URL:

http://boomertravelers.net/hidaihfa

Full analysis: https://app.any.run/tasks/e575780b-8e07-43b3-9228-daafa6797021
Verdict: Malicious activity
Threats:

GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.

Malware Trends Tracker     >>>
Analysis date: January 18, 2019, 08:10:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
gandcrab
Indicators:
MD5:

A113D5C9FCD10743315F9ABF3CEF9615

SHA1:

B068633BA132A86FEBA72E29DC30800B4E7F4F58

SHA256:

2FA1F8E0634BED6B4FE858838FF23580E56C7FFBB55C184E9C776D0E0E18EDFF

SSDEEP:

3:N1KcuANOyMNY:Ccu0OyMY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3388)

    • GandCrab keys found

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3388)

    • Actions looks like stealing of personal data

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3388)

    • Writes file to Word startup folder

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3388)

    • Renames files like Ransomware

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3388)

    • Dropped file may contain instructions of ransomware

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3388)

    • Deletes shadow copies

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3388)

    • Changes settings of System certificates

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3388)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3300)
      • iexplore.exe (PID: 2984)

    • Creates files in the program directory

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3388)

    • Reads the cookies of Mozilla Firefox

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3388)

    • Creates files like Ransomware instruction

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3388)

    • Reads Internet Cache Settings

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3388)

    • Adds / modifies Windows certificates

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3388)

    • Creates files in the user directory

      • notepad++.exe (PID: 3252)
      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3388)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2984)

    • Application launched itself

      • iexplore.exe (PID: 2984)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3300)
      • iexplore.exe (PID: 2984)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3300)

    • Creates files in the user directory

      • iexplore.exe (PID: 3300)

    • Dropped object may contain TOR URL's

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3388)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
8
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start iexplore.exe iexplore.exe #GANDCRAB 11_dfdgdfb87740eqpd3pohyvdlb8ihwa[1].exe wmic.exe vssvc.exe no specs rundll32.exe no specs notepad++.exe gup.exe

Process information

PID
CMD
Path
Indicators
Parent process
2300"C:\Program Files\Notepad++\updater\gup.exe" -v7.51C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
0
Version:
4.1
Modules
Images
c:\program files\notepad++\updater\gup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\notepad++\updater\libcurl.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\wldap32.dll
2808"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\moreparty.png.zngmugC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\rundll32.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\usp10.dll
c:\windows\system32\imagehlp.dll
2984"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2992"C:\Windows\system32\wbem\wmic.exe" shadowcopy deleteC:\Windows\system32\wbem\wmic.exe
11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
3252"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\moreparty.png.zngmug"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Don HO don.h@free.fr
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Exit code:
0
Version:
7.51
Modules
Images
c:\program files\notepad++\notepad++.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\comctl32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
3300"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2984 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3388"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe
iexplore.exe
User:
admin
Company:
Domo Technologies
Integrity Level:
MEDIUM
Description:
Vbprj Feed Folderbrowserdialog Livermre
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\rb73mz6y\11_dfdgdfb87740eqpd3pohyvdlb8ihwa[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
3804C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
851
Read events
751
Write events
96
Delete events
4

Modification events

(PID) Process:(2984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(2984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{886935A1-1AF8-11E9-BAD8-5254004A04AF}
Value:
0
(PID) Process:(2984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(2984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
3
(PID) Process:(2984) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E30701000500120008000A002400E203
Executable files
2
Suspicious files
428
Text files
329
Unknown types
13

Dropped files

PID
Process
Filename
Type
3300iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@google[1].txt
MD5:
SHA256:
2984iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFD9258ED6832CAEF8.TMP
MD5:
SHA256:
2984iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF8E3BC1689CFFEBA8.TMP
MD5:
SHA256:
2984iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{886935A1-1AF8-11E9-BAD8-5254004A04AF}.dat
MD5:
SHA256:
338811_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exeC:\PerfLogs\Admin\ZNGMUG-DECRYPT.txttext
MD5:
SHA256:
2984iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{886935A2-1AF8-11E9-BAD8-5254004A04AF}.datbinary
MD5:
SHA256:
338811_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\boot.sdi
MD5:
SHA256:
3300iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@google[2].txttext
MD5:
SHA256:
338811_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim
MD5:
SHA256:
338811_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exeC:\Recovery\345b46fe-a9f9-11e7-a83c-e8a4f72b1d33\Winre.wim.zngmug
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
9
DNS requests
7
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3300
iexplore.exe
GET
302
185.159.80.108:80
http://185.159.80.108/zkNH48
NL
suspicious
3300
iexplore.exe
GET
301
205.185.125.109:80
http://boomertravelers.net/hidaihfa
US
html
236 b
suspicious
GET
200
2.16.106.50:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D
unknown
der
471 b
whitelisted
GET
200
2.16.106.50:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEAXk3DuUOKs7hZfLpqGYUOM%3D
unknown
der
727 b
whitelisted
3388
11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe
GET
301
138.201.162.99:80
http://www.kakaocorp.link/
DE
html
162 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2984
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3300
iexplore.exe
205.185.125.109:80
boomertravelers.net
FranTech Solutions
US
suspicious
3300
iexplore.exe
185.159.80.108:80
Hosting Solution Ltd.
NL
suspicious
3300
iexplore.exe
172.217.23.142:443
drive.google.com
Google Inc.
US
whitelisted
3300
iexplore.exe
172.217.23.161:443
doc-04-bo-docs.googleusercontent.com
Google Inc.
US
whitelisted
3388
11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe
138.201.162.99:80
www.kakaocorp.link
Hetzner Online GmbH
DE
malicious
3388
11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe
138.201.162.99:443
www.kakaocorp.link
Hetzner Online GmbH
DE
malicious
2300
gup.exe
37.59.28.236:443
notepad-plus-plus.org
OVH SAS
FR
whitelisted
2.16.106.50:80
ocsp.usertrust.com
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
boomertravelers.net
  • 205.185.125.109
suspicious
drive.google.com
  • 172.217.23.142
shared
doc-04-bo-docs.googleusercontent.com
  • 172.217.23.161
shared
www.kakaocorp.link
  • 138.201.162.99
malicious
notepad-plus-plus.org
  • 37.59.28.236
whitelisted
ocsp.usertrust.com
  • 2.16.106.50
  • 2.16.106.80
whitelisted

Threats

PID
Process
Class
Message
3300
iexplore.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Possible Keitaro TDS Redirect
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://boomertravelers.net/hidaihfa