URL: http://www.google.com

Full analysis: https://app.any.run/tasks/bb3145b9-e979-486e-8c10-8bba76fd83ac
Verdict: Malicious activity
Analysis date: March 30, 2020, 17:32:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: covid19
Indicators:
MD5: ED646A3334CA891FD3467DB131372140
SHA1: 738DDF35B3A85A7A6BA7B232BD3D5F1E4D284AD1
SHA256: 253D142703041DD25197550A0FC11D6AC03BEFC1E64A1320009F1EDF400C39AD
SSDEEP: 3:N1KJS4IK:Cc4IK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Connects to CnC server
      • iexplore.exe (PID: 3864)
  • SUSPICIOUS
    No suspicious indicators.
  • INFO
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3864)
      • iexplore.exe (PID: 2192)
    • Changes internet zones settings
      • iexplore.exe (PID: 2192)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3864)
      • iexplore.exe (PID: 2192)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3864)
    • Creates files in the user directory
      • iexplore.exe (PID: 3864)
      • iexplore.exe (PID: 2192)
    • Drops Coronavirus (possible) decoy
      • iexplore.exe (PID: 3864)
    • Dropped object may contain Bitcoin addresses
      • iexplore.exe (PID: 3864)
    • Dropped object may contain TOR URL's
      • iexplore.exe (PID: 3864)
    • Changes settings of System certificates
      • iexplore.exe (PID: 2192)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 2192)
No Malware configuration.
No data.
Total processes: 36
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 1

Behavior graph (image not reproduced): start → iexplore.exe → iexplore.exe

Process information

PID: 2192
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://www.google.com"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID: 3864
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2192 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll
Total events: 5 093
Read events: 397
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 111
Text files: 227
Unknown types: 48

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3864 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab6FE9.tmp | | |
3864 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar6FEA.tmp | | |
3864 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1UAOJV3W.txt | | |
3864 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\453HF2UZ.txt | | |
3864 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\8QU1CQCK.txt | text | 5F48C4F8ECF4FA7A15E968D864813CDA | 2A49CABC4679696FF2994EDE2D510C7FFDCA268FAFCF30B3F1A6BD50FA32AF0D
3864 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\UJV80ULR.htm | html | 6E06FCDA0C7328CDC284A2C6ECF3B8A9 | 13CFBF4E2349D7D262A89EEE7D668EBBD257175F0825999DCBD0AEFBDB1B2095
3864 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | binary | 90B54080591D3CB86F61A1D86A964846 | 4BFCD613430A94F0307980D957CEB2B127A5BB690A483F488FAAD475FD826E27
3864 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_B4E256AEE3EBA21D6B1078B3E1B79532 | der | BC1B1DC02C5B3B36D7B746CEF55088B5 | C9A08E023C79449B4CAB9EE533A1CDB02353A64D9866D8E51DEDE4D09674F92A
3864 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BE8B021F9E811DFC8C8A28572A17C05A_0B97942EE72A6E3F514E8E84F294CC72 | der | F26B1B29960D99AD1C44E71E3D2ABE4C | 7910B27AFDEE20EA27C4FA19221B1B63E00235E261E1A3FB9F1FB3456CBBB7AC
3864 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\TKP7DMNH.txt | | |
HTTP(S) requests: 61
TCP/UDP connections: 175
DNS requests: 71
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3864 | iexplore.exe | GET | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEC4G%2Bv2mHN8jAgAAAABcZ3g%3D | US | der | 471 b | whitelisted
3864 | iexplore.exe | GET | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQD7nI1BmOkYLAgAAAAAMgsX | US | der | 472 b | whitelisted
2192 | iexplore.exe | GET | 200 | 72.21.91.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
3864 | iexplore.exe | GET | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEGFA%2F%2Fi5YNGTCAAAAAAyCrg%3D | US | der | 471 b | whitelisted
2192 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
3864 | iexplore.exe | GET | 200 | 104.27.182.185:80 | http://peterjonny.com/optout/set/lat?jsonp=__mtz_cb_634479511&key=22ab99ef5bc624cbd8&cv=1585557294&t=1585557294320 | US | | | malicious
3864 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69%2BAj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc%3D | US | der | 727 b | whitelisted
3864 | iexplore.exe | GET | 204 | 88.99.151.223:80 | http://cdn-javascript.net/api?key=a1ce18e5e2b4b1b1895a38130270d6d344d031c0&uid=8875x&format=arrjs&r=1585557295514 | DE | | | malicious
2192 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
3864 | iexplore.exe | GET | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDL%2FQslYWVuogIAAAAAXGdc | US | der | 472 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3864 | iexplore.exe | 172.217.22.68:80 | | Google Inc. | US | whitelisted
2192 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3864 | iexplore.exe | 172.217.22.35:443 | ssl.gstatic.com | Google Inc. | US | whitelisted
3864 | iexplore.exe | 216.58.206.3:443 | www.google.dk | Google Inc. | US | whitelisted
3864 | iexplore.exe | 216.58.210.14:443 | apis.google.com | Google Inc. | US | whitelisted
3864 | iexplore.exe | 172.217.23.110:443 | consent.google.com | Google Inc. | US | whitelisted
3864 | iexplore.exe | 172.217.22.68:443 | | Google Inc. | US | whitelisted
2192 | iexplore.exe | 172.217.22.68:443 | | Google Inc. | US | whitelisted
3864 | iexplore.exe | 216.58.207.35:443 | www.gstatic.com | Google Inc. | US | whitelisted
3864 | iexplore.exe | 172.217.16.162:443 | adservice.google.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
www.google.com | 192.155.236.253 | whitelisted
ocsp.pki.goog | 172.217.23.131 | whitelisted
consent.google.com | 172.217.23.110 | shared
ssl.gstatic.com | 172.217.22.35 | whitelisted
www.gstatic.com | 216.58.207.35 | whitelisted
www.google.dk | 216.58.206.3 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
apis.google.com | 216.58.210.14 | whitelisted
ogs.google.com | 172.217.16.142 | whitelisted

Threats

PID | Process | Class | Message
3864 | iexplore.exe | A Network Trojan was detected | ET MALWARE LNKR CnC Activity M1
3864 | iexplore.exe | A Network Trojan was detected | ET MALWARE LNKR CnC Activity M3
3864 | iexplore.exe | A Network Trojan was detected | ET MALWARE LNKR Possible Response for LNKR js file
No debug info