File name: Wire_Transfer_Debit _Advice_feebruaur19_2020.xxe

Full analysis: https://app.any.run/tasks/edfabb04-e20b-4a14-a369-9b1df4accfa4
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim's machine to stealing data and files and dropping other malware; the main functionality therefore differs significantly from one trojan family to another. The most common trojan infection chain starts with a phishing email.

Analysis date: February 21, 2020, 17:04:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: 78AEE4C0B2B74AC0C31C8208C270D447
SHA1: 8495E0E223019A23F24EAD380B07AC785A8F6FBE
SHA256: 9FF84134C08D66C3C1FB0942BFBD73373055BC1FF991C8EB55DA955BEC00DDA4
SSDEEP: 768:27/4pfmOlSuVy5e5uOGa+PrIsfyNPu7RT0+iLmQE1JjeQEWgs0d8SeQNtj+YKoKA:27wlmOll4e5uFIsG2FIKz4Wp0+ShiYKe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • Wire_Transfer_Debit _Advice_feebruaur19_2020.scr (PID: 2748)
    • Changes the autorun value in the registry
      • ieinstal.exe (PID: 2848)
  • SUSPICIOUS
    • Reads Internet Cache Settings
      • ieinstal.exe (PID: 2848)
    • Executable content was dropped or overwritten
      • ieinstal.exe (PID: 2848)
      • WinRAR.exe (PID: 3100)
    • Creates files in the user directory
      • ieinstal.exe (PID: 2848)
  • INFO
    • Manual execution by user
      • Wire_Transfer_Debit _Advice_feebruaur19_2020.scr (PID: 2748)
      • taskmgr.exe (PID: 3296)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 38
Monitored processes: 4
Malicious processes: 0
Suspicious processes: 2

Behavior graph (process nodes): start, winrar.exe, wire_transfer_debit _advice_feebruaur19_2020.scr (no specs), ieinstal.exe, taskmgr.exe (no specs)

Process information

PID: 3100
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Wire_Transfer_Debit _Advice_feebruaur19_2020.xxe"
Path: C:\Program Files\WinRAR\WinRAR.exe
Indicators: none listed
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2748
CMD: "C:\Users\admin\Desktop\Wire_Transfer_Debit _Advice_feebruaur19_2020.scr" /S
Path: C:\Users\admin\Desktop\Wire_Transfer_Debit _Advice_feebruaur19_2020.scr
Indicators: none listed
Parent process: explorer.exe
User: admin
Company: Bamsdaar
Integrity Level: MEDIUM
Description: LEARIERLI
Exit code: 0
Version: 1.00

PID: 2848
CMD: "C:\Users\admin\Desktop\Wire_Transfer_Debit _Advice_feebruaur19_2020.scr" /S
Path: C:\Program Files\internet explorer\ieinstal.exe
Indicators: none listed
Parent process: Wire_Transfer_Debit _Advice_feebruaur19_2020.scr
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer Add-on Installer
Exit code: not recorded
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3296
CMD: "C:\Windows\system32\taskmgr.exe"
Path: C:\Windows\system32\taskmgr.exe
Indicators: none listed
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Task Manager
Exit code: not recorded
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 523
Read events: 481
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 6
Text files: 0
Unknown types: 3

Dropped files

PID: 2848
Process: ieinstal.exe
Filename: C:\Users\admin\AppData\Local\Temp\Cab66C.tmp
Type: not recorded
MD5: not recorded
SHA256: not recorded

PID: 2848
Process: ieinstal.exe
Filename: C:\Users\admin\AppData\Local\Temp\Tar66D.tmp
Type: not recorded
MD5: not recorded
SHA256: not recorded

PID: 2848
Process: ieinstal.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E3FCAD4A425A5F708A84C255989CBE2C
Type: der
MD5: CEB056E29696760B0B77C259D773D551
SHA256: F4AAFC830037E8364E67D669EA6965F7A644B9572FED4BE93EEAE96103528999

