Analysis

Category Package Started Completed Duration Log
URL ie 2020-02-11 16:52:59 2020-02-11 16:54:07 68 seconds Show Log
2020-02-11 17:53:10,000 [root] INFO: Date set to: 02-11-20, time set to: 16:53:10, timeout set to: 200
2020-02-11 17:53:10,046 [root] DEBUG: Starting analyzer from: C:\igygjrfw
2020-02-11 17:53:10,046 [root] DEBUG: Storing results at: C:\BPPqpx
2020-02-11 17:53:10,046 [root] DEBUG: Pipe server name: \\.\PIPE\YZEhzs
2020-02-11 17:53:10,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-02-11 17:53:10,046 [root] INFO: Automatically selected analysis package "ie"
2020-02-11 17:53:34,733 [root] DEBUG: Started auxiliary module Browser
2020-02-11 17:53:34,733 [root] DEBUG: Started auxiliary module Curtain
2020-02-11 17:53:34,733 [modules.auxiliary.digisig] DEBUG: Skipping authenticode validation, analysis is not a file.
2020-02-11 17:53:34,733 [root] DEBUG: Started auxiliary module DigiSig
2020-02-11 17:53:34,750 [root] DEBUG: Started auxiliary module Disguise
2020-02-11 17:53:34,750 [root] DEBUG: Started auxiliary module Human
2020-02-11 17:53:34,750 [root] DEBUG: Started auxiliary module Screenshots
2020-02-11 17:53:34,750 [root] DEBUG: Started auxiliary module Sysmon
2020-02-11 17:53:34,750 [root] DEBUG: Started auxiliary module Usage
2020-02-11 17:53:34,750 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL option
2020-02-11 17:53:34,750 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL_64 option
2020-02-11 17:53:34,842 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files\Internet Explorer\iexplore.exe" with arguments ""www.gepeszrendszer.hu"" with pid 2796
2020-02-11 17:53:34,905 [lib.api.process] INFO: 32-bit DLL to inject is C:\igygjrfw\dll\dUsMxl.dll, loader C:\igygjrfw\bin\SkYTqDr.exe
2020-02-11 17:53:35,092 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\YZEhzs.
2020-02-11 17:53:35,092 [root] DEBUG: Loader: Injecting process 2796 (thread 1056) with C:\igygjrfw\dll\dUsMxl.dll.
2020-02-11 17:53:35,108 [root] DEBUG: Process image base: 0x00EB0000
2020-02-11 17:53:35,108 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\igygjrfw\dll\dUsMxl.dll.
2020-02-11 17:53:35,140 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-02-11 17:53:35,155 [root] DEBUG: Successfully injected DLL C:\igygjrfw\dll\dUsMxl.dll.
2020-02-11 17:53:35,155 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 2796
2020-02-11 17:53:38,842 [lib.api.process] INFO: Successfully resumed process with pid 2796
2020-02-11 17:53:39,687 [root] DEBUG: Terminate processes on terminate_event disabled.
2020-02-11 17:53:39,687 [root] INFO: Added new process to list with pid: 2796
2020-02-11 17:53:40,358 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-02-11 17:53:40,375 [root] INFO: Disabling sleep skipping.
2020-02-11 17:53:40,375 [root] INFO: Disabling sleep skipping.
2020-02-11 17:53:40,405 [root] INFO: Disabling sleep skipping.
2020-02-11 17:53:40,453 [root] INFO: Disabling sleep skipping.
2020-02-11 17:53:40,453 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 2796 at 0x6cdd0000, image base 0xeb0000, stack from 0x232000-0x240000
2020-02-11 17:53:40,562 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Program Files\Internet Explorer\iexplore.exe" "www.gepeszrendszer.hu".
2020-02-11 17:53:40,562 [root] INFO: Monitor successfully loaded in process with pid 2796.
2020-02-11 17:53:40,562 [root] DEBUG: DLL unloaded from 0x77E50000.
2020-02-11 17:53:40,562 [root] DEBUG: DLL loaded at 0x75920000: C:\Windows\system32\CRYPTBASE (0xc000 bytes).
2020-02-11 17:53:40,592 [root] DEBUG: DLL loaded at 0x6EAF0000: C:\Windows\system32\api-ms-win-downlevel-shell32-l1-1-0 (0x4000 bytes).
2020-02-11 17:53:40,592 [root] DEBUG: DLL loaded at 0x77060000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-02-11 17:53:40,592 [root] DEBUG: DLL loaded at 0x6EE80000: C:\Windows\system32\IEFRAME (0xd12000 bytes).
2020-02-11 17:53:40,592 [root] DEBUG: DLL loaded at 0x76020000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-02-11 17:53:40,592 [root] DEBUG: DLL loaded at 0x73BA0000: C:\Windows\system32\WINHTTP (0x58000 bytes).
2020-02-11 17:53:40,608 [root] DEBUG: DLL loaded at 0x73780000: C:\Windows\system32\webio (0x50000 bytes).
2020-02-11 17:53:40,608 [root] DEBUG: DLL loaded at 0x74950000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-02-11 17:53:40,717 [root] DEBUG: DLL loaded at 0x6D530000: C:\Program Files\Internet Explorer\IEShims (0x4b000 bytes).
