URL: | http://91.196.149.97:81/ridi.exe |
Full analysis: | https://app.any.run/tasks/47a64f1f-1da8-4a36-aff1-4b16c367a663 |
Verdict: | Malicious activity |
Threats: | GandCrab is probably one of the most famous Ransomware. A Ransomware is a malware that asks the victim to pay money in order to restore access to encrypted files. If the user does not cooperate the files are forever lost. |
Analysis date: | December 06, 2018, 05:29:58 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 3F27B4137D61909E7E9AAFD3F15F80E6 |
SHA1: | 2C629ECB3F21B0D87F0AB974ACA545C3F510937E |
SHA256: | 9FAA3ABC087B2017899D5248AA650833151B94241F5DAC1D0647A62A4DB4B8DA |
SSDEEP: | 3:N1K0K+NwMJ:C0HN3 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3484 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3764 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3484 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
3872 | "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\ridi[1].exe" | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\ridi[1].exe | iexplore.exe | ||||||||||||
User: admin Company: Delivery Hero Integrity Level: MEDIUM Description: Datarowview Privilege Transmitting Version: 7.6.3.3 Modules
| |||||||||||||||
384 | "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete | C:\Windows\system32\wbem\wmic.exe | — | ridi[1].exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 2147749908 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3484 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
3484 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3484 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF38E52253EF69DC0A.TMP | — | |
MD5:— | SHA256:— | |||
3484 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFCF6133C275DF7DDD.TMP | — | |
MD5:— | SHA256:— | |||
3484 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{01BEE863-F918-11E8-834A-5254004A04AF}.dat | — | |
MD5:— | SHA256:— | |||
3872 | ridi[1].exe | C:\Users\admin\AppData\Local\Temp\11507584 | — | |
MD5:— | SHA256:— | |||
3872 | ridi[1].exe | C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp | — | |
MD5:— | SHA256:— | |||
3484 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{01BEE864-F918-11E8-834A-5254004A04AF}.dat | binary | |
MD5:E369CDFCC2089FEC5579A00078280A32 | SHA256:BC1E82F48CDAB304283B0406D11212ACA9D1FD560F9958BB5416A8EF88636803 | |||
3484 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\ridi[1].exe | executable | |
MD5:F1CE1708A8BB8F6B0079918C62843E6B | SHA256:624AB619850E287CA913B7F535B310C97164AA1311D3C206FFCA491D8DE35C1B | |||
3484 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\ridi[1].exe:Zone.Identifier | text | |
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B | SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3872 | ridi[1].exe | GET | — | 78.46.77.98:80 | http://www.2mmotorsport.biz/ | DE | — | — | suspicious |
3872 | ridi[1].exe | GET | 200 | 217.26.53.161:80 | http://www.haargenau.biz/ | CH | html | 13.3 Kb | malicious |
3872 | ridi[1].exe | GET | — | 212.59.186.61:80 | http://www.hotelweisshorn.com/ | CH | — | — | malicious |
3872 | ridi[1].exe | GET | 302 | 192.185.159.253:80 | http://www.pizcam.com/ | US | — | — | malicious |
3872 | ridi[1].exe | GET | 301 | 80.244.187.247:80 | http://www.hotelfarinet.com/ | GB | — | — | suspicious |
3872 | ridi[1].exe | GET | 301 | 83.138.82.107:80 | http://www.swisswellness.com/ | DE | — | — | whitelisted |
3872 | ridi[1].exe | GET | — | 217.26.53.37:80 | http://www.hrk-ramoz.com/ | CH | — | — | malicious |
3872 | ridi[1].exe | GET | 301 | 104.24.22.22:80 | http://www.belvedere-locarno.com/ | US | — | — | shared |
3764 | iexplore.exe | GET | 200 | 91.196.149.97:81 | http://91.196.149.97:81/ridi.exe | UA | executable | 497 Kb | suspicious |
3872 | ridi[1].exe | GET | 301 | 83.166.138.7:80 | http://www.whitepod.com/ | CH | — | — | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3484 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3872 | ridi[1].exe | 78.46.77.98:443 | www.2mmotorsport.biz | Hetzner Online GmbH | DE | suspicious |
3764 | iexplore.exe | 91.196.149.97:81 | — | Maximum-Net LLC | UA | suspicious |
3872 | ridi[1].exe | 217.26.53.161:80 | www.haargenau.biz | Hostpoint AG | CH | malicious |
3872 | ridi[1].exe | 78.46.77.98:80 | www.2mmotorsport.biz | Hetzner Online GmbH | DE | suspicious |
3872 | ridi[1].exe | 74.220.215.73:80 | www.bizziniinfissi.com | Unified Layer | US | malicious |
3872 | ridi[1].exe | 192.185.159.253:80 | www.pizcam.com | CyrusOne LLC | US | malicious |
3872 | ridi[1].exe | 83.138.82.107:80 | www.swisswellness.com | hostNET Medien GmbH | DE | suspicious |
3872 | ridi[1].exe | 138.201.162.99:80 | www.fliptray.biz | Hetzner Online GmbH | DE | malicious |
3872 | ridi[1].exe | 192.185.159.253:443 | www.pizcam.com | CyrusOne LLC | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
www.2mmotorsport.biz |
| unknown |
www.haargenau.biz |
| unknown |
www.bizziniinfissi.com |
| malicious |
www.holzbock.biz |
| unknown |
www.fliptray.biz |
| malicious |
www.pizcam.com |
| unknown |
www.swisswellness.com |
| whitelisted |
www.hotelweisshorn.com |
| unknown |
www.whitepod.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3764 | iexplore.exe | A Network Trojan was detected | ET INFO Executable Download from dotted-quad Host |
3764 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP |
3872 | ridi[1].exe | A Network Trojan was detected | ET TROJAN [eSentire] Win32/GandCrab v4/5 Ransomware CnC Activity |
3872 | ridi[1].exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |
3872 | ridi[1].exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |
3872 | ridi[1].exe | A Network Trojan was detected | ET POLICY Data POST to an image file (gif) |
3872 | ridi[1].exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |
3872 | ridi[1].exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |
3872 | ridi[1].exe | A Network Trojan was detected | MALWARE [PTsecurity] Win32/GandCrab Ransomware CnC Activity |
3872 | ridi[1].exe | A Network Trojan was detected | ET POLICY Data POST to an image file (gif) |