Analysis

Category Package Started Completed Duration Log
URL ie 2020-02-08 19:27:43 2020-02-08 19:30:14 151 seconds Show Log
2020-02-08 20:28:17,000 [root] INFO: Date set to: 02-08-20, time set to: 19:28:17, timeout set to: 200
2020-02-08 20:28:17,046 [root] DEBUG: Starting analyzer from: C:\ohrtasg
2020-02-08 20:28:17,046 [root] DEBUG: Storing results at: C:\SXUzUCJJ
2020-02-08 20:28:17,046 [root] DEBUG: Pipe server name: \\.\PIPE\iSqlIg
2020-02-08 20:28:17,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-02-08 20:28:17,046 [root] INFO: Automatically selected analysis package "ie"
2020-02-08 20:28:20,967 [root] DEBUG: Started auxiliary module Browser
2020-02-08 20:28:20,967 [root] DEBUG: Started auxiliary module Curtain
2020-02-08 20:28:20,967 [modules.auxiliary.digisig] DEBUG: Skipping authenticode validation, analysis is not a file.
2020-02-08 20:28:20,967 [root] DEBUG: Started auxiliary module DigiSig
2020-02-08 20:28:20,967 [root] DEBUG: Started auxiliary module Disguise
2020-02-08 20:28:20,967 [root] DEBUG: Started auxiliary module Human
2020-02-08 20:28:20,983 [root] DEBUG: Started auxiliary module Screenshots
2020-02-08 20:28:20,983 [root] DEBUG: Started auxiliary module Sysmon
2020-02-08 20:28:20,983 [root] DEBUG: Started auxiliary module Usage
2020-02-08 20:28:20,983 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL option
2020-02-08 20:28:20,983 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL_64 option
2020-02-08 20:28:21,000 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files\Internet Explorer\iexplore.exe" with arguments ""www.inforensic.hu"" with pid 3200
2020-02-08 20:28:21,046 [lib.api.process] INFO: 32-bit DLL to inject is C:\ohrtasg\dll\mbezMSI.dll, loader C:\ohrtasg\bin\CTREoGv.exe
2020-02-08 20:28:34,078 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\iSqlIg.
2020-02-08 20:28:34,358 [root] DEBUG: Loader: Injecting process 3200 (thread 2012) with C:\ohrtasg\dll\mbezMSI.dll.
2020-02-08 20:28:35,217 [root] DEBUG: Process image base: 0x00900000
2020-02-08 20:28:35,328 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\ohrtasg\dll\mbezMSI.dll.
2020-02-08 20:28:35,467 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-02-08 20:28:35,483 [root] DEBUG: Successfully injected DLL C:\ohrtasg\dll\mbezMSI.dll.
2020-02-08 20:28:35,515 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 3200
2020-02-08 20:28:37,515 [lib.api.process] INFO: Successfully resumed process with pid 3200
2020-02-08 20:28:37,515 [root] INFO: Added new process to list with pid: 3200
2020-02-08 20:28:37,530 [root] DEBUG: Terminate processes on terminate_event disabled.
2020-02-08 20:28:37,546 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-02-08 20:28:37,546 [root] INFO: Disabling sleep skipping.
2020-02-08 20:28:37,546 [root] INFO: Disabling sleep skipping.
2020-02-08 20:28:37,546 [root] INFO: Disabling sleep skipping.
2020-02-08 20:28:37,546 [root] INFO: Disabling sleep skipping.
2020-02-08 20:28:37,546 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 3200 at 0x6d010000, image base 0x900000, stack from 0x312000-0x320000
2020-02-08 20:28:37,562 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Program Files\Internet Explorer\iexplore.exe" "www.inforensic.hu".
2020-02-08 20:28:37,562 [root] INFO: Monitor successfully loaded in process with pid 3200.
2020-02-08 20:28:37,562 [root] DEBUG: DLL unloaded from 0x77E50000.
2020-02-08 20:28:37,562 [root] DEBUG: DLL loaded at 0x75920000: C:\Windows\system32\CRYPTBASE (0xc000 bytes).
2020-02-08 20:28:37,562 [root] DEBUG: DLL loaded at 0x6EAF0000: C:\Windows\system32\api-ms-win-downlevel-shell32-l1-1-0 (0x4000 bytes).
2020-02-08 20:28:37,562 [root] DEBUG: DLL loaded at 0x77060000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-02-08 20:28:37,562 [root] DEBUG: DLL loaded at 0x6EE80000: C:\Windows\system32\IEFRAME (0xd12000 bytes).
2020-02-08 20:28:37,562 [root] DEBUG: DLL loaded at 0x76020000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-02-08 20:28:37,562 [root] DEBUG: DLL loaded at 0x73BA0000: C:\Windows\system32\WINHTTP (0x58000 bytes).
2020-02-08 20:28:37,562 [root] DEBUG: DLL loaded at 0x73780000: C:\Windows\system32\webio (0x50000 bytes).
2020-02-08 20:28:37,562 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-02-08 20:28:37,828 [root] DEBUG: DLL loaded at 0x6D530000: C:\Program Files\Internet Explorer\IEShims (0x4b000 bytes).