2020-02-11 17:53:40,812 [root] DEBUG: DLL loaded at 0x765E0000: C:\Windows\system32\comdlg32 (0x7b000 bytes).
2020-02-11 17:53:40,828 [root] DEBUG: DLL loaded at 0x76970000: C:\Windows\system32\urlmon (0x150000 bytes).
2020-02-11 17:53:40,842 [root] DEBUG: DLL loaded at 0x75B30000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-02-11 17:53:41,062 [root] DEBUG: DLL loaded at 0x76C20000: C:\Windows\system32\WININET (0x437000 bytes).
2020-02-11 17:53:41,062 [root] DEBUG: DLL loaded at 0x75AE0000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-02-11 17:53:41,062 [root] DEBUG: DLL loaded at 0x75A40000: C:\Windows\system32\profapi (0xb000 bytes).
2020-02-11 17:53:41,092 [root] DEBUG: DLL loaded at 0x6D4F0000: C:\Program Files\Internet Explorer\sqmapi (0x39000 bytes).
2020-02-11 17:53:41,390 [root] DEBUG: DLL unloaded from 0x75EB0000.
2020-02-11 17:53:41,390 [root] DEBUG: DLL loaded at 0x71D70000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-02-11 17:53:41,390 [root] DEBUG: DLL loaded at 0x6D870000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0 (0x4000 bytes).
2020-02-11 17:53:41,453 [root] DEBUG: DLL loaded at 0x73EB0000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-02-11 17:53:41,467 [root] DEBUG: DLL loaded at 0x76180000: C:\Windows\system32\NSI (0x6000 bytes).
2020-02-11 17:53:41,467 [root] DEBUG: DLL loaded at 0x73E70000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-02-11 17:53:41,467 [root] DEBUG: DLL loaded at 0x73B50000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-02-11 17:53:41,467 [root] DEBUG: DLL loaded at 0x76190000: C:\Windows\system32\WS2_32 (0x35000 bytes).
2020-02-11 17:53:41,467 [root] DEBUG: DLL loaded at 0x73B20000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-02-11 17:53:41,467 [root] DEBUG: DLL unloaded from 0x77CB0000.
2020-02-11 17:53:41,467 [root] DEBUG: DLL unloaded from 0x75EB0000.
2020-02-11 17:53:41,467 [root] DEBUG: DLL loaded at 0x753F0000: C:\Windows\system32\cryptsp (0x17000 bytes).
2020-02-11 17:53:41,467 [root] DEBUG: DLL loaded at 0x750C0000: C:\Windows\system32\credssp (0x8000 bytes).
2020-02-11 17:53:41,467 [root] DEBUG: DLL unloaded from 0x753F0000.
2020-02-11 17:53:41,483 [root] DEBUG: DLL loaded at 0x75BD0000: C:\Windows\system32\CFGMGR32 (0x27000 bytes).
2020-02-11 17:53:41,515 [root] DEBUG: DLL loaded at 0x73B40000: C:\Windows\system32\SAMCLI (0xf000 bytes).
2020-02-11 17:53:41,515 [root] DEBUG: DLL loaded at 0x74780000: C:\Windows\system32\WKSCLI (0xf000 bytes).
2020-02-11 17:53:41,530 [root] DEBUG: DLL loaded at 0x74560000: C:\Windows\system32\NETAPI32 (0x11000 bytes).
2020-02-11 17:53:41,530 [root] DEBUG: DLL loaded at 0x74190000: C:\Windows\system32\netutils (0x9000 bytes).
2020-02-11 17:53:41,530 [root] DEBUG: DLL loaded at 0x75620000: C:\Windows\system32\srvcli (0x19000 bytes).
2020-02-11 17:53:41,546 [root] DEBUG: DLL unloaded from 0x77CB0000.
2020-02-11 17:53:50,390 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 2796
2020-02-11 17:53:50,390 [root] DEBUG: GetHookCallerBase: failed to get return address.
2020-02-11 17:53:50,390 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x00EB0000.
2020-02-11 17:53:50,390 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-02-11 17:53:50,390 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x00EB0000.
2020-02-11 17:53:50,390 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001E00.
2020-02-11 17:53:50,437 [root] INFO: Added new CAPE file to list with path: C:\BPPqpx\CAPE\2796_43992378250332211222020
2020-02-11 17:53:50,453 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xc3c00.
2020-02-11 17:53:50,453 [root] INFO: Notified of termination of process with pid 2796.
2020-02-11 17:53:50,546 [root] DEBUG: Terminate Event: Process 2796 has already been dumped(!)
2020-02-11 17:53:55,733 [root] INFO: Process list is empty, terminating analysis.
2020-02-11 17:53:56,733 [root] INFO: Created shutdown mutex.
2020-02-11 17:53:57,780 [root] INFO: Shutting down package.
2020-02-11 17:53:57,780 [root] INFO: Stopping auxiliary modules.
2020-02-11 17:53:58,155 [root] INFO: Finishing auxiliary modules.
2020-02-11 17:53:58,155 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-02-11 17:53:58,155 [root] WARNING: File at path "C:\BPPqpx\debugger" does not exist, skip.
2020-02-11 17:53:58,155 [root] INFO: Analysis completed.

