1.txt

Full analysis: https://app.any.run/tasks/b9e55407-932a-4e69-89ec-2f1832f00bb9
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: November 16, 2019, 21:34:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
loader
evasion
ransomware
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5: E3621F82CD4226495FA5EFD0C1826FF7
SHA1: E8BC7001DB6F8D64FB50C44E8EA867DFD07F1AEE
SHA256: E136324BEA920C1F8F8CC7A90AB0BD355239035F9160FB6212FB25AD1A2F8D20
SSDEEP: 3:rIBZCFKSVOXbJJFsLTzTH3x8fRARGAi3OlAQSQqXJAFHBuxtmAC26MFH2fxtmACd:sCpQ9YzLh8fmgAi3OlAqylqtMFsqd

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • 1[1].exe (PID: 2776)
      • ctfmon.exe (PID: 2060)
      • ctfmon.exe (PID: 3712)
    • Changes the autorun value in the registry

      • 1[1].exe (PID: 2776)
    • Changes settings of System certificates

      • ctfmon.exe (PID: 2060)
      • 1[1].exe (PID: 2776)
    • Renames files like Ransomware

      • ctfmon.exe (PID: 3712)
    • Downloads executable files from the Internet

      • iexplore.exe (PID: 2184)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2184)
      • 1[1].exe (PID: 2776)
      • iexplore.exe (PID: 4088)
    • Creates files in the user directory

      • 1[1].exe (PID: 2776)
    • Starts itself from another location

      • 1[1].exe (PID: 2776)
    • Adds / modifies Windows certificates

      • ctfmon.exe (PID: 2060)
    • Application launched itself

      • ctfmon.exe (PID: 2060)
    • Creates files like Ransomware instruction

      • ctfmon.exe (PID: 3712)
    • Creates files in the program directory

      • ctfmon.exe (PID: 3712)
  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 2184)
    • Manual execution by user

      • iexplore.exe (PID: 4088)
    • Application launched itself

      • iexplore.exe (PID: 4088)
    • Changes internet zones settings

      • iexplore.exe (PID: 4088)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 4088)
      • iexplore.exe (PID: 2184)
    • Creates files in the user directory

      • iexplore.exe (PID: 4088)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 8
Malicious processes: 4
Suspicious processes: 0

Behavior graph

Interactive graph available in the full report. Nodes: iexplore.exe, iexplore.exe, 1[1].exe, ctfmon.exe, ctfmon.exe and three notepad.exe instances (no specs); edges are labelled "start" or "drop and start".

Process information

PID
CMD
Path
Indicators
Parent process
PID: 896
CMD: notepad.exe
Path: C:\Windows\system32\notepad.exe
Parent process: 1[1].exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
3735943886 (0xDEADFACE)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 1248
CMD: notepad.exe
Path: C:\Windows\system32\notepad.exe
Parent process: ctfmon.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
3735943886 (0xDEADFACE)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
PID: 2060
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Windows\ctfmon.exe" -start
Path: C:\Users\admin\AppData\Roaming\Microsoft\Windows\ctfmon.exe
Parent process: 1[1].exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3735943886 (0xDEADFACE)
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows\ctfmon.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 2172
CMD: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\1.txt
Path: C:\Windows\system32\NOTEPAD.EXE
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 2184
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4088 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2776
CMD: "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\1[1].exe"
Path: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\1[1].exe
Parent process: iexplore.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3735943886 (0xDEADFACE)
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\lh043oam\1[1].exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 3712
CMD: "C:\Users\admin\AppData\Roaming\Microsoft\Windows\ctfmon.exe" -agent 0
Path: C:\Users\admin\AppData\Roaming\Microsoft\Windows\ctfmon.exe
Parent process: ctfmon.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\roaming\microsoft\windows\ctfmon.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
PID: 4088
CMD: "C:\Program Files\Internet Explorer\iexplore.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 1 218
Read events: 1 071
Write events: 139
Delete events: 8

Modification events

Process (PID): iexplore.exe (4088)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

Process (PID): iexplore.exe (4088)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

Process (PID): iexplore.exe (4088)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

Process (PID): iexplore.exe (4088)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation: write
Name: SecuritySafe
Value: 1

Process (PID): iexplore.exe (4088)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

Process (PID): iexplore.exe (4088)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:

Process (PID): iexplore.exe (4088)
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation: write
Name: {E5FCB513-08B8-11EA-AB41-5254004A04AF}
Value: 0

