URL: | http://cmokc.com/wp-content/themes/gaukingo/9qph4uxbvqdfzv/wrqqfxwr.php |
Full analysis: | https://app.any.run/tasks/b19045b8-76c3-4bb0-b144-bef23641de9a |
Verdict: | Malicious activity |
Threats: | Maze is ransomware — a malware type that encrypts the victim’s files and restores the data in exchange for a ransom payment. One of the most distinguishable features of Maze is that it is one of the first malware of the kind to publicly release stolen data. |
Analysis date: | November 08, 2019, 15:30:29 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 00687731AC25ED56C3E5FD86BDBE82C9 |
SHA1: | 64352667125CAAEC965123137C3676C35034E2F2 |
SHA256: | 5510D6366146E1825FF07378FECD56E9DC4BAD8977DEE7F203CA054E51380DA3 |
SSDEEP: | 3:N1KdIqGvOlAQrF6FPsTGJ9MV:CKqGvOlAkFmaEU |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2128 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://cmokc.com/wp-content/themes/gaukingo/9qph4uxbvqdfzv/wrqqfxwr.php" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3380 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2128 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2820 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\885C78ZB\23018[1].zip" | C:\Program Files\WinRAR\WinRAR.exe | — | iexplore.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
1944 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2820.27434\Camera_595934025.js" | C:\Windows\System32\WScript.exe | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3544 | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\963451.dat | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\963451.dat | WScript.exe | |
User: admin Integrity Level: MEDIUM | ||||
792 | "C:\jr\..\Windows\d\..\system32\cca\pcce\..\..\wbem\woply\iruhn\..\..\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | 963451.dat |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147749908 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
896 | "C:\bs\..\Windows\uakxr\ec\qbyvd\..\..\..\system32\msij\xilox\o\..\..\..\wbem\r\usru\..\..\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | 963451.dat |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147749908 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2128 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2128 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3380 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3ED3LN8I\select[1].php | — | |
MD5:— | SHA256:— | |||
3380 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QZJR0YN6\Default[1].txt | — | |
MD5:— | SHA256:— | |||
3380 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:EBA8A8BA119D1F46A617F069512EBDDB | SHA256:231E186E9B43C6B02F8EF70EDD8E3F4F06B532B1DBE48D12578E5BD4C3A9C1D6 | |||
3380 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\QZJR0YN6\Default[1].htm | html | |
MD5:B50F1D99B40FB5FC5037F45D5EC56B0D | SHA256:F58CA13524C834312EBBB2B5506F6BA7B63C1C212C1B8A52580ADECCA2525D8D | |||
3380 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3ED3LN8I\style[1].css | text | |
MD5:818611D28959E79F9A9BA5C1061D84DA | SHA256:19BE5EAD117FB7D9B077526AFE8C32973326B45C2D551B679F420E1F1C92A43D | |||
3380 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\2G2IZTL2\modernizr.custom[1].js | html | |
MD5:FB210E16D7744126F7922387897DD495 | SHA256:CCD5DD62F81C022544BEC23E481204BF2085918F7A3D3A74FE62D62939FDBFE0 | |||
3380 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3ED3LN8I\select[1].htm | html | |
MD5:F7B9C0D7952D8A329C501E75B664A736 | SHA256:FDE8627695AF58AB589C1CD4397BC7C789FD5FE957CCCEF86067BF2E2C9C631E | |||
3380 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | |
MD5:E3171C880B02FF82223BBD414F2BE69D | SHA256:AFABF10ADE7316701586D58E66FA4975B78049391DBE79D0AD8DB48238D7F73B |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3380 | iexplore.exe | GET | 302 | 52.116.231.90:80 | http://cmokc.com/wp-content/themes/gaukingo/9qph4uxbvqdfzv/wrqqfxwr.php | US | — | — | unknown |
3380 | iexplore.exe | GET | — | 147.139.137.244:80 | http://b09v.ukparkingctrl.com/october/indata/cam/select_opt/select.php?module=captcha | US | — | — | malicious |
3380 | iexplore.exe | GET | — | 147.139.137.244:80 | http://b09v.ukparkingctrl.com/70/assets/the_parking_pro.png | US | — | — | malicious |
3380 | iexplore.exe | GET | — | 147.139.137.244:80 | http://b09v.ukparkingctrl.com/70/assets/logo.png | US | — | — | malicious |
3380 | iexplore.exe | GET | — | 147.139.137.244:80 | http://b09v.ukparkingctrl.com/70/assets/bg.png | US | — | — | malicious |
3380 | iexplore.exe | GET | — | 147.139.137.244:80 | http://b09v.ukparkingctrl.com/70/assets/top_bg.png | US | — | — | malicious |
3380 | iexplore.exe | GET | — | 147.139.137.244:80 | http://b09v.ukparkingctrl.com/70/assets/Photographic_banner.jpg | US | — | — | malicious |
3380 | iexplore.exe | GET | 200 | 147.139.137.244:80 | http://b09v.ukparkingctrl.com/october/indata/cam/select_opt/select.php | US | html | 1.92 Kb | malicious |
3380 | iexplore.exe | GET | 200 | 147.139.137.244:80 | http://b09v.ukparkingctrl.com/70/assets/jquery-1.js | US | text | 32.6 Kb | malicious |
3380 | iexplore.exe | POST | — | 147.139.137.244:80 | http://b09v.ukparkingctrl.com/october/indata/cam/select_opt/select.php | US | — | — | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2128 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3380 | iexplore.exe | 152.199.19.160:443 | ajax.aspnetcdn.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3380 | iexplore.exe | 52.116.231.90:80 | cmokc.com | — | US | unknown |
3380 | iexplore.exe | 51.145.119.85:443 | www.ukpcappeals.co.uk | Microsoft Corporation | GB | unknown |
3380 | iexplore.exe | 147.139.137.244:80 | b09v.ukparkingctrl.com | — | US | malicious |
— | — | 51.145.119.85:443 | www.ukpcappeals.co.uk | Microsoft Corporation | GB | unknown |
2128 | iexplore.exe | 51.145.119.85:443 | www.ukpcappeals.co.uk | Microsoft Corporation | GB | unknown |
2128 | iexplore.exe | 147.139.137.244:80 | b09v.ukparkingctrl.com | — | US | malicious |
3544 | 963451.dat | 91.218.114.25:80 | — | Mir Telematiki Ltd | RU | malicious |
3544 | 963451.dat | 91.218.114.31:80 | — | Mir Telematiki Ltd | RU | malicious |
Domain | IP | Reputation |
---|---|---|
cmokc.com |
| unknown |
www.bing.com |
| whitelisted |
b09v.ukparkingctrl.com |
| malicious |
www.ukpcappeals.co.uk |
| unknown |
ajax.aspnetcdn.com |
| whitelisted |
www.highlevelsuccess.monster |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3380 | iexplore.exe | Misc activity | ET INFO SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns) |
1944 | WScript.exe | A Network Trojan was detected | ET TROJAN Possible Malicious Macro DL EXE Feb 2016 |
1944 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
1944 | WScript.exe | Misc activity | ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging) |
3544 | 963451.dat | A Network Trojan was detected | MALWARE [PTsecurity] Maze Ransomware |
3544 | 963451.dat | A Network Trojan was detected | MALWARE [PTsecurity] Maze Ransomware |
3544 | 963451.dat | A Network Trojan was detected | MALWARE [PTsecurity] Maze Ransomware |
3544 | 963451.dat | A Network Trojan was detected | MALWARE [PTsecurity] Maze Ransomware |
3544 | 963451.dat | A Network Trojan was detected | MALWARE [PTsecurity] Maze Ransomware |