Analysis

Category Package Started Completed Duration Options Log
URL ie 2020-02-10 15:21:01 2020-02-10 15:22:38 97 seconds Show Options Show Log
route = inetsim
procdump = 1
2020-02-10 16:21:14,015 [root] INFO: Date set to: 02-10-20, time set to: 15:21:14, timeout set to: 200
2020-02-10 16:21:14,046 [root] DEBUG: Starting analyzer from: C:\sjdfcqoz
2020-02-10 16:21:14,046 [root] DEBUG: Storing results at: C:\DxIJQikaRb
2020-02-10 16:21:14,046 [root] DEBUG: Pipe server name: \\.\PIPE\hNOxIrpMM
2020-02-10 16:21:14,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-02-10 16:21:14,046 [root] INFO: Automatically selected analysis package "ie"
2020-02-10 16:21:50,500 [root] DEBUG: Started auxiliary module Browser
2020-02-10 16:21:50,500 [root] DEBUG: Started auxiliary module Curtain
2020-02-10 16:21:50,500 [modules.auxiliary.digisig] DEBUG: Skipping authenticode validation, analysis is not a file.
2020-02-10 16:21:50,515 [root] DEBUG: Started auxiliary module DigiSig
2020-02-10 16:21:50,515 [root] DEBUG: Started auxiliary module Disguise
2020-02-10 16:21:50,515 [root] DEBUG: Started auxiliary module Human
2020-02-10 16:21:50,515 [root] DEBUG: Started auxiliary module Screenshots
2020-02-10 16:21:50,515 [root] DEBUG: Started auxiliary module Sysmon
2020-02-10 16:21:50,515 [root] DEBUG: Started auxiliary module Usage
2020-02-10 16:21:50,515 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL option
2020-02-10 16:21:50,515 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL_64 option
2020-02-10 16:21:53,046 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files\Internet Explorer\iexplore.exe" with arguments ""https://cts.vrmailer1.com/click?sk=aDroB2JgejBKQeORbAOEF5KrJHLkeH2YG3hije8IBFdo=/aHR0cHM6Ly93d3cubWFya2V0cmVzZWFyY2hmdXR1cmUuY29tL3NhbXBsZV9yZXF1ZXN0Lzk4Nj9zb3VyY2U9Z29vZ2xlJm1lZGl1bT1sZWFkc3FfMTA4OA==/PLR9ueuKK9vDL9gp47YPvg==&merge_field_type=(?x-mi:(?%3C=href=)[%5Cs]*[%27%22](?%3Curl%3E[%5E%7B%22].+?)[%22])&href_id_source=vr2-href-id-source-14"" with pid 2256
2020-02-10 16:21:57,515 [lib.api.process] INFO: Option 'procdump' with value '1' sent to monitor
2020-02-10 16:21:57,515 [lib.api.process] INFO: 32-bit DLL to inject is C:\sjdfcqoz\dll\vneOgu.dll, loader C:\sjdfcqoz\bin\jCsxrGq.exe
2020-02-10 16:21:57,875 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\hNOxIrpMM.
2020-02-10 16:21:57,890 [root] DEBUG: Loader: Injecting process 2256 (thread 2100) with C:\sjdfcqoz\dll\vneOgu.dll.
2020-02-10 16:21:57,890 [root] DEBUG: Process image base: 0x01300000
2020-02-10 16:21:57,890 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\sjdfcqoz\dll\vneOgu.dll.
2020-02-10 16:21:57,967 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-02-10 16:21:57,967 [root] DEBUG: Successfully injected DLL C:\sjdfcqoz\dll\vneOgu.dll.
2020-02-10 16:21:57,967 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2256
2020-02-10 16:21:59,967 [lib.api.process] INFO: Successfully resumed process with pid 2256
2020-02-10 16:21:59,967 [root] INFO: Added new process to list with pid: 2256
2020-02-10 16:22:00,530 [root] DEBUG: Terminate processes on terminate_event disabled.
