analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://nutritionwallet.com/kmR.phtml?cPPvkqccdhVHcw1Nfccc8jcJcvFWVcfpBcbbb2m

Full analysis: https://app.any.run/tasks/ca51111f-d770-49db-87d3-fe188378b389
Verdict: Malicious activity
Analysis date: March 30, 2020, 16:39:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

25A11F40ECA9DAAA367FA013CF95F3F9

SHA1:

178DE01E7E9E8691926116DC73370C42AD970359

SHA256:

DE0CD284C96CB74E3EC32A9410B98BBBBBBD1E2046F0A6D67A6C02FA92219B03

SSDEEP:

3:N1KQEcxzULG27nRS30nXRKTTOqM4:CQzxzSpRS8RJa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Creates files in the user directory

      • vlc.exe (PID: 3376)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2896)
    • Changes internet zones settings

      • iexplore.exe (PID: 2896)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2772)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2896)
      • iexplore.exe (PID: 2772)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2896)
    • Creates files in the user directory

      • iexplore.exe (PID: 2772)
      • iexplore.exe (PID: 2896)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2896)
      • iexplore.exe (PID: 2772)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2896)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2896)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe vlc.exe

Process information

PID
CMD
Path
Indicators
Parent process
2896"C:\Program Files\Internet Explorer\iexplore.exe" http://nutritionwallet.com/kmR.phtml?cPPvkqccdhVHcw1Nfccc8jcJcvFWVcfpBcbbb2mC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2772"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2896 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3376"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\tesler-step1.mp4"C:\Program Files\VideoLAN\VLC\vlc.exe
iexplore.exe
User:
admin
Company:
VideoLAN
Integrity Level:
MEDIUM
Description:
VLC media player
Version:
2.2.6
Total events
5 864
Read events
1 309
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
50
Text files
64
Unknown types
28

Dropped files

PID
Process
Filename
Type
2772iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab7B24.tmp
MD5:
SHA256:
2772iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar7B25.tmp
MD5:
SHA256:
2896iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2772iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\81TW19CB.txt
MD5:
SHA256:
2772iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\PWOOD167.txt
MD5:
SHA256:
2772iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\7WTIJ3PW.txt
MD5:
SHA256:
2772iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_566B91FCA1A4E0D164DBAC4305A12E11der
MD5:FE3BCFDF82D391BF52F1A54CD0C19CC8
SHA256:4252F20C5090038CA9A347492C1CBEA30132CFBEA6DE3D6AAFADE9770D817962
2772iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\clicks[1].htmhtml
MD5:2D0FF43E698497B2D3ED2A1C7D8BA630
SHA256:89FFDE10B11BDADCB3C7ADE460CB0DC31CC741DC61A1007736483FB92FE6DF3B
2772iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\gtm[1].jstext
MD5:EE453631B02806102CE473EA16D14DF0
SHA256:3160BBFF4FC133F91F2F803368471EF798819DEE42B6DE76A0CB98757F31F7AE
2772iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\clicks[1].htmhtml
MD5:8B075C48D7EE7CA0694505AAC006DB54
SHA256:A1ACCD599FAB56BC02B617C94C5F1442919CFEFAD06C20372A77F878C77EB4F8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
34
TCP/UDP connections
68
DNS requests
28
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2772
iexplore.exe
GET
63.34.215.116:80
http://nutritionwallet.com/kmR.phtml?cPPvkqccdhVHcw1Nfccc8jcJcvFWVcfpBcbbb2m
US
unknown
2772
iexplore.exe
GET
200
172.217.21.195:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
2772
iexplore.exe
GET
200
172.217.21.195:80
http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEFeh1L3VO0beCAAAAAAyCgc%3D
US
der
471 b
whitelisted
2772
iexplore.exe
GET
200
23.254.88.36:80
http://hellogrand.com/clicks?cid=26385&pub=200996&sid1=1_8715_2451959&sid2=1514_297216_2344207_37&sid3=313037048
US
html
4.92 Kb
unknown
2772
iexplore.exe
GET
307
104.27.145.95:80
http://rapid-cdn.com/?flux_fts=ioxtixzzcotllizozxeiclzclcqzllcaqxxzi74b5b&pubid=200996&vert=&cid=
US
shared
2772
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrBBNpPfHTPX6Jy6BVzyBPnBWMnQQUPnQtH89FdQR%2BP8Cihz5MQ4NRE8YCEAbm5EhDjrXRrFJL5AxFXjA%3D
US
der
280 b
whitelisted
2772
iexplore.exe
GET
200
172.217.21.195:80
http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEFeh1L3VO0beCAAAAAAyCgc%3D
US
der
471 b
whitelisted
2772
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
US
der
1.47 Kb
whitelisted
2772
iexplore.exe
GET
200
172.217.21.195:80
http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
US
der
468 b
whitelisted
2772
iexplore.exe
GET
200
23.254.88.36:80
http://hellogrand.com/clicks/?cid=4740&pub=200996&prevcid=26385&sid1=1_8715_2451959&sid2=1514_297216_2344207_37&sid3=313037048&sid4=
US
html
4.94 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2772
iexplore.exe
172.217.21.195:80
ocsp.pki.goog
Google Inc.
US
whitelisted
2772
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2896
iexplore.exe
104.18.47.132:443
offer-notavailable.com
Cloudflare Inc
US
shared
2772
iexplore.exe
104.18.47.132:443
offer-notavailable.com
Cloudflare Inc
US
shared
2772
iexplore.exe
23.254.88.36:80
hellogrand.com
ColoCrossing
US
unknown
2772
iexplore.exe
172.217.16.168:443
www.googletagmanager.com
Google Inc.
US
whitelisted
2772
iexplore.exe
63.34.215.116:80
nutritionwallet.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
unknown
2772
iexplore.exe
104.27.145.95:80
rapid-cdn.com
Cloudflare Inc
US
shared
2896
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2772
iexplore.exe
52.43.5.155:80
track.theincrediblemehtod.com
Amazon.com, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
nutritionwallet.com
  • 63.34.215.116
unknown
hellogrand.com
  • 23.254.88.36
unknown
www.googletagmanager.com
  • 172.217.16.168
whitelisted
ocsp.pki.goog
  • 172.217.21.195
whitelisted
offer-notavailable.com
  • 104.18.47.132
  • 104.18.46.132
suspicious
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
rapid-cdn.com
  • 104.27.145.95
  • 104.27.144.95
unknown
go.sanderea.com
  • 191.101.164.106
unknown

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .icu Domain
2772
iexplore.exe
Potentially Bad Traffic
ET INFO Suspicious Domain (*.icu) in TLS SNI
2772
iexplore.exe
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.icu)
2772
iexplore.exe
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.icu)
Process
Message
vlc.exe
core libvlc: one instance mode ENABLED
vlc.exe
core libvlc: Running vlc with the default interface. Use 'cvlc' to use vlc without interface.
vlc.exe
direct3d vout display error: Could not read adapter capabilities. (hr=0x8876086A)
vlc.exe
direct3d vout display error: Direct3D could not be initialized