URL: https://click.message.sfmta.com/?qs=ef41940dc13f468282e10ec267211b4a649571e2fad0ae504a0d73bce2eaa0e3622b2f8bf1a2d066665f16f423dd336c8aef42b7e65fbeb4

Full analysis: https://app.any.run/tasks/b0b822ff-3440-4639-a4d1-269699bc20f2
Verdict: Malicious activity
Analysis date: August 12, 2022, 18:37:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 71575DBEE0758EB2657FBF5941057115
SHA1: CEDCC5E348B415DB0717D1F4B7A3BDC2C48715B5
SHA256: 1BD685649B708EAE3D2715518EDBB9E25EB0536F549490513406E9B14D8A5AF5
SSDEEP: 3:N8UEIA4ELGGagmyfUWDHVAMEUbu1VlWnm/3DKE3cDUTgBMdpMHy:2UE+ELGN5y8UqMKz/3uTDU81y

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 3124)
  • INFO
    • Checks supported languages
      • iexplore.exe (PID: 1284)
      • iexplore.exe (PID: 3124)
    • Reads the computer name
      • iexplore.exe (PID: 3124)
      • iexplore.exe (PID: 1284)
    • Application launched itself
      • iexplore.exe (PID: 1284)
    • Changes internet zones settings
      • iexplore.exe (PID: 1284)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3124)
      • iexplore.exe (PID: 1284)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 1284)
      • iexplore.exe (PID: 3124)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3124)
No Malware configuration.
No data.
Total processes: 36
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start → iexplore.exe → iexplore.exe

Process information

PID 1284
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://click.message.sfmta.com/?qs=ef41940dc13f468282e10ec267211b4a649571e2fad0ae504a0d73bce2eaa0e3622b2f8bf1a2d066665f16f423dd336c8aef42b7e65fbeb4"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Indicators: none
  Parent process: Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID 3124
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1284 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Indicators: none
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
Total events: 12 285
Read events: 12 180
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 11
Text files: 5
Unknown types: 9

Dropped files

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 1284 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | EE87BB11E233C12009CC11725035DBDC | D82930A5B051B3C3F1639C24E83BDDF41D5AA66E467A0944D1AC3D59AE6330C5 |
| 3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27 | binary | F5D9F40936850CBDB202055428C5ACEF | 13C3188D2765299AFBCF0E332A04B81EBE919916C36BCEAF22FAFB5C29BF02F4 |
| 3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27 | der | 9839A043052095E8F22D3FD89D44151F | E6139623A492D2D9064331913C9E6118E58E99989DE22882C5BADA3092971447 |
| 1284 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[1].ico | image | DA597791BE3B6E732F0BC8B20E38EE62 | 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07 |
| 1284 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | image | DA597791BE3B6E732F0BC8B20E38EE62 | 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07 |
| 1284 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | B1DE81903B329CD24226F469C045F0BE | D80CC486F180C491E54F19FFB76169F0F4448911E56FABC01A053D311A4D990B |
| 3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | der | A7CDC811501D83BAF917E463902F4013 | 0B35FBEE1934DC85028A604A80A7D13C273B6DB9B17AB7FF79F8F5BD561B3979 |
| 3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | binary | 135F0D81A42A8E52D7305355C4C4F52C | F5DB28EC4892577B3520EA7312628CD68E257EFF9CBF766B0E13A837652DD326 |
| 3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | binary | EDB786605AA8DF91F68F6C5D9ABD2F65 | 59E2BA0E91B95770785CEC912204803787E4C4D7DA53EE9AD0538F2CCAFDC967 |
| 3124 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_7CC09CFE040B6272A1F5086C8D2FB8AA | binary | AF80A0DE00B39CB9CB517A0706AFC243 | 8D705CD993A3E86CFD26FB8DB8AFF1799A97151FC7B0D0B7D9C5147641FAC2B8 |
HTTP(S) requests: 11
TCP/UDP connections: 21
DNS requests: 31
Threats: 0

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 3124 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAlrgulzmZS6%2FVWwIdvHyL8%3D | US | der | 278 b | whitelisted |
| 1284 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
| 3124 | iexplore.exe | GET | 200 | 52.222.250.112:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted |
| 3124 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAo1CNVcKSsBffitZcAP9%2BQ%3D | US | der | 471 b | whitelisted |
| 3124 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted |
| 3124 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAtKvYuM0TWF6C8uvUNnQvM%3D | US | der | 471 b | whitelisted |
| 3124 | iexplore.exe | GET | 200 | 52.222.250.185:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared |
| 3124 | iexplore.exe | GET | 200 | 108.138.2.195:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted |
| 3124 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6f8e3fd3a43d76ba | US | compressed | 4.70 Kb | whitelisted |
| 3124 | iexplore.exe | GET | 200 | 18.66.121.98:80 | http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEAJRJcPyb7UmwrcKbdnPRcE%3D | US | der | 471 b | whitelisted |

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3124 | iexplore.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted |
| 3124 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
| 1284 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
| 3124 | iexplore.exe | 13.111.180.238:443 | click.message.sfmta.com | | US | unknown |
| 3124 | iexplore.exe | 18.66.112.26:443 | www.surveymonkey.com | Massachusetts Institute of Technology | US | suspicious |
| 1284 | iexplore.exe | 23.39.160.113:443 | www.bing.com | TELECOM ITALIA SPARKLE S.p.A. | NL | unknown |
| 3124 | iexplore.exe | 108.138.2.195:80 | o.ss2.us | BellSouth.net Inc. | US | unknown |
| 3124 | iexplore.exe | 52.222.250.185:80 | ocsp.rootca1.amazontrust.com | Amazon.com, Inc. | US | whitelisted |
| 3124 | iexplore.exe | 104.17.25.14:443 | cdnjs.cloudflare.com | Cloudflare Inc | US | suspicious |
| 3124 | iexplore.exe | 52.222.250.112:80 | ocsp.rootg2.amazontrust.com | Amazon.com, Inc. | US | whitelisted |

DNS requests

| Domain | IP | Reputation |
|---|---|---|
| click.message.sfmta.com | 13.111.180.238 | unknown |
| ctldl.windowsupdate.com | 209.197.3.8 | whitelisted |
| ocsp.digicert.com | 93.184.220.29 | whitelisted |
| api.bing.com | 13.107.5.80 | whitelisted |
| www.bing.com | 23.39.160.113 | whitelisted |
| www.surveymonkey.com | 18.66.112.26 | whitelisted |
| o.ss2.us | 108.138.2.195 | whitelisted |
| ocsp.rootg2.amazontrust.com | 52.222.250.112 | whitelisted |
| ocsp.rootca1.amazontrust.com | 52.222.250.185 | shared |
| cdnjs.cloudflare.com | 104.17.25.14 | whitelisted |

Threats

No threats detected.
No debug info.