1.txt

Full analysis: https://app.any.run/tasks/b9e55407-932a-4e69-89ec-2f1832f00bb9
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 16, 2019, 21:34:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan, loader, evasion, ransomware
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5: E3621F82CD4226495FA5EFD0C1826FF7
SHA1: E8BC7001DB6F8D64FB50C44E8EA867DFD07F1AEE
SHA256: E136324BEA920C1F8F8CC7A90AB0BD355239035F9160FB6212FB25AD1A2F8D20
SSDEEP: 3:rIBZCFKSVOXbJJFsLTzTH3x8fRARGAi3OlAQSQqXJAFHBuxtmAC26MFH2fxtmACd:sCpQ9YzLh8fmgAi3OlAqylqtMFsqd

Note: the hashes above identify the submitted object, a plain-text file (1.txt) that was opened in Notepad. The malicious behaviour in this task comes from 1[1].exe, which Internet Explorer downloaded from ocean-v.com after the user launched the browser (see "Manual execution by user" and "Downloads executable files from the Internet" below), and from the ctfmon.exe copy it drops. The report does not list hashes for those two executables, so the values above are not indicators for the binary itself.

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 1[1].exe (PID: 2776)
      • ctfmon.exe (PID: 2060)
      • ctfmon.exe (PID: 3712)
    • Changes the autorun value in the registry

      • 1[1].exe (PID: 2776)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 2184)
    • Changes settings of System certificates

      • ctfmon.exe (PID: 2060)
      • 1[1].exe (PID: 2776)
    • Renames files like Ransomware

      • ctfmon.exe (PID: 3712)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 4088)
      • iexplore.exe (PID: 2184)
      • 1[1].exe (PID: 2776)
    • Application launched itself

      • ctfmon.exe (PID: 2060)
    • Starts itself from another location

      • 1[1].exe (PID: 2776)
    • Creates files in the user directory

      • 1[1].exe (PID: 2776)
    • Adds / modifies Windows certificates

      • ctfmon.exe (PID: 2060)
    • Creates files like Ransomware instruction

      • ctfmon.exe (PID: 3712)
    • Creates files in the program directory

      • ctfmon.exe (PID: 3712)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 4088)
    • Manual execution by user

      • iexplore.exe (PID: 4088)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2184)
      • iexplore.exe (PID: 4088)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2184)
    • Changes internet zones settings

      • iexplore.exe (PID: 4088)
    • Creates files in the user directory

      • iexplore.exe (PID: 4088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph (interactive in the full report; click a process to see its details). The chain, as recorded in the process table below:

explorer.exe > NOTEPAD.EXE 1.txt (no specs)
explorer.exe > iexplore.exe > iexplore.exe (tab process) > drops and starts 1[1].exe > drops and starts ctfmon.exe -start > ctfmon.exe -agent 0
1[1].exe > notepad.exe (no specs)
ctfmon.exe > notepad.exe (no specs)

Process information

PID 2172  NOTEPAD.EXE
  CMD:    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\1.txt
  Path:   C:\Windows\system32\NOTEPAD.EXE
  Parent: explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Notepad
  Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 4088  iexplore.exe
  CMD:    "C:\Program Files\Internet Explorer\iexplore.exe"
  Path:   C:\Program Files\Internet Explorer\iexplore.exe
  Parent: explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Internet Explorer
  Exit code: 1 | Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2184  iexplore.exe
  CMD:    "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4088 CREDAT:71937
  Path:   C:\Program Files\Internet Explorer\iexplore.exe
  Parent: iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity level: LOW | Description: Internet Explorer
  Exit code: 0 | Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2776  1[1].exe
  CMD:    "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\1[1].exe"
  Path:   C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\1[1].exe
  Parent: iexplore.exe
  User: admin | Company: (none) | Integrity level: MEDIUM | Description: (none) | Version: (none)
  Exit code: 3735943886 (0xDEADFACE)

PID 2060  ctfmon.exe
  CMD:    "C:\Users\admin\AppData\Roaming\Microsoft\Windows\ctfmon.exe" -start
  Path:   C:\Users\admin\AppData\Roaming\Microsoft\Windows\ctfmon.exe
  Parent: 1[1].exe
  User: admin | Company: (none) | Integrity level: MEDIUM | Description: (none) | Version: (none)
  Exit code: 3735943886 (0xDEADFACE)

PID 896  notepad.exe
  CMD:    notepad.exe
  Path:   C:\Windows\system32\notepad.exe
  Parent: 1[1].exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Notepad
  Exit code: 3735943886 (0xDEADFACE) | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3712  ctfmon.exe
  CMD:    "C:\Users\admin\AppData\Roaming\Microsoft\Windows\ctfmon.exe" -agent 0
  Path:   C:\Users\admin\AppData\Roaming\Microsoft\Windows\ctfmon.exe
  Parent: ctfmon.exe
  User: admin | Company: (none) | Integrity level: MEDIUM | Description: (none) | Version: (none)
  Exit code: 0

PID 1248  notepad.exe
  CMD:    notepad.exe
  Path:   C:\Windows\system32\notepad.exe
  Parent: ctfmon.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM | Description: Notepad
  Exit code: 3735943886 (0xDEADFACE) | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Notes on the table: an exit code of 3735943886 is 0xDEADFACE, the placeholder ANY.RUN shows for a process that was still running when the task ended; it is not a status returned by the program. The genuine ctfmon.exe lives in C:\Windows\System32 and carries Microsoft version information; the copy here runs from the user's Roaming profile with no company, description or version fields, which is the masquerade the "Application was dropped or rewritten from another process" signature flags. The IE tab process (PID 2184) runs at LOW integrity (Protected Mode), while the downloaded 1[1].exe and everything it spawns run at MEDIUM integrity under the interactive user.
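The process rows above are enough to write host-side triage rules for the three patterns the report flags: a System32 binary name running from another directory, an executable running out of the user profile, and a browser spawning something that is not a browser. The script below is an added example for this page, not ANY.RUN code; the rule names, the System32 allowlist and the browser list are assumptions made for illustration, and the event rows are copied from the table above.

```python
"""Process-tree triage rules run over the process rows in the report above.

Added example for this page; it is not ANY.RUN code. The rule set, the
System32 allowlist and the browser list are assumptions made for illustration.
"""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str      # full path of the executable image
    cmdline: str    # kept for context; the rules below look only at image and parent
    parent: str     # parent image name only, as the report lists it


# Rows copied from the "Process information" table above (constructed input).
EVENTS = [
    ProcEvent(2172, r"C:\Windows\system32\NOTEPAD.EXE",
              r'"C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\1.txt', "explorer.exe"),
    ProcEvent(4088, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe"', "explorer.exe"),
    ProcEvent(2184, r"C:\Program Files\Internet Explorer\iexplore.exe",
              r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4088 CREDAT:71937',
              "iexplore.exe"),
    ProcEvent(2776, r"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files"
                    r"\Content.IE5\LH043OAM\1[1].exe",
              r'"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files'
              r'\Content.IE5\LH043OAM\1[1].exe"', "iexplore.exe"),
    ProcEvent(2060, r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\ctfmon.exe",
              r'"C:\Users\admin\AppData\Roaming\Microsoft\Windows\ctfmon.exe" -start', "1[1].exe"),
    ProcEvent(896, r"C:\Windows\system32\notepad.exe", "notepad.exe", "1[1].exe"),
    ProcEvent(3712, r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\ctfmon.exe",
              r'"C:\Users\admin\AppData\Roaming\Microsoft\Windows\ctfmon.exe" -agent 0',
              "ctfmon.exe"),
    ProcEvent(1248, r"C:\Windows\system32\notepad.exe", "notepad.exe", "ctfmon.exe"),
]

SYSTEM32_DIR = r"c:\windows\system32"
# Image names that ship in System32 on Windows 7 (assumed allowlist; build it from a
# clean reference image in practice). The same name running from any other directory
# is the "dropped or rewritten from another process" pattern the report flags.
SYSTEM32_NAMES = {"ctfmon.exe", "notepad.exe", "svchost.exe", "rundll32.exe", "cmd.exe"}
BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}   # assumed list


def check_event(ev):
    """Return the rule names one process row trips; an empty list means nothing notable."""
    directory, name = ntpath.split(ev.image)        # ntpath handles backslashes on any OS
    directory, name = directory.lower(), name.lower()
    hits = []
    if name in SYSTEM32_NAMES and directory != SYSTEM32_DIR:
        hits.append("system_binary_name_outside_system32")
    if "\\appdata\\" in directory + "\\":
        hits.append("executable_in_user_profile")
    if ev.parent.lower() in BROWSERS and name not in BROWSERS:
        hits.append("browser_spawned_non_browser")
    return hits


def scan(events):
    """Map PID -> tripped rules for every row that trips at least one rule."""
    findings = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            findings[ev.pid] = hits
    return findings


if __name__ == "__main__":
    for pid, rules in scan(EVENTS).items():
        print(pid, ", ".join(rules))
```

Run against the report's rows, only PIDs 2776, 2060 and 3712 trip anything: 1[1].exe for running from the IE cache under a browser parent, and both ctfmon.exe instances for a System32 name in the Roaming profile. The two genuine notepad.exe children and the IE tab process stay clean, which is the point of keying the browser rule on the child's name rather than on "has a browser parent".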
Total events: 1 218
Read events: 1 071
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 3
Suspicious files: 80
Text files: 1 640
Unknown types: 6

Dropped files

PID 4088  iexplore.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
  Type: (not listed) | MD5: (not listed) | SHA256: (not listed)

PID 4088  iexplore.exe
  C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Type: (not listed) | MD5: (not listed) | SHA256: (not listed)

PID 2776  1[1].exe
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\ctfmon.exe\:Zone.Identifier:$DATA
  Type: (not listed) | MD5: (not listed) | SHA256: (not listed)

PID 2776  1[1].exe
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0968A1E3A40D2582E7FD463BAEB59CD
  Type: binary | MD5: 9571E60096D15CE51E44EF17FC24F399
  SHA256: 9BCCBC53DC86108FFF10F8326832F15D123FD5714C1C787560967135B90B395C

PID 2184  iexplore.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B915FKJX\desktop.ini
  Type: ini | MD5: 4A3DEB274BB5F0212C2419D3D8D08612
  SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38

PID 3712  ctfmon.exe
  C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Benioku.htm
  Type: (not listed) | MD5: (not listed) | SHA256: (not listed)

PID 2776  1[1].exe
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\564F5106D1B6452FFC2C012EF7A0C9F7
  Type: binary | MD5: BB82E8641B16A33BFB5703208504FE18
  SHA256: 711095247EEABA1C77F04D84FA56A8988C72CE8CEA43E84952F36A67EE2F2F0C

PID 2776  1[1].exe
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0968A1E3A40D2582E7FD463BAEB59CD
  Type: der | MD5: DB78CBD190952735D940BC80AC2432C0
  SHA256: 1A5174980A294A528A110726D5855650266C48D9883BEA692B67B6D726DA98C5

PID 4088  iexplore.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I1TKCJIG\1[1].exe:Zone.Identifier
  Type: text | MD5: FBCCF14D504B7B2DBCB5A5BDA75BD93B
  SHA256: EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913

PID 2184  iexplore.exe
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
  Type: dat | MD5: 42B7D85860E91E87B93601BF3906B3DE
  SHA256: 129DA23EFF6769DF743A1339ACA00551062002111A22CED7AA2753FDA0D11084

Notes on the table: the two Zone.Identifier entries are Mark-of-the-Web alternate data streams. Internet Explorer writes one on 1[1].exe when it downloads it, and the copy that 1[1].exe places at ...\Roaming\Microsoft\Windows\ctfmon.exe carries one too, which is consistent with the file being copied rather than written fresh (NTFS keeps alternate streams when a file is copied). Benioku.htm ("beni oku" is Turkish for "read me") sits under AppData\Local\VirtualStore\Program Files\..., the location where UAC file virtualization redirects a medium-integrity process's write into Program Files; it is the only file listed for PID 3712 and matches that process's "Creates files like Ransomware instruction" hit. The CryptnetUrlCache entries under LocalLow are CryptoAPI's cache of certificates fetched during chain building (the crt.usertrust.com downloads in the HTTP table), not payloads.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 9
DNS requests: 6
Threats: 0

HTTP requests

PID   Process       Method  Code  IP                 URL                                                  CN  Type        Size     Reputation
2776  1[1].exe      GET     200   91.199.212.52:80   http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt  GB  der         1.37 Kb  whitelisted
4088  iexplore.exe  GET     200   204.79.197.200:80  http://www.bing.com/favicon.ico                      US  image       237 b    whitelisted
2184  iexplore.exe  GET     200   120.136.14.25:80   http://ocean-v.com/wp-content/1.exe                  JP  executable  477 Kb   malicious
2776  1[1].exe      GET     301   158.69.65.151:80   http://geoiptool.com/                                CA  html        184 b    whitelisted
2776  1[1].exe      GET     200   91.199.212.52:80   http://crt.usertrust.com/GoGetSSLRSADVCA.crt         GB  der         1.46 Kb  whitelisted
2060  ctfmon.exe    GET     301   158.69.65.151:80   http://geoiptool.com/                                CA  html        184 b    whitelisted
2060  ctfmon.exe    GET     301   88.99.66.31:80     http://iplogger.org/1i8r57.jpg                       DE  html        178 b    shared

Notes on the table: the only payload download is the 477 Kb executable from http://ocean-v.com/wp-content/1.exe, fetched by the IE tab process and saved as 1[1].exe. The two .crt fetches from crt.usertrust.com are CryptoAPI retrieving intermediate certificates (AIA chain building) while 1[1].exe opens its TLS connection to geoiptool.com:443 listed below; they are benign infrastructure traffic and the "suspicious" label on that connection should not be read as attacker infrastructure. The geoiptool.com and iplogger.org requests are the sample and its ctfmon.exe copy looking up the victim's public IP and geolocation and registering the infection with a tracking-pixel service; both return 301 redirects to the HTTPS endpoints, which is why the corresponding :443 connections appear in the next table.

Connections

PID   Process       IP:port             Domain             ASN                    CN  Reputation
4088  iexplore.exe  204.79.197.200:80   www.bing.com       Microsoft Corporation  US  whitelisted
2776  1[1].exe      158.69.65.151:80    geoiptool.com      OVH SAS                CA  suspicious
2776  1[1].exe      158.69.65.151:443   geoiptool.com      OVH SAS                CA  suspicious
2060  ctfmon.exe    158.69.65.151:80    geoiptool.com      OVH SAS                CA  suspicious
2184  iexplore.exe  120.136.14.25:80    ocean-v.com        SAKURA Internet Inc.   JP  malicious
2776  1[1].exe      91.199.212.52:80    crt.usertrust.com  Comodo CA Ltd          GB  suspicious
2060  ctfmon.exe    158.69.65.151:443   geoiptool.com      OVH SAS                CA  suspicious
2060  ctfmon.exe    88.99.66.31:443     iplogger.org       Hetzner Online GmbH    DE  malicious
2060  ctfmon.exe    88.99.66.31:80      iplogger.org       Hetzner Online GmbH    DE  malicious

DNS requests

Domain             IP(s)                           Reputation
www.bing.com       204.79.197.200, 13.107.21.200   whitelisted
ocean-v.com        120.136.14.25                   malicious
geoiptool.com      158.69.65.151                   whitelisted
geodatatool.com    158.69.65.151                   suspicious
crt.usertrust.com  91.199.212.52                   whitelisted
iplogger.org       88.99.66.31                     shared

Threats

PID   Process       Class                                  Message
2184  iexplore.exe  A Network Trojan was detected          ET TROJAN Single char EXE direct download likely trojan (multiple families)
2184  iexplore.exe  A Network Trojan was detected          ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
2184  iexplore.exe  Potential Corporate Privacy Violation  ET POLICY PE EXE or DLL Windows file download HTTP
2776  1[1].exe      Potential Corporate Privacy Violation  ET POLICY Geo Location IP info online service (geoiptool.com)
2060  ctfmon.exe    Potential Corporate Privacy Violation  ET POLICY Geo Location IP info online service (geoiptool.com)

4 ETPRO signatures available at the full report
No debug info
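The HTTP, connection and DNS tables above give the network indicators for this task, and the Threats table names the Emerging Threats rules that fired on them. The script below is an added example for this page, not ANY.RUN or Emerging Threats code: it runs the same kind of logic over constructed proxy log lines, matching the report's domains and approximating the two ET TROJAN URL heuristics (an EXE whose name is a single character; an EXE served from a WordPress folder) plus the ET POLICY geolocation-lookup hit. The regular expressions and label names are assumptions; the real rule bodies are not reproduced here.

```python
"""Network triage over proxy log lines, using the indicators in this report.

Added example for this page; not ANY.RUN or Emerging Threats code. The two URL
heuristics approximate the logic of the ET TROJAN rules named above; the exact
signatures, label names and log format are assumptions.
"""
import re
from urllib.parse import urlsplit

# Domains from the report's DNS and connection tables.
MALICIOUS_DOMAINS = {"ocean-v.com", "iplogger.org"}
GEOIP_DOMAINS = {"geoiptool.com", "geodatatool.com"}   # ET POLICY "Geo Location IP info" hits

# Assumed approximations of the ET TROJAN rules listed in the Threats table.
SINGLE_CHAR_EXE = re.compile(r"^[a-z0-9]\.exe$", re.I)         # e.g. 1.exe, a.exe
WORDPRESS_FOLDER = re.compile(r"^/wp-(content|includes|admin)/", re.I)

# Constructed proxy log lines, "client method url status bytes" (not from the report;
# the URLs mirror the HTTP table plus two benign-looking controls).
LOG_LINES = [
    "10.0.0.5 GET http://ocean-v.com/wp-content/1.exe 200 488448",
    "10.0.0.5 GET http://www.bing.com/favicon.ico 200 237",
    "10.0.0.5 GET http://geoiptool.com/ 301 184",
    "10.0.0.5 GET http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt 200 1402",
    "10.0.0.5 GET http://iplogger.org/1i8r57.jpg 301 178",
    "10.0.0.5 GET http://example.org/downloads/setup-1.2.exe 200 1048576",
    "10.0.0.7 GET http://cdn.iplogger.org/x.png 200 90",
]


def _domain_match(host, domains):
    """True for the domain itself or any subdomain of it."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(url):
    """Return the labels one request earns, in a fixed order (empty = nothing notable)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    basename = path.rsplit("/", 1)[-1]
    labels = []
    if _domain_match(host, MALICIOUS_DOMAINS):
        labels.append("known_malicious_domain")
    if _domain_match(host, GEOIP_DOMAINS):
        labels.append("geoip_lookup")
    if basename.lower().endswith(".exe"):
        labels.append("exe_download")                       # ET POLICY PE EXE download
        if SINGLE_CHAR_EXE.match(basename):
            labels.append("single_char_exe_name")           # ET TROJAN single char EXE
        if WORDPRESS_FOLDER.match(path):
            labels.append("exe_under_wordpress_folder")     # ET TROJAN EXE from wp folder
    return labels


def scan_log(lines):
    """Parse each line and keep only requests that earned at least one label."""
    findings = []
    for line in lines:
        client, method, url, status, size = line.split()
        labels = classify(url)
        if labels:
            findings.append((client, url, int(status), labels))
    return findings


if __name__ == "__main__":
    for client, url, status, labels in scan_log(LOG_LINES):
        print(client, status, url, ", ".join(labels))
```

On the constructed lines the ocean-v.com request earns all four labels, exactly the three rules the Threats table shows for PID 2184 plus the domain match; the certificate fetch from crt.usertrust.com and the Bing favicon earn none, and a normal-looking installer download earns only the generic EXE label. The subdomain match on iplogger.org is deliberate: tracking services of this kind serve from several hostnames, and an exact-match IOC list would miss them.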