URL: https://cdn.krnl.rocks/getkey.php
Full analysis: https://app.any.run/tasks/33ca5211-6a97-4256-b843-7c1006af5a96
Verdict: Malicious activity
Analysis date: February 11, 2021, 19:02:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 98E13F84FCECE70371B72FFF241CF36B
SHA1: 9B24026234DF5966550F447766E910B1FE55FAA3
SHA256: 07A2FB1895B591FEA57441D4906F1B150EBE73368A7DEE805F3C8F17E2F0AEAD
SSDEEP: 3:N8cAL9KCpx:2c2Kax

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Changes settings of System certificates

      • iexplore.exe (PID: 2800)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2800)
    • Changes internet zones settings

      • iexplore.exe (PID: 2800)
    • Application launched itself

      • iexplore.exe (PID: 2800)
    • Creates files in the user directory

      • iexplore.exe (PID: 2140)
      • iexplore.exe (PID: 2800)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2140)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2800)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 34
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph: start -> iexplore.exe -> iexplore.exe

Process information

PID: 2800
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://cdn.krnl.rocks/getkey.php
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2140
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2800 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 911
Read events: 831
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 26
Text files: 7
Unknown types: 11

Dropped files

PID: 2800  Process: iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  MD5:
  SHA256:

PID: 2140  Process: iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Low\CabB771.tmp
  MD5:
  SHA256:

PID: 2140  Process: iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Low\TarB772.tmp
  MD5:
  SHA256:

PID: 2140  Process: iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_8E951DA6A0241FD49B38A76FD526157D
  Type: binary
  MD5: 7D5700F79373BA4757023BE3ACE3E191
  SHA256: 7554EFE254151F295B45E4CF76830EACFDE9D36041B5CFC93D162739F8EC661B

PID: 2800  Process: iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Cab6E9C.tmp
  MD5:
  SHA256:

PID: 2140  Process: iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F
  Type: binary
  MD5: 37FB436059407994D7558F8BEDA123F5
  SHA256: 8150967BADA522A97406B1DEBD81BB91C7C3084CDEE6C4022D399CBB8B67B5D4

PID: 2140  Process: iexplore.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\TJC2MQUJ.txt
  Type: text
  MD5: B94D0888261EBAEEECDA320001E56A06
  SHA256: F054B3627CD4575F76495CE565CDC3D86E0C71E559E6D8507A29427231B2E76D

PID: 2140  Process: iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC197601BE0898B7B0FCC91FA15D8A69_574AC7B4D0DE52C7720FF13A12C65DB5
  Type: binary
  MD5: 2F9AA540DFEA5112E5E88292FA2DDDFF
  SHA256: DCC86E7A74124568B8888E416E08BE5810E0F9494D491B9166A28CC02FA321FE

PID: 2140  Process: iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\css[1].css
  Type: text
  MD5: 33AAA56C0F0C5FB17885CFC9FF9B9ACB
  SHA256: 0240A5B70B5952524E73C472F1A046A5D18DF7F5031A5ACB346E640BDD93E4A4

PID: 2140  Process: iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_8E951DA6A0241FD49B38A76FD526157D
  Type: der
  MD5: 454A050525A74B16F36EFF54FE32E05B
  SHA256: 8E11FECF469AF7B03BC4A81E0CF79E735C5D50CC7DEEDE346FF65D1AD27E692A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 46
DNS requests: 15
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2140 | iexplore.exe | GET | 200 | 142.250.185.67:80 | http://crl.pki.goog/gsr2/gsr2.crl | US | der | 950 b | whitelisted
2140 | iexplore.exe | GET | 200 | 142.250.185.67:80 | http://crl.pki.goog/gsr2/gsr2.crl | US | der | 950 b | whitelisted
2140 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.30 Kb | whitelisted
2800 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
2800 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
2800 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
2140 | iexplore.exe | GET | 200 | 142.250.185.67:80 | http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEE%2FYp%2FAP0In4AwAAAADLQKc%3D | US | der | 471 b | whitelisted
2140 | iexplore.exe | GET | 200 | 142.250.185.67:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDeVQQCjPy%2BvggAAAAAcLPy | US | der | 472 b | whitelisted
2140 | iexplore.exe | GET | 200 | 142.250.185.67:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted
2800 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2140 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2140 | iexplore.exe | 142.250.185.100:443 | www.google.com | Google Inc. | US | whitelisted
2800 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2140 | iexplore.exe | 142.250.185.170:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
2140 | iexplore.exe | 142.250.185.67:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
 |  | 104.21.85.124:443 | cdn.krnl.rocks | Cloudflare Inc | US | suspicious
2140 | iexplore.exe | 172.67.205.182:443 | cdn.krnl.rocks |  | US | suspicious
2140 | iexplore.exe | 192.99.34.107:443 | superlabs.app | OVH SAS | CA | suspicious
2800 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2800 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain | IP | Reputation
cdn.krnl.rocks | 172.67.205.182, 104.21.85.124 | malicious
ocsp.digicert.com | 93.184.220.29 | whitelisted
api.bing.com | 13.107.13.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
crl3.digicert.com | 93.184.220.29 | whitelisted
fonts.googleapis.com | 142.250.185.170 | whitelisted
superlabs.app | 192.99.34.107 | malicious
www.google.com | 142.250.185.100 | whitelisted
ocsp.pki.goog | 142.250.185.67 | whitelisted
crl.pki.goog | 142.250.185.67 | whitelisted

Threats

PID | Process | Class | Message
2140 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
2140 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
2140 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
2140 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
2140 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
2140 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
2140 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
No debug info