analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://zhongxi-chem.com/zj/204.html

Full analysis: https://app.any.run/tasks/58087764-606a-45ba-956c-1c0fa76d49ae
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: December 06, 2018, 16:54:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
ramnit
Indicators:
MD5:

3E8ACF3E0FFAF01AA620A921DBF58AD9

SHA1:

70D984316482F4DA60C5430B969A077633A37189

SHA256:

6CAE5A5D692334AA6F7CF26FF523E841235B4047E0C0F7F2D9C1C413AF250743

SSDEEP:

3:N1KEX1227LQ:CEJ8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • RAMNIT was detected

      • iexplore.exe (PID: 3716)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3440)

    • Creates files in the user directory

      • iexplore.exe (PID: 3716)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3716)

    • Changes internet zones settings

      • iexplore.exe (PID: 3440)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3716)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3716)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
33
Monitored processes
2
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start iexplore.exe #RAMNIT iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3440"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3716"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3440 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
444
Read events
373
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
23
Unknown types
2

Dropped files

PID
Process
Filename
Type
3440iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
3440iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3716iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\commendIcon[1].gifimage
MD5:1298FDFA9A34FCF0012FB4D17944E39D
SHA256:1EEC8D95556607833B28DC000C1894CDFF3E8A79399BF806E27A1C030B8ADE5A
3716iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\calendar[1].jstext
MD5:8E0A2DB392C5235D8672255B95FC8315
SHA256:079606B9361F55A62585A3362EDD214E27D90172BFC5EACFB393F3AD1FB83197
3716iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\list2014[1].pngimage
MD5:E1C5B7A9336C099718E71C4B1507FF86
SHA256:35674DD0FCD09ACE895B130A731413FB59686DC398033CB2CDFD62197334B029
3716iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\contactbg[1].jpgimage
MD5:23E8E2B7841155F5E9FA154AAB7A9C5A
SHA256:D8D1A3933E0031061E86C3698EF75F98B96DA0AD79D28B1DC179D212022A0422
3716iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\jsLibrary2014[1].jstext
MD5:F6F14F81515674D7132A91B864FA61E3
SHA256:FC6B88E9EB441F55F0EAE3A1FB616E6CB76F71C3778EC7E6E966D018F2168567
3716iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\14DH950O30-14391_lit[1].jpgimage
MD5:C0852C3A5927D1DB2A29D2A7072A300F
SHA256:4079C4DFDBA7D712B5B31224CEFA6B6C0EA4779E2AAAE8AB6A50406BAA9B62D5
3716iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@zhongxi-chem[1].txttext
MD5:7918A12AD974ABD99D3F4E026710AEA8
SHA256:00419F88752FAA18A44583C0050B8E8D63990B53B793904EF13EAE61BCA9B5F0
3716iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\newsshow[1].csstext
MD5:54336C08893245776F811FF9031F5AB4
SHA256:3B73121B74B583F74C78C552AD11ABF1C5CD2CF541E3E2A2762F9E049573DE24
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
33
TCP/UDP connections
16
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3716
iexplore.exe
GET
154.210.235.232:80
http://zhongxi-chem.com/css/newsshow.css
US
malicious
3716
iexplore.exe
GET
154.210.235.232:80
http://zhongxi-chem.com/js/jsLibrary2014.js
US
malicious
3716
iexplore.exe
GET
154.210.235.232:80
http://zhongxi-chem.com/js/jquery2.0.js
US
malicious
3716
iexplore.exe
GET
154.210.235.232:80
http://zhongxi-chem.com/js/calendar.js
US
malicious
3716
iexplore.exe
GET
200
154.210.235.232:80
http://zhongxi-chem.com/zj/204.html
US
html
184 Kb
malicious
3440
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3716
iexplore.exe
GET
200
111.206.37.189:80
http://api.share.baidu.com/s.gif?l=http://zhongxi-chem.com/zj/204.html
CN
whitelisted
3716
iexplore.exe
GET
200
154.210.235.232:80
http://zhongxi-chem.com/css/newsshow.css
US
text
4.80 Kb
malicious
3716
iexplore.exe
GET
200
154.210.235.232:80
http://zhongxi-chem.com/js/wb.js
US
text
33.3 Kb
malicious
3716
iexplore.exe
GET
200
154.210.235.232:80
http://zhongxi-chem.com/js/calendar.js
US
text
2.57 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3716
iexplore.exe
154.210.235.232:80
zhongxi-chem.com
MULTACOM CORPORATION
US
suspicious
3440
iexplore.exe
154.210.235.232:80
zhongxi-chem.com
MULTACOM CORPORATION
US
suspicious
3440
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3716
iexplore.exe
111.206.37.189:80
push.zhanzhang.baidu.com
China Unicom Beijing Province Network
CN
malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
zhongxi-chem.com
  • 154.210.235.232
malicious
push.zhanzhang.baidu.com
  • 111.206.37.189
whitelisted
api.share.baidu.com
  • 111.206.37.189
whitelisted

Threats

PID
Process
Class
Message
3716
iexplore.exe
A Network Trojan was detected
ET CURRENT_EVENTS DRIVEBY EXE Embeded in Page Likely Evil M1
3716
iexplore.exe
A Network Trojan was detected
ET TROJAN PE EXE or DLL Windows file download Text
3716
iexplore.exe
A Network Trojan was detected
ET TROJAN RAMNIT.A M2
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://zhongxi-chem.com/zj/204.html