URL: http://taqbc.xh.white-gate.com/dol/#.8a82q.dGJsY3VzdG9tZXJzdXBwb3J0QHZmYy5jb20=

Full analysis: https://app.any.run/tasks/97ec7405-aeb4-450a-8328-0f4323de3d94
Verdict: Malicious activity
Analysis date: January 24, 2022, 18:48:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: phishing
Indicators:
  • MD5: EA4885BB70F5B6485F1E38DE1D06CDF3
  • SHA1: 290744C292FC607647A10CA88CDC4B3B50B8D944
  • SHA256: 03F30293487309B838FC4D6F97498A64DDCBD65AA5443D0AF3E87BA33E997358
  • SSDEEP: 3:N1KKEeG3SeRAIGLdxKTMUl9HB93VmBZC:CKcDmVLKTMW9Hwu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3892)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 3464)
      • iexplore.exe (PID: 3892)
    • Reads the computer name

      • iexplore.exe (PID: 3892)
      • iexplore.exe (PID: 3464)
    • Changes internet zones settings

      • iexplore.exe (PID: 3464)
    • Application launched itself

      • iexplore.exe (PID: 3464)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3464)
      • iexplore.exe (PID: 3892)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3464)
      • iexplore.exe (PID: 3892)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3464)
    • Creates files in the user directory

      • iexplore.exe (PID: 3464)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3892)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3464)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start → iexplore.exe → iexplore.exe

Process information

PID: 3464
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://taqbc.xh.white-gate.com/dol/#.8a82q.dGJsY3VzdG9tZXJzdXBwb3J0QHZmYy5jb20="
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID: 3892
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3464 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events: 15 487
Read events: 15 355
Write events: 130
Delete events: 2

Modification events

(PID) Process: (3464) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPDaysSinceLastAutoMigration
Value: 1

(PID) Process: (3464) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchLowDateTime
Value: 61022608

(PID) Process: (3464) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation: write
Name: NTPLastLaunchHighDateTime
Value: 30937427

(PID) Process: (3464) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateLowDateTime
Value: 361030577

(PID) Process: (3464) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation: write
Name: NextCheckForUpdateHighDateTime
Value: 30937427

(PID) Process: (3464) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (3464) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3464) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3464) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (3464) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1
Executable files: 0
Suspicious files: 14
Text files: 20
Unknown types: 10

Dropped files

Columns: PID, Process, Filename, Type

  • 3464 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der
    MD5: FC990EAA7247546FB67C18916A4CAC9B
    SHA256: 294F5BE9159C87842AD3173FE7CDA168C9F2010C6D428085A8AC30EF436CA993
  • 3892 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F | binary
    MD5: 19939C04CC3184506BAB4FF8FE1B73E2
    SHA256: 4F4F9B4D67B613708DB4BC5A76CC65F0559ACCE6E9F4367F6088A79EF2ACDC34
  • 3892 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | der
    MD5: E9953511B806D96C85112D07C44DE02A
    SHA256: 86008864D275A5005CDEE88B0DF9E38009AB1F28E731673403DDCD89078A381B
  • 3892 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6A2279C2CA42EBEE26F14589F0736E50 | der
    MD5: 8B153254225CF81983BAA0400492B53E
    SHA256: A3EB96967C5F501B5E14CF4E0A2BB4B9DFA8933352C973A1EAE89C321804BC25
  • 3892 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | binary
    MD5: 0A14C16E1457628CDB18D989EBD105AA
    SHA256: 6730935A2A9311E95C7E226C835D41746CB60EEEC4681218B8BAA35115ADFD50
  • 3464 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | binary
    MD5: D4CE0E018FEE471B6E206D830924D289
    SHA256: F5CC7D928D1F001D72305B252D647E5A4E50800567EAE44C061A88116EFDF4E6
  • 3464 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed
    MD5: F7DCB24540769805E5BB30D193944DCE
    SHA256: 6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
  • 3464 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary
    MD5: 00C47FA710FEC84D09D20E079EDC858A
    SHA256: 5FD009741AB0463FF63ADCFE2854F94FB7517FC45BE55BD836CC8F15F0720553
  • 3464 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\urlblockindex[1].bin | binary
    MD5: FA518E3DFAE8CA3A0E495460FD60C791
    SHA256: 775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
  • 3892 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | binary
    MD5: 3DA88C64B294733C7FEC960388C8E03B
    SHA256: 4FEFBA4C6D9A42C55D2D6CA5398697E2486A7CDDCC9B0B2B9F5E26C37C3A51FF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 13
TCP/UDP connections: 42
DNS requests: 21
Threats: 0

