analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| URL: | https://cryptobinary-options.tradetoolsfx.com/administrator/cache/ural_726171.php |
| Full analysis: | https://app.any.run/tasks/85d55629-04ee-4ab2-9833-e7bec4f4b346 |
| Verdict: | Malicious activity |
| Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
| Analysis date: | May 24, 2019, 07:15:18 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | 795424869AF6E1015957FC23FD075475 |
| SHA1: | D618E09AAEA3196244F42F5D3390DD615FDE937F |
| SHA256: | 5F337F1DA2E4982E9421B6A546BA12F5F3316B71215D02AD5C89EC8D6F64B378 |
| SSDEEP: | 3:N8K/JmWJfzbR3B5p6kTUnLVn:2K/kcX3Jcxn |
MALICIOUS
Application was dropped or rewritten from another process
- radCB21B.tmp (PID: 2116)
Changes settings of System certificates
- WScript.exe (PID: 2964)
Changes the autorun value in the registry
- radCB21B.tmp (PID: 2116)
TROLDESH was detected
- radCB21B.tmp (PID: 2116)
SUSPICIOUS
Executes scripts
- WinRAR.exe (PID: 1436)
Starts CMD.EXE for commands execution
- WScript.exe (PID: 2964)
Executable content was dropped or overwritten
- WScript.exe (PID: 2964)
- radCB21B.tmp (PID: 2116)
Starts application with an unusual extension
- cmd.exe (PID: 932)
Adds / modifies Windows certificates
- WScript.exe (PID: 2964)
Creates files in the program directory
- radCB21B.tmp (PID: 2116)
INFO
Manual execution by user
- WinRAR.exe (PID: 1436)
Reads Internet Cache Settings
- iexplore.exe (PID: 1708)
- iexplore.exe (PID: 900)
Changes internet zones settings
- iexplore.exe (PID: 900)
Creates files in the user directory
- iexplore.exe (PID: 1708)
Application launched itself
- iexplore.exe (PID: 900)
Dropped object may contain Bitcoin addresses
- radCB21B.tmp (PID: 2116)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
42
Monitored processes
6
Malicious processes
4
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 900 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
| 1708 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:900 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
| 1436 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\ural.zip" | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
| 2964 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa1436.17542\Подробности заказа ОАО Авиакомпания Уральские авиалинии.js" | C:\Windows\System32\WScript.exe | WinRAR.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
| 932 | "C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\radCB21B.tmp | C:\Windows\System32\cmd.exe | — | WScript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 2116 | C:\Users\admin\AppData\Local\Temp\radCB21B.tmp | C:\Users\admin\AppData\Local\Temp\radCB21B.tmp | cmd.exe | |
User: admin Company: Glarysoft Ltd Integrity Level: MEDIUM Description: Registry Defrag Version: 5.0.0.14 | ||||
Total events
1 480
Read events
1 337
Write events
0
Delete events
0
Modification events
Executable files
3
Suspicious files
3
Text files
13
Unknown types
4
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 900 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
| 900 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
| 900 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF501347221FAEE4BE.TMP | — | |
MD5:— | SHA256:— | |||
| 900 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFE4169631B9C67A3B.TMP | — | |
MD5:— | SHA256:— | |||
| 900 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{B85872C3-7DF3-11E9-B63D-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
| 1708 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PCFC6PMG\ural[1].zip | compressed | |
MD5:AC799004A0C2C98952A57F923AFC83F1 | SHA256:EB70D8B16D839AAAF225857C4872B7CAAA47A3163BEF1C5FDC141EE0412AF334 | |||
| 900 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{B85872C4-7DF3-11E9-B63D-5254004A04AF}.dat | binary | |
MD5:E2719F9FC8D5202019770C5203FCFD50 | SHA256:170A437BB5AD80B08A6D1D27161125BA76DCF9867D7F92EFE7F6EFB9BA414589 | |||
| 900 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini | ini | |
MD5:4A3DEB274BB5F0212C2419D3D8D08612 | SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38 | |||
| 2116 | radCB21B.tmp | C:\Users\admin\AppData\Local\Temp\6893A5D897\state.tmp | — | |
MD5:— | SHA256:— | |||
| 2116 | radCB21B.tmp | C:\Users\admin\AppData\Local\Temp\6893A5D897\unverified-microdesc-consensus.tmp | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
6
DNS requests
4
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2964 | WScript.exe | GET | 301 | 95.216.12.141:80 | http://kooolguru.com/wp-includes/ID3/1c.jpg | DE | — | — | suspicious |
900 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
900 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2116 | radCB21B.tmp | 193.23.244.244:443 | — | Chaos Computer Club e.V. | DE | malicious |
1708 | iexplore.exe | 85.93.145.251:443 | cryptobinary-options.tradetoolsfx.com | JSC Internet-Cosmos | RU | unknown |
2964 | WScript.exe | 95.216.12.141:80 | kooolguru.com | Hetzner Online GmbH | DE | suspicious |
2964 | WScript.exe | 188.165.53.185:443 | www.moroccotours.info | OVH SAS | FR | malicious |
— | — | 208.83.223.34:80 | — | Applied Operations, LLC | US | malicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.bing.com |
| whitelisted |
cryptobinary-options.tradetoolsfx.com |
| unknown |
kooolguru.com |
| unknown |
www.moroccotours.info |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2116 | radCB21B.tmp | Misc Attack | ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 273 |
2116 | radCB21B.tmp | Potential Corporate Privacy Violation | POLICY [PTsecurity] TOR SSL connection |