor.cc | 146.59.26.8 | unknown
yandex.ru | 5.255.255.88, 77.88.55.55, 77.88.55.50, 5.255.255.80 | whitelisted

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET DNS Query for .cc TLD
- | - | Potentially Bad Traffic | ET DNS Query for .cc TLD
- | - | Potentially Bad Traffic | ET DNS Query for .cc TLD
- | - | Potentially Bad Traffic | ET DNS Query for .cc TLD
- | - | Potentially Bad Traffic | ET DNS Query for .cc TLD

All five alerts are the same Emerging Threats rule firing on DNS lookups for the .cc top-level domain (joyreactor.cc and js.joyreactor.cc are the only .cc names in the DNS table), none is attributed to a PID, and the summary counter above reads 0. Nothing fired on the HTTP side; the "suspicious" and "malicious" labels in the HTTP table are reputation lookups, not IDS detections.

Debug info: none.
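As an added example (not ANY.RUN's code), the following Python takes the HTTP and DNS rows above and produces the review order a practitioner would actually work from: hosts ranked by the worst reputation label seen, registrable domains whose hosts carry conflicting labels (joyreactor.cc is whitelisted, js.joyreactor.cc suspicious and img2.joyreactor.cc malicious on the same page load), and the names the .cc TLD rule matched. The rows are transcribed from the tables; the severity ranking, the last-two-labels approximation of a registrable domain and the .cc check are assumptions of the example.

```python
"""Network-table triage for the report above (added example; not ANY.RUN code).

The HTTP and DNS rows are transcribed from the report. The severity
ranking, the registrable-domain approximation and the .cc check are
assumptions of this example.
"""
from __future__ import annotations
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed ranking of the report's reputation labels.
SEVERITY = {"whitelisted": 0, "unknown": 1, "suspicious": 2, "malicious": 3}

# (pid, url, content type, reputation) transcribed from the HTTP requests table.
HTTP = [
    (3332, "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4af0313f2d4cc875", "compressed", "whitelisted"),
    (3332, "http://js.joyreactor.cc/v/JoG69p6ocLvkKIb-NHiqJdqSWQV9HA?1648708834", "text", "suspicious"),
    (3332, "http://joyreactor.cc/m2/localized.ru.js?v=17", "text", "whitelisted"),
    (3332, "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9495fb6e4dd0a8d9", "compressed", "whitelisted"),
    (2532, "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D", "der", "whitelisted"),
    (3332, "http://joyreactor.cc/m2/colors.css?_=2022-05-21+05%3A14", "text", "whitelisted"),
    (3332, "http://fonts.w.tools/css?family=Open+Sans:400,700&subset=latin,cyrillic-ext", "compressed", "suspicious"),
    (3332, "http://img2.joyreactor.cc/pics/post/Leon-Era-animal-art-art-%D0%BA%D0%BE%D1%82-7392811.jpeg", "image", "malicious"),
    (3332, "http://joyreactor.cc/", "html", "whitelisted"),
    (3332, "http://joyreactor.cc/images/icon_en.png", "image", "whitelisted"),
]

# (name, reputation) transcribed from the DNS requests table.
DNS = [
    ("joyreactor.cc", "whitelisted"), ("ctldl.windowsupdate.com", "whitelisted"),
    ("x1.c.lencr.org", "whitelisted"), ("api.bing.com", "whitelisted"),
    ("www.bing.com", "whitelisted"), ("ocsp.digicert.com", "whitelisted"),
    ("fonts.googleapis.com", "whitelisted"), ("fonts.w.tools", "unknown"),
    ("js.joyreactor.cc", "unknown"), ("yandex.ru", "whitelisted"),
]


def registrable(host: str) -> str:
    """Last two labels of a host name. A simplification: wrong for co.uk-style suffixes."""
    return ".".join(host.lower().split(".")[-2:])


def host_summary(http) -> dict[str, tuple[str, int]]:
    """Per host: (worst reputation label seen, number of requests)."""
    count: dict[str, int] = defaultdict(int)
    worst: dict[str, str] = {}
    for _pid, url, _ctype, rep in http:
        host = urlsplit(url).hostname
        count[host] += 1
        worst[host] = max(worst.get(host, rep), rep, key=SEVERITY.__getitem__)
    return {h: (worst[h], count[h]) for h in count}


def review_order(http) -> list[tuple[str, str, int]]:
    """Hosts sorted worst label first, then most requests, then name."""
    return sorted(((h, rep, n) for h, (rep, n) in host_summary(http).items()),
                  key=lambda t: (-SEVERITY[t[1]], -t[2], t[0]))


def reputation_conflicts(http) -> dict[str, set[str]]:
    """Registrable domains whose hosts carry more than one reputation label."""
    labels: dict[str, set[str]] = defaultdict(set)
    for _pid, url, _ctype, rep in http:
        labels[registrable(urlsplit(url).hostname)].add(rep)
    return {d: s for d, s in labels.items() if len(s) > 1}


def cc_tld_queries(dns) -> list[str]:
    """Names the ET 'DNS Query for .cc TLD' rule would match."""
    return sorted(name for name, _rep in dns if name.lower().endswith(".cc"))


def non_whitelisted_content(http) -> list[tuple[str, str, str]]:
    """(host, content type, reputation) for every fetched object not labelled whitelisted."""
    return [(urlsplit(u).hostname, ctype, rep) for _p, u, ctype, rep in http if rep != "whitelisted"]


if __name__ == "__main__":
    for host, rep, n in review_order(HTTP):
        print(f"{rep:11} {n:2}  {host}")
    print("conflicting labels:", reputation_conflicts(HTTP))
    print(".cc names queried:", cc_tld_queries(DNS))
```

The conflict view is the useful output here: one registrable domain carrying all three labels says more about the reputation feed than about the site, and the objects it flags (a JPEG and a JavaScript file) are exactly what to pull from the PCAP in the full report.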