URL: https://www.google.com/url?rct=j&sa=t&url=http://cggm.go-to.fr/uber-product-metrics.html&ct=ga&cd=CAEYACoTOTc4ODYwNjczNDkwNTI4MjEzMzIaYmRhM2M4ZjVkN2UyNmU5Yzpjb206ZW46VVM&usg=AFQjCNHu0p_4GxdzgZBeuZLigcYDzX2Pag

Full analysis: https://app.any.run/tasks/be992e16-49c6-4c6a-a2b2-4d23935e322c
Verdict: Malicious activity
Analysis date: September 10, 2019, 21:59:55
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir
Indicators:
MD5: B88C08F56389F12A55035D0FBF2B05B5
SHA1: 016D7DD4EE381559B84CB18F822C8F1EFD290718
SHA256: 0AB0F03E7B53DE2E7CCEA3121C4D6F3F7DD17C7F6C0407DAC25A986246ABB24C
SSDEEP: 6:2OLI2AtURdCTfQQI7HKj2OxsHMIv0/PrCC:2V2SJCHK65HMbuC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3432)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3908)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3432)
      • iexplore.exe (PID: 3908)
    • Creates files in the user directory

      • iexplore.exe (PID: 3432)
      • iexplore.exe (PID: 3908)
    • Application launched itself

      • iexplore.exe (PID: 3432)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 3908)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> iexplore.exe -> iexplore.exe

Process information

PID: 3432
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://www.google.com/url?rct=j&sa=t&url=http://cggm.go-to.fr/uber-product-metrics.html&ct=ga&cd=CAEYACoTOTc4ODYwNjczNDkwNTI4MjEzMzIaYmRhM2M4ZjVkN2UyNmU5Yzpjb206ZW46VVM&usg=AFQjCNHu0p_4GxdzgZBeuZLigcYDzX2Pag"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3908
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3432 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 415
Read events: 354
Write events: 59
Delete events: 2

Modification events

(PID) Process: (3432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (3432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (3432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (3432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation: write
Name: SecuritySafe
Value: 1

(PID) Process: (3432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (3432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 4600000092000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000

(PID) Process: (3432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation: write
Name: {5C4A103F-D416-11E9-B86F-5254004A04AF}
Value: 0

(PID) Process: (3432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Type
Value: 4

(PID) Process: (3432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Count
Value: 2

(PID) Process: (3432) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Time
Value: E307090002000A00160000000C00E002
Executable files: 0
Suspicious files: 11
Text files: 139
Unknown types: 14

Dropped files

PID: 3432  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:

PID: 3432  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:

PID: 3908  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OFB72WKN\url[1].txt
MD5:
SHA256:

PID: 3908  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
MD5:
SHA256:

PID: 3908  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OFB72WKN\uber-product-metrics[1].html
Type: html
MD5: B6F4A88197C1C90F165548E8E25F38F3
SHA256: AB94A54DEC196505B6F6B6BEF8AE0AC33EA076A72189F103D565381BE2A3378F

PID: 3908  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@go-to[1].txt
Type: text
MD5: C0762C3B39E322DCD8EE7BAE4D314ECA
SHA256: 6FEC5577995681046F0040A4D63A35584D93919EDE0F8AC8DFE4BE34B987F048

PID: 3908  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OFB72WKN\url[1].htm
Type: html
MD5: 662F3AEC2C726385B7D30370D76D7340
SHA256: 93E6F9365D5297FBA5CF838CEA16240F19351054747C5560E881DAAE3D2998F9

PID: 3908  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\95XW1Z8H\main[1].css
Type: text
MD5: CAD4B1C4A43D79A7886E806EDA0B7CBA
SHA256: F17E93AB6B17187CBB2561FE2A77C6E39E9AEDAAEFB02F8D416F4C66F3F99FA0

PID: 3908  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
Type: dat
MD5: A5D94ACDA8E85534B8B54C35E4677395
SHA256: C02AFB425C52E7A029B7BA33C2021139E384389310C561D1F773DB3C544439F5

