Analysis

Category Package Started Completed Duration Log
URL ie 2020-02-13 12:40:28 2020-02-13 12:41:39 71 seconds Show Log
2020-02-13 13:40:41,000 [root] INFO: Date set to: 02-13-20, time set to: 12:40:41, timeout set to: 200
2020-02-13 13:40:41,046 [root] DEBUG: Starting analyzer from: C:\nhucnzt
2020-02-13 13:40:41,046 [root] DEBUG: Storing results at: C:\zUbOsHdmd
2020-02-13 13:40:41,046 [root] DEBUG: Pipe server name: \\.\PIPE\kPBIHnwS
2020-02-13 13:40:41,046 [root] DEBUG: No analysis package specified, trying to detect it automagically.
2020-02-13 13:40:41,046 [root] INFO: Automatically selected analysis package "ie"
2020-02-13 13:40:42,578 [root] DEBUG: Started auxiliary module Browser
2020-02-13 13:40:42,578 [root] DEBUG: Started auxiliary module Curtain
2020-02-13 13:40:42,578 [modules.auxiliary.digisig] DEBUG: Skipping authenticode validation, analysis is not a file.
2020-02-13 13:40:42,578 [root] DEBUG: Started auxiliary module DigiSig
2020-02-13 13:40:42,578 [root] DEBUG: Started auxiliary module Disguise
2020-02-13 13:40:42,578 [root] DEBUG: Started auxiliary module Human
2020-02-13 13:40:42,578 [root] DEBUG: Started auxiliary module Screenshots
2020-02-13 13:40:42,578 [root] DEBUG: Started auxiliary module Sysmon
2020-02-13 13:40:42,578 [root] DEBUG: Started auxiliary module Usage
2020-02-13 13:40:42,578 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL option
2020-02-13 13:40:42,578 [root] INFO: Analyzer: Package modules.packages.ie does not specify a DLL_64 option
2020-02-13 13:40:42,625 [lib.api.process] INFO: Successfully executed process from path "C:\Program Files\Internet Explorer\iexplore.exe" with arguments ""sendto.pjrt.hu"" with pid 1052
2020-02-13 13:40:43,125 [lib.api.process] INFO: 32-bit DLL to inject is C:\nhucnzt\dll\xXMFSbww.dll, loader C:\nhucnzt\bin\rSiQRYL.exe
2020-02-13 13:40:43,530 [root] DEBUG: ReadConfig: Successfully loaded pipe name \\.\PIPE\kPBIHnwS.
2020-02-13 13:40:43,546 [root] DEBUG: Loader: Injecting process 1052 (thread 1848) with C:\nhucnzt\dll\xXMFSbww.dll.
2020-02-13 13:40:43,546 [root] DEBUG: Process image base: 0x003C0000
2020-02-13 13:40:43,546 [root] DEBUG: InjectDllViaIAT: IAT patching with dll name C:\nhucnzt\dll\xXMFSbww.dll.
2020-02-13 13:40:43,546 [root] DEBUG: InjectDllViaIAT: Successfully patched IAT.
2020-02-13 13:40:43,546 [root] DEBUG: Successfully injected DLL C:\nhucnzt\dll\xXMFSbww.dll.
2020-02-13 13:40:43,562 [lib.api.process] INFO: Injected into suspended 32-bit process with pid 1052
2020-02-13 13:40:46,203 [lib.api.process] INFO: Successfully resumed process with pid 1052
2020-02-13 13:40:48,280 [root] DEBUG: Terminate processes on terminate_event disabled.
2020-02-13 13:40:48,280 [root] INFO: Added new process to list with pid: 1052
2020-02-13 13:40:49,905 [root] INFO: Disabling sleep skipping.
2020-02-13 13:40:49,905 [root] INFO: Disabling sleep skipping.
2020-02-13 13:40:49,905 [root] DEBUG: RestoreHeaders: Restored original import table.
2020-02-13 13:40:49,905 [root] INFO: Disabling sleep skipping.
