URL: | https://neowo.ru/NeoWo.exe |
Full analysis: | https://app.any.run/tasks/8cfde90e-0dde-4c52-becc-03bd921f59d0 |
Verdict: | Malicious activity |
Analysis date: | June 27, 2022, 10:35:25 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | 40CAA3D8E8C5732BC1D7EC65F9285E3A |
SHA1: | 1DEB6A7D41EEDDDC8E1F878D5E27F42D175D3464 |
SHA256: | FB42FEB535545B33D2AE3E98B5E1F9A42FC487F7A5A113F6D4A2664BDE0C7C0D |
SSDEEP: | 3:N8kG+VdAn:2kG+VdA |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2840 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://neowo.ru/NeoWo.exe" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Exit code: 1 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
1472 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2840 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3584 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1108 | "C:\Users\admin\Downloads\NeoWo.exe" | C:\Users\admin\Downloads\NeoWo.exe | — | Explorer.EXE | |||||||||||
User: admin Integrity Level: MEDIUM Description: GravitLauncher 5.2.11 Exit code: 0 Version: 5.2.11, build 1 Modules
| |||||||||||||||
984 | "C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Users\admin\Downloads\NeoWo.exe" | C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe | — | NeoWo.exe | |||||||||||
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Exit code: 0 Version: 8.0.2710.9 Modules
| |||||||||||||||
4036 | C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M | C:\Windows\system32\icacls.exe | — | javaw.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
1964 | "C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -Djdk.attach.allowAttachSelf -XX:+DisableAttachMechanism -Dlauncher.stacktrace=false -Dlauncher.dev=false -Dlauncher.debug=false -Xmx256M -cp C:\Users\admin\Downloads\NeoWo.exe pro.gravit.launcher.nEoWOmAUGMhsme | C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe | javaw.exe | ||||||||||||
User: admin Company: Oracle Corporation Integrity Level: MEDIUM Description: Java(TM) Platform SE binary Version: 8.0.2710.9 Modules
|
(PID) Process: | (2840) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPDaysSinceLastAutoMigration |
Value: 1 | |||
(PID) Process: | (2840) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchLowDateTime |
Value: | |||
(PID) Process: | (2840) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchHighDateTime |
Value: 30968337 | |||
(PID) Process: | (2840) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: | |||
(PID) Process: | (2840) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 30968337 | |||
(PID) Process: | (2840) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (2840) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (2840) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (2840) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
(PID) Process: | (2840) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1472 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab4CFB.tmp | compressed | |
MD5:308336E7F515478969B24C13DED11EDE | SHA256:889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9 | |||
1472 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | |
MD5:308336E7F515478969B24C13DED11EDE | SHA256:889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9 | |||
1472 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab4CE9.tmp | compressed | |
MD5:308336E7F515478969B24C13DED11EDE | SHA256:889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9 | |||
1472 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar4CEA.tmp | cat | |
MD5:2D8A5090656DE9FB55DD0F3BA20F9299 | SHA256:44AE1E61A4E6305C15AAA52FD1B29DDB060E69233703CBA611F5E781D766442E | |||
2840 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF769DC5491650D26E.TMP | gmc | |
MD5:82FB3DBA66990742D790F021E11CE209 | SHA256:CCBFC8B7A90A2997482546166BA27F1126C6624C3877F69394E57452BED2FF70 | |||
1472 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:144F66EABBF4CCA67897EF09BD2756DA | SHA256:4564A86A26C35CB73F912424DAC7E5CE5A199583C725884C116A4838B31A678C | |||
2840 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F | binary | |
MD5:B0B4AC917A7BF89EC53D1A4B3CFE24C9 | SHA256:2C0F4346C7363C4E61E2CBBCFF4BED4189C21BA3605092E3C1179D3ABAA3CFB4 | |||
1472 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\NeoWo[1].exe | executable | |
MD5:1AB85A3DAEF0D39213B1162E95876D0D | SHA256:1C33080661F66E826534E6527F8D74611D84CAA1F98D9FA3AE4C496578307734 | |||
1472 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary | |
MD5:E8F6FD9228B3C06BE0EEF4A539C1416D | SHA256:C8C871ED7812BA180D5B73B2AA1BAE986928596AC28E0E0A83804FF81920C7D6 | |||
1472 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar4CFC.tmp | cat | |
MD5:2D8A5090656DE9FB55DD0F3BA20F9299 | SHA256:44AE1E61A4E6305C15AAA52FD1B29DDB060E69233703CBA611F5E781D766442E |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1964 | javaw.exe | GET | 101 | 65.21.234.160:25572 | http://65.21.234.160:25572/api | US | — | — | suspicious |
1472 | iexplore.exe | GET | 200 | 104.117.200.9:80 | http://x1.c.lencr.org/ | US | der | 717 b | whitelisted |
1472 | iexplore.exe | GET | 200 | 92.123.195.28:80 | http://e1.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTvkAFw3ViPKmUeIVEf3NC7b1ErqwQUWvPtK%2Fw2wjd5uVIw6lRvz1XLLqwCEgRegWa1N8j0goIjPeCEe7MEdw%3D%3D | unknown | der | 344 b | whitelisted |
2840 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | der | 471 b | whitelisted |
1472 | iexplore.exe | GET | 200 | 92.123.195.41:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?24f056ead05b76ad | unknown | compressed | 60.0 Kb | whitelisted |
1472 | iexplore.exe | GET | 200 | 92.123.195.41:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?30cb96e3f8934f44 | unknown | compressed | 60.0 Kb | whitelisted |
2840 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.78 Kb | whitelisted |
2840 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
1472 | iexplore.exe | GET | 200 | 92.123.195.41:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?faf6517b13f69e34 | unknown | compressed | 4.70 Kb | whitelisted |
1472 | iexplore.exe | GET | 200 | 92.123.195.41:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e8b152a9340abcc5 | unknown | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2840 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
1472 | iexplore.exe | 104.117.200.9:80 | x1.c.lencr.org | TPG Telecom Limited | US | unknown |
1472 | iexplore.exe | 104.21.77.46:443 | neowo.ru | Cloudflare Inc | US | unknown |
2840 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1472 | iexplore.exe | 92.123.195.41:80 | ctldl.windowsupdate.com | Akamai International B.V. | — | whitelisted |
1472 | iexplore.exe | 92.123.195.35:80 | e1.o.lencr.org | Akamai International B.V. | — | whitelisted |
2840 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
1964 | javaw.exe | 65.21.234.160:25572 | — | — | US | suspicious |
1472 | iexplore.exe | 92.123.195.28:80 | e1.o.lencr.org | Akamai International B.V. | — | suspicious |
2840 | iexplore.exe | 204.79.197.200:443 | ieonline.microsoft.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
neowo.ru |
| unknown |
ctldl.windowsupdate.com |
| whitelisted |
x1.c.lencr.org |
| whitelisted |
x2.c.lencr.org |
| whitelisted |
e1.o.lencr.org |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
crl3.digicert.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |