| Field | Value |
|---|---|
| URL | http://mononopu.xyz/?cep=on4a0PWkpRmMwbh65_RyyOvz62g6fcwe1n69809QX2CVP-qMIAQJq3XqiKn14Eqv4WjemyfKjDsISZYofObb3AwjQ83RnbfqmVPI3Bg3_o5dub5vl_z132vX5_HtdYshma_R1tNUPmFxzYDls7vr9qTVohlDZ6ln_4ObsOGX8ZdJAqY9ktgkhUkf-d57B7Lcw4ZD-siV5pF4wgs61lFQiTEYl1d54I6r0aQfiK0pacboN5idf9JTw33Zh5_so3d-_mFnkBGDMrS2sUxAyIXtnSVTVQ39KmZwNNZQv2ym8ZymFZhGiPHa0v0pFVVmODIGpqD8MzD0ttJ53dyzpQP2gMmRVN-x4gYf6gow6_jaD4Y |
| Full analysis | https://app.any.run/tasks/94578964-a2be-4743-b2ed-2d45b1aa0774 |
| Verdict | Malicious activity |
| Analysis date | September 30, 2020, 13:51:49 |
| OS | Windows 10 Professional (build: 16299, 64 bit) |
| Tags | |
| Indicators | |
| MD5 | 5CF0AF2D3F6DEFA540B8BE4F60CB9B40 |
| SHA1 | 4D9605854F8F814BBE0B33C52CEAC902CDFE297E |
| SHA256 | 36BFEB710458606874837C01F45B5B6D794DDA9B85EE1A21315C7AF29BB473FC |
| SSDEEP | 12:7dQzskTHIGG6LMi5t+fsvbc7j2okdnWOA:7qxbG6LYkOknWOA |
| PID | CMD | Path | Indicators | Parent process | User | Integrity level | Company | Description | Version |
|---|---|---|---|---|---|---|---|---|---|
| 3172 | "C:\Program Files\internet explorer\iexplore.exe" "http://mononopu.xyz/?cep=on4a0PWkpRmMwbh65_RyyOvz62g6fcwe1n69809QX2CVP-qMIAQJq3XqiKn14Eqv4WjemyfKjDsISZYofObb3AwjQ83RnbfqmVPI3Bg3_o5dub5vl_z132vX5_HtdYshma_R1tNUPmFxzYDls7vr9qTVohlDZ6ln_4ObsOGX8ZdJAqY9ktgkhUkf-d57B7Lcw4ZD-siV5pF4wgs61lFQiTEYl1d54I6r0aQfiK0pacboN5idf9JTw33Zh5_so3d-_mFnkBGDMrS2sUxAyIXtnSVTVQ39KmZwNNZQv2ym8ZymFZhGiPHa0v0pFVVmODIGpqD8MzD0ttJ53dyzpQP2gMmRVN-x4gYf6gow6_jaD4Y" | C:\Program Files\internet explorer\iexplore.exe | | explorer.exe | admin | MEDIUM | Microsoft Corporation | Internet Explorer | 11.00.16299.15 (WinBuild.160101.0800) |
| 3940 | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3172 CREDAT:9474 /prefetch:2 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | | iexplore.exe (PID 3172) | admin | LOW | Microsoft Corporation | Internet Explorer | 11.00.16299.15 (WinBuild.160101.0800) |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 3940 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\5UIG5DSE\tilda-zoom-2.0.min[1].css | text | 5BE9FE829E915D773E34492404B685A8 | 63D34DA22A99FFD5611DEF24ACC0FD58913912AF57D60E3A4DAAA425D878D517 |
| 3940 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2I6MPL32\tild3032-3962-4834-b963-396635343166__-__resizeb__20x__A_fresh_and_simple_s[1].jpg | image | 3545463836995F52519BDC04BC3BA80A | 459361B56C6937E2BE488AAD9B8C026BB2275D7CAA79F9319D3D5B94EDEA14DF |
| 3940 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2I6MPL32\tilda-animation-1.0.min[1].js | text | 7E45048E2E38D3F9978870289CADAC99 | BC2254E158E5414D8977587D1F65156FF158A6981E7C10641C1DEB0AF9EF0956 |
| 3940 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\5UIG5DSE\css[1].css | text | 406BBD3793355E7C871DAE37CF8B5489 | EF468096753B3695F402459C02814DBFBDE44B89209360E5F727318C9ED5ABE2 |
| 3940 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\FZ4P8RAN\tilda-slds-1.4.min[1].js | text | CD4C37214A9B8FBBD931AF25BEC6B7A5 | 7303CFAE42A4DEE5269C5E2DA7ABA325968B6944B81300E618D8F7691CB5298D |
| 3940 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2I6MPL32\tilda-menusub-1.0.min[1].css | text | F59F2761F8CB4407A06DB2228B9AAE44 | 1BE946743DD2FFACF4DBEE1574B2BF9261D4C6527F5AD98919A01F4CBC792853 |
| 3940 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\LD57I5PR\tilda-animation-1.0.min[1].css | text | 5F03E23F22E1D9E026821622742B1CF1 | D845AC461A77E54AF0E48CA2E3DCAC959F793205C2EEFBF1D698BC0F73998F34 |
| 3940 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\FZ4P8RAN\lazyload-1.3.min[1].js | text | D25621918530754F3871FC7FC932FE52 | 50C864474414A4ACF9E8966BE969407E2D1FADBC82CCC1962D9D8F7DB9584A40 |
| 3940 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\5UIG5DSE\tild6630-6438-4563-b437-666435303461__-__resizeb__20x__Travel_from_Tokyo_th[1].jpg | image | 498D0AC744F1A7C1F86EF7570AC28D69 | 900EBF27F12973B43BE0CB9AD1809B23C1F658F1039D1F5D029BB8A3BB89BB79 |
| 3940 | IEXPLORE.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Low\IE\2I6MPL32\tild3461-6339-4334-a436-366266366532__-__resize__20x__25[1].jpg | image | 186B55A1A0F5F01B447ABE1860969A6B | 7F94229ADC9D99891771139BCC159E323ADAC22E2D54BD770D91A76C77FCBCB0 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3940 | IEXPLORE.EXE | GET | 200 | 109.248.11.77:80 | http://mononopu.xyz/css/tilda-zoom-2.0.min.css | RU | text | 5.33 Kb | suspicious |
3940 | IEXPLORE.EXE | GET | 200 | 109.248.11.77:80 | http://mononopu.xyz/css/tilda-blocks-2.12.css?t=1564213267 | RU | text | 57.5 Kb | suspicious |
3940 | IEXPLORE.EXE | GET | 200 | 109.248.11.77:80 | http://mononopu.xyz/tom.php | RU | text | 709 b | suspicious |
3940 | IEXPLORE.EXE | GET | 200 | 109.248.11.77:80 | http://mononopu.xyz/js/tilda-animation-1.0.min.js | RU | text | 16.9 Kb | suspicious |
3940 | IEXPLORE.EXE | GET | 200 | 109.248.11.77:80 | http://mononopu.xyz/js/tilda-slds-1.4.min.js | RU | text | 13.5 Kb | suspicious |
3940 | IEXPLORE.EXE | GET | 200 | 109.248.11.77:80 | http://mononopu.xyz/?cep=on4a0PWkpRmMwbh65_RyyOvz62g6fcwe1n69809QX2CVP-qMIAQJq3XqiKn14Eqv4WjemyfKjDsISZYofObb3AwjQ83RnbfqmVPI3Bg3_o5dub5vl_z132vX5_HtdYshma_R1tNUPmFxzYDls7vr9qTVohlDZ6ln_4ObsOGX8ZdJAqY9ktgkhUkf-d57B7Lcw4ZD-siV5pF4wgs61lFQiTEYl1d54I6r0aQfiK0pacboN5idf9JTw33Zh5_so3d-_mFnkBGDMrS2sUxAyIXtnSVTVQ39KmZwNNZQv2ym8ZymFZhGiPHa0v0pFVVmODIGpqD8MzD0ttJ53dyzpQP2gMmRVN-x4gYf6gow6_jaD4Y | RU | html | 14.8 Kb | suspicious |
3940 | IEXPLORE.EXE | GET | 200 | 109.248.11.77:80 | http://mononopu.xyz/js/tilda-zoom-2.0.min.js | RU | text | 9.89 Kb | suspicious |
3940 | IEXPLORE.EXE | GET | 200 | 109.248.11.77:80 | http://mononopu.xyz/js/tilda-scripts-2.8.min.js | RU | html | 39.5 Kb | suspicious |
3940 | IEXPLORE.EXE | GET | 200 | 109.248.11.77:80 | http://mononopu.xyz/js/tilda-blocks-2.7.js?t=1564213267 | RU | text | 7.88 Kb | suspicious |
3940 | IEXPLORE.EXE | POST | 200 | 137.117.228.253:443 | https://urs.microsoft.com/urs.asmx?MSURS-Client-Key=75BfgLSiwM5BktuYhyVsig%3d%3d&MSURS-MAC=lJn/zDCBXoc%3d | NL | text | 1.44 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3940 | IEXPLORE.EXE | 216.58.205.234:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
3940 | IEXPLORE.EXE | 172.217.16.195:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
3940 | IEXPLORE.EXE | 109.248.11.77:80 | mononopu.xyz | Business Consulting LLC | RU | suspicious |
3940 | IEXPLORE.EXE | 137.117.228.253:443 | urs.microsoft.com | Microsoft Corporation | NL | unknown |
3940 | IEXPLORE.EXE | 77.244.208.197:443 | stat.tildacdn.com | OOO Network of data-centers Selectel | RU | unknown |
3940 | IEXPLORE.EXE | 185.233.2.102:443 | curasao1.com | — | — | unknown |
3172 | iexplore.exe | 109.248.11.77:80 | mononopu.xyz | Business Consulting LLC | RU | suspicious |
| Domain | IP | Reputation |
|---|---|---|
| mononopu.xyz | 109.248.11.77 | suspicious |
| urs.microsoft.com | 137.117.228.253 | whitelisted |
| fonts.googleapis.com | 216.58.205.234 | whitelisted |
| stat.tildacdn.com | 77.244.208.197 | shared |
| fonts.gstatic.com | 172.217.16.195 | whitelisted |
| curasao1.com | 185.233.2.102 | unknown |
PID | Process | Class | Message |
---|---|---|---|
3940 | IEXPLORE.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3940 | IEXPLORE.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3940 | IEXPLORE.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3940 | IEXPLORE.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3940 | IEXPLORE.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3940 | IEXPLORE.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3940 | IEXPLORE.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3940 | IEXPLORE.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3940 | IEXPLORE.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
3940 | IEXPLORE.EXE | Potentially Bad Traffic | AV INFO HTTP Request to a *.xyz domain |
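The alert table above repeats the same message because the sandbox rule fires once per HTTP request whose host sits under a *.xyz TLD. The following Python is an added example, not code from the ANY.RUN report or its tooling: it re-implements that rule over the request rows from this report's HTTP table (embedded as a constructed list), collapses the per-request alerts into the unique domain and IP, and separates the site-builder static assets (the Tilda CSS/JS and images) from the dynamic endpoints a triager would pull next, namely the landing page with its `cep=` parameter and `/tom.php`. The TLD set, the whitelist of telemetry hosts and the static-extension list are assumptions of the example; a TLD-based rule is a weak signal on its own and is only as good as that whitelist.

```python
"""
Added example, not part of the ANY.RUN report: reproduce the sandbox's
"HTTP Request to a *.xyz domain" rule over this report's HTTP requests,
then reduce the per-request alerts to a compact IOC set.
"""
from urllib.parse import urlsplit

# Constructed from this report's HTTP-requests table: (pid, method, status, ip:port, url).
HTTP_LOG = [
    ("3940", "GET", 200, "109.248.11.77:80", "http://mononopu.xyz/css/tilda-zoom-2.0.min.css"),
    ("3940", "GET", 200, "109.248.11.77:80", "http://mononopu.xyz/css/tilda-blocks-2.12.css?t=1564213267"),
    ("3940", "GET", 200, "109.248.11.77:80", "http://mononopu.xyz/tom.php"),
    ("3940", "GET", 200, "109.248.11.77:80", "http://mononopu.xyz/js/tilda-animation-1.0.min.js"),
    ("3940", "GET", 200, "109.248.11.77:80", "http://mononopu.xyz/js/tilda-slds-1.4.min.js"),
    ("3940", "GET", 200, "109.248.11.77:80", "http://mononopu.xyz/?cep=on4a0PWkpRmMwbh65_RyyOvz62g6fcwe1n69809QX2CVP-qMIAQJq3XqiKn14Eqv4WjemyfKjDsISZYofObb3AwjQ83RnbfqmVPI3Bg3_o5dub5vl_z132vX5_HtdYshma_R1tNUPmFxzYDls7vr9qTVohlDZ6ln_4ObsOGX8ZdJAqY9ktgkhUkf-d57B7Lcw4ZD-siV5pF4wgs61lFQiTEYl1d54I6r0aQfiK0pacboN5idf9JTw33Zh5_so3d-_mFnkBGDMrS2sUxAyIXtnSVTVQ39KmZwNNZQv2ym8ZymFZhGiPHa0v0pFVVmODIGpqD8MzD0ttJ53dyzpQP2gMmRVN-x4gYf6gow6_jaD4Y"),
    ("3940", "GET", 200, "109.248.11.77:80", "http://mononopu.xyz/js/tilda-zoom-2.0.min.js"),
    ("3940", "GET", 200, "109.248.11.77:80", "http://mononopu.xyz/js/tilda-scripts-2.8.min.js"),
    ("3940", "GET", 200, "109.248.11.77:80", "http://mononopu.xyz/js/tilda-blocks-2.7.js?t=1564213267"),
    ("3940", "POST", 200, "137.117.228.253:443", "https://urs.microsoft.com/urs.asmx?MSURS-Client-Key=75BfgLSiwM5BktuYhyVsig%3d%3d&MSURS-MAC=lJn/zDCBXoc%3d"),
]

# Assumptions for the example: the TLDs the rule alerts on, hosts treated as
# benign telemetry noise, and extensions regarded as static site assets.
SUSPICIOUS_TLDS = {"xyz"}
WHITELIST = {"urs.microsoft.com", "fonts.googleapis.com", "fonts.gstatic.com"}
STATIC_EXTENSIONS = (".css", ".js", ".jpg", ".jpeg", ".png", ".gif", ".svg", ".ico", ".woff", ".woff2")


def host_of(url: str) -> str:
    """Hostname of a URL, lower-cased, without any port."""
    return (urlsplit(url).hostname or "").lower()


def tld_of(host: str) -> str:
    """Last DNS label of the host, or '' for a bare name or IP-less entry."""
    return host.rsplit(".", 1)[-1] if "." in host else ""


def alerts_for(log):
    """One alert per request whose host is under a suspicious TLD, which is
    why the report's alert table repeats the same line for every request."""
    alerts = []
    for pid, method, status, ipport, url in log:
        host = host_of(url)
        if host in WHITELIST:
            continue
        tld = tld_of(host)
        if tld in SUSPICIOUS_TLDS:
            alerts.append({
                "pid": pid,
                "class": "Potentially Bad Traffic",
                "message": f"HTTP Request to a *.{tld} domain",
                "ip": ipport.rsplit(":", 1)[0],
                "url": url,
            })
    return alerts


def iocs(alerts):
    """Collapse per-request alerts into the unique domains and IPs to block or hunt for."""
    return {
        "domains": sorted({host_of(a["url"]) for a in alerts}),
        "ips": sorted({a["ip"] for a in alerts}),
    }


def dynamic_endpoints(alerts):
    """Alerted URLs that are not static assets: the requests worth pulling for content review."""
    out = set()
    for a in alerts:
        path = urlsplit(a["url"]).path.lower()
        if not path.endswith(STATIC_EXTENSIONS):
            out.add(a["url"])
    return sorted(out)


if __name__ == "__main__":
    found = alerts_for(HTTP_LOG)
    print(f"{len(found)} alerts, one per matching request")
    print(iocs(found))
    for u in dynamic_endpoints(found):
        print("review:", u)
```

Run stand-alone, the script reports nine alerts for the nine mononopu.xyz requests in the table, a single domain/IP pair (mononopu.xyz, 109.248.11.77) as the IOC set, and two URLs to review: the landing page with the `cep=` parameter and `/tom.php`. Everything else on the host is Tilda site-builder boilerplate that the static-extension filter removes from the review queue.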