URL: https://viewstripo.email/template/69b6c1d6-360b-47af-bbec-994db5af551a

Full analysis: https://app.any.run/tasks/5d2e279e-3b19-407e-ae06-371a5170e805
Verdict: Malicious activity
Analysis date: May 20, 2022, 18:51:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: phishing
Indicators:
MD5: F628D62CE82E6AE66F3B9093B8B5075C
SHA1: 6DBB56D760CB5E3E55C379170FDE49BBF5C761DD
SHA256: 241B30A1C1E9F56FC47152EE7E89506BA34C6A1E6BC132B8A4087DCCCA7922B4
SSDEEP: 3:N8PLxUEmM2IRODhcRDMBE:2P521cRDyE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • msdt.exe (PID: 2220)
    • Phishing background detected

      • iexplore.exe (PID: 3596)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 1952)
      • iexplore.exe (PID: 3596)
    • Drops a file with a compile date too recent

      • msdt.exe (PID: 2220)
    • Executable content was dropped or overwritten

      • msdt.exe (PID: 2220)
    • Executed via COM

      • sdiagnhost.exe (PID: 2652)
    • Uses IPCONFIG.EXE to discover IP address

      • sdiagnhost.exe (PID: 2652)
  • INFO

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2944)
      • iexplore.exe (PID: 1952)
      • iexplore.exe (PID: 3596)
      • msdt.exe (PID: 2220)
    • Reads the computer name

      • iexplore.exe (PID: 2944)
      • iexplore.exe (PID: 1952)
      • iexplore.exe (PID: 3596)
      • msdt.exe (PID: 2220)
      • ipconfig.exe (PID: 1452)
      • sdiagnhost.exe (PID: 2652)
      • ROUTE.EXE (PID: 2068)
      • control.exe (PID: 1064)
      • rundll32.exe (PID: 3040)
    • Checks supported languages

      • iexplore.exe (PID: 1952)
      • iexplore.exe (PID: 2944)
      • iexplore.exe (PID: 3596)
      • msdt.exe (PID: 2220)
      • sdiagnhost.exe (PID: 2652)
      • ipconfig.exe (PID: 1452)
      • makecab.exe (PID: 2276)
      • ROUTE.EXE (PID: 2068)
      • control.exe (PID: 1064)
      • rundll32.exe (PID: 3040)
    • Changes internet zones settings

      • iexplore.exe (PID: 2944)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1952)
      • iexplore.exe (PID: 3596)
    • Application launched itself

      • iexplore.exe (PID: 2944)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 1952)
      • iexplore.exe (PID: 2944)
      • iexplore.exe (PID: 3596)
      • msdt.exe (PID: 2220)
      • sdiagnhost.exe (PID: 2652)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2944)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2944)
    • Manual execution by user

      • rundll32.exe (PID: 3040)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 2944)
    • Creates files in the user directory

      • iexplore.exe (PID: 2944)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 49
Monitored processes: 10
Malicious processes: 2
Suspicious processes: 1

Behavior graph

Processes shown in the graph (the interactive graph is in the full report): start → iexplore.exe, iexplore.exe, iexplore.exe, msdt.exe, sdiagnhost.exe (no specs), ipconfig.exe (no specs), route.exe (no specs), makecab.exe (no specs), control.exe (no specs), rundll32.exe (no specs)

Process information

PID: 2944
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://viewstripo.email/template/69b6c1d6-360b-47af-bbec-994db5af551a"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 1952
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2944 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3596
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2944 CREDAT:4134180 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2220
CMD: -modal 131374 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDF61BA.tmp -ep NetworkDiagnosticsWeb
Path: C:\Windows\system32\msdt.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Diagnostics Troubleshooting Wizard
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2652
CMD: C:\Windows\System32\sdiagnhost.exe -Embedding
Path: C:\Windows\System32\sdiagnhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Scripted Diagnostics Native Host
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1452
CMD: "C:\Windows\system32\ipconfig.exe" /all
Path: C:\Windows\system32\ipconfig.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: IP Configuration Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2068
CMD: "C:\Windows\system32\ROUTE.EXE" print
Path: C:\Windows\system32\ROUTE.EXE
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Route Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2276
CMD: "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
Path: C:\Windows\system32\makecab.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Cabinet Maker
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1064
CMD: "C:\Windows\System32\control.exe" /name Microsoft.Troubleshooting /page "resultPage?keywords=+;NetworkDiagnostics"
Path: C:\Windows\System32\control.exe
Parent process: msdt.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Control Panel
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3040
CMD: "C:\Windows\System32\rundll32.exe" werconcpl.dll, LaunchErcApp -queuereporting
Path: C:\Windows\System32\rundll32.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 22 381
Read events: 22 187
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 2
Suspicious files: 51
Text files: 64
Unknown types: 15