2020-02-13 13:40:50,765 [root] INFO: Disabling sleep skipping.
2020-02-13 13:40:50,765 [root] DEBUG: CAPE initialised: 32-bit monitor loaded in process 1052 at 0x6a2c0000, image base 0x3c0000, stack from 0x132000-0x140000
2020-02-13 13:40:50,812 [root] DEBUG: Commandline: C:\Users\Rebecca\AppData\Local\Temp\"C:\Program Files\Internet Explorer\iexplore.exe" "sendto.pjrt.hu".
2020-02-13 13:40:50,828 [root] INFO: Monitor successfully loaded in process with pid 1052.
2020-02-13 13:40:50,828 [root] DEBUG: DLL unloaded from 0x75290000.
2020-02-13 13:40:50,828 [root] DEBUG: DLL loaded at 0x74AC0000: C:\Windows\system32\CRYPTBASE (0xc000 bytes).
2020-02-13 13:40:50,890 [root] DEBUG: DLL loaded at 0x6DCB0000: C:\Windows\system32\api-ms-win-downlevel-shell32-l1-1-0 (0x4000 bytes).
2020-02-13 13:40:50,890 [root] DEBUG: DLL loaded at 0x76200000: C:\Windows\system32\shell32 (0xc4c000 bytes).
2020-02-13 13:40:50,890 [root] DEBUG: DLL loaded at 0x6E030000: C:\Windows\system32\IEFRAME (0xd12000 bytes).
2020-02-13 13:40:50,905 [root] DEBUG: DLL loaded at 0x76160000: C:\Windows\system32\OLEAUT32 (0x91000 bytes).
2020-02-13 13:40:50,905 [root] DEBUG: DLL loaded at 0x72A90000: C:\Windows\system32\WINHTTP (0x58000 bytes).
2020-02-13 13:40:50,905 [root] DEBUG: DLL loaded at 0x72430000: C:\Windows\system32\webio (0x50000 bytes).
2020-02-13 13:40:50,905 [root] DEBUG: DLL loaded at 0x73AF0000: C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\comctl32 (0x19e000 bytes).
2020-02-13 13:40:51,296 [root] DEBUG: DLL loaded at 0x6A410000: C:\Program Files\Internet Explorer\IEShims (0x4b000 bytes).
2020-02-13 13:40:51,405 [root] DEBUG: DLL loaded at 0x750A0000: C:\Windows\system32\comdlg32 (0x7b000 bytes).
2020-02-13 13:40:51,437 [root] DEBUG: DLL loaded at 0x75380000: C:\Windows\system32\urlmon (0x150000 bytes).
2020-02-13 13:40:51,437 [root] DEBUG: DLL loaded at 0x74E50000: C:\Windows\system32\api-ms-win-downlevel-ole32-l1-1-0 (0x4000 bytes).
2020-02-13 13:40:51,483 [root] DEBUG: DLL loaded at 0x75AE0000: C:\Windows\system32\WININET (0x437000 bytes).
2020-02-13 13:40:51,483 [root] DEBUG: DLL loaded at 0x74E20000: C:\Windows\system32\USERENV (0x17000 bytes).
2020-02-13 13:40:51,483 [root] DEBUG: DLL loaded at 0x74BE0000: C:\Windows\system32\profapi (0xb000 bytes).
2020-02-13 13:40:52,437 [root] DEBUG: DLL loaded at 0x6A0A0000: C:\Program Files\Internet Explorer\sqmapi (0x39000 bytes).
2020-02-13 13:40:52,437 [root] DEBUG: DLL unloaded from 0x75130000.
2020-02-13 13:40:52,453 [root] DEBUG: DLL loaded at 0x70D30000: C:\Windows\system32\api-ms-win-downlevel-advapi32-l2-1-0 (0x4000 bytes).
2020-02-13 13:40:52,453 [root] DEBUG: DLL loaded at 0x6CCB0000: C:\Windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0 (0x4000 bytes).
2020-02-13 13:40:52,483 [root] DEBUG: DLL loaded at 0x73060000: C:\Windows\system32\IPHLPAPI (0x1c000 bytes).
2020-02-13 13:40:52,483 [root] DEBUG: DLL loaded at 0x76FB0000: C:\Windows\system32\NSI (0x6000 bytes).
2020-02-13 13:40:52,483 [root] DEBUG: DLL loaded at 0x73020000: C:\Windows\system32\WINNSI (0x7000 bytes).