2020-02-10 16:22:00,530 [root] DEBUG: Process dumps enabled.
2020-02-10 16:22:01,296 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-02-10 16:22:01,296 [root] INFO: Disabling sleep skipping.
2020-02-10 16:22:01,296 [root] INFO: Disabling sleep skipping.
2020-02-10 16:22:01,296 [root] INFO: Disabling sleep skipping.
2020-02-10 16:22:01,296 [root] INFO: Disabling sleep skipping.
2020-02-10 16:22:01,296 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2256 at 0x6d710000, image base 0x1300000, stack from 0x1d2000-0x1e0000
2020-02-10 16:22:01,296 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Program Files\Internet Explorer\iexplore.exe" "https:\cts.vrmailer1.com\click?sk=aDroB2JgejBKQeORbAOEF5KrJHLkeH2YG3hije8IBFdo=\aHR0cHM6Ly93d3cubWFya2V0cmVzZWFyY2hmdXR1cmUuY29tL3NhbXBsZV9yZXF1ZXN0Lzk4N
2020-02-10 16:22:01,296 [root] INFO: Monitor successfully loaded in process with pid 2256.
2020-02-10 16:22:01,296 [root] DEBUG: DLL unloaded from 0x77E50000.
2020-02-10 16:22:01,296 [root] DEBUG: DLL loaded at 0x75920000: C:\Windows\system32\CRYPTBASE (0xc000 bytes).
2020-02-10 16:22:01,562 [root] DEBUG: DLL loaded at 0x6EAF0000: C:\Windows\system32\api-ms-win-downlevel-shell32-l1-1-0 (0x4000 bytes).
2020-02-10 16:22:01,562 [root] DEBUG: DLL loaded at 0x77060000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-02-10 16:22:01,562 [root] DEBUG: DLL loaded at 0x6EE80000: C:\Windows\system32\IEFRAME (0xd12000 bytes).
2020-02-10 16:22:01,562 [root] DEBUG: DLL loaded at 0x76020000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-02-10 16:22:01,562 [root] DEBUG: DLL loaded at 0x73BA0000: C:\Windows\system32\WINHTTP (0x58000 bytes).
2020-02-10 16:22:01,562 [root] DEBUG: DLL loaded at 0x73780000: C:\Windows\system32\webio (0x50000 bytes).
2020-02-10 16:22:01,562 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-02-10 16:22:03,530 [root] DEBUG: DLL loaded at 0x6D530000: C:\Program Files\Internet Explorer\IEShims (0x4b000 bytes).
2020-02-10 16:22:07,125 [root] DEBUG: DLL loaded at 0x765E0000: C:\Windows\system32\comdlg32 (0x7b000 bytes).
2020-02-10 16:22:07,500 [root] DEBUG: DLL loaded at 0x76970000: C:\Windows\system32\urlmon (0x150000 bytes).
2020-02-10 16:22:07,500 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-02-10 16:22:07,530 [root] DEBUG: DLL loaded at 0x76C20000: C:\Windows\system32\WININET (0x437000 bytes).
2020-02-10 16:22:07,530 [root] DEBUG: DLL loaded at 0x75AE0000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-02-10 16:22:07,530 [root] DEBUG: DLL loaded at 0x75A40000: C:\Windows\system32\profapi (0xb000 bytes).
2020-02-10 16:22:07,546 [root] DEBUG: DLL loaded at 0x700A0000: C:\Program Files\Internet Explorer\sqmapi (0x39000 bytes).
2020-02-10 16:22:07,546 [root] DEBUG: DLL unloaded from 0x75EB0000.
2020-02-10 16:22:07,546 [root] DEBUG: DLL loaded at 0x71D70000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-02-10 16:22:07,546 [root] DEBUG: DLL loaded at 0x6D870000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0 (0x4000 bytes).
2020-02-10 16:22:07,578 [root] DEBUG: DLL loaded at 0x73EB0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-02-10 16:22:07,578 [root] DEBUG: DLL loaded at 0x76180000: C:\Windows\system32\NSI (0x6000 bytes).