MalScore

3.0

Suspicious

Machine

Name Label Manager Started On Shutdown On
win7_2 win7_2 KVM 2020-02-11 16:52:59 2020-02-11 16:54:05

URL Details

URL
www.gepeszrendszer.hu

Signatures

Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Network activity detected but not expressed in API logs

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary

WHOIS Information

Name: None
Country: None
State: None
City: None
ZIP Code: None
Address: None

Orginization: None
Domain Name(s):
    None
Creation Date:
    None
Updated Date:
    None
Expiration Date:
    None
Email(s):
    None

Registrar(s):
    None
Name Server(s):
    None
Referral URL(s):
    None
This file is not on VirusTotal.

Process Tree


iexplore.exe, PID: 2796, Parent PID: 3032
Full Path: C:\Program Files\Internet Explorer\iexplore.exe
Command Line: "C:\Program Files\Internet Explorer\iexplore.exe" "www.gepeszrendszer.hu"

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.2 51142 1.1.1.1 53
192.168.1.2 51584 1.1.1.1 53
192.168.1.2 64163 1.1.1.1 53
192.168.1.2 138 192.168.1.255 138
192.168.1.2 51142 8.8.8.8 53
192.168.1.2 51584 8.8.8.8 53
192.168.1.2 64163 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name iexplore.exe
PID 2796
Dump Size 801792 bytes
Module Path C:\Program Files\Internet Explorer\iexplore.exe
Type PE image: 32-bit executable
MD5 f00b41ea383d84d76667c93d1f7c7dbf
SHA1 0bdbd99481df5a5fd2dac29a5f5e3e8ba5951222
SHA256 ec7278a977ddc3e72dab7d562df526d8d0099136c1dcac1828cb1da4ac6811b1
CRC32 50093CDE
Ssdeep 24576:WwxMC7TbGLbMMHMMMvMMZMMMKzb6XmMMMiMMMz8JMMHMMM6MMZMMMeXNMMzMMMUQ:WjMMHMMMvMMZMMMlmMMMiMMMYJMMHMMs
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename ec7278a977ddc3e72dab7d562df526d8d0099136c1dcac1828cb1da4ac6811b1
Download Download ZIP Submit file

BinGraph

JSON Report Download
MAEC Report Download

Comments



No comments posted

Processing ( 5.935 seconds )

  • 5.033 Suricata
  • 0.387 ProcDump
  • 0.293 VirusTotal
  • 0.086 NetworkAnalysis
  • 0.071 Static
  • 0.053 Deduplicate
  • 0.009 AnalysisInfo
  • 0.003 Debug

Signatures ( 0.024 seconds )

  • 0.005 ransomware_files
  • 0.004 antiav_detectreg
  • 0.002 persistence_autorun
  • 0.002 antiav_detectfile
  • 0.002 infostealer_ftp
  • 0.002 ransomware_extensions
  • 0.001 antianalysis_detectfile
  • 0.001 browser_security
  • 0.001 disables_browser_warn
  • 0.001 infostealer_bitcoin
  • 0.001 infostealer_im
  • 0.001 infostealer_mail
  • 0.001 masquerade_process_name

Reporting ( 1.326 seconds )

  • 1.32 BinGraph
  • 0.006 JsonDump
Task ID 12663
Mongo ID 5e42dc38eb624717b5a789fb
Cuckoo release 1.3-CAPE
Delete