| URL: | http://r20.rs6.net/tn.jsp?f=00149l14ksmaP3ToWE9foxYx_pue27dvWllLdJwxT8_3UHU_fs0RgjdUknWbaBznGJ0XcJ5lTjm03meKWsYcO5Elfzy7DemCJu8E1vIQLRhu1eKqx22lpQJjlmSEcVs6vH4wllbhL5EqajlobxvHj2IJdBR5Wg3qf7Y6R7sxXy8n5HiFfw3vahl46Xa1hBccsPSHnOYi2VbGhV4_inaOMCrnozqd4TJUflT&c=3AGVVr-YbeIhvx0KaYzNhuzLI0-drAmPZnFuZ88DmqwBh7roDwguIQ==&ch=VKLQG6gysOaeGOmzXCSoVKhv7Pm55xsaTbQ_d-Cqa4n2OU0hyuJSZA== |
| Full analysis: | https://app.any.run/tasks/faf70eb5-c1aa-418f-ab1a-85e4babc6a4a |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | July 11, 2019, 16:59:17 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MD5: | 637DC5C750B511DA64E3C12CFB66640C |
| SHA1: | E6411BA753BE75FD2275A07713EB6150CC05DE84 |
| SHA256: | 8E860D0CFCC4CA99B3953576AD47D88D06D32531D7532B3BDFF9F1C2C5680C93 |
| SSDEEP: | 6:CMXVBTmRZ5M+9S8XkqAfwIvBxO3mvFiVx0dd8LW/izBI6XFad3/tqAZh:ZFBqRZ++1uBxOWzdSC/iVI6XAdfZh |
MALICIOUS
Downloads executable files from the Internet
- WScript.exe (PID: 2292)
Application was dropped or rewritten from another process
- ouwrj.exe (PID: 2920)
- JFHRсав.exe (PID: 3900)
- JFHRсав.exe (PID: 2812)
- LFHTсав.exe (PID: 3628)
Known privilege escalation attack
- DllHost.exe (PID: 3792)
Stops/Deletes Windows Defender service via SC.exe
- cmd.exe (PID: 4044)
- cmd.exe (PID: 2568)
- cmd.exe (PID: 3960)
- cmd.exe (PID: 588)
Disables Windows Defender
- JFHRсав.exe (PID: 2812)
- LFHTсав.exe (PID: 3628)
Executes PowerShell scripts
- cmd.exe (PID: 2932)
- cmd.exe (PID: 2372)
- cmd.exe (PID: 3736)
- cmd.exe (PID: 3232)
- cmd.exe (PID: 3940)
- cmd.exe (PID: 2144)
- cmd.exe (PID: 3060)
- cmd.exe (PID: 3636)
- cmd.exe (PID: 3044)
- cmd.exe (PID: 3764)
- cmd.exe (PID: 1256)
- cmd.exe (PID: 3700)
- cmd.exe (PID: 2560)
- cmd.exe (PID: 2280)
- cmd.exe (PID: 3860)
- cmd.exe (PID: 3576)
- cmd.exe (PID: 2660)
- cmd.exe (PID: 3960)
- cmd.exe (PID: 3716)
- cmd.exe (PID: 3192)
Loads the Task Scheduler COM API
- JFHRсав.exe (PID: 2812)
SUSPICIOUS
Executes scripts
- WinRAR.exe (PID: 3068)
Executable content was dropped or overwritten
- WScript.exe (PID: 2292)
- ouwrj.exe (PID: 2920)
- JFHRсав.exe (PID: 2812)
Creates files in the program directory
- ouwrj.exe (PID: 2920)
- LFHTсав.exe (PID: 3628)
Executed via COM
- DllHost.exe (PID: 3792)
Starts CMD.EXE for commands execution
- JFHRсав.exe (PID: 2812)
- LFHTсав.exe (PID: 3628)
Creates files in the user directory
- powershell.exe (PID: 2132)
- powershell.exe (PID: 3028)
- powershell.exe (PID: 3488)
- powershell.exe (PID: 2336)
- powershell.exe (PID: 3992)
- powershell.exe (PID: 3152)
- powershell.exe (PID: 4016)
- powershell.exe (PID: 4060)
- powershell.exe (PID: 2620)
- powershell.exe (PID: 3908)
- JFHRсав.exe (PID: 2812)
Executed via Task Scheduler
- LFHTсав.exe (PID: 3628)
INFO
Application launched itself
- iexplore.exe (PID: 2928)
Changes internet zones settings
- iexplore.exe (PID: 2928)
Reads Internet Cache Settings
- iexplore.exe (PID: 3236)
- iexplore.exe (PID: 2928)
Creates files in the user directory
- iexplore.exe (PID: 3236)
Reads settings of System Certificates
- iexplore.exe (PID: 2928)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
116
Monitored processes
57
Malicious processes
23
Suspicious processes
5
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 588 | "C:\Windows\System32\cmd.exe" /c sc delete WinDefend | C:\Windows\System32\cmd.exe | — | LFHTсав.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 1060 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 600 | powershell Set-MpPreference -ModerateThreatDefaultAction 6 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1256 | "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisablePrivacyMode $true | C:\Windows\System32\cmd.exe | — | LFHTсав.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2132 | powershell Set-MpPreference -DisableBehaviorMonitoring $true | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2144 | "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -LowThreatDefaultAction 6 | C:\Windows\System32\cmd.exe | — | JFHRсав.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2280 | "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableIOAVProtection $true | C:\Windows\System32\cmd.exe | — | LFHTсав.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
| 2292 | "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3068.40227\7827_929_99.vbs" | C:\Windows\System32\WScript.exe | WinRAR.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.8.7600.16385 Modules
| |||||||||||||||
