Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

http://feedproxy.google.com/~r/rdgahz/~3/KxTOprzA7Go/databank.php?param1=param1&c=dfoster@edgewortheconomics.com

URL

initial url

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{5C0FE4AC-CAB2-11EB-90E4-ECF4BB862DED}.dat

Microsoft Word Document

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5C0FE4AE-CAB2-11EB-90E4-ECF4BB862DED}.dat

Microsoft Word Document

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{5C0FE4AF-CAB2-11EB-90E4-ECF4BB862DED}.dat

Microsoft Word Document

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\ErrorPageTemplate[1]

UTF-8 Unicode (with BOM) text, with CRLF line terminators

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\bullet[1]

PNG image data, 15 x 15, 8-bit colormap, non-interlaced

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\http_404[1]

HTML document, UTF-8 Unicode (with BOM) text, with very long lines, with CRLF line terminators

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\MEEXW4H4\info_48[1]

PNG image data, 47 x 48, 8-bit/color RGBA, non-interlaced

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\down[1]

PNG image data, 15 x 15, 8-bit colormap, non-interlaced

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PSUEOSZZ\errorPageStrings[1]

UTF-8 Unicode (with BOM) text, with CRLF line terminators

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\background_gradient[1]

JPEG image data, JFIF standard 1.02, aspect ratio, density 100x100, segment length 16, baseline, precision 8, 1x800, frames 3

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\databank[1].htm

gzip compressed data, from FAT filesystem (MS-DOS, OS/2, NT)

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\httpErrorPagesScripts[1]

UTF-8 Unicode (with BOM) text, with CRLF line terminators

downloaded

C:\Users\user\AppData\Local\Temp\~DF11EE74CB7DC9C1BE.TMP

data

dropped

C:\Users\user\AppData\Local\Temp\~DF2B32E0794A59CB53.TMP

data

dropped

C:\Users\user\AppData\Local\Temp\~DFB95526EF5CC5F7CB.TMP

data

dropped

There are 6 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Program Files\internet explorer\iexplore.exe

'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	5340
Target ID:	1
Parent PID:	792
Name:	iexplore.exe
Class:	iexplore
Path:	C:\Program Files\internet explorer\iexplore.exe
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Size:	823560
MD5:	6465CB92B25A7BC1DF8E01D8AC5E7596
Time:	05:41:36
Date:	11/06/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff737ad0000
Modulesize:	831488
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Internet Explorer\iexplore.exe

'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5340 CREDAT:17410 /prefetch:2

Details

Is windows:	true
Is dropped:	false
PID:	2416
Target ID:	2
Parent PID:	5340
Name:	iexplore.exe
Class:	iexplore
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5340 CREDAT:17410 /prefetch:2
Size:	822536
MD5:	071277CC2E3DF41EEEA8013E2AB58D5A
Time:	05:41:37
Date:	11/06/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1320000
Modulesize:	827392
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://ganbiya.com/databank.php?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A

unknown

Domains

Name

Malicious

ganbiya.com

94.130.229.185

Details

Name:	ganbiya.com
IP:	94.130.229.185
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Performs DNS lookups	Networking	Application Layer Protocol Non-Application Layer Protocol
URLs found in memory or binary data	Networking
Uses secure TLS version for HTTPS connections	Compliance, Networking

IPs

Domain

Country

Malicious

94.130.229.185

ganbiya.com

Germany

Details

IP:	94.130.229.185
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Country:	Germany
Countrycode:	DEU
ASN number:	24940
ASN name:	HETZNER-ASDE
Private:	false
Domain:	ganbiya.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

C:\Program Files\internet explorer\iexplore.exe

{5C0FE4AC-CAB2-11EB-90E4-ECF4BB862DED}

C:\Program Files\internet explorer\iexplore.exe

AdminActive

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

Blocked

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

LoadTimeArray

C:\Program Files\internet explorer\iexplore.exe

LoadTimeArray

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

Blocked

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

LoadTimeArray

C:\Program Files\internet explorer\iexplore.exe

LoadTimeArray

There are 10 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

1E563A02000

unkown

page read and write

7FF500F72000

unkown

page readonly

1E56325E000

unkown

page read and write

1E563213000

unkown

page read and write

7FF500FFC000

unkown

page readonly

7FF500FEC000

unkown

page readonly

1E56325C000

unkown

page read and write

1E563308000

unkown

page read and write

A7207F7000

unkown

page read and write

1E563870000

unkown

page readonly

1E563272000

unkown

page read and write

A7206FB000

unkown

page read and write

7FF500E8D000

unkown

page readonly

1E563880000

unkown

page read and write

7FF501071000

unkown

page readonly

1E563200000

unkown

page read and write

7FF500B70000

unkown

page readonly

1E563229000

unkown

page read and write

7FF500EB1000

unkown

page readonly

7FF500D9A000

unkown

page readonly

1E5630C0000

heap private

page read and write

7FF500FF6000

unkown

page readonly

7FF500717000

unkown

page readonly

7FF500EB7000

unkown

page readonly

A7204FF000

unkown

page read and write

7FF500EEC000

unkown

page readonly

7FF500B80000

unkown

page readonly

A7201AB000

unkown

page read and write

1E563265000

unkown

page read and write

1E563F40000

unkown

page readonly

7FF501079000

unkown

page readonly

7FF500F86000

unkown

page readonly

1E563120000

heap default

page read and write

7FF500FBF000

unkown

page readonly

7FF500E68000

unkown

page readonly

1E563130000

unkown

page readonly

7FF501010000

unkown

page readonly

1E56325D000

unkown

page read and write

7FF501005000

unkown

page readonly

7FF500812000

unkown

page readonly

A7209FE000

unkown

page read and write

7FF501017000

unkown

page readonly

1E563302000

unkown

page read and write

7FF500E83000

unkown

page readonly

1E563258000

unkown

page read and write

7FF500B6A000

unkown

page readonly

A72047F000

unkown

page read and write

A7205F5000

unkown

page read and write

1E563400000

unkown

page readonly

1E563C00000

unkown

page readonly

7FF500DFF000

unkown

page readonly

7FF500FDD000

unkown

page readonly

7FF500E3E000

unkown

page readonly

1E563290000

unkown

page read and write

7FF500F9A000

unkown

page readonly

7FF500FAE000

unkown

page readonly

1E563300000

unkown

page read and write

1E563272000

unkown

page read and write

7FF500F88000

unkown

page readonly

A7208FF000

unkown

page read and write

7FF501079000

unkown

page readonly

7FF500F70000

unkown

page readonly

7FF500FC9000

unkown

page readonly

7FF500E4A000

unkown

page readonly

1E563260000

unkown

page read and write

7FF501014000

unkown

page readonly

1E563600000

unkown

page readonly

7FF500FE6000

unkown

page readonly

1E563252000

unkown

page read and write

1E563257000

unkown

page read and write

7FF500FB5000

unkown

page readonly

1E563268000

unkown

page read and write

1E56323C000

unkown

page read and write

1E563313000

unkown

page read and write

7FF50106E000

unkown

page readonly

1E563288000

unkown

page read and write

7FF500F82000

unkown

page readonly

There are 67 hidden memdumps, click here to show them.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps