analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://192.236.161.152/novoo.exe

Full analysis: https://app.any.run/tasks/0f254c36-cd63-4363-b3f9-7f391b1e9c61
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: February 21, 2020, 16:13:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
loader
Indicators:
MD5:

8731B5CBBF477D11620202C3FBFF5498

SHA1:

F4473BC46BC4E34722DE13FB35F7A096EF924350

SHA256:

34E49904C4BE4AAFA6513080E7833BC427BBE575A15F04C88A7519BCC0FE5316

SSDEEP:

3:N1KkXWUYLJasyC:CkxsyC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • novoo.exe (PID: 3400)

    • Downloads executable files from the Internet

      • iexplore.exe (PID: 3216)

    • Downloads executable files from IP

      • iexplore.exe (PID: 3216)

    • Changes settings of System certificates

      • novoo.exe (PID: 3400)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 4040)

    • Reads Internet Cache Settings

      • novoo.exe (PID: 3400)

    • Creates files in the user directory

      • novoo.exe (PID: 3400)

    • Adds / modifies Windows certificates

      • novoo.exe (PID: 3400)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 4040)
      • iexplore.exe (PID: 3216)

    • Application launched itself

      • iexplore.exe (PID: 4040)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 4040)

    • Changes internet zones settings

      • iexplore.exe (PID: 4040)

    • Creates files in the user directory

      • iexplore.exe (PID: 4040)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 4040)

    • Changes settings of System certificates

      • iexplore.exe (PID: 4040)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 4040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start iexplore.exe iexplore.exe novoo.exe

Process information

PID
CMD
Path
Indicators
Parent process
4040"C:\Program Files\Internet Explorer\iexplore.exe" "http://192.236.161.152/novoo.exe"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3216"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:4040 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3400"C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\novoo.exe" C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\novoo.exe
iexplore.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\microsoft\windows\temporary internet files\content.ie5\b6qgx7lp\novoo.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\comctl32.dll
c:\windows\system32\gdi32.dll
Total events
10 811
Read events
694
Write events
0
Delete events
0

Modification events

No data
Executable files
1
Suspicious files
16
Text files
4
Unknown types
6

Dropped files

PID
Process
Filename
Type
3216iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\novoo[1].exe
MD5:
SHA256:
3216iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\novoo.exe.7fkn8kj.partial
MD5:
SHA256:
4040iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFBDD98BCEB6025B81.TMP
MD5:
SHA256:
4040iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\novoo.exe.7fkn8kj.partial:Zone.Identifier
MD5:
SHA256:
4040iexplore.exeC:\Users\admin\AppData\Local\Temp\Cab55C4.tmp
MD5:
SHA256:
4040iexplore.exeC:\Users\admin\AppData\Local\Temp\Tar55C5.tmp
MD5:
SHA256:
4040iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver572E.tmp
MD5:
SHA256:
4040iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\XHQFNNPK.txt
MD5:
SHA256:
4040iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\QKHOWTNQ.txt
MD5:
SHA256:
3400novoo.exeC:\Users\admin\AppData\Local\Temp\Cab73CC.tmp
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
7
TCP/UDP connections
13
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4040
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
4040
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
4040
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
3216
iexplore.exe
GET
200
192.236.161.152:80
http://192.236.161.152/novoo.exe
US
executable
2.96 Mb
suspicious
3400
novoo.exe
GET
200
216.58.204.99:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
3400
novoo.exe
GET
200
216.58.204.99:80
http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEA%2Fh3wHkYFwrCAAAAAAucVw%3D
US
der
471 b
whitelisted
3400
novoo.exe
GET
200
216.58.204.99:80
http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDu3mVgzTXArwIAAAAAWXG3
US
der
472 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3400
novoo.exe
216.58.213.142:443
drive.google.com
Google Inc.
US
whitelisted
4040
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
4040
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3216
iexplore.exe
192.236.161.152:80
Hostwinds LLC.
US
suspicious
4040
iexplore.exe
204.79.197.200:443
ieonline.microsoft.com
Microsoft Corporation
US
whitelisted
3400
novoo.exe
216.58.198.193:443
doc-10-7s-docs.googleusercontent.com
Google Inc.
US
whitelisted
3400
novoo.exe
216.58.204.99:80
ocsp.pki.goog
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
drive.google.com
  • 216.58.213.142
shared
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted
ocsp.pki.goog
  • 216.58.204.99
whitelisted
doc-10-7s-docs.googleusercontent.com
  • 216.58.198.193
shared

Threats

PID
Process
Class
Message
3216
iexplore.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://192.236.161.152/novoo.exe