2020-02-13 13:40:52,483 [root] DEBUG: DLL loaded at 0x72D80000: C:\Windows\system32\dhcpcsvc6 (0xd000 bytes).
2020-02-13 13:40:52,483 [root] DEBUG: DLL loaded at 0x75340000: C:\Windows\system32\WS2_32 (0x35000 bytes).
2020-02-13 13:40:52,483 [root] DEBUG: DLL loaded at 0x72D30000: C:\Windows\system32\dhcpcsvc (0x12000 bytes).
2020-02-13 13:40:52,483 [root] DEBUG: DLL unloaded from 0x76E50000.
2020-02-13 13:40:52,483 [root] DEBUG: DLL unloaded from 0x75130000.
2020-02-13 13:40:52,483 [root] DEBUG: DLL loaded at 0x74590000: C:\Windows\system32\cryptsp (0x17000 bytes).
2020-02-13 13:40:52,500 [root] DEBUG: DLL loaded at 0x74260000: C:\Windows\system32\credssp (0x8000 bytes).
2020-02-13 13:40:52,500 [root] DEBUG: DLL unloaded from 0x74590000.
2020-02-13 13:40:52,500 [root] DEBUG: DLL loaded at 0x74D60000: C:\Windows\system32\CFGMGR32 (0x27000 bytes).
2020-02-13 13:40:52,578 [root] DEBUG: DLL loaded at 0x72C60000: C:\Windows\system32\SAMCLI (0xf000 bytes).
2020-02-13 13:40:52,578 [root] DEBUG: DLL loaded at 0x732C0000: C:\Windows\system32\WKSCLI (0xf000 bytes).
2020-02-13 13:40:52,578 [root] DEBUG: DLL loaded at 0x73740000: C:\Windows\system32\NETAPI32 (0x11000 bytes).
2020-02-13 13:40:52,578 [root] DEBUG: DLL loaded at 0x738B0000: C:\Windows\system32\netutils (0x9000 bytes).
2020-02-13 13:40:52,578 [root] DEBUG: DLL loaded at 0x74770000: C:\Windows\system32\srvcli (0x19000 bytes).
2020-02-13 13:40:52,592 [root] DEBUG: DLL unloaded from 0x76E50000.
2020-02-13 13:41:05,562 [root] DEBUG: NtTerminateProcess hook: Attempting to dump process 1052
2020-02-13 13:41:05,562 [root] DEBUG: GetHookCallerBase: failed to get return address.
2020-02-13 13:41:05,562 [root] DEBUG: DumpInterestingRegions: Dumping Imagebase at 0x003C0000.
2020-02-13 13:41:05,562 [root] DEBUG: DumpImageInCurrentProcess: Attempting to dump virtual PE image.
2020-02-13 13:41:05,562 [root] DEBUG: DumpProcess: Instantiating PeParser with address: 0x003C0000.
2020-02-13 13:41:05,562 [root] DEBUG: DumpProcess: Module entry point VA is 0x00001E00.
2020-02-13 13:41:05,625 [root] INFO: Added new CAPE file to list with path: C:\zUbOsHdmd\CAPE\1052_15924940175411813422020
2020-02-13 13:41:05,625 [root] DEBUG: DumpProcess: Module image dump success - dump size 0xc3c00.
2020-02-13 13:41:05,625 [root] INFO: Notified of termination of process with pid 1052.
2020-02-13 13:41:05,733 [root] DEBUG: Terminate Event: Process 1052 has already been dumped(!)
2020-02-13 13:41:10,812 [root] INFO: Process list is empty, terminating analysis.
2020-02-13 13:41:11,812 [root] INFO: Created shutdown mutex.
2020-02-13 13:41:12,812 [root] INFO: Shutting down package.
2020-02-13 13:41:12,812 [root] INFO: Stopping auxiliary modules.
2020-02-13 13:41:13,250 [root] INFO: Finishing auxiliary modules.
2020-02-13 13:41:13,250 [root] INFO: Shutting down pipe server and dumping dropped files.
2020-02-13 13:41:13,250 [root] WARNING: File at path "C:\zUbOsHdmd\debugger" does not exist, skip.
2020-02-13 13:41:13,250 [root] INFO: Analysis completed.

