URL: http://subscriberhelp.govdelivery.com

Full analysis: https://app.any.run/tasks/bfe80e8a-8b93-4128-b97e-d6fab4148cbd
Verdict: Malicious activity
Analysis date: October 04, 2022, 20:53:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 8DA42EC14A747EDDE2088201B3B970A9
SHA1: 737B5A9FD9F375E56D055B9E5ACCFA85BFA25335
SHA256: 07D85B07395D471B5D47233465097519C370B8DDD86E745F4D5880574A49B303
SSDEEP: 3:N1KNQHWGXaTTBhzGKI:CC2zTTBFGT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 2092)
  • INFO
    • Checks supported languages
      • iexplore.exe (PID: 3636)
      • iexplore.exe (PID: 2092)
    • Reads the computer name
      • iexplore.exe (PID: 3636)
      • iexplore.exe (PID: 2092)
    • Changes internet zones settings
      • iexplore.exe (PID: 3636)
    • Application launched itself
      • iexplore.exe (PID: 3636)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2092)
      • iexplore.exe (PID: 3636)
    • Creates files in the user directory
      • iexplore.exe (PID: 2092)
      • iexplore.exe (PID: 3636)
    • Reads internet explorer settings
      • iexplore.exe (PID: 2092)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 2092)
      • iexplore.exe (PID: 3636)
    • Changes settings of System certificates
      • iexplore.exe (PID: 3636)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 3636)
    • Dropped object may contain Bitcoin addresses
      • iexplore.exe (PID: 3636)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report.
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> iexplore.exe (PID 3636) -> iexplore.exe (PID 2092)

Process information

PID 3636
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://subscriberhelp.govdelivery.com"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID 2092
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3636 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe (PID 3636)
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events: 10 659
Read events: 10 520
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 14
Text files: 40
Unknown types: 15

Dropped files (all by PID 2092, iexplore.exe)

Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C11083FD8BAD269CF864618FA59583AC_AB604FF73F022AED0290A83D85376B45
  Type: binary
  MD5: 010FEA27C51B2155D34865B5FDA5AC1D
  SHA256: 553108B26D381F7531EF9D6B5C273969FE02F6479456AA4F02A14A3DD85C68BE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_FB287BEB63DB9E8D59A799779773B97C
  Type: binary
  MD5: CE0078EF271D6CEC2DAC755BDB65DCB4
  SHA256: AC9C3F6288A52B77C1A262D30842DBFC973F5B1242E5D450B7CBFB78A4CF51C0
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  Type: binary
  MD5: CB68ABF4B41646E57F79E34CC1217A16
  SHA256: 0E25203551C74C9D521964B6C324308B01718FC65E921D1064E9FF1FAA975CDA
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\resources[1].js
  Type: text
  MD5: 77AD2083DD917E15B0C5DB3C5B37C07E
  SHA256: D4574D6C907CD9109D1942304C76E4ECF8A7CC88F7AE543CDECCA1625D4A6EED
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\aura_prod_compat[1].js
  Type: text
  MD5: 5BB8A5AC9CF296BF67169DA12DC9D22C
  SHA256: 44E61533210A8DF24BF227CC0DFF11608F4AEE8C795B4CB8E13D11415455920B
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_FB287BEB63DB9E8D59A799779773B97C
  Type: der
  MD5: CCC044025FA54059762B72178D6E2230
  SHA256: ACB9E5FAD10CB40F5F38A7A627AC2D25BDC4A62D3926F0A275E739584D7F793D
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\F0KTC6ME.txt
  Type: text
  MD5: CF6831352BA5E7EC4F584327DA1C52F1
  SHA256: B72A8E25278C866934075159644EA97379860704E199FEE8BD9F29483D5EEF68
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\s[1].htm
  Type: html
  MD5: C03CA3DF5D2843C5F69E955FC4B8714E
  SHA256: EEE0D76032C8C0391E374D080A5B191DBACA5F3444CF5EAC6BBCDBC2E55C625D
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C11083FD8BAD269CF864618FA59583AC_AB604FF73F022AED0290A83D85376B45
  Type: der
  MD5: B627FA5E531AA9B633908E6E0D7CF8C6
  SHA256: 891CFF34E56E627DB6B1CE5E40FF190091951405D11A94200D7D2581AF265B49
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\app[1].css
  Type: text
  MD5: 409B08142A4BC7EB84140B3980CDAF8E
  SHA256: A09F133D7485610E0E03C69A88A28271BD4283330A33E43F5A4F2E518EF2A83C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 47
DNS requests: 19
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2092 | iexplore.exe | GET | 301 | 209.134.144.139:80 | http://subscriberhelp.govdelivery.com/ | US | - | - | unknown
3636 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted
2092 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAo1CNVcKSsBffitZcAP9%2BQ%3D | US | der | 471 b | whitelisted
2092 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAhflMAthXvozBT%2FU%2B2iPio%3D | US | der | 471 b | whitelisted
2092 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnxLiz3Fu1WB6n1%2FE6xWn1b0jXiQQUdIWAwGbH3zfez70pN6oDHb7tzRcCEAIvMFtTDB3eRjMpJzrzQTM%3D | US | der | 471 b | whitelisted
2092 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAc67gCMSnxmaxvaen6mCDM%3D | US | der | 471 b | whitelisted
3636 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSnxLiz3Fu1WB6n1%2FE6xWn1b0jXiQQUdIWAwGbH3zfez70pN6oDHb7tzRcCEArSciitnpC1JwE8DRiQlTU%3D | US | der | 471 b | whitelisted
3636 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
2092 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAvOYmhpfmrn98bflC66kUA%3D | US | der | 471 b | whitelisted
3636 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3636 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2092 | iexplore.exe | 85.222.140.13:443 | subscriberhelp.granicus.com | SALESFORCE | US | suspicious
2092 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
2092 | iexplore.exe | 23.216.77.80:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | suspicious
2092 | iexplore.exe | 209.134.144.139:80 | subscriberhelp.govdelivery.com | VISI-AS | US | unknown
- | - | 85.222.140.13:443 | subscriberhelp.granicus.com | SALESFORCE | US | suspicious
2092 | iexplore.exe | 13.225.78.35:443 | consent.trustarc.com | AMAZON-02 | US | suspicious
3636 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
2092 | iexplore.exe | 136.147.103.198:443 | granicus--c.na47.content.force.com | SALESFORCE | US | unknown
2092 | iexplore.exe | 13.110.59.145:443 | granicus--c.na149.content.force.com | SALESFORCE | US | unknown

DNS requests

Domain | IP(s) | Reputation
subscriberhelp.govdelivery.com | 209.134.144.139 | unknown
subscriberhelp.granicus.com | 85.222.140.13, 85.222.140.10, 85.222.140.11 | unknown
ctldl.windowsupdate.com | 23.216.77.80, 23.216.77.69 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
consent.trustarc.com | 13.225.78.35, 13.225.78.26, 13.225.78.53, 13.225.78.57 | shared
granicus--c.na47.content.force.com | 136.147.103.198, 13.110.249.35, 13.110.250.35, 136.147.111.62, 13.110.248.163, 13.110.249.163, 13.110.255.163, 13.110.253.99 | suspicious
granicus--c.na149.content.force.com | 13.110.59.145, 13.110.62.145, 13.110.63.145 | unknown
support.granicus.com | 85.222.140.11, 85.222.140.13, 85.222.140.6 | unknown

Threats

No threats detected
No debug info