URL: http://cmokc.com/wp-content/themes/gaukingo/9qph4uxbvqdfzv/wrqqfxwr.php

Full analysis: https://app.any.run/tasks/7b11286a-fcc6-40d8-b699-eac9a2cd2002
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 08, 2019, 15:59:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir, trojan, loader, ransomware, maze
Indicators:
MD5: 00687731AC25ED56C3E5FD86BDBE82C9
SHA1: 64352667125CAAEC965123137C3676C35034E2F2
SHA256: 5510D6366146E1825FF07378FECD56E9DC4BAD8977DEE7F203CA054E51380DA3
SSDEEP: 3:N1KdIqGvOlAQrF6FPsTGJ9MV:CKqGvOlAkFmaEU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • 250608.dat (PID: 784)
      • 22191.dat (PID: 2600)
    • Downloads executable files from the Internet
      • WScript.exe (PID: 3804)
    • Deletes shadow copies
      • 250608.dat (PID: 784)
    • Writes to a start menu file
      • 250608.dat (PID: 784)
    • Actions look like stealing of personal data
      • 250608.dat (PID: 784)
    • Writes file to Word startup folder
      • 250608.dat (PID: 784)
    • MAZE was detected
      • 250608.dat (PID: 784)
    • Renames files like Ransomware
      • 250608.dat (PID: 784)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • msdt.exe (PID: 4056)
      • WScript.exe (PID: 3804)
      • WScript.exe (PID: 3496)
    • Executed via COM
      • sdiagnhost.exe (PID: 2888)
    • Creates files in the user directory
      • WScript.exe (PID: 3804)
      • WScript.exe (PID: 3496)
      • 250608.dat (PID: 784)
    • Starts application with an unusual extension
      • WScript.exe (PID: 3804)
      • WScript.exe (PID: 3496)
    • Executes scripts
      • WinRAR.exe (PID: 3572)
    • Creates files in the program directory
      • 250608.dat (PID: 784)
    • Reads the cookies of Mozilla Firefox
      • 250608.dat (PID: 784)
    • Creates files like Ransomware instruction
      • 250608.dat (PID: 784)
    • Connects to server without host name
      • 250608.dat (PID: 784)
  • INFO
    • Changes internet zones settings
      • iexplore.exe (PID: 1560)
    • Application launched itself
      • iexplore.exe (PID: 1560)
    • Reads Internet Explorer settings
      • iexplore.exe (PID: 2556)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 2556)
    • Creates files in the user directory
      • iexplore.exe (PID: 2556)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 1560)
    • Dropped object may contain TOR URLs
      • 250608.dat (PID: 784)
No Malware configuration.
No data.
Total processes: 50
Monitored processes: 11
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Graph node labels (interactive graph in the full report): start, drop and start, drop and start, iexplore.exe, iexplore.exe, msdt.exe, sdiagnhost.exe (no specs), winrar.exe (no specs), wscript.exe, 250608.dat (#MAZE), wscript.exe, 22191.dat (no specs), wmic.exe (no specs), wmic.exe (no specs)

Process information

PID 1560
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://cmokc.com/wp-content/themes/gaukingo/9qph4uxbvqdfzv/wrqqfxwr.php"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2556
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1560 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 4056
  CMD: -modal 262460 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDF29F4.tmp -ep NetworkDiagnosticsWeb
  Path: C:\Windows\system32\msdt.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Diagnostics Troubleshooting Wizard
  Exit code: 4294967295
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2888
  CMD: C:\Windows\System32\sdiagnhost.exe -Embedding
  Path: C:\Windows\System32\sdiagnhost.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Scripted Diagnostics Native Host
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3572
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PCD6MQLD\86798[1].zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: iexplore.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 3804
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3572.39664\Camera_595934025.js"
  Path: C:\Windows\System32\WScript.exe
  Parent process: WinRAR.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Exit code: 0
  Version: 5.8.7600.16385

PID 784
  CMD: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\250608.dat
  Path: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\250608.dat
  Parent process: WScript.exe
  User: admin
  Integrity Level: MEDIUM

PID 3496
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3572.40870\Camera_595934025.js"
  Path: C:\Windows\System32\WScript.exe
  Parent process: WinRAR.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Exit code: 0
  Version: 5.8.7600.16385

PID 2600
  CMD: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\22191.dat
  Path: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\22191.dat
  Parent process: WScript.exe
  User: admin
  Integrity Level: MEDIUM

PID 2080
  CMD: "C:\vxwq\..\Windows\wdp\npt\..\..\system32\mhnaf\bcydn\..\..\wbem\u\l\..\..\wmic.exe" shadowcopy delete
  Path: C:\Windows\system32\wbem\wmic.exe
  Parent process: 250608.dat
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: WMI Commandline Utility
  Exit code: 2147749908
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 692
Read events: 1 469
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 5
Suspicious files: 341
Text files: 273
Unknown types: 11

