URL: https://threatpost.com/malformed-url-prefix-phishing-attacks-spike-6000/164132/
Full analysis: https://app.any.run/tasks/680a9be8-5c98-41c0-949c-e784ba990708
Verdict: Malicious activity
Analysis date: August 12, 2022, 21:35:05
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: F7F65E89A785DC99FC24F84B9DCAD010
SHA1: E87FBC3E3F951CB444EDCD249DF0E1A81B8B5F9F
SHA256: 23C1B981A6DF184CE99C6D87F20915B156C46FDE0AC9FBF319EC48EA8F631AA6
SSDEEP: 3:N8FXpKHXCpoec3vOuxKPQK:2tpKHhvOyk

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 1240)
  • INFO
    • Checks supported languages
      • iexplore.exe (PID: 1448)
      • iexplore.exe (PID: 1240)
    • Reads the computer name
      • iexplore.exe (PID: 1448)
      • iexplore.exe (PID: 1240)
    • Application launched itself
      • iexplore.exe (PID: 1448)
    • Changes internet zones settings
      • iexplore.exe (PID: 1448)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 1240)
      • iexplore.exe (PID: 1448)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 1448)
      • iexplore.exe (PID: 1240)
    • Changes settings of System certificates
      • iexplore.exe (PID: 1448)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 1448)
    • Reads internet explorer settings
      • iexplore.exe (PID: 1240)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> iexplore.exe -> iexplore.exe

Process information

PID: 1448
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://threatpost.com/malformed-url-prefix-phishing-attacks-spike-6000/164132/"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID: 1240
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1448 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\iertutil.dll
Total events: 17 191
Read events: 17 065
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 37
Text files: 120
Unknown types: 43

Dropped files

PID | Process | Filename | Type
1240 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der
1240 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | binary
1240 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_E2D9EE934240D78D8CC03D02BC7480AB | der
1240 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
1240 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\targeting[1].js | text
1240 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\164132[1].htm | html
1240 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary
1240 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary
1240 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_E2D9EE934240D78D8CC03D02BC7480AB | binary
1240 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27 | binary
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 35
TCP/UDP connections: 154
DNS requests: 50
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1240 | iexplore.exe | GET |  | 13.225.84.66:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US |  |  | whitelisted
1240 | iexplore.exe | GET |  | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAo1CNVcKSsBffitZcAP9%2BQ%3D | US |  |  | whitelisted
1240 | iexplore.exe | GET |  | 142.250.185.227:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US |  |  | whitelisted
1240 | iexplore.exe | GET | 200 | 192.124.249.23:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted
1240 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEA4pYwSemmzzY620EQqw7IM%3D | US | der | 471 b | whitelisted
1240 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted
1240 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | US | der | 471 b | whitelisted
1240 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEA1s6mM7M65JSJenrBIW2A0%3D | US | der | 471 b | whitelisted
1240 | iexplore.exe | GET | 200 | 142.250.185.227:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted
1240 | iexplore.exe | GET | 200 | 192.124.249.23:80 | http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | US | der | 1.66 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1448 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
1448 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
1240 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
1240 | iexplore.exe | 23.216.77.80:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious
1240 | iexplore.exe | 35.173.160.135:443 | threatpost.com | Amazon.com, Inc. | US | unknown
1240 | iexplore.exe | 172.67.68.250:443 | qd.admetricspro.com |  | US | unknown
1240 | iexplore.exe | 172.217.16.194:443 | www.googletagservices.com | Google Inc. | US | whitelisted
1240 | iexplore.exe | 185.85.15.23:443 | media.kaspersky.com | Kaspersky Lab AO | RU | unknown
1240 | iexplore.exe | 142.250.185.68:443 | www.google.com | Google Inc. | US | whitelisted
1240 | iexplore.exe | 13.225.78.40:443 | tagan.adlightning.com |  | US | malicious

DNS requests

Domain | IP | Reputation
threatpost.com | 35.173.160.135 | whitelisted
ctldl.windowsupdate.com | 23.216.77.80, 23.216.77.69 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
tagan.adlightning.com | 13.225.78.40, 13.225.78.107, 13.225.78.66, 13.225.78.59 | whitelisted
www.googletagservices.com | 172.217.16.194 | whitelisted
qd.admetricspro.com | 172.67.68.250, 104.26.7.218, 104.26.6.218 | unknown
media.kasperskycontenthub.com | 13.225.78.53, 13.225.78.106, 13.225.78.4, 13.225.78.120 | whitelisted
media.threatpost.com | 13.225.78.127, 13.225.78.122, 13.225.78.41, 13.225.78.119 | whitelisted

Threats

PID | Process | Class | Message
1240 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
1240 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
No debug info