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation

  • 3892 | iexplore.exe | GET | 200 | 162.0.232.109:80 | http://taqbc.xh.white-gate.com/dol/ | CA | compressed | 403 b | malicious
  • 3892 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | US | der | 471 b | whitelisted
  • 3892 | iexplore.exe | GET | 200 | 18.66.92.210:80 | http://s.ss2.us/r.crl | US | der | 434 b | whitelisted
  • 3892 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted
  • 3892 | iexplore.exe | GET | 200 | 18.66.92.73:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted
  • 3464 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
  • 3464 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
  • 3464 | iexplore.exe | GET | 200 | 95.140.236.128:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ff76e3cdd0b79548 | GB | compressed | 4.70 Kb | whitelisted
  • 3892 | iexplore.exe | GET | 200 | 18.66.137.71:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted
  • 3892 | iexplore.exe | GET | 200 | 18.66.107.5:80 | http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAebvagl9jZ43t8GJbkVRes%3D | US | der | 471 b | whitelisted

Connections

Columns: PID, Process, IP, Domain, ASN, CN, Reputation

  • 3464 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
  • 3892 | iexplore.exe | 162.0.232.109:80 | taqbc.xh.white-gate.com | AirComPlus Inc. | CA | malicious
  • 3464 | iexplore.exe | 95.140.236.128:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | GB | malicious
  • 3464 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
  • 3464 | iexplore.exe | 178.79.242.0:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | DE | whitelisted
  • 3892 | iexplore.exe | 23.23.235.119:443 | butternut-ruby-cell.glitch.me | Amazon.com, Inc. | US | suspicious
  • 3892 | iexplore.exe | 188.114.96.7:443 | cloud.webtype.com | Cloudflare Inc | US | malicious
  • 3464 | iexplore.exe | 152.199.19.161:443 | r20swj13mr.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
  • 3892 | iexplore.exe | 18.66.137.97:80 | ocsp.rootg2.amazontrust.com | Massachusetts Institute of Technology | US | whitelisted
  • 3892 | iexplore.exe | 18.66.92.210:80 | s.ss2.us | Massachusetts Institute of Technology | US | unknown

DNS requests

Columns: Domain, IP(s), Reputation

  • taqbc.xh.white-gate.com | 162.0.232.109 | malicious
  • api.bing.com | 13.107.13.80 | whitelisted
  • www.bing.com | 131.253.33.200, 13.107.22.200 | whitelisted
  • ctldl.windowsupdate.com | 178.79.242.0, 95.140.236.0, 95.140.236.128 | whitelisted
  • ocsp.digicert.com | 93.184.220.29 | whitelisted
  • butternut-ruby-cell.glitch.me | 23.23.235.119, 52.1.190.243, 3.234.98.145, 52.73.90.113, 52.44.125.193, 3.90.93.100, 3.86.152.72, 52.71.118.120 | suspicious
  • o.ss2.us | 18.66.92.28, 18.66.92.73, 18.66.92.70, 18.66.92.207 | whitelisted
  • r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
  • iecvlist.microsoft.com | 152.199.19.161 | whitelisted
  • s.ss2.us | 18.66.92.210, 18.66.92.225, 18.66.92.168, 18.66.92.52 | whitelisted

Threats

PID
Process
Class
Message
Misc activity
ET INFO Suspicious Glitch Hosted DNS Request - Possible Phishing Landing
3892
iexplore.exe
Misc activity
ET INFO Suspicious Glitch Hosted TLS SNI Request - Possible Phishing Landing
3892
iexplore.exe
Misc activity
ET INFO Suspicious Glitch Hosted TLS SNI Request - Possible Phishing Landing
No debug info