2020-02-08 20:28:37,921 [root] DEBUG: DLL loaded at 0x765E0000: C:\Windows\system32\comdlg32 (0x7b000 bytes).
2020-02-08 20:28:37,937 [root] DEBUG: DLL loaded at 0x76970000: C:\Windows\system32\urlmon (0x150000 bytes).
2020-02-08 20:28:37,937 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-02-08 20:28:38,092 [root] DEBUG: DLL loaded at 0x76C20000: C:\Windows\system32\WININET (0x437000 bytes).
2020-02-08 20:28:38,092 [root] DEBUG: DLL loaded at 0x75AE0000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-02-08 20:28:38,092 [root] DEBUG: DLL loaded at 0x75A40000: C:\Windows\system32\profapi (0xb000 bytes).
2020-02-08 20:28:38,983 [root] DEBUG: DLL loaded at 0x6D4F0000: C:\Program Files\Internet Explorer\sqmapi (0x39000 bytes).
2020-02-08 20:28:39,280 [root] DEBUG: DLL unloaded from 0x75EB0000.
2020-02-08 20:28:39,500 [root] DEBUG: DLL loaded at 0x71D70000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-02-08 20:28:39,500 [root] DEBUG: DLL loaded at 0x6D870000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0 (0x4000 bytes).
2020-02-08 20:28:39,578 [root] DEBUG: DLL loaded at 0x73EB0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-02-08 20:28:39,578 [root] DEBUG: DLL loaded at 0x76180000: C:\Windows\system32\NSI (0x6000 bytes).
2020-02-08 20:28:39,578 [root] DEBUG: DLL loaded at 0x73E70000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-02-08 20:28:39,578 [root] DEBUG: DLL loaded at 0x73B50000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-02-08 20:28:39,578 [root] DEBUG: DLL loaded at 0x76190000: C:\Windows\system32\WS2_32 (0x35000 bytes).
2020-02-08 20:28:39,578 [root] DEBUG: DLL loaded at 0x73B20000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-02-08 20:28:39,592 [root] DEBUG: DLL unloaded from 0x77CB0000.
2020-02-08 20:28:39,592 [root] DEBUG: DLL unloaded from 0x75EB0000.
2020-02-08 20:28:39,592 [root] DEBUG: DLL loaded at 0x753F0000: C:\Windows\system32\cryptsp (0x17000 bytes).
2020-02-08 20:28:39,592 [root] DEBUG: DLL loaded at 0x750C0000: C:\Windows\system32\credssp (0x8000 bytes).
2020-02-08 20:28:39,592 [root] DEBUG: DLL unloaded from 0x753F0000.
2020-02-08 20:28:39,592 [root] DEBUG: DLL loaded at 0x75BD0000: C:\Windows\system32\CFGMGR32 (0x27000 bytes).
2020-02-08 20:28:40,953 [root] DEBUG: DLL loaded at 0x73B40000: C:\Windows\system32\SAMCLI (0xf000 bytes).
2020-02-08 20:28:40,953 [root] DEBUG: DLL loaded at 0x74780000: C:\Windows\system32\WKSCLI (0xf000 bytes).
2020-02-08 20:28:40,953 [root] DEBUG: DLL loaded at 0x74560000: C:\Windows\system32\NETAPI32 (0x11000 bytes).
2020-02-08 20:28:40,953 [root] DEBUG: DLL loaded at 0x74190000: C:\Windows\system32\netutils (0x9000 bytes).
2020-02-08 20:28:40,953 [root] DEBUG: DLL loaded at 0x75620000: C:\Windows\system32\srvcli (0x19000 bytes).
2020-02-08 20:28:41,203 [root] DEBUG: DLL unloaded from 0x77CB0000.
2020-02-08 20:28:57,953 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 3200
2020-02-08 20:28:57,953 [root] DEBUG: GetHookCallerBase: failed to get return address.
2020-02-08 20:28:57,953 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00900000.
2020-02-08 20:28:57,953 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-02-08 20:28:57,953 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00900000.
2020-02-08 20:28:57,953 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001E00.
2020-02-08 20:28:58,015 [root] INFO: Added new CAPE file to list with path: C:\SXUzUCJJ\CAPE\3200_05848198622020
2020-02-08 20:28:58,015 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xc3c00.
2020-02-08 20:28:58,015 [root] INFO: Notified of termination of process with pid 3200.
2020-02-08 20:28:58,108 [root] DEBUG: Terminate Event: Process 3200 has already been dumped(!)
2020-02-08 20:29:03,608 [root] INFO: Process list is empty, terminating analysis.
2020-02-08 20:29:04,625 [root] INFO: Created shutdown mutex.
2020-02-08 20:29:05,640 [root] INFO: Shutting down package.
2020-02-08 20:29:05,640 [root] INFO: Stopping auxiliary modules.
2020-02-08 20:29:07,000 [root] INFO: Finishing auxiliary modules.
2020-02-08 20:29:07,000 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-02-08 20:29:07,000 [root] WARNING: File at path "C:\SXUzUCJJ\debugger" does not exist, skip.
2020-02-08 20:29:07,000 [root] INFO: Analysis completed.

