analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://parcel.v4svuu9r1i7mnhy.noit.ir/?PIZZZZZZZZAA=amFta2FAbXMuZ292LnBs

Full analysis: https://app.any.run/tasks/6051cfa4-9163-446a-a610-492712ef5f0f
Verdict: Malicious activity
Analysis date: September 30, 2020, 07:35:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

66BFF89940681824335A3E65D69C8DAD

SHA1:

4E7CB90389AB9F33531CD27C91895D1847732617

SHA256:

503AAAB319A1AC4E7F5D7196F9480C24B985698B97E5885122D14FBB36E73629

SSDEEP:

3:N1KOEX1Lr56LKQLIm3/H/kiI2WlUWn:COu69Im30iI2WlUW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executed via COM

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2096)

  • INFO

    • Reads settings of System Certificates

      • iexplore.exe (PID: 956)
      • iexplore.exe (PID: 2608)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 956)
      • iexplore.exe (PID: 2608)

    • Changes internet zones settings

      • iexplore.exe (PID: 956)

    • Application launched itself

      • iexplore.exe (PID: 956)

    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 2608)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2608)

    • Creates files in the user directory

      • iexplore.exe (PID: 2608)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2096)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 956)

    • Changes settings of System certificates

      • iexplore.exe (PID: 956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
956"C:\Program Files\Internet Explorer\iexplore.exe" http://parcel.v4svuu9r1i7mnhy.noit.ir/?PIZZZZZZZZAA=amFta2FAbXMuZ292LnBsC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2608"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:956 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2096C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
Total events
861
Read events
779
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
78
Text files
88
Unknown types
76

Dropped files

PID
Process
Filename
Type
2608iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab7C2F.tmp
MD5:
SHA256:
2608iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar7C30.tmp
MD5:
SHA256:
956iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2608iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\RQNPG47C.htmhtml
MD5:0DD2B15968A7265C49C6412C5A7B4BFE
SHA256:5B1A84D2B1179EC5C24607A44600EE9A00BEA28A739398A41FF68231B44593CD
2608iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711Eder
MD5:4E3BB9CAFBD57BD729300DA56BEB9962
SHA256:EC5D4D3B64AE9CEAE31E1DCF58599F914B3BFB41DEDAF0EF152C1851153B554D
2608iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\24QXTK0Y.txttext
MD5:4301A52B8DDAAC15C9260DF87232A3CE
SHA256:DF43B03C5F7DF4EA040E54A450B3C4846B693E4F86AE678E7D5824253AFC5C11
2608iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\71B7A0C47F03497FE441237621DE7D69binary
MD5:053077481A066EEB273FF6BB94C9F713
SHA256:E3F6028FD9D17CE6BD16C053AB62315C26F6903FA83DF276880411A1097611DD
2608iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711Ebinary
MD5:3DE1CB23A5D040AD39109F37DB6347B0
SHA256:984D434B9E2FBF083C22967374A46090E9DF8646FCB84829A1A46C9AA53895DD
2608iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08binary
MD5:ADA43BD74B0978591D479D83D44147FB
SHA256:866A8CF2CE2D3246A7E31A239EB083979964C2A221301D5210912254CF4132AA
2608iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\dpdpl[1].htmhtml
MD5:438B67B181279E0CF560251AEE5E2580
SHA256:25F3E4EBA70CE0249E2D60E18D8F9FC1FC035258CC544A2D762387839CFA33D1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
42
TCP/UDP connections
107
DNS requests
46
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2608
iexplore.exe
GET
200
142.250.74.195:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
2608
iexplore.exe
GET
301
104.239.174.59:80
http://parcel.v4svuu9r1i7mnhy.noit.ir/?PIZZZZZZZZAA=amFta2FAbXMuZ292LnBs
US
html
374 b
suspicious
2608
iexplore.exe
GET
200
2.16.107.43:80
http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgNznKLhoTDz955T%2B7CL4xsVjg%3D%3D
unknown
der
527 b
whitelisted
2608
iexplore.exe
GET
200
2.16.107.80:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
unknown
der
1.37 Kb
whitelisted
956
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2608
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
US
der
471 b
whitelisted
2608
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECED%2FzUI3tAun7U7CGnHDWrvg%3D
US
der
471 b
whitelisted
2608
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.sectigo.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECECMV6OzFoHDAfztRr3CGwpk%3D
US
der
471 b
whitelisted
2608
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
US
der
727 b
whitelisted
2608
iexplore.exe
GET
200
142.250.74.195:80
http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEBK1mh3UyYM7CAAAAABXnzA%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2608
iexplore.exe
35.208.231.76:443
ventriq.net
US
unknown
956
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2608
iexplore.exe
151.139.128.14:80
ocsp.comodoca.com
Highwinds Network Group, Inc.
US
suspicious
2608
iexplore.exe
195.149.84.100:443
reported.com
World News PTE. LTD
GB
malicious
151.139.128.14:80
ocsp.comodoca.com
Highwinds Network Group, Inc.
US
suspicious
2608
iexplore.exe
195.149.84.100:80
reported.com
World News PTE. LTD
GB
malicious
2608
iexplore.exe
104.239.174.59:80
parcel.v4svuu9r1i7mnhy.noit.ir
Rackspace Ltd.
US
suspicious
2608
iexplore.exe
195.149.84.101:443
reported.com
World News PTE. LTD
GB
malicious
2608
iexplore.exe
2.16.107.80:80
isrg.trustid.ocsp.identrust.com
Akamai International B.V.
suspicious
2608
iexplore.exe
2.16.107.43:80
ocsp.int-x3.letsencrypt.org
Akamai International B.V.
suspicious

DNS requests

Domain
IP
Reputation
parcel.v4svuu9r1i7mnhy.noit.ir
  • 104.239.174.59
suspicious
ventriq.net
  • 35.208.231.76
unknown
isrg.trustid.ocsp.identrust.com
  • 2.16.107.80
  • 2.16.107.73
whitelisted
reported.com
  • 195.149.84.100
  • 195.149.84.101
unknown
api.bing.com
  • 13.107.13.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ocsp.int-x3.letsencrypt.org
  • 2.16.107.43
  • 2.16.107.114
whitelisted
wn.com
  • 195.149.84.101
  • 195.149.84.100
whitelisted
ocsp.comodoca.com
  • 151.139.128.14
whitelisted
ocsp.usertrust.com
  • 151.139.128.14
whitelisted

Threats

PID
Process
Class
Message
2608
iexplore.exe
Misc Attack
ET CINS Active Threat Intelligence Poor Reputation IP group 95
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://parcel.v4svuu9r1i7mnhy.noit.ir/?PIZZZZZZZZAA=amFta2FAbXMuZ292LnBs