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
1560 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | - | - | -
1560 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | - | - | -
2556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | 6BBCDC157B9712BAC11B84D7A6210EAB | 0B4CC10672DF2A6685E63B09A88772E6F46913F25492AE61BA0BE737C9077865
2556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT | smt | 5B62C13D97D3E9A8A72D46CA5136DCAB | 4F053C5055E702BB748E9931D4931CC3474C241F98C488FD3D9F49D2B0DDB238
2556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | 5FA5F250AAD12127D3FC5B179CD4E768 | EE7EB9E729CDA5C81A4CE8776E3AD0667D2E19E706E91DCBC130A63101EC7E8C
1560 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\NDF29F4.tmp | binary | B3D0AC0283F5F0C97236B75EBA66EEA5 | A7ECACA2C8474BB8BF00FAC2DA958A163C3C62CCC12E750E0CC8823651B8C455
2556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GAZWPQ24\ErrorPageTemplate[1] | text | F4FE1CB77E758E1BA56B8A8EC20417C5 | 8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
1560 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].png | image | 9FB559A691078558E77D6848202F6541 | 6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
2556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CCGJG3VU\errorPageStrings[1] | text | 1A0563F7FB85A678771450B131ED66FD | EB5678DE9D8F29CA6893D4E6CA79BD5AB4F312813820FE4997B009A2B1A1654C
2556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\GAZWPQ24\background_gradient[1] | image | 20F0110ED5E4E0D5384A496E4880139B | 1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
HTTP(S) requests: 45
TCP/UDP connections: 48
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2556 | iexplore.exe | GET | - | 147.139.137.244:80 | http://hl19.ukparkingctrl.com/70/assets/footer_logos.png | US | - | - | malicious
2556 | iexplore.exe | GET | - | 147.139.137.244:80 | http://hl19.ukparkingctrl.com/70/assets/Photographic_banner.jpg | US | - | - | malicious
2556 | iexplore.exe | GET | 302 | 52.116.231.90:80 | http://cmokc.com/wp-content/themes/gaukingo/9qph4uxbvqdfzv/wrqqfxwr.php | US | - | - | unknown
2556 | iexplore.exe | GET | 200 | 147.139.137.244:80 | http://hl19.ukparkingctrl.com/70/assets/logo.png | US | image | 20.8 Kb | malicious
2556 | iexplore.exe | GET | 200 | 147.139.137.244:80 | http://hl19.ukparkingctrl.com/70/assets/bg.png | US | image | 401 b | malicious
2556 | iexplore.exe | GET | 200 | 147.139.137.244:80 | http://hl19.ukparkingctrl.com/october/indata/cam/select_opt/select.php?module=captcha | US | image | 2.85 Kb | malicious
1000 | svchost.exe | GET | 302 | 52.116.231.90:80 | http://cmokc.com/ | US | html | 243 b | unknown
2556 | iexplore.exe | GET | - | 147.139.137.244:80 | http://hl19.ukparkingctrl.com/70/assets/img_border.png | US | - | - | malicious
2556 | iexplore.exe | GET | - | 147.139.137.244:80 | http://hl19.ukparkingctrl.com/70/assets/Photographic_bg.jpg | US | - | - | malicious
2556 | iexplore.exe | GET | 200 | 147.139.137.244:80 | http://hl19.ukparkingctrl.com/70/assets/top_bg.png | US | html | 1.91 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2556 | iexplore.exe | 52.116.231.90:80 | cmokc.com | - | US | unknown
1560 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
1000 | svchost.exe | 134.249.116.78:80 | - | Kyivstar PJSC | UA | suspicious
2556 | iexplore.exe | 147.139.137.244:80 | fy04.ukparkingctrl.com | - | US | malicious
1000 | svchost.exe | 52.116.231.90:80 | cmokc.com | - | US | unknown
3496 | WScript.exe | 111.90.156.64:80 | www.highlevelsuccess.monster | - | MY | malicious
3804 | WScript.exe | 111.90.156.64:80 | www.highlevelsuccess.monster | - | MY | malicious
784 | 250608.dat | 91.218.114.11:80 | - | Mir Telematiki Ltd | RU | malicious
784 | 250608.dat | 91.218.114.32:80 | - | Mir Telematiki Ltd | RU | malicious
784 | 250608.dat | 91.218.114.26:80 | - | Mir Telematiki Ltd | RU | malicious

DNS requests

Domain | IP | Reputation
cmokc.com | 52.116.231.90 | unknown
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
fy04.ukparkingctrl.com | 147.139.137.244 | malicious
hl19.ukparkingctrl.com | 147.139.137.244 | malicious
www.highlevelsuccess.monster | 111.90.156.64 | malicious

Threats

PID | Process | Class | Message
2556 | iexplore.exe | Misc activity | ET INFO SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns)
3804 | WScript.exe | A Network Trojan was detected | ET TROJAN Possible Malicious Macro DL EXE Feb 2016
3804 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
3804 | WScript.exe | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
3496 | WScript.exe | A Network Trojan was detected | ET TROJAN Possible Malicious Macro DL EXE Feb 2016
784 | 250608.dat | A Network Trojan was detected | MALWARE [PTsecurity] Maze Ransomware (5 alerts)
2 ETPRO signatures available at the full report
No debug info