URL: https://neowo.ru/NeoWo.exe
Full analysis: https://app.any.run/tasks/8cfde90e-0dde-4c52-becc-03bd921f59d0
Verdict: Malicious activity
Analysis date: June 27, 2022, 10:35:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 40CAA3D8E8C5732BC1D7EC65F9285E3A
SHA1: 1DEB6A7D41EEDDDC8E1F878D5E27F42D175D3464
SHA256: FB42FEB535545B33D2AE3E98B5E1F9A42FC487F7A5A113F6D4A2664BDE0C7C0D
SSDEEP: 3:N8kG+VdAn:2kG+VdA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after start: iexplore.exe (PID: 1472), iexplore.exe (PID: 2840)
    • Application was dropped or rewritten from another process: NeoWo.exe (PID: 1108)
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path: iexplore.exe (PID: 1472)
    • Executable content was dropped or overwritten: iexplore.exe (PID: 1472), iexplore.exe (PID: 2840)
    • Drops a file with a compile date too recent: iexplore.exe (PID: 1472), iexplore.exe (PID: 2840)
    • Checks supported languages: NeoWo.exe (PID: 1108), javaw.exe (PID: 1964), javaw.exe (PID: 984)
    • Checks for Java to be installed: NeoWo.exe (PID: 1108)
    • Creates files in the program directory: javaw.exe (PID: 984)
    • Executes JAVA applets: javaw.exe (PID: 984), NeoWo.exe (PID: 1108)
    • Application launched itself: javaw.exe (PID: 984)
    • Uses ICACLS.EXE to modify access control list: javaw.exe (PID: 984)
    • Reads the computer name: javaw.exe (PID: 1964)
    • Creates files in the user directory: javaw.exe (PID: 1964)
  • INFO
    • Application launched itself: iexplore.exe (PID: 2840)
    • Checks supported languages: iexplore.exe (PID: 1472), iexplore.exe (PID: 2840), explorer.exe (PID: 3584), icacls.exe (PID: 4036)
    • Reads the computer name: iexplore.exe (PID: 2840), iexplore.exe (PID: 1472), explorer.exe (PID: 3584), icacls.exe (PID: 4036)
    • Changes internet zones settings: iexplore.exe (PID: 2840)
    • Reads settings of System Certificates: iexplore.exe (PID: 1472), iexplore.exe (PID: 2840)
    • Checks Windows Trust Settings: iexplore.exe (PID: 1472), iexplore.exe (PID: 2840)
    • Reads the date of Windows installation: iexplore.exe (PID: 2840)
    • Modifies the phishing filter of IE: iexplore.exe (PID: 2840)
    • Manual execution by user: explorer.exe (PID: 3584), NeoWo.exe (PID: 1108)
    • Changes settings of System certificates: iexplore.exe (PID: 2840)
    • Creates files in the user directory: iexplore.exe (PID: 2840)
    • Adds / modifies Windows certificates: iexplore.exe (PID: 2840)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 7
Malicious processes: 1
Suspicious processes: 2

Behavior graph

(Interactive graph available in the full report. Nodes shown: start, iexplore.exe, iexplore.exe, explorer.exe (no specs), neowo.exe (no specs), javaw.exe (no specs), icacls.exe (no specs), javaw.exe.)

Process information

Each record lists PID, command line (CMD), image path, parent process, and the properties shown in the report.
PID: 2840
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://neowo.ru/NeoWo.exe"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID: 1472
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2840 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\iertutil.dll

PID: 3584
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\explorer.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\rpcrt4.dll

PID: 1108
CMD: "C:\Users\admin\Downloads\NeoWo.exe"
Path: C:\Users\admin\Downloads\NeoWo.exe
Parent process: Explorer.EXE
User: admin
Integrity Level: MEDIUM
Description: GravitLauncher 5.2.11
Exit code: 0
Version: 5.2.11, build 1
Modules (images):
  • c:\users\admin\downloads\neowo.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\shell32.dll
  • c:\windows\system32\gdi32.dll