2020-02-10 16:22:07,578 [root] DEBUG: DLL loaded at 0x73E70000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-02-10 16:22:07,578 [root] DEBUG: DLL loaded at 0x73B50000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-02-10 16:22:07,578 [root] DEBUG: DLL loaded at 0x76190000: C:\Windows\system32\WS2_32 (0x35000 bytes).
2020-02-10 16:22:07,578 [root] DEBUG: DLL loaded at 0x73B20000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-02-10 16:22:07,592 [root] DEBUG: DLL unloaded from 0x77CB0000.
2020-02-10 16:22:07,592 [root] DEBUG: DLL unloaded from 0x75EB0000.
2020-02-10 16:22:07,592 [root] DEBUG: DLL loaded at 0x753F0000: C:\Windows\system32\cryptsp (0x17000 bytes).
2020-02-10 16:22:07,592 [root] DEBUG: DLL loaded at 0x750C0000: C:\Windows\system32\credssp (0x8000 bytes).
2020-02-10 16:22:07,592 [root] DEBUG: DLL unloaded from 0x753F0000.
2020-02-10 16:22:07,592 [root] DEBUG: DLL loaded at 0x75BD0000: C:\Windows\system32\CFGMGR32 (0x27000 bytes).
2020-02-10 16:22:07,625 [root] DEBUG: DLL loaded at 0x73B40000: C:\Windows\system32\SAMCLI (0xf000 bytes).
2020-02-10 16:22:07,625 [root] DEBUG: DLL loaded at 0x74780000: C:\Windows\system32\WKSCLI (0xf000 bytes).
2020-02-10 16:22:07,625 [root] DEBUG: DLL loaded at 0x74560000: C:\Windows\system32\NETAPI32 (0x11000 bytes).
2020-02-10 16:22:07,625 [root] DEBUG: DLL loaded at 0x74190000: C:\Windows\system32\netutils (0x9000 bytes).
2020-02-10 16:22:07,625 [root] DEBUG: DLL loaded at 0x75620000: C:\Windows\system32\srvcli (0x19000 bytes).
2020-02-10 16:22:07,640 [root] DEBUG: DLL unloaded from 0x77CB0000.
2020-02-10 16:22:20,296 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2256
2020-02-10 16:22:20,296 [root] DEBUG: GetHookCallerBase: failed to get return address.
2020-02-10 16:22:20,296 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x01300000.
2020-02-10 16:22:20,296 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-02-10 16:22:20,296 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x01300000.
2020-02-10 16:22:20,296 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001E00.
2020-02-10 16:22:20,358 [root] INFO: Added new CAPE file to list with path: C:\DxIJQikaRb\CAPE\2256_181371674120422210122020
2020-02-10 16:22:20,375 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xc3c00.
2020-02-10 16:22:20,375 [root] INFO: Notified of termination of process with pid 2256.
2020-02-10 16:22:20,467 [root] DEBUG: Terminate Event: Process 2256 has already been dumped(!)
2020-02-10 16:22:26,078 [root] INFO: Process list is empty, terminating analysis.
2020-02-10 16:22:27,108 [root] INFO: Created shutdown mutex.
2020-02-10 16:22:28,140 [root] INFO: Shutting down package.
2020-02-10 16:22:28,140 [root] INFO: Stopping auxiliary modules.
2020-02-10 16:22:28,515 [root] INFO: Finishing auxiliary modules.
2020-02-10 16:22:28,515 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-02-10 16:22:28,515 [root] WARNING: File at path "C:\DxIJQikaRb\debugger" does not exist, skip.
2020-02-10 16:22:28,515 [root] INFO: Analysis completed.

