analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://185.159.80.108/zkNH48

Full analysis: https://app.any.run/tasks/fdf43045-fad7-49dc-9e27-8ab4f132574c
Verdict: Malicious activity
Threats:

GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.

Analysis date: January 18, 2019, 09:57:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
gandcrab
Indicators:
MD5:

C234BB205425C0C1147D581118D2E328

SHA1:

BC5E78BC69582E293AAF73DC4D1A3E318B52F3B2

SHA256:

442CE4CCD754DEF378C1664BF86C6977597230A1226D9EC03F54217BB8957EBA

SSDEEP:

3:N1Klk6bMdl:CfbMf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 2208)
    • GandCrab keys found

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 2208)
    • Actions looks like stealing of personal data

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 2208)
    • Writes file to Word startup folder

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 2208)
    • Renames files like Ransomware

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 2208)
    • Deletes shadow copies

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 2208)
    • Changes settings of System certificates

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 2208)
    • Dropped file may contain instructions of ransomware

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 2208)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2848)
      • iexplore.exe (PID: 3764)
    • Creates files in the program directory

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 2208)
    • Reads the cookies of Mozilla Firefox

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 2208)
    • Creates files like Ransomware instruction

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 2208)
    • Adds / modifies Windows certificates

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 2208)
    • Creates files in the user directory

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 2208)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2848)
    • Application launched itself

      • iexplore.exe (PID: 2848)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2848)
      • iexplore.exe (PID: 3764)
    • Creates files in the user directory

      • iexplore.exe (PID: 3764)
    • Dropped object may contain TOR URL's

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 2208)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start iexplore.exe iexplore.exe #GANDCRAB 11_dfdgdfb87740eqpd3pohyvdlb8ihwa[1].exe wmic.exe vssvc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2848"C:\Program Files\Internet Explorer\iexplore.exe" http://185.159.80.108/zkNH48C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3764"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2848 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2208"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe
iexplore.exe
User:
admin
Company:
Domo Technologies
Integrity Level:
MEDIUM
Description:
Vbprj Feed Folderbrowserdialog Livermre
3400"C:\Windows\system32\wbem\wmic.exe" shadowcopy deleteC:\Windows\system32\wbem\wmic.exe
11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3324C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
799
Read events
712
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
413
Text files
325
Unknown types
19

Dropped files

PID
Process
Filename
Type
2848iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2848iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3764iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@google[1].txt
MD5:
SHA256:
2848iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF439AF47EC03A155D.TMP
MD5:
SHA256:
2848iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFA5D03E65C1130958.TMP
MD5:
SHA256:
2848iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{93A21109-1B07-11E9-BAD8-5254004A04AF}.dat
MD5:
SHA256:
2848iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{93A2110A-1B07-11E9-BAD8-5254004A04AF}.datbinary
MD5:DD1B2F7AF2BBE25E638701F24AC983E1
SHA256:AEDCC41C0D00FFE45AA60BB33B8751D0628A5B26E2A31BD5A8746C8B8A7690FA
2848iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exeexecutable
MD5:24F030B17DD8152A3CD04253DD648690
SHA256:57ACEA19D6B84C350A6C9CF2B55794377C7D12491B65AF1D06C7F857316F1D7B
2848iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019011820190119\index.datdat
MD5:1632170D13CC71D3E792AA7B789548D2
SHA256:F1A85F5B92C1974A2BC472D878BE49E12CD8F604DB6B44FBA9FFF0A913DBA898
3764iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.logtext
MD5:B326E2C6843ACCE070A610953485BC6C
SHA256:458A929E55757EF50C629395748F47327C3FF29060EC1C27B6260E55C97BD315
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
3
TCP/UDP connections
6
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3764
iexplore.exe
GET
302
185.159.80.108:80
http://185.159.80.108/zkNH48
NL
suspicious
2208
11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe
GET
301
138.201.162.99:80
http://www.kakaocorp.link/
DE
html
162 b
malicious
2848
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2848
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2208
11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe
138.201.162.99:80
www.kakaocorp.link
Hetzner Online GmbH
DE
malicious
3764
iexplore.exe
185.159.80.108:80
Hosting Solution Ltd.
NL
suspicious
2208
11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe
138.201.162.99:443
www.kakaocorp.link
Hetzner Online GmbH
DE
malicious
3764
iexplore.exe
172.217.23.142:443
drive.google.com
Google Inc.
US
whitelisted
3764
iexplore.exe
172.217.23.161:443
doc-04-bo-docs.googleusercontent.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
drive.google.com
  • 172.217.23.142
shared
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
doc-04-bo-docs.googleusercontent.com
  • 172.217.23.161
shared
www.kakaocorp.link
  • 138.201.162.99
malicious

Threats

PID
Process
Class
Message
3764
iexplore.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Possible Keitaro TDS Redirect
No debug info