PID: 984
CMD: "C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -jar "C:\Users\admin\Downloads\NeoWo.exe"
Path: C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe
Parent process: NeoWo.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Exit code: 0
Version: 8.0.2710.9
Modules (images):
  • c:\program files\java\jre1.8.0_271\bin\javaw.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

PID: 4036
CMD: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Path: C:\Windows\system32\icacls.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (images):
  • c:\windows\system32\icacls.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\ntmarta.dll
  • c:\windows\system32\wldap32.dll

PID: 1964
CMD: "C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe" -Djdk.attach.allowAttachSelf -XX:+DisableAttachMechanism -Dlauncher.stacktrace=false -Dlauncher.dev=false -Dlauncher.debug=false -Xmx256M -cp C:\Users\admin\Downloads\NeoWo.exe pro.gravit.launcher.nEoWOmAUGMhsme
Path: C:\Program Files\Java\jre1.8.0_271\bin\javaw.exe
Parent process: javaw.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Version: 8.0.2710.9
Modules (images):
  • c:\program files\java\jre1.8.0_271\bin\javaw.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll

Total events: 19 444
Read events: 19 333
Write events: 108
Delete events: 3

Modification events

(PID) Process: (2840) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 1

(PID) Process: (2840) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchLowDateTime
Value:

(PID) Process: (2840) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 30968337

(PID) Process: (2840) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value:

(PID) Process: (2840) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 30968337

(PID) Process: (2840) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (2840) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (2840) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (2840) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (2840) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Executable files: 2
Suspicious files: 17
Text files: 18
Unknown types: 26

Dropped files

PID: 1472, Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\Low\Cab4CFB.tmp
Type: compressed
MD5: 308336E7F515478969B24C13DED11EDE
SHA256: 889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9

PID: 1472, Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
Type: compressed
MD5: 308336E7F515478969B24C13DED11EDE
SHA256: 889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9

PID: 1472, Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\Low\Cab4CE9.tmp
Type: compressed
MD5: 308336E7F515478969B24C13DED11EDE
SHA256: 889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9

PID: 1472, Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\Low\Tar4CEA.tmp
Type: cat
MD5: 2D8A5090656DE9FB55DD0F3BA20F9299
SHA256: 44AE1E61A4E6305C15AAA52FD1B29DDB060E69233703CBA611F5E781D766442E

PID: 2840, Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF769DC5491650D26E.TMP
Type: gmc
MD5: 82FB3DBA66990742D790F021E11CE209
SHA256: CCBFC8B7A90A2997482546166BA27F1126C6624C3877F69394E57452BED2FF70

PID: 1472, Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Type: binary
MD5: 144F66EABBF4CCA67897EF09BD2756DA
SHA256: 4564A86A26C35CB73F912424DAC7E5CE5A199583C725884C116A4838B31A678C

PID: 2840, Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F
Type: binary
MD5: B0B4AC917A7BF89EC53D1A4B3CFE24C9
SHA256: 2C0F4346C7363C4E61E2CBBCFF4BED4189C21BA3605092E3C1179D3ABAA3CFB4

PID: 1472, Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\NeoWo[1].exe
Type: executable
MD5: 1AB85A3DAEF0D39213B1162E95876D0D
SHA256: 1C33080661F66E826534E6527F8D74611D84CAA1F98D9FA3AE4C496578307734

PID: 1472, Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Type: binary
MD5: E8F6FD9228B3C06BE0EEF4A539C1416D
SHA256: C8C871ED7812BA180D5B73B2AA1BAE986928596AC28E0E0A83804FF81920C7D6

PID: 1472, Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\Low\Tar4CFC.tmp
Type: cat
MD5: 2D8A5090656DE9FB55DD0F3BA20F9299
SHA256: 44AE1E61A4E6305C15AAA52FD1B29DDB060E69233703CBA611F5E781D766442E

Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 30
DNS requests: 17
Threats: 0

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation ("-" where the report shows no value).

