Malware analysis http://bitcoinmaker.site/?utm_trc=Worldwide+ALL+WIN Malicious activity

Add for printing

URL:	http://bitcoinmaker.site/?utm_trc=Worldwide+ALL+WIN
Full analysis:	https://app.any.run/tasks/84539174-3ae2-48ab-b5c5-08f390c9c86d
Verdict:	Malicious activity
Analysis date:	July 18, 2019, 12:42:36
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:	5F040EF3D19EF57E53716BC7C380D6BB
SHA1:	3167655FDE85316B73D138A379F045D10E60822F
SHA256:	370364CBF82F1195EBDD24741F2C9D00ADF4BBF634BA83792E9483C7B894FDAF
SSDEEP:	3:N1KcQBnyLWcXh7:Cco7e7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
- Application launched itself
  - iexplore.exe (PID: 3864)
- Reads internet explorer settings
  - iexplore.exe (PID: 3620)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 3620)
- Changes internet zones settings
  - iexplore.exe (PID: 3864)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Parent process
3864	"C:\Program Files\Internet Explorer\iexplore.exe" "http://bitcoinmaker.site/?utm_trc=Worldwide+ALL+WIN"	C:\Program Files\Internet Explorer\iexplore.exe	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3620	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3864 CREDAT:71937	C:\Program Files\Internet Explorer\iexplore.exe	iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

379

Read events

334

Write events

Delete events

Modification events


(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:	write	Name:	CompatibilityFlags
Value: 0
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	UNCAsIntranet
Value: 0
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:	write	Name:	AutoDetect
Value: 1
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:	write	Name:	SecuritySafe
Value: 1
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:	write	Name:	ProxyEnable
Value: 0
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:	write	Name:	SavedLegacySettings
Value: 4600000078000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:	write	Name:	{8DF1768D-A959-11E9-95C0-5254004A04AF}
Value: 0
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:	write	Name:	Type
Value: 4
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:	write	Name:	Count
Value: 2
(PID) Process:	(3864) iexplore.exe	Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:	write	Name:	Time
Value: E3070700040012000C002A0034005201

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3864	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico		—
		MD5:—	SHA256:—
3864	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		—
		MD5:—	SHA256:—
3620	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8BW8CI0Y\bitcoinmaker_site[1].txt		—
		MD5:—	SHA256:—
3620	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8BW8CI0Y\reset[1].css		text
		MD5:8F8FD5F8ECA2F8A2FCF698DE3A8B449F	SHA256:C147026DF6FC9D1DF82C90FCB4A1F613F40091902800A7E0E431E5BDD239655D
3620	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PUF80D1U\isValidNumber[1].css		text
		MD5:38E62870D9E55E70F9681A983E536FBB	SHA256:A6C8229B04478E98615AB504CE425033B1F0E079D00034511B6E124D5631D60D
3620	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat		dat
		MD5:8311648E61132D7A2D3E8524479ED278	SHA256:B9C2C04551274F65CCA3FB49CC4CE8FCC0748B4AB55D6BDDB4A93455D1B56285
3620	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RIMVM10U\btn[1].png		image
		MD5:92315324D7FE9220083594CA6B4C669B	SHA256:972653CEA11E4A3464CCF2E48D369B438E0A577E10D7B291BFB6F4B76D86E116
3620	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RIMVM10U\channels_logo_fullcolor[1].jpg		image
		MD5:4113941804515CE6DF86C275A4697E9C	SHA256:2D84BF921F53F6540587C4FCECD800C9141EC5F902DBD2ACB0568B94131DDB66
3620	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8BW8CI0Y\bitcoinmaker_site[1].htm		html
		MD5:0B2F86CA0B0E125CA570F75EA0239D72	SHA256:2E7AB994D6704212863848D5D58D9EDA9A5ECF03821C4AADA50E1E9F6F60F0FE
3620	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\8BW8CI0Y\rdrCookieModule[1].js		text
		MD5:DFDF78E40977633D32942C3BFCDB4D05	SHA256:FC5679EC5830380E7B9B81B956EDC4DFD7539D335DF73B27D7DC3D1E0A2FCC4A

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3620	iexplore.exe	GET	200	5.23.49.230:80	http://sex-max.xyz/landers/bitcoin/index_files/css.css	RU	text	1013 b	suspicious
3620	iexplore.exe	GET	200	5.23.49.230:80	http://sex-max.xyz/landers/bitcoin/index_files/intlTelInput.min.css	RU	text	20.2 Kb	suspicious
3620	iexplore.exe	GET	404	185.220.33.14:80	http://bitcoinmaker.site/js/rdrCookieModule.js	unknown	html	219 b	malicious
3620	iexplore.exe	GET	200	5.23.49.230:80	http://sex-max.xyz/landers/bitcoin/index_files/style.css	RU	text	94.9 Kb	suspicious
3620	iexplore.exe	GET	200	5.23.49.230:80	http://sex-max.xyz/landers/bitcoin/index_files/reset.css	RU	text	649 b	suspicious
3620	iexplore.exe	GET	200	5.23.49.230:80	http://sex-max.xyz/landers/bitcoin/index_files/form_arrow.png	RU	image	14.9 Kb	suspicious
3620	iexplore.exe	GET	200	5.23.49.230:80	http://sex-max.xyz/landers/bitcoin/index_files/volume1.png	RU	image	136 Kb	suspicious
3620	iexplore.exe	GET	404	185.220.33.14:80	http://bitcoinmaker.site/js/form.js	unknown	html	208 b	malicious
3620	iexplore.exe	GET	200	5.23.49.230:80	http://sex-max.xyz/landers/bitcoin/index_files/btn.png	RU	image	1.82 Kb	suspicious
3620	iexplore.exe	GET	200	185.220.33.14:80	http://bitcoinmaker.site/?utm_trc=Worldwide+ALL+WIN	unknown	html	29.2 Kb	malicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
3864	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
—	—	185.220.33.14:80	bitcoinmaker.site	—	—	suspicious
3620	iexplore.exe	185.220.33.14:80	bitcoinmaker.site	—	—	suspicious
3620	iexplore.exe	5.23.49.230:80	sex-max.xyz	—	RU	suspicious
3620	iexplore.exe	205.185.208.52:443	code.jquery.com	Highwinds Network Group, Inc.	US	unknown

DNS requests

Domain	IP	Reputation
bitcoinmaker.site	185.220.33.14	malicious
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
sex-max.xyz	5.23.49.230	suspicious
code.jquery.com	205.185.208.52	whitelisted

Threats

PID	Process	Class	Message
3620	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
3620	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
3620	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
3620	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
3620	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
3620	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
3620	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
3620	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
3620	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain
3620	iexplore.exe	Potentially Bad Traffic	AV INFO HTTP Request to a *.xyz domain

Add for printing

No debug info

General Info

http://bitcoinmaker.site/?utm_trc=Worldwide+ALL+WIN

5F040EF3D19EF57E53716BC7C380D6BB

3167655FDE85316B73D138A379F045D10E60822F

370364CBF82F1195EBDD24741F2C9D00ADF4BBF634BA83792E9483C7B894FDAF

3:N1KcQBnyLWcXh7:Cco7e7

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Application launched itself

Reads internet explorer settings

Reads Internet Cache Settings

Changes internet zones settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings