analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://www.braintrainersuk.com/ONOLTDA-GD.exe

Full analysis: https://app.any.run/tasks/6a91f494-f257-401c-a0f6-9236aa9ce118
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 20, 2019, 19:02:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

A4925C167BE5DA351E5BE05BB9D78407

SHA1:

8B73E014912AF5EA192D0832D76C9504D766423F

SHA256:

1476F424B2A2ACB9C93F238DA4AC12F832EB51F73CC195748059BFA5F0122D7E

SSDEEP:

3:N1KJS43ECdIKqrChUhJ:Cc4zKxrC0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • ONOLTDA-GD[1].exe (PID: 2680)

    • Stops/Deletes Windows Defender service via SC.exe

      • cmd.exe (PID: 2568)
      • cmd.exe (PID: 2868)
      • cmd.exe (PID: 3352)
      • cmd.exe (PID: 1876)

    • Executes PowerShell scripts

      • cmd.exe (PID: 4000)

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 2612)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2612)
      • iexplore.exe (PID: 3580)

    • Starts CMD.EXE for commands execution

      • ONOLTDA-GD[1].exe (PID: 2680)

    • Creates files in the user directory

      • powershell.exe (PID: 3836)
      • powershell.exe (PID: 3800)

    • Executes PowerShell scripts

      • cmd.exe (PID: 2368)

    • Executed via COM

      • DllHost.exe (PID: 3600)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3580)

    • Application launched itself

      • iexplore.exe (PID: 3580)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2612)
      • iexplore.exe (PID: 3580)

    • Creates files in the user directory

      • iexplore.exe (PID: 2612)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
55
Monitored processes
16
Malicious processes
3
Suspicious processes
4

Behavior graph

Click at the process to see the details
drop and start start iexplore.exe iexplore.exe onoltda-gd[1].exe no specs cmd.exe no specs cmd.exe no specs cmd.exe no specs powershell.exe no specs cmd.exe no specs sc.exe no specs sc.exe no specs sc.exe no specs cmd.exe no specs cmd.exe no specs sc.exe no specs powershell.exe no specs CMSTPLUA no specs

Process information

PID
CMD
Path
Indicators
Parent process
3580"C:\Program Files\Internet Explorer\iexplore.exe" http://www.braintrainersuk.com/ONOLTDA-GD.exeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2612"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3580 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2680"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ONOLTDA-GD[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\ONOLTDA-GD[1].exeiexplore.exe
User:
admin
Company:
NVIDIA Corporation
Integrity Level:
MEDIUM
Description:
NVIDIA PTX JIT Compiler, Version 430.39
Version:
26.21.14.3039
4000"C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $trueC:\Windows\System32\cmd.exeONOLTDA-GD[1].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
1
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2568"C:\Windows\System32\cmd.exe" /c sc stop WinDefendC:\Windows\System32\cmd.exeONOLTDA-GD[1].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
5
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2868"C:\Windows\System32\cmd.exe" /c sc delete WinDefendC:\Windows\System32\cmd.exeONOLTDA-GD[1].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
5
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3836powershell Set-MpPreference -DisableRealtimeMonitoring $trueC:\Windows\System32\WindowsPowerShell\v1.0\powershell.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1876/c sc stop WinDefendC:\Windows\system32\cmd.exeONOLTDA-GD[1].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
5
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
3904sc stop WinDefendC:\Windows\system32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1372sc delete WinDefendC:\Windows\system32\sc.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
A tool to aid in developing services for WindowsNT
Exit code:
5
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 436
Read events
1 265
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
6
Text files
11
Unknown types
5

Dropped files

PID
Process
Filename
Type
3580iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF426A912F0F3F9B36.TMP
MD5:
SHA256:
3580iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
3580iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3836powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4V5TSAA8CTDYHUPZ3U8N.temp
MD5:
SHA256:
2612iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\24GAA6YI\ONOLTDA-GD[1].exeexecutable
MD5:E6DBE5E47DAB3B586A10F9B2BFD4312A
SHA256:A742DD1829BF43E23262D378D8E5219C5C9DA60C28BBC3C063274AAD4B961171
3580iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019052020190521\index.datdat
MD5:541D2140AB0F440EAC2B3E2B9C560A65
SHA256:340896FF0D092F24A9D20A93F76A35266F4920394371C8123DB9A278AED5B829
3800powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AVSSGXAYZFUJ4UHSZA03.temp
MD5:
SHA256:
2612iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:8F5209DC72C0FEE5073BB9477ABB5B9C
SHA256:F19B4276B134D8A183E6F98FC084F4984FB1E3F39F3E2B2FC62DEF1022F1D55A
2612iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:B088EF9EFF5E0709FBFD74B7D2A423F0
SHA256:C4AF7F215354F84FA8822A55865B0B2F8457B7D2314BD3AD570A7781173400E8
3836powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF13abb4.TMPbinary
MD5:33B4C42BAF9E3CA295E3BDCD51C02EAF
SHA256:B4273C31A01B0B90869574075D54D52E8098519587F61AE756B69729D0AF86A5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2612
iexplore.exe
GET
200
68.66.248.28:80
http://www.braintrainersuk.com/ONOLTDA-GD.exe
US
executable
248 Kb
malicious
3580
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3580
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2612
iexplore.exe
68.66.248.28:80
www.braintrainersuk.com
A2 Hosting, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
www.braintrainersuk.com
  • 68.66.248.28
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted

Threats

PID
Process
Class
Message
2612
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://www.braintrainersuk.com/ONOLTDA-GD.exe