| 2300 | sc delete WinDefend | C:\Windows\system32\sc.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: A tool to aid in developing services for WindowsNT Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2336 | powershell Set-MpPreference -DisablePrivacyMode $true | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2372 | "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableBlockAtFirstSeen $true | C:\Windows\System32\cmd.exe | — | JFHRсав.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows Command Processor Exit code: 1 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) Modules
| |||||||||||||||
Total events
3 818
Read events
3 166
Write events
649
Delete events
3
Modification events
| (PID) Process: | (2928) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (2928) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (2928) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (2928) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones |
| Operation: | write | Name: | SecuritySafe |
Value: 1 | |||
| (PID) Process: | (2928) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (2928) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 4600000077000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2928) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active |
| Operation: | write | Name: | {4443BB79-A3FD-11E9-A9B1-5254004A04AF} |
Value: 0 | |||
| (PID) Process: | (2928) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Type |
Value: 4 | |||
| (PID) Process: | (2928) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Count |
Value: 1 | |||
| (PID) Process: | (2928) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Time |
Value: E307070004000B0010003B002700B001 | |||
Executable files
3
Suspicious files
26
Text files
12
Unknown types
5
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2928 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
| 2928 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
| 2928 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFC9F03F6AF8B2CFB0.TMP | — | |
MD5:— | SHA256:— | |||
| 2928 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF8AD92045958C8346.TMP | — | |
MD5:— | SHA256:— | |||
| 2928 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{4443BB79-A3FD-11E9-A9B1-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
| 3236 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | |
MD5:— | SHA256:— | |||
| 3068 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3068.40227\7827_929_99.vbs | text | |
MD5:— | SHA256:— | |||
| 3236 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\JavaDeployReg.log | text | |
MD5:— | SHA256:— | |||
| 3236 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini | ini | |
MD5:4A3DEB274BB5F0212C2419D3D8D08612 | SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38 | |||
| 3488 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PL1KJC1QVP6IW36DYVBZ.temp | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
4
DNS requests
4
Threats
5
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
3236 | iexplore.exe | GET | 200 | 104.27.145.180:80 | http://img.mailinblue.com/1571019/attachments/main3828.zip?v=1562862706423 | US | compressed | 3.42 Kb | malicious |
3236 | iexplore.exe | GET | 302 | 208.75.122.11:80 | http://r20.rs6.net/tn.jsp?f=00149l14ksmaP3ToWE9foxYx_pue27dvWllLdJwxT8_3UHU_fs0RgjdUknWbaBznGJ0XcJ5lTjm03meKWsYcO5Elfzy7DemCJu8E1vIQLRhu1eKqx22lpQJjlmSEcVs6vH4wllbhL5EqajlobxvHj2IJdBR5Wg3qf7Y6R7sxXy8n5HiFfw3vahl46Xa1hBccsPSHnOYi2VbGhV4_inaOMCrnozqd4TJUflT&c=3AGVVr-YbeIhvx0KaYzNhuzLI0-drAmPZnFuZ88DmqwBh7roDwguIQ==&ch=VKLQG6gysOaeGOmzXCSoVKhv7Pm55xsaTbQ_d-Cqa4n2OU0hyuJSZA== | US | — | — | whitelisted |
2292 | WScript.exe | GET | 200 | 67.23.226.159:80 | http://alemanautos.cl/audipromo.php | US | executable | 402 Kb | malicious |
2928 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2928 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3236 | iexplore.exe | 104.27.145.180:80 | img.mailinblue.com | Cloudflare Inc | US | shared |
2292 | WScript.exe | 67.23.226.159:80 | alemanautos.cl | HostDime.com, Inc. | US | suspicious |
3236 | iexplore.exe | 208.75.122.11:80 | r20.rs6.net | Constant Contact, Inc | US | suspicious |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.bing.com |
| whitelisted |
r20.rs6.net |
| whitelisted |
img.mailinblue.com |
| malicious |
alemanautos.cl |
| malicious |
Threats
PID | Process | Class | Message |
|---|---|---|---|
3236 | iexplore.exe | Potentially Bad Traffic | ET WEB_CLIENT Suspicious Possible Zip DL containing single VBS script |
2292 | WScript.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
2292 | WScript.exe | A Network Trojan was detected | ET CURRENT_EVENTS WinHttpRequest Downloading EXE |
2292 | WScript.exe | Misc activity | ET INFO EXE - Served Attached HTTP |
1 ETPRO signatures available at the full report