PID: 3100
Process: WinRAR.exe
Filename: C:\Users\admin\Desktop\Wire_Transfer_Debit _Advice_feebruaur19_2020.scr
Type: executable
MD5: 8057B0467DDE6F5772251AAEC5CECF8E
SHA256: A258E7A6A93B758B489A2E3E8F92C53BCEBA20B1B1105783CABEC0CD6471DC6D

PID: 2848
Process: ieinstal.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Type: der
MD5: E5B4C4B7635BED65B43081B67A098BF2
SHA256: DC5E2574546F7BD8398B294686B305348047FEC459F929B13BE913E8A0E0F8E0

PID: 2848
Process: ieinstal.exe
Filename: C:\Users\admin\ristin\Toolboxsy8.scr
Type: executable
MD5: 8057B0467DDE6F5772251AAEC5CECF8E
SHA256: A258E7A6A93B758B489A2E3E8F92C53BCEBA20B1B1105783CABEC0CD6471DC6D

PID: 2848
Process: ieinstal.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CBB16B7A61CE4E298043181730D3CE9B
Type: binary
MD5: F422948645AA74EBD495DEB574B2FF95
SHA256: EE64AD9A5BEDCEEC2D29A0CF2BE19E53EE39A7C09498F1BF5E7D5BFBE70E6121

PID: 2848
Process: ieinstal.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E3FCAD4A425A5F708A84C255989CBE2C
Type: binary
MD5: B8C78EB1D4E8D54C8FCD1DC7BBE49C4F
SHA256: F0B747DFB0FB555E4CFF127595B7B339F55FD82DCF519EC9A9AD7AAC178CD340

PID: 2848
Process: ieinstal.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Type: binary
MD5: 3F28A39EDB0EC40134BF8197FCD12616
SHA256: 93F7CD2A40FA3E150472216BE2AFC074D92986AD20138D181BDABB3C648333EC

PID: 2848
Process: ieinstal.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CBB16B7A61CE4E298043181730D3CE9B
Type: der
MD5: 16351BC92441876E7107DB335595D0FF
SHA256: 37D89976D154109BEF1DAA2212444E1CEA676F942BF08BC00EEAF9C30633259E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 4
DNS requests: 6
Threats: 0

HTTP requests

PID: 2848
Process: ieinstal.exe
Method: GET
HTTP Code: 200
IP: 151.139.128.14:80
URL: http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
CN: US
Type: der
Size: 727 b
Reputation: whitelisted

PID: 2848
Process: ieinstal.exe
Method: GET
HTTP Code: 200
IP: 151.139.128.14:80
URL: http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D
CN: US
Type: der
Size: 471 b
Reputation: whitelisted

PID: 2848
Process: ieinstal.exe
Method: GET
HTTP Code: 200
IP: 151.139.128.14:80
URL: http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEAt7Luhtp9V%2BIcfZTi4a23A%3D
CN: US
Type: der
Size: 471 b
Reputation: whitelisted

Connections

PID: not shown
Process: not shown
IP: 151.139.128.14:80
Domain: ocsp.usertrust.com
ASN: Highwinds Network Group, Inc.
CN: US
Reputation: suspicious

PID: 2848
Process: ieinstal.exe
IP: 198.54.120.206:443
Domain: docxuploads.com
ASN: Namecheap, Inc.
CN: US
Reputation: malicious

PID: 2848
Process: ieinstal.exe
IP: 79.134.225.108:7522
Domain: ddns.thingsthings.xyz
ASN: Andreas Fink trading as Fink Telecom Services
CN: CH
Reputation: malicious

DNS requests

Domain: docxuploads.com
  • IP: 198.54.120.206
  • Reputation: malicious

Domain: ocsp.usertrust.com
  • IP: 151.139.128.14
  • Reputation: whitelisted

Domain: ocsp.sectigo.com
  • IP: 151.139.128.14
  • Reputation: whitelisted

Domain: ddns.thingsthings.xyz
  • IP: 79.134.225.108
  • Reputation: malicious

Threats

Found threats are available for the paid subscriptions.
1 ETPRO signature available at the full report.
No debug info.