analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://www.boomertravelers.net/hidaihfa

Full analysis: https://app.any.run/tasks/879ec0b1-d2da-480b-9eaa-f99d40488335
Verdict: Malicious activity
Threats:

GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost.

Analysis date: January 18, 2019, 06:49:44
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
ransomware
gandcrab
Indicators:
MD5:

D69B32C568EC192842C6799495F775DA

SHA1:

9D821B679A6358023711590C5EA028BAFCF01BC1

SHA256:

687A19FFDB242B4F81A6ABC4EC8E1E5B1E3653BA3424346A69A33C165A94B54A

SSDEEP:

3:N1KJS4qT0OyMNY:Cc4qT0OyMY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3124)
    • GandCrab keys found

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3124)
    • Actions looks like stealing of personal data

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3124)
    • Writes file to Word startup folder

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3124)
    • Changes settings of System certificates

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3124)
    • Renames files like Ransomware

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3124)
    • Deletes shadow copies

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3124)
    • Dropped file may contain instructions of ransomware

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3124)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 3136)
      • iexplore.exe (PID: 2832)
    • Creates files in the program directory

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3124)
    • Adds / modifies Windows certificates

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3124)
    • Creates files like Ransomware instruction

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3124)
    • Reads the cookies of Mozilla Firefox

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3124)
    • Creates files in the user directory

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3124)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2832)
    • Application launched itself

      • iexplore.exe (PID: 2832)
    • Creates files in the user directory

      • iexplore.exe (PID: 3136)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3136)
      • iexplore.exe (PID: 2832)
    • Dropped object may contain TOR URL's

      • 11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe (PID: 3124)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start iexplore.exe iexplore.exe #GANDCRAB 11_dfdgdfb87740eqpd3pohyvdlb8ihwa[1].exe wmic.exe vssvc.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2832"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3136"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2832 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3124"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe
iexplore.exe
User:
admin
Company:
Domo Technologies
Integrity Level:
MEDIUM
Description:
Vbprj Feed Folderbrowserdialog Livermre
2140"C:\Windows\system32\wbem\wmic.exe" shadowcopy deleteC:\Windows\system32\wbem\wmic.exe
11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
WMI Commandline Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3268C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2852"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
813
Read events
727
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
424
Text files
323
Unknown types
19

Dropped files

PID
Process
Filename
Type
2832iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2832iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3136iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@google[1].txt
MD5:
SHA256:
2832iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFAC6566FD259294DF.TMP
MD5:
SHA256:
2832iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF4C7FD0C1E0E5477F.TMP
MD5:
SHA256:
2832iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{4E2798E3-1AED-11E9-BAD8-5254004A04AF}.dat
MD5:
SHA256:
2832iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{4E2798E4-1AED-11E9-BAD8-5254004A04AF}.datbinary
MD5:6D82A37D355FDC395975704FD4AA0F3F
SHA256:2986FEF88CB1A44545FFC28910CFF1A709231DBC4818DAFD636B93704FD6B7C9
3136iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.logtext
MD5:4EA0AC15DE98494222F0299B5795B325
SHA256:65FBBC9CE7697B3A3483F7539A7A27CDA56999B114ACD012D890F9BDF03674CC
3136iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019011820190119\index.datdat
MD5:91A556A00208A1EE186E6E2B1E4AFA5D
SHA256:4102F98C5F81B41C6767D8F96015A7D76450C2A9EC027B8B54FDD5F113330F4B
312411_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exeC:\PerfLogs\JZLIFV-DECRYPT.txttext
MD5:B34D648A52E5D106041BEFD3A5C87D60
SHA256:B729EEE09BB8CFC338AC6C29D58AC23BE4BB311AA7541937EEF2FED434E4BEBB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
7
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3136
iexplore.exe
GET
302
185.159.80.108:80
http://185.159.80.108/zkNH48
NL
suspicious
3136
iexplore.exe
GET
301
205.185.125.109:80
http://www.boomertravelers.net/hidaihfa
US
html
236 b
suspicious
3124
11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe
GET
301
138.201.162.99:80
http://www.kakaocorp.link/
DE
html
162 b
malicious
2832
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2832
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3136
iexplore.exe
172.217.16.142:443
drive.google.com
Google Inc.
US
whitelisted
3136
iexplore.exe
205.185.125.109:80
www.boomertravelers.net
FranTech Solutions
US
suspicious
3136
iexplore.exe
172.217.23.161:443
doc-04-bo-docs.googleusercontent.com
Google Inc.
US
whitelisted
3136
iexplore.exe
185.159.80.108:80
Hosting Solution Ltd.
NL
suspicious
3124
11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe
138.201.162.99:80
www.kakaocorp.link
Hetzner Online GmbH
DE
malicious
3124
11_dFDGDfb87740EqpD3pOHyVdLb8ihWa[1].exe
138.201.162.99:443
www.kakaocorp.link
Hetzner Online GmbH
DE
malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.boomertravelers.net
  • 205.185.125.109
suspicious
drive.google.com
  • 172.217.16.142
shared
doc-04-bo-docs.googleusercontent.com
  • 172.217.23.161
shared
www.kakaocorp.link
  • 138.201.162.99
malicious

Threats

PID
Process
Class
Message
3136
iexplore.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Possible Keitaro TDS Redirect
No debug info