analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://blog.naver.com/PostView.nhn?blogId=ezne&logNo=150155478326&redirect=Dlog&widgetTypeCall=true&topReferer=https%3A%2F%2Fblog.naver.com%2Fnotify-Notice_Blog%3FaHR0cHM6Ly9ibG9nLm5hdmVyLmNvbS9lem5lLzE1MDE1NTQ3ODMyNj9wcm94eVJlZmVyZXI9aHR0cHMlM0ElMkYlMkZlem5lLmJsb2cubWUlMkZub3RpZnktU2Ftc3VuZyUzRmFIUjBjSE02THk5bGVtNWxMbUpzYjJjdWJXVXZNVFV3TVRVMU5EYzRNekkyJTNCbVRRZFo1SG81bUpjbmxqZjREQ3VjV2tBZE1YU1NNM3FaWjE5anNVRk9XWSUzRA%3D%3D%3BNlp5aQnR3k9RjzVJKuLSBuXjfeSRCjFziw6kMO5bqVE%3D&directAccess=false

Full analysis: https://app.any.run/tasks/8db34a3f-0c71-48ae-83e9-829654386d73
Verdict: Malicious activity
Threats:

Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying.

Malware Trends Tracker     >>>
Analysis date: November 29, 2020, 23:55:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
Indicators:
MD5:

A5E2BE25F0F7AEADEE240A1F1D598CF6

SHA1:

506ED0B4A47AA31E31C4A11631515C39B903C084

SHA256:

520D0BA6061F499539575776D74C06819389ED7E1DB4C6391E0BCC5155108A77

SSDEEP:

12:2Zj4iDXlSAWREnQmqYRy3Oo69gfa3FRG8rbC3YgWNI4:2Z8oEyBwWKmBacI4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • HanKey_Change.exe (PID: 1112)

  • SUSPICIOUS

    • Creates files like Ransomware instruction

      • WinRAR.exe (PID: 2748)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2748)

    • Starts Internet Explorer

      • HanKey_Change.exe (PID: 1112)

  • INFO

    • Reads settings of System Certificates

      • chrome.exe (PID: 1888)
      • iexplore.exe (PID: 3320)

    • Reads the hosts file

      • chrome.exe (PID: 2612)
      • chrome.exe (PID: 1888)

    • Manual execution by user

      • HanKey_Change.exe (PID: 1112)

    • Application launched itself

      • chrome.exe (PID: 2612)
      • iexplore.exe (PID: 3092)

    • Creates files in the user directory

      • iexplore.exe (PID: 3092)
      • iexplore.exe (PID: 3320)

    • Changes internet zones settings

      • iexplore.exe (PID: 3092)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3320)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
14
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe chrome.exe no specs hankey_change.exe no specs iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2612"C:\Program Files\Google\Chrome\Application\chrome.exe" --disk-cache-dir=null --disk-cache-size=1 --media-cache-size=1 --disable-gpu-shader-disk-cache --disable-background-networking "https://blog.naver.com/PostView.nhn?blogId=ezne&logNo=150155478326&redirect=Dlog&widgetTypeCall=true&topReferer=https%3A%2F%2Fblog.naver.com%2Fnotify-Notice_Blog%3FaHR0cHM6Ly9ibG9nLm5hdmVyLmNvbS9lem5lLzE1MDE1NTQ3ODMyNj9wcm94eVJlZmVyZXI9aHR0cHMlM0ElMkYlMkZlem5lLmJsb2cubWUlMkZub3RpZnktU2Ftc3VuZyUzRmFIUjBjSE02THk5bGVtNWxMbUpzYjJjdWJXVXZNVFV3TVRVMU5EYzRNekkyJTNCbVRRZFo1SG81bUpjbmxqZjREQ3VjV2tBZE1YU1NNM3FaWjE5anNVRk9XWSUzRA%3D%3D%3BNlp5aQnR3k9RjzVJKuLSBuXjfeSRCjFziw6kMO5bqVE%3D&directAccess=false"C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
75.0.3770.100
2732"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6c3fa9d0,0x6c3fa9e0,0x6c3fa9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2724"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2648 --on-initialized-event-handle=316 --parent-handle=320 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
4076"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1040,16443960075025965485,14261255936935710199,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgACAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=14572672945902452556 --mojo-platform-channel-handle=948 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
1888"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1040,16443960075025965485,14261255936935710199,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=3233448111902275547 --mojo-platform-channel-handle=1456 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
408"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,16443960075025965485,14261255936935710199,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=13058547289194533564 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2156 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2848"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,16443960075025965485,14261255936935710199,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=23888046775691736 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2176 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2180"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,16443960075025965485,14261255936935710199,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=18344780167426425575 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2296 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2696"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1040,16443960075025965485,14261255936935710199,131072 --enable-features=PasswordImport --disable-gpu-compositing --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3370428494543426980 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2748"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\HanKey_Change.zip"C:\Program Files\WinRAR\WinRAR.exe
chrome.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.60.0
Total events
1 485
Read events
1 369
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
47
Text files
97
Unknown types
16

