analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://www.purolator-efp.com/

Full analysis: https://app.any.run/tasks/e7cf15fc-bf87-443b-b9ad-a1ffc80376ff
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: January 17, 2020, 21:24:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
miner
coinminer
trojan
Indicators:
MD5:

33F0FCCF16253AFB484BEF93A5CA99DA

SHA1:

F3CBA95EAB7BFEF3D5E5AF135A2672AA47F44812

SHA256:

22FBED432CA65E1ACA9E136337EBF8C2994A5488954A00DA0F4BEC60C47778F8

SSDEEP:

3:N1KJS4bJ4KYmfIK:Cc42KYmf3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • COINMINER was detected

      • iexplore.exe (PID: 776)

  • SUSPICIOUS

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3788)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 1560)

    • Creates files in the user directory

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3788)
      • iexplore.exe (PID: 776)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 776)

    • Reads internet explorer settings

      • iexplore.exe (PID: 776)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 776)

    • Changes internet zones settings

      • iexplore.exe (PID: 1560)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
1
Suspicious processes
1

Behavior graph

Click at the process to see the details
start iexplore.exe #COINMINER iexplore.exe flashutil32_26_0_0_131_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1560"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
776"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1560 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3788C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
Total events
428
Read events
363
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
48
Unknown types
7

Dropped files

PID
Process
Filename
Type
1560iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
1560iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
776iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][2].txt
MD5:
SHA256:
776iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.datdat
MD5:762ADE40A1734FA7BEA9987DAD7415A5
SHA256:2B6A8D88099C6BB336CFBC7ABE6CCE7140E989DD305E1297279FFCDA2A812AAB
776iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:4134C20E88EFF29CCEA6D37D30273E09
SHA256:8818FBB03AD973D509562A3437DFC7587E33B1F0F8A73A9B4CCAE22A1F94319D
776iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:9D27A92A5FD05A58D95ECCECB9209BC7
SHA256:5367118C7A7C7450295A35EB7530DC0706AB84507DAE15960D0CDC61997725C5
776iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5VKQI314\jquery.animate-colors-min[1].jstext
MD5:6CCBB96F9D82E1583DBA49FDD738C0F7
SHA256:40A15C25A8A912B02D3E2B73A14CA3F294D324ACCCE1C6C4D7519A976800AA2D
776iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FNTOAOTZ\portal[1].csstext
MD5:F564FE91B6E89839E8141B1716529DEE
SHA256:EE397DA7F07E1B978C65B46EBEA3146A087C63118D6EE0D12DE07B58917CD02B
776iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\000HKF6X\Style[1].csstext
MD5:8ADB530996525CEBDAE29E7EC052F7CA
SHA256:299CE6BF439229063B23FB1B14709052DA420095ACC38DA654A3BB2B01DC1706
776iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txttext
MD5:63EECDAD167B41BC009A8F8A97D7C785
SHA256:F0C17AD5232C188D81C92B7025762C8B1016940B79B598597FFBA7C846EB31FB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
36
TCP/UDP connections
12
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
776
iexplore.exe
GET
200
12.233.213.74:80
http://www.purolator-efp.com/
US
html
27.7 Kb
malicious
1560
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
776
iexplore.exe
GET
200
12.233.213.74:80
http://www.purolator-efp.com/Portals/21/portal.css?cdv=881
US
text
610 b
malicious
776
iexplore.exe
GET
200
12.233.213.74:80
http://www.purolator-efp.com/Resources/Shared/stylesheets/dnndefault/7.0.0/default.css?cdv=881
US
text
94.2 Kb
malicious
776
iexplore.exe
GET
200
12.233.213.74:80
http://www.purolator-efp.com/Resources/libraries/jQuery-Migrate/01_02_01/jquery-migrate.js?cdv=881
US
text
16.7 Kb
malicious
776
iexplore.exe
GET
200
12.233.213.74:80
http://www.purolator-efp.com/DesktopModules/DNNGo_DNNGallery/Effects/Effect_03_SkitterSlideshow/js/jquery.animate-colors-min.js?cdv=05.02.00.881
US
text
4.16 Kb
malicious
776
iexplore.exe
GET
200
12.233.213.74:80
http://www.purolator-efp.com/DesktopModules/DNNGo_DNNGallery/Effects/Effect_03_SkitterSlideshow/js/jquery.skitter.js?cdv=05.02.00.881
US
html
98.0 Kb
malicious
776
iexplore.exe
GET
200
12.233.213.74:80
http://www.purolator-efp.com/DesktopModules/DNNGo_DNNGallery/Effects/Effect_03_SkitterSlideshow/Themes/Theme_03_Default/Style.css?cdv=05.02.00.881
US
text
6.35 Kb
malicious
776
iexplore.exe
GET
200
12.233.213.74:80
http://www.purolator-efp.com/Resources/Search/SearchSkinObjectPreview.css?cdv=881
US
text
2.79 Kb
malicious
776
iexplore.exe
GET
200
152.199.19.160:80
http://ajax.aspnetcdn.com/ajax/4.5.2/1/WebForms.js
US
text
4.50 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
776
iexplore.exe
152.199.19.160:80
ajax.aspnetcdn.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
776
iexplore.exe
172.217.16.174:80
www.google-analytics.com
Google Inc.
US
whitelisted
1560
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
776
iexplore.exe
81.171.8.134:443
www.hostingcloud.racing
LeaseWeb Netherlands B.V.
NL
malicious
776
iexplore.exe
12.233.213.74:80
www.purolator-efp.com
AT&T Data Communications Services
US
malicious
1560
iexplore.exe
12.233.213.74:80
www.purolator-efp.com
AT&T Data Communications Services
US
malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.purolator-efp.com
  • 12.233.213.74
unknown
ajax.aspnetcdn.com
  • 152.199.19.160
whitelisted
www.hostingcloud.racing
  • 81.171.8.134
whitelisted
www.google-analytics.com
  • 172.217.16.174
whitelisted

Threats

PID
Process
Class
Message
776
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] Coinhive/DeepMiner JavaScript Miner
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://www.purolator-efp.com/