MalScore

3.0

Suspicious

Machine

Name Label Manager Started On Shutdown On
win7_2 win7_2 KVM 2020-02-10 15:21:01 2020-02-10 15:22:36

URL Details

URL
https://cts.vrmailer1.com/click?sk=aDroB2JgejBKQeORbAOEF5KrJHLkeH2YG3hije8IBFdo=/aHR0cHM6Ly93d3cubWFya2V0cmVzZWFyY2hmdXR1cmUuY29tL3NhbXBsZV9yZXF1ZXN0Lzk4Nj9zb3VyY2U9Z29vZ2xlJm1lZGl1bT1sZWFkc3FfMTA4OA==/PLR9ueuKK9vDL9gp47YPvg==&merge_field_type=(?x-mi:(?%3C=href=)[%5Cs]*[%27%22](?%3Curl%3E[%5E%7B%22].+?)[%22])&href_id_source=vr2-href-id-source-14

Signatures

Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Network activity detected but not expressed in API logs

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary

WHOIS Information

Name: PERFECT PRIVACY, LLC
Country: US
State: FL
City: Jacksonville
ZIP Code: 32256
Address: 5335 Gate Parkway

Orginization: None
Domain Name(s):
    VRMAILER1.COM
    vrmailer1.com
Creation Date:
    2013-07-29 19:51:37
Updated Date:
    2019-07-30 07:24:00
Expiration Date:
    2020-07-29 19:51:37
Email(s):
    [email protected]
    [email protected]
    [email protected]
    [email protected]

Registrar(s):
    Register.com, Inc.
Name Server(s):
    DEMI.NS.CLOUDFLARE.COM
    JAMES.NS.CLOUDFLARE.COM
    james.ns.cloudflare.com
    demi.ns.cloudflare.com
Referral URL(s):
    None
This file is not on VirusTotal.

Process Tree


iexplore.exe, PID: 2256, Parent PID: 3032
Full Path: C:\Program Files\Internet Explorer\iexplore.exe
Command Line: "C:\Program Files\Internet Explorer\iexplore.exe" "https://cts.vrmailer1.com/click?sk=aDroB2JgejBKQeORbAOEF5KrJHLkeH2YG3hije8IBFdo=/aHR0cHM6Ly93d3cubWFya2V0cmVzZWFyY2hmdXR1cmUuY29tL3NhbXBsZV9yZXF1ZXN0Lzk4Nj9zb3VyY2U9Z29vZ2xlJm1lZGl1bT1sZWFkc3FfMTA4OA==/PLR9ueuKK9vDL9gp47YPvg==&merge_field_type=(?x-mi:(?%3C=href=)[%5Cs]*[%27%22](?%3Curl%3E[%5E%7B%22].+?)[%22])&href_id_source=vr2-href-id-source-14"

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.2 51142 1.1.1.1 53
192.168.1.2 51584 1.1.1.1 53
192.168.1.2 64163 1.1.1.1 53
192.168.1.2 138 192.168.1.255 138
192.168.1.2 51142 8.8.8.8 53
192.168.1.2 51584 8.8.8.8 53
192.168.1.2 64163 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name iexplore.exe
PID 2256
Dump Size 801792 bytes
Module Path C:\Program Files\Internet Explorer\iexplore.exe
Type PE image: 32-bit executable
MD5 eaeaeed06a209bc17a101f837c1e25f4
SHA1 cf9d752f8d1da75cc948b9eb0178f30c1765c326
SHA256 bc7504c8d0653c3043856891edae26957d9b0dd5ca4c9f62bbab481f5a17b352
CRC32 AB421209
Ssdeep 24576:64F4G7TbGLbMMHMMMvMMZMMMKzb6XmMMMiMMMz8JMMHMMM6MMZMMMeXNMMzMMMUQ:6HMMHMMMvMMZMMMlmMMMiMMMYJMMHMMs
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename bc7504c8d0653c3043856891edae26957d9b0dd5ca4c9f62bbab481f5a17b352
Download Download ZIP Submit file

BinGraph

JSON Report Download
MAEC Report Download

Comments



No comments posted

Processing ( 6.783 seconds )

  • 5.025 Suricata
  • 0.721 VirusTotal
  • 0.655 Static
  • 0.246 ProcDump
  • 0.072 NetworkAnalysis
  • 0.055 Deduplicate
  • 0.007 AnalysisInfo
  • 0.002 Debug

Signatures ( 0.026 seconds )

  • 0.005 ransomware_files
  • 0.004 antiav_detectreg
  • 0.002 persistence_autorun
  • 0.002 antiav_detectfile
  • 0.002 infostealer_ftp
  • 0.002 ransomware_extensions
  • 0.001 tinba_behavior
  • 0.001 antianalysis_detectfile
  • 0.001 antianalysis_detectreg
  • 0.001 browser_security
  • 0.001 disables_browser_warn
  • 0.001 infostealer_bitcoin
  • 0.001 infostealer_im
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name

Reporting ( 1.057 seconds )

  • 1.05 BinGraph
  • 0.007 JsonDump
Task ID 12609
Mongo ID 5e41754853721bf3dba773bd
Cuckoo release 1.3-CAPE
Delete