1964  javaw.exe  GET  101  65.21.234.160:25572  http://65.21.234.160:25572/api  US  -  -  suspicious
1472  iexplore.exe  GET  200  104.117.200.9:80  http://x1.c.lencr.org/  US  der  717 b  whitelisted
1472  iexplore.exe  GET  200  92.123.195.28:80  http://e1.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTvkAFw3ViPKmUeIVEf3NC7b1ErqwQUWvPtK%2Fw2wjd5uVIw6lRvz1XLLqwCEgRegWa1N8j0goIjPeCEe7MEdw%3D%3D  unknown  der  344 b  whitelisted
2840  iexplore.exe  GET  200  93.184.220.29:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D  US  der  471 b  whitelisted
1472  iexplore.exe  GET  200  92.123.195.41:80  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?24f056ead05b76ad  unknown  compressed  60.0 Kb  whitelisted
1472  iexplore.exe  GET  200  92.123.195.41:80  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?30cb96e3f8934f44  unknown  compressed  60.0 Kb  whitelisted
2840  iexplore.exe  GET  200  93.184.220.29:80  http://crl3.digicert.com/Omniroot2025.crl  US  der  7.78 Kb  whitelisted
2840  iexplore.exe  GET  200  93.184.220.29:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D  US  der  471 b  whitelisted
1472  iexplore.exe  GET  200  92.123.195.41:80  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?faf6517b13f69e34  unknown  compressed  4.70 Kb  whitelisted
1472  iexplore.exe  GET  200  92.123.195.41:80  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e8b152a9340abcc5  unknown  compressed  4.70 Kb  whitelisted

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation ("-" where the report shows no value).

2840  iexplore.exe  131.253.33.200:443  www.bing.com  Microsoft Corporation  US  whitelisted
1472  iexplore.exe  104.117.200.9:80  x1.c.lencr.org  TPG Telecom Limited  US  unknown
1472  iexplore.exe  104.21.77.46:443  neowo.ru  Cloudflare Inc  US  unknown
2840  iexplore.exe  93.184.220.29:80  ocsp.digicert.com  MCI Communications Services, Inc. d/b/a Verizon Business  US  whitelisted
1472  iexplore.exe  92.123.195.41:80  ctldl.windowsupdate.com  Akamai International B.V.  -  whitelisted
1472  iexplore.exe  92.123.195.35:80  e1.o.lencr.org  Akamai International B.V.  -  whitelisted
2840  iexplore.exe  152.199.19.161:443  iecvlist.microsoft.com  MCI Communications Services, Inc. d/b/a Verizon Business  US  whitelisted
1964  javaw.exe  65.21.234.160:25572  -  -  US  suspicious
1472  iexplore.exe  92.123.195.28:80  e1.o.lencr.org  Akamai International B.V.  -  suspicious
2840  iexplore.exe  204.79.197.200:443  ieonline.microsoft.com  Microsoft Corporation  US  whitelisted

DNS requests

Domain: resolved IP(s) (reputation)

neowo.ru: 104.21.77.46, 172.67.204.122 (unknown)
ctldl.windowsupdate.com: 92.123.195.41, 92.123.195.57 (whitelisted)
x1.c.lencr.org: 104.117.200.9 (whitelisted)
x2.c.lencr.org: 104.117.200.9 (whitelisted)
e1.o.lencr.org: 92.123.195.35, 92.123.195.28 (whitelisted)
api.bing.com: 13.107.5.80 (whitelisted)
www.bing.com: 131.253.33.200, 13.107.22.200 (whitelisted)
ocsp.digicert.com: 93.184.220.29 (whitelisted)
crl3.digicert.com: 93.184.220.29 (whitelisted)
iecvlist.microsoft.com: 152.199.19.161 (whitelisted)

Threats

Detected threats are available with paid subscriptions
2 ETPRO signatures available in the full report
No debug info