Dropped files

PID: 1952
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\69b6c1d6-360b-47af-bbec-994db5af551a[1].htm
Type: html
MD5: E5611D2F1955589B530716ED63AD1713
SHA256: 7B30BF54EB544397BE87BDD4200ED1A87CFBDC347112893EEEB344608EDA0C26

PID: 2944
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Type: binary
MD5: 077DEDB96EE12618251778ECA1075DF5
SHA256: 24C76BADAFA08F9626EF0A80CFD90D3F16943709385AF67855D316B86356C10E

PID: 2944
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F
Type: der
MD5: 5C1113B7526A7723B64400D44129FA78
SHA256: 9ECC27C740862AB2712DA2C4FF31592E2C0A8643576E64551EE344A73FBE2494

PID: 1952
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Type: der
MD5: C04F441D0220712231531A90823834DB
SHA256: 055641D3987AE98E2DD627D3214EA8084AE773A3DF9592191B86977C752A29E7

PID: 1952
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\r[1].jpg
Type: image
MD5: 8C8A4A396D40E59AA341FD6C759FE17B
SHA256: FB1B10A05DD0C4DA2BD5C6D6B917E1A7ECD2203C180CBBACB5067DC28940354D

PID: 1952
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
Type: der
MD5: 93995AD095112907CFC088998C161574
SHA256: FD16D238BCAC3441688E7CA940C27BB02DF8F0BF43B26D8E551414A18748C1CC

PID: 3596
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A4EA4FF119723B56B4C64F398E2A7C2C
Type: binary
MD5: 00CDBEB118A3AB64078B2B2EE34B7B19
SHA256: 826732F6F2A9CFB406C059193F08E872B76B8FDF85E64B5C21FEF4E85539EC31

PID: 1952
Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\r[1].jpg
Type: image
MD5: 8C8A4A396D40E59AA341FD6C759FE17B
SHA256: FB1B10A05DD0C4DA2BD5C6D6B917E1A7ECD2203C180CBBACB5067DC28940354D

PID: 1952
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
Type: binary
MD5: 58AFE70BF9F74C9C7971D24B7A67E1C9
SHA256: BBA84167381631A5686DBB5F478205550A8493872195256D059B3B8F9501D3A7

PID: 3596
Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A4EA4FF119723B56B4C64F398E2A7C2C
Type: der
MD5: 04A0081B90A05F65A917B326C0D59767
SHA256: 871ABE4BA2334B4D7C722FBFFA1734A0C7131DF68A76A49D69FEDEC77D90CC93
HTTP(S) requests: 12
TCP/UDP connections: 73
DNS requests: 28
Threats: 0

HTTP requests

PID: 3596
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 142.250.184.195:80
URL: http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
CN: US
Type: der
Size: 724 b
Reputation: whitelisted

PID: 2944
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 93.184.220.29:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: US
Type: der
Size: 471 b
Reputation: whitelisted

PID: 3596
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 142.250.184.195:80
URL: http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
CN: US
Type: der
Size: 1.41 Kb
Reputation: whitelisted

PID: 1952
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 172.64.155.188:80
URL: http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
CN: US
Type: der
Size: 471 b
Reputation: whitelisted

PID: 2944
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 93.184.220.29:80
URL: http://crl3.digicert.com/Omniroot2025.crl
CN: US
Type: der
Size: 7.78 Kb
Reputation: whitelisted

PID: 1952
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 172.64.155.188:80
URL: http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
CN: US
Type: der
Size: 727 b
Reputation: whitelisted

PID: 3596
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 92.123.224.28:80
URL: http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgNDEJw8XjLXZHnIGDjxL10YiQ%3D%3D
CN: unknown
Type: der
Size: 503 b
Reputation: shared