MalScore

3.0

Suspicious

Machine

Name Label Manager Started On Shutdown On
win7_2 win7_2 KVM 2020-02-08 19:27:43 2020-02-08 19:30:13

URL Details

URL
www.inforensic.hu

Signatures

Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Network activity detected but not expressed in API logs

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary

WHOIS Information

Name: None
Country: None
State: None
City: None
ZIP Code: None
Address: None

Orginization: None
Domain Name(s):
    None
Creation Date:
    None
Updated Date:
    None
Expiration Date:
    None
Email(s):
    None

Registrar(s):
    None
Name Server(s):
    None
Referral URL(s):
    None
This file is not on VirusTotal.

Process Tree


iexplore.exe, PID: 3200, Parent PID: 2280
Full Path: C:\Program Files\Internet Explorer\iexplore.exe
Command Line: "C:\Program Files\Internet Explorer\iexplore.exe" "www.inforensic.hu"

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.2 51142 1.1.1.1 53
192.168.1.2 51584 1.1.1.1 53
192.168.1.2 51997 1.1.1.1 53
192.168.1.2 58416 1.1.1.1 53
192.168.1.2 59272 1.1.1.1 53
192.168.1.2 59508 1.1.1.1 53
192.168.1.2 64163 1.1.1.1 53
192.168.1.2 138 192.168.1.255 138
192.168.1.2 51142 8.8.8.8 53
192.168.1.2 51584 8.8.8.8 53
192.168.1.2 51997 8.8.8.8 53
192.168.1.2 58416 8.8.8.8 53
192.168.1.2 59272 8.8.8.8 53
192.168.1.2 59508 8.8.8.8 53
192.168.1.2 64163 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name iexplore.exe
PID 3200
Dump Size 801792 bytes
Module Path C:\Program Files\Internet Explorer\iexplore.exe
Type PE image: 32-bit executable
MD5 7ffe49ccbc22261737adf7030b6a6716
SHA1 335978d86344cea187d6ba46d19f23234ab7c014
SHA256 1ab1c969ce42cd34387e2cdf703e90a18f0d85d2e56a74a5ec6f7f190b67b213
CRC32 59BDCD54
Ssdeep 24576:DmUf07TbGLbMMHMMMvMMZMMMKzb6XmMMMiMMMz8JMMHMMM6MMZMMMeXNMMzMMMUQ:D1MMHMMMvMMZMMMlmMMMiMMMYJMMHMMs
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename 1ab1c969ce42cd34387e2cdf703e90a18f0d85d2e56a74a5ec6f7f190b67b213
Download Download ZIP Submit file

BinGraph

JSON Report Download
MAEC Report Download

Comments



No comments posted

Processing ( 5.901 seconds )

  • 5.023 Suricata
  • 0.244 VirusTotal
  • 0.23 ProcDump
  • 0.227 Static
  • 0.11 NetworkAnalysis
  • 0.058 Deduplicate
  • 0.007 AnalysisInfo
  • 0.002 Debug

Signatures ( 0.017 seconds )

  • 0.004 ransomware_files
  • 0.003 antiav_detectreg
  • 0.002 antiav_detectfile
  • 0.002 ransomware_extensions
  • 0.001 persistence_autorun
  • 0.001 browser_security
  • 0.001 infostealer_bitcoin
  • 0.001 infostealer_ftp
  • 0.001 infostealer_im
  • 0.001 infostealer_mail

Reporting ( 0.954 seconds )

  • 0.948 BinGraph
  • 0.006 JsonDump
Task ID 12545
Mongo ID 5e3f0c5269c896aba9a76cb2
Cuckoo release 1.3-CAPE
Delete