PID: 3908  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@google[1].txt
Type: text
MD5: FC085FEB7AB4CD4011CDAC8D87D3CB62
SHA256: 806F089A385BCAC4E3CAB2FA5059F4EA16121036DB6FDB6D981FC836DB0EE29B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 132
TCP/UDP connections: 608
DNS requests: 239
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3908 | iexplore.exe | GET | 200 | 104.28.28.89:80 | http://cggm.go-to.fr/templates/IMG_4/css/base.css | US | text | 2.98 Kb | shared
3908 | iexplore.exe | GET | 200 | 104.28.28.89:80 | http://cggm.go-to.fr/templates/IMG_4/css/main.css | US | text | 12.1 Kb | shared
3908 | iexplore.exe | GET | 200 | 104.28.28.89:80 | http://cggm.go-to.fr/templates/IMG_4/css/vendor.css | US | text | 7.29 Kb | shared
3908 | iexplore.exe | GET | 200 | 104.28.28.89:80 | http://cggm.go-to.fr/uber-product-metrics.html | US | html | 11.3 Kb | shared
3908 | iexplore.exe | GET | 200 | 104.28.28.89:80 | http://cggm.go-to.fr/templates/IMG_4/css/fonts.css | US | text | 505 b | shared
3908 | iexplore.exe | GET | 200 | 104.28.28.89:80 | http://cggm.go-to.fr/templates/IMG_4/js/modernizr.js | US | text | 3.27 Kb | shared
3908 | iexplore.exe | GET | 404 | 104.28.28.89:80 | http://cggm.go-to.fr/templates/IMG_4/fonts/librebaskerville/librebaskerville-regular-webfont.woff2)%20format(%22woff2%22),%20url(../fonts/librebaskerville/librebaskerville-regular-webfont.woff)%20format(%22woff%22 | US | html | 202 b | shared
3908 | iexplore.exe | GET | 200 | 104.28.28.89:80 | http://cggm.go-to.fr/templates/IMG_4/js/pace.min.js | US | text | 4.18 Kb | shared
3432 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
3908 | iexplore.exe | GET | 404 | 104.28.28.89:80 | http://cggm.go-to.fr/templates/IMG_4/fonts/librebaskerville/librebaskerville-italic-webfont.woff2)%20format(%22woff2%22),%20url(../fonts/librebaskerville/librebaskerville-italic-webfont.woff)%20format(%22woff%22 | US | html | 202 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 |  | 35.184.61.224:443 | eng.uber.com | Google Inc. | US | unknown
3432 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3908 | iexplore.exe | 93.184.220.70:443 | pbs.twimg.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
 |  | 151.101.0.207:443 | s.thestreet.com | Fastly | US | unknown
3908 | iexplore.exe | 104.197.241.218:443 | hackernoon.com | Google Inc. | US | unknown
 |  | 166.78.238.159:443 | www.business2community.com | Rackspace Ltd. | US | unknown
3908 | iexplore.exe | 13.225.78.75:443 | res.infoq.com |  | US | malicious
3908 | iexplore.exe | 104.28.28.89:80 | cggm.go-to.fr | Cloudflare Inc | US | shared
3908 | iexplore.exe | 2.18.232.232:443 | www.bigcommerce.com | Akamai International B.V. |  | whitelisted
3908 | iexplore.exe | 172.217.18.4:443 | www.google.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
www.google.com | 172.217.18.4 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
cggm.go-to.fr | 104.28.28.89, 104.28.29.89 | unknown
s.thestreet.com | 151.101.0.207, 151.101.64.207, 151.101.128.207, 151.101.192.207 | unknown
static01.nyt.com | 151.101.1.164, 151.101.65.164, 151.101.129.164, 151.101.193.164 | whitelisted
amp.businessinsider.com | 151.101.1.171, 151.101.65.171, 151.101.129.171, 151.101.193.171 | suspicious
image.slidesharecdn.com | 2.18.232.80 | suspicious
eng.uber.com | 35.184.61.224 | unknown
www.bigcommerce.com | 2.18.232.232 | unknown
res.infoq.com | 13.225.78.75, 13.225.78.18, 13.225.78.69, 13.225.78.86 | malicious

Threats

No threats detected
No debug info