analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://catmailohio-my.sharepoint.com/:o:/g/personal/ks603017_ohio_edu/EktZncWt5AhKtILlVcnelPgBZZMWynEC13R6TI8M9-g-Lg?e=hgQR9O

Full analysis: https://app.any.run/tasks/6b1006eb-8dca-425f-a9c9-fdd09b84334a
Verdict: Malicious activity
Analysis date: December 06, 2019, 17:44:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

439126F47138ACAC69B4CD29D04132D2

SHA1:

9579B12697F3059DD7BB930C2B38A9A9AA5E37DB

SHA256:

05D126B7A66A6F8178A95E73CAC284AA3E38393F20658B4E3436D09F64AE7CDA

SSDEEP:

3:N8ZRnQArL5+KVFSOX3NFgOZy7RIkw12qLN55X33b:2vQAfNrMtyk/Gh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2580)

    • Changes internet zones settings

      • iexplore.exe (PID: 2580)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3488)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2580)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3488)
      • iexplore.exe (PID: 2580)

    • Creates files in the user directory

      • iexplore.exe (PID: 3488)
      • opera.exe (PID: 408)
      • opera.exe (PID: 3716)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2580)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2580)

    • Manual execution by user

      • opera.exe (PID: 408)
      • opera.exe (PID: 3716)

    • Dropped object may contain Bitcoin addresses

      • opera.exe (PID: 408)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe opera.exe opera.exe

Process information

PID
CMD
Path
Indicators
Parent process
2580"C:\Program Files\Internet Explorer\iexplore.exe" "https://catmailohio-my.sharepoint.com/:o:/g/personal/ks603017_ohio_edu/EktZncWt5AhKtILlVcnelPgBZZMWynEC13R6TI8M9-g-Lg?e=hgQR9O"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3488"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2580 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
408"C:\Program Files\Opera\opera.exe" C:\Program Files\Opera\opera.exe
explorer.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera Internet Browser
Exit code:
0
Version:
1748
3716"C:\Program Files\Opera\opera.exe" C:\Program Files\Opera\opera.exe
explorer.exe
User:
admin
Company:
Opera Software
Integrity Level:
MEDIUM
Description:
Opera Internet Browser
Version:
1748
Total events
928
Read events
668
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
69
Text files
112
Unknown types
22

Dropped files

PID
Process
Filename
Type
2580iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
2580iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3488iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:7A4F4AB1E70EEED59D2C8CCBD42C20D3
SHA256:90ECAA9EFFD799A8064CB52544B7EBA595B08A156A57395D4DB1199313E4EE9A
3488iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9CQ0ZCUE\initstrings[1].jstext
MD5:F3DD4BBCB0B29298C399965AFE363196
SHA256:8738756CF1F86BB9524D1F67ADFA02D9AAB26D917802F4CA58BE0404A922FE0D
3488iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019120620191207\index.datdat
MD5:4A048399CAF31B09FAAC11095A8F882F
SHA256:67A1B002CD93928D2FE983B8F29CC72588948FC5ADBE96832A7EF3CC2B809844
3488iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:E2A1ACDCACB0DC49A37629744C608B14
SHA256:CFF6E0AD37547DF694E5E803E81ECDC5A3EE34A770C2BA2E3C5691DA74B5AC35
3488iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9CQ0ZCUE\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3488iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.datdat
MD5:3EB745C78895095E52AC776D6C78F235
SHA256:E15C9A170FC7BB1CA53BC32AADB5785A3B58A21A5781BB69FE735DE90094597E
3488iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9CQ0ZCUE\init[1].jstext
MD5:A08F97A7C88BD861A9B085CBF9FA94D9
SHA256:03815D08480FB6A4309AD81D306DF2B316B84D712AB77FEF5D2CA38415330B1F
3488iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9CQ0ZCUE\sp.res[1].jstext
MD5:13F04B7CD95261BCB241ACDD46215471
SHA256:C5E91D5AAF60AB2D1A7BABDF63AC4C824427DB9E6EE8D5622206ADB4B1211A1F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
73
DNS requests
29
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
408
opera.exe
GET
200
93.184.220.29:80
http://crl3.digicert.com/Omniroot2025.crl
US
der
5.13 Kb
whitelisted
408
opera.exe
GET
200
93.184.220.29:80
http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
US
der
564 b
whitelisted
408
opera.exe
GET
200
93.184.220.29:80
http://crl3.digicert.com/DigiCertGlobalRootCA.crl
US
der
581 b
whitelisted
408
opera.exe
GET
200
104.18.24.243:80
http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPC1vZt9qvn7bzY3Iidtbhla4mKQQUWIif1tycSCK3FD7%2FhIjo5oX%2F%2Bn0CE3sAAvTsRon4%2BRVzrdwAAAAC9Ow%3D
US
der
1.79 Kb
whitelisted
2580
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2580
iexplore.exe
92.122.253.105:443
c1-onenote-15.cdn.office.net
GTT Communications Inc.
unknown
2580
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3488
iexplore.exe
13.107.6.171:443
onenote.officeapps.live.com
Microsoft Corporation
US
whitelisted
3488
iexplore.exe
104.146.188.37:443
catmailohio-my.sharepoint.com
Microsoft Corporation
US
unknown
3488
iexplore.exe
104.108.55.117:443
go.microsoft.com
Akamai Technologies, Inc.
NL
unknown
3488
iexplore.exe
104.108.60.51:443
static.sharepointonline.com
Akamai Technologies, Inc.
NL
whitelisted
3488
iexplore.exe
2.18.233.62:443
www.microsoft.com
Akamai International B.V.
whitelisted
3488
iexplore.exe
104.111.217.23:443
support.office.com
Akamai International B.V.
NL
unknown
3488
iexplore.exe
2.16.186.41:443
statics-marketingsites-neu-ms-com.akamaized.net
Akamai International B.V.
whitelisted
3488
iexplore.exe
2.16.186.27:443
statics-marketingsites-neu-ms-com.akamaized.net
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
catmailohio-my.sharepoint.com
  • 104.146.188.37
  • 13.107.136.9
suspicious
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
static.sharepointonline.com
  • 104.108.60.51
whitelisted
onenote.officeapps.live.com
  • 13.107.6.171
whitelisted
c1-onenote-15.cdn.office.net
  • 92.122.253.105
whitelisted
go.microsoft.com
  • 104.108.55.117
whitelisted
support.office.com
  • 104.111.217.23
whitelisted
www.microsoft.com
  • 2.18.233.62
whitelisted
az725175.vo.msecnd.net
  • 152.199.19.160
whitelisted
statics-marketingsites-neu-ms-com.akamaized.net
  • 2.16.186.41
  • 2.16.186.27
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://catmailohio-my.sharepoint.com/:o:/g/personal/ks603017_ohio_edu/EktZncWt5AhKtILlVcnelPgBZZMWynEC13R6TI8M9-g-Lg?e=hgQR9O