Dropped files

PID
Process
Filename
Type
2612chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5FC434F8-A34.pma
MD5:
SHA256:
2612chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\d1049b85-51d9-4e81-a0a7-c83407abf328.tmp
MD5:
SHA256:
2612chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000048.dbtmp
MD5:
SHA256:
2612chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:D4322EEBAC92D1B8F7A6F5E39F6264B7
SHA256:A3EEDF21B850DCC7CE5AE04395ECDD2D29DA4EA549C8A185DD9E8B552A87B8C2
2612chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.old~RF15b0cb.TMPtext
MD5:D4322EEBAC92D1B8F7A6F5E39F6264B7
SHA256:A3EEDF21B850DCC7CE5AE04395ECDD2D29DA4EA549C8A185DD9E8B552A87B8C2
2612chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\LOG.old~RF15b0ea.TMPtext
MD5:FB5B20517A0D1F7DAD485989565BEE5E
SHA256:99405F66EDBEB2306F4D0B4469DCADFF5293B5E1549C588CCFACEA439BB3B101
2612chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\EventDB\LOG.oldtext
MD5:1C97B70A4BAD7C026F79467C7D496AFA
SHA256:C5A02E4984DE3F30DADFC0A89A93F45418C06653C3962EAA94C93909E51D272D
2612chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG.old
MD5:
SHA256:
2612chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.oldtext
MD5:67F45CAA18C889645F50CD6216C81E65
SHA256:33ED82CDDDFFD55A5059C147C6CD20F66C6712314F890A39576D3C10914D0029
2612chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RF15b129.TMPtext
MD5:67F45CAA18C889645F50CD6216C81E65
SHA256:33ED82CDDDFFD55A5059C147C6CD20F66C6712314F890A39576D3C10914D0029
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
44
DNS requests
26
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3320
iexplore.exe
GET
200
104.18.43.10:80
http://www.ezne.net/wp-content/themes/openness/genericons/genericons.css
US
text
16.0 Kb
shared
3320
iexplore.exe
GET
200
104.18.43.10:80
http://ezne.net/
US
html
245 b
shared
1888
chrome.exe
GET
223.130.195.148:80
http://blogattach.naver.net/089d14a7bcedec301cfa9dac9e740271da867c9d82/20130103_150_blogfile/ezne_1357192100209_0VqVPh_zip/HanKey_Change.zip?type=attachment
KR
suspicious
3320
iexplore.exe
GET
200
104.18.43.10:80
http://ezne.net/the-benefits-of-camrabbit-live-chat/
US
html
4.71 Kb
shared
3092
iexplore.exe
GET
404
104.18.43.10:80
http://ezne.net/favicon.ico
US
html
225 b
shared
3320
iexplore.exe
GET
200
104.18.43.10:80
http://www.ezne.net/wp-content/themes/openness/js/functions.js
US
text
1.85 Kb
shared
3320
iexplore.exe
GET
200
104.18.43.10:80
http://www.ezne.net/wp-content/uploads/2020/05/article_351391_h_2_2.jpg
US
image
11.1 Kb
shared
3320
iexplore.exe
GET
200
104.18.43.10:80
http://www.ezne.net/wp-content/uploads/2020/05/5-300x225.png
US
image
95.2 Kb
shared
3320
iexplore.exe
GET
200
104.18.43.10:80
http://www.ezne.net/wp-includes/js/jquery/jquery.js
US
text
32.9 Kb
shared
3320
iexplore.exe
GET
200
104.18.43.10:80
http://www.ezne.net/wp-includes/css/dist/block-library/style.min.css
US
text
7.80 Kb
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1888
chrome.exe
216.58.207.45:443
accounts.google.com
Google Inc.
US
whitelisted
1888
chrome.exe
216.58.208.46:443
clients1.google.com
Google Inc.
US
whitelisted
1888
chrome.exe
172.217.21.202:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
1888
chrome.exe
2.18.233.157:443
ssl.pstatic.net
Akamai International B.V.
whitelisted
1888
chrome.exe
104.75.88.197:443
blog.naver.com
Akamai Technologies, Inc.
NL
unknown
1888
chrome.exe
104.109.64.173:443
blog.like.naver.com
Akamai International B.V.
NL
whitelisted
1888
chrome.exe
2.18.233.171:443
blogimgs.pstatic.net
Akamai International B.V.
whitelisted
1888
chrome.exe
203.104.163.21:443
lcs.naver.com
NBP
KR
unknown
1888
chrome.exe
223.130.195.148:80
blogattach.naver.net
KR
suspicious
1888
chrome.exe
142.250.74.195:443
ssl.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
blog.naver.com
  • 104.75.88.197
whitelisted
accounts.google.com
  • 216.58.207.45
shared
ssl.pstatic.net
  • 2.18.233.157
whitelisted
blogimgs.pstatic.net
  • 2.18.233.171
whitelisted
blog.like.naver.com
  • 104.109.64.173
whitelisted
postfiles.pstatic.net
  • 2.18.233.171
whitelisted
blogpfthumb-phinf.pstatic.net
  • 2.18.233.171
whitelisted
blogfiles.pstatic.net
  • 2.18.233.171
whitelisted
safebrowsing.googleapis.com
  • 172.217.21.202
whitelisted
sstatic-rmcnmv.pstatic.net
  • 2.18.233.171
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://blog.naver.com/PostView.nhn?blogId=ezne&logNo=150155478326&redirect=Dlog&widgetTypeCall=true&topReferer=https%3A%2F%2Fblog.naver.com%2Fnotify-Notice_Blog%3FaHR0cHM6Ly9ibG9nLm5hdmVyLmNvbS9lem5lLzE1MDE1NTQ3ODMyNj9wcm94eVJlZmVyZXI9aHR0cHMlM0ElMkYlMkZlem5lLmJsb2cubWUlMkZub3RpZnktU2Ftc3VuZyUzRmFIUjBjSE02THk5bGVtNWxMbUpzYjJjdWJXVXZNVFV3TVRVMU5EYzRNekkyJTNCbVRRZFo1SG81bUpjbmxqZjREQ3VjV2tBZE1YU1NNM3FaWjE5anNVRk9XWSUzRA%3D%3D%3BNlp5aQnR3k9RjzVJKuLSBuXjfeSRCjFziw6kMO5bqVE%3D&directAccess=false