Process (PID): iexplore.exe (4088)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Type
Value: 4

Process (PID): iexplore.exe (4088)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Count
Value: 2

Process (PID): iexplore.exe (4088)
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Time
Value: E3070B0006001000150022002A007302
Executable files: 3
Suspicious files: 80
Text files: 1 640
Unknown types: 6

Dropped files

PID: 4088
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico

PID: 4088
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

PID: 2776
Process: 1[1].exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\ctfmon.exe\:Zone.Identifier:$DATA

PID: 2184
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
Type: dat

PID: 3712
Process: ctfmon.exe
Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Benioku.htm

PID: 3712
Process: ctfmon.exe
Filename: \Device\HarddiskVolume2\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Benioku.htm.11F-431-BD0

PID: 2184
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\B915FKJX\desktop.ini
Type: ini
MD5: 4A3DEB274BB5F0212C2419D3D8D08612
SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38

PID: 3712
Process: ctfmon.exe
Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Berime.htm

PID: 3712
Process: ctfmon.exe
Filename: \Device\HarddiskVolume2\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\Berime.htm.11F-431-BD0

PID: 3712
Process: ctfmon.exe
Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat Reader DC\IrakHau.htm
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 9
DNS requests: 6
Threats: 9

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2776 | 1[1].exe | GET | 200 | 91.199.212.52:80 | http://crt.usertrust.com/USERTrustRSAAddTrustCA.crt | GB | der | 1.37 Kb | whitelisted
2776 | 1[1].exe | GET | 301 | 158.69.65.151:80 | http://geoiptool.com/ | CA | html | 184 b | whitelisted
2776 | 1[1].exe | GET | 200 | 91.199.212.52:80 | http://crt.usertrust.com/GoGetSSLRSADVCA.crt | GB | der | 1.46 Kb | whitelisted
2060 | ctfmon.exe | GET | 301 | 158.69.65.151:80 | http://geoiptool.com/ | CA | html | 184 b | whitelisted
2184 | iexplore.exe | GET | 200 | 120.136.14.25:80 | http://ocean-v.com/wp-content/1.exe | JP | executable | 477 Kb | malicious
2060 | ctfmon.exe | GET | 301 | 88.99.66.31:80 | http://iplogger.org/1i8r57.jpg | DE | html | 178 b | shared
4088 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4088 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2184 | iexplore.exe | 120.136.14.25:80 | ocean-v.com | SAKURA Internet Inc. | JP | malicious
2776 | 1[1].exe | 158.69.65.151:80 | geoiptool.com | OVH SAS | CA | suspicious
2776 | 1[1].exe | 158.69.65.151:443 | geoiptool.com | OVH SAS | CA | suspicious
2776 | 1[1].exe | 91.199.212.52:80 | crt.usertrust.com | Comodo CA Ltd | GB | suspicious
2060 | ctfmon.exe | 158.69.65.151:80 | geoiptool.com | OVH SAS | CA | suspicious
2060 | ctfmon.exe | 88.99.66.31:80 | iplogger.org | Hetzner Online GmbH | DE | malicious
2060 | ctfmon.exe | 158.69.65.151:443 | geoiptool.com | OVH SAS | CA | suspicious
2060 | ctfmon.exe | 88.99.66.31:443 | iplogger.org | Hetzner Online GmbH | DE | malicious

DNS requests

Domain | IP | Reputation
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
ocean-v.com | 120.136.14.25 | malicious
geoiptool.com | 158.69.65.151 | whitelisted
geodatatool.com | 158.69.65.151 | suspicious
crt.usertrust.com | 91.199.212.52 | whitelisted
iplogger.org | 88.99.66.31 | shared

Threats

PID | Process | Class | Message
2184 | iexplore.exe | A Network Trojan was detected | ET TROJAN Single char EXE direct download likely trojan (multiple families)
2184 | iexplore.exe | A Network Trojan was detected | ET TROJAN EXE Download Request To Wordpress Folder Likely Malicious
2184 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY PE EXE or DLL Windows file download HTTP
2776 | 1[1].exe | Potential Corporate Privacy Violation | ET POLICY Geo Location IP info online service (geoiptool.com)
2060 | ctfmon.exe | Potential Corporate Privacy Violation | ET POLICY Geo Location IP info online service (geoiptool.com)
4 ETPRO signatures available at the full report
No debug info