MalScore

3.0

Suspicious

Machine

Name Label Manager Started On Shutdown On
win7_3 win7_3 KVM 2020-02-13 12:40:28 2020-02-13 12:41:38

URL Details

URL
sendto.pjrt.hu

Signatures

Queries or connects to DNS-Over-HTTPS/DNS-Over-TLS domain or IP address
ip: 1.1.1.1
Network activity detected but not expressed in API logs

Screenshots


Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

DNS

No domains contacted.


Summary

WHOIS Information

Name: None
Country: None
State: None
City: None
ZIP Code: None
Address: None

Orginization: None
Domain Name(s):
    None
Creation Date:
    None
Updated Date:
    None
Expiration Date:
    None
Email(s):
    None

Registrar(s):
    None
Name Server(s):
    None
Referral URL(s):
    None

Full Results

VirusTotal Result
CLEAN MX Clean Site
DNS8 Clean Site
VX Vault Clean Site
ZDB Zeus Clean Site
SCUMWARE_org Clean Site
AutoShun Unrated Site
ZCloudsec Clean Site
desenmascara_me Clean Site
CyRadar Clean Site
Comodo Valkyrie Verdict Unrated Site
PhishLabs Unrated Site
Zerofox Clean Site
K7AntiVirus Clean Site
Virusdie External Site Scan Clean Site
Spamhaus Clean Site
Quttera Clean Site
AegisLab WebGuard Clean Site
MalwareDomainList Clean Site
ZeusTracker Clean Site
zvelo Clean Site
Google Safebrowsing Clean Site
Kaspersky Unrated Site
BitDefender Clean Site
G-Data Clean Site
Segasec Unrated Site
CyberCrime Clean Site
Malware Domain Blocklist Clean Site
MalwarePatrol Clean Site
Trustwave Clean Site
Web Security Guard Clean Site
Dr_Web Clean Site
ADMINUSLabs Clean Site
Malwarebytes hpHosts Clean Site
Opera Clean Site
AlienVault Clean Site
Emsisoft Clean Site
Rising Clean Site
Malc0de Database Clean Site
BADWARE_INFO Clean Site
EonScope Clean Site
Malwared Clean Site
Avira Clean Site
NotMining Unrated Site
OpenPhish Clean Site
Antiy-AVL Clean Site
Forcepoint ThreatSeeker Unrated Site
FraudSense Clean Site
malwares_com URL checker Clean Site
URLhaus Clean Site
Comodo Site Inspector Clean Site
Malekal Clean Site
ESET Clean Site
Sophos Unrated Site
Yandex Safebrowsing Clean Site
SecureBrain Clean Site
Phishtank Clean Site
ZeroCERT Clean Site
Blueliv Clean Site
Nucleon Clean Site
Netcraft Unrated Site
CRDF Clean Site
ThreatHive Clean Site
FraudScore Clean Site
Tencent Clean Site
URLQuery Clean Site
StopBadware Unrated Site
Sucuri SiteCheck Clean Site
Fortinet Clean Site
ESTsecurity-Threat Inside Clean Site
Spam404 Clean Site
securolytics Clean Site
Baidu-International Clean Site

Process Tree


iexplore.exe, PID: 1052, Parent PID: 1736
Full Path: C:\Program Files\Internet Explorer\iexplore.exe
Command Line: "C:\Program Files\Internet Explorer\iexplore.exe" "sendto.pjrt.hu"

Hosts

Direct IP Country Name
Y 8.8.8.8 [VT] United States
Y 1.1.1.1 [VT] Australia

TCP

No TCP connections recorded.

UDP

Source Source Port Destination Destination Port
192.168.1.3 50933 1.1.1.1 53
192.168.1.3 56366 1.1.1.1 53
192.168.1.3 62840 1.1.1.1 53
192.168.1.3 62988 1.1.1.1 53
192.168.1.3 50933 8.8.8.8 53
192.168.1.3 56366 8.8.8.8 53
192.168.1.3 62840 8.8.8.8 53
192.168.1.3 62988 8.8.8.8 53

DNS

No domains contacted.

HTTP Requests

No HTTP requests performed.

SMTP traffic

No SMTP traffic performed.

IRC traffic

No IRC requests performed.

ICMP traffic

No ICMP traffic performed.

CIF Results

No CIF Results

Suricata Alerts

No Suricata Alerts

Suricata TLS

No Suricata TLS

Suricata HTTP

No Suricata HTTP

Sorry! No dropped Suricata Extracted files.

JA3

No JA3 hashes found.

Sorry! No dropped files.
Sorry! No CAPE files.
Process Name iexplore.exe
PID 1052
Dump Size 801792 bytes
Module Path C:\Program Files\Internet Explorer\iexplore.exe
Type PE image: 32-bit executable
MD5 427bd0052c746fd26631108a90c5a986
SHA1 d268f4acf24cefd5da21d5185950e10b262cca3d
SHA256 b2e0f3b0ec3de0c43f25626592ae29dbb0cafb537ce86b8baac631bc4b010b50
CRC32 62556591
Ssdeep 24576:HuArc37TbGLbMMHMMMvMMZMMMKzb6XmMMMiMMMz8JMMHMMM6MMZMMMeXNMMzMMMP:HhMMHMMMvMMZMMMlmMMMiMMMYJMMHMMs
ClamAV None
Yara None matched
CAPE Yara None matched
Dump Filename b2e0f3b0ec3de0c43f25626592ae29dbb0cafb537ce86b8baac631bc4b010b50
Download Download ZIP Submit file

BinGraph

JSON Report Download
MAEC Report Download

Comments



No comments posted

Processing ( 5.866 seconds )

  • 5.037 Suricata
  • 0.274 VirusTotal
  • 0.266 ProcDump
  • 0.127 Static
  • 0.093 NetworkAnalysis
  • 0.056 Deduplicate
  • 0.01 AnalysisInfo
  • 0.003 Debug

Signatures ( 0.019 seconds )

  • 0.004 antiav_detectreg
  • 0.004 ransomware_files
  • 0.002 antiav_detectfile
  • 0.002 ransomware_extensions
  • 0.001 persistence_autorun
  • 0.001 antianalysis_detectreg
  • 0.001 browser_security
  • 0.001 infostealer_bitcoin
  • 0.001 infostealer_ftp
  • 0.001 infostealer_im
  • 0.001 infostealer_mail

Reporting ( 0.751 seconds )

  • 0.743 BinGraph
  • 0.008 JsonDump
Task ID 12748
Mongo ID 5e45440b00ac943031667035
Cuckoo release 1.3-CAPE
Delete