PID: 3596
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 93.184.220.29:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
CN: US
Type: der
Size: 471 b
Reputation: whitelisted

PID: 3596
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 93.184.220.29:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAF9LxfeRoa0ZPqxq7Z2wf0%3D
CN: US
Type: der
Size: 471 b
Reputation: whitelisted

PID: 1952
Process: iexplore.exe
Method: GET
HTTP Code: 200
IP: 23.216.77.69:80
URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?bad058f1d74c3935
CN: US
Type: compressed
Size: 4.70 Kb
Reputation: whitelisted

Connections

PID: 2944
Process: iexplore.exe
IP: 93.184.220.29:80
Domain: ocsp.digicert.com
ASN: MCI Communications Services, Inc. d/b/a Verizon Business
CN: US
Reputation: whitelisted

PID: 2944
Process: iexplore.exe
IP: 131.253.33.200:443
Domain: www.bing.com
ASN: Microsoft Corporation
CN: US
Reputation: whitelisted

PID: 1952
Process: iexplore.exe
IP: 23.216.77.69:80
Domain: ctldl.windowsupdate.com
ASN: NTT DOCOMO, INC.
CN: US
Reputation: suspicious

PID: 2944
Process: iexplore.exe
IP: 52.208.21.62:443
Domain: viewstripo.email
ASN: Amazon.com, Inc.
CN: IE
Reputation: suspicious

IP: 192.168.100.2:53
Reputation: whitelisted

PID: 1952
Process: iexplore.exe
IP: 172.64.155.188:80
Domain: ocsp.comodoca.com
CN: US
Reputation: suspicious

PID: 1952
Process: iexplore.exe
IP: 52.208.21.62:443
Domain: viewstripo.email
ASN: Amazon.com, Inc.
CN: IE
Reputation: suspicious

PID: 1952
Process: iexplore.exe
IP: 88.198.226.235:443
Domain: rqvhlz.stripocdn.email
ASN: Hetzner Online GmbH
CN: DE
Reputation: suspicious

PID: 3596
Process: iexplore.exe
IP: 192.185.98.250:443
Domain: wonelect.gq
ASN: CyrusOne LLC
CN: US
Reputation: suspicious

IP: 52.208.21.62:443
Domain: viewstripo.email
ASN: Amazon.com, Inc.
CN: IE
Reputation: suspicious

DNS requests

Domain: viewstripo.email
IP: 52.208.21.62
Reputation: whitelisted

Domain: www.microsoft.com
Reputation: whitelisted

Domain: ctldl.windowsupdate.com
IP: 23.216.77.69, 23.216.77.80
Reputation: whitelisted

Domain: api.bing.com
IP: 13.107.5.80
Reputation: whitelisted

Domain: www.bing.com
IP: 131.253.33.200, 13.107.22.200
Reputation: whitelisted

Domain: ocsp.comodoca.com
IP: 172.64.155.188, 104.18.32.68
Reputation: whitelisted

Domain: ocsp.usertrust.com
IP: 172.64.155.188, 104.18.32.68
Reputation: whitelisted

Domain: ocsp.digicert.com
IP: 93.184.220.29
Reputation: whitelisted

Domain: rqvhlz.stripocdn.email
IP: 88.198.226.235, 95.216.206.83, 23.88.97.183, 95.217.22.118, 162.55.214.56, 88.198.151.113
Reputation: suspicious

Domain: wonelect.gq
IP: 192.185.98.250
Reputation: suspicious

Threats

Class: Potentially Bad Traffic
Message: ET INFO DNS Query for Suspicious .gq Domain

PID: 3596
Process: iexplore.exe
Class: Potentially Bad Traffic
Message: ET INFO Suspicious Domain (*.gq) in TLS SNI

PID: 3596
Process: iexplore.exe
Class: Potentially Bad Traffic
Message: ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.gq)

PID: 828
Process: svchost.exe
Class: Potentially Bad Traffic
Message: ET INFO TLS Handshake Failure

PID: 2944
Process: iexplore.exe
Class: Potentially Bad Traffic
Message: ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.gq)

PID: 2944
Process: iexplore.exe
Class: Potentially Bad Traffic
Message: ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.gq)

Debug info: No debug info