analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://covidlocal.org

Full analysis: https://app.any.run/tasks/3c46989f-99a2-408e-8576-885fdce98ab2
Verdict: Malicious activity
Analysis date: March 30, 2020, 23:00:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
covid19
Indicators:
MD5:

33D9ED6A9C53D2034A1628DDF2E5B594

SHA1:

836BB30DF0992E142EDED77AC21D20D82FBB020A

SHA256:

2C41F07D8CC3BD889589401A5EF2CC6E7D6DB92F13A44DB86A13A0E1D38BB270

SSDEEP:

3:N1KdKTAvQ:CIko

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Changes IE settings (feature browser emulation)

      • AcroRd32.exe (PID: 2944)
    • Creates files in the program directory

      • AdobeARM.exe (PID: 2480)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3088)
      • iexplore.exe (PID: 3988)
      • iexplore.exe (PID: 604)
      • AcroRd32.exe (PID: 2944)
      • AcroRd32.exe (PID: 3244)
    • Drops Coronavirus (possible) decoy

      • iexplore.exe (PID: 3088)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 3088)
    • Changes internet zones settings

      • iexplore.exe (PID: 3988)
    • Application launched itself

      • iexplore.exe (PID: 3988)
      • RdrCEF.exe (PID: 1632)
    • Creates files in the user directory

      • iexplore.exe (PID: 3088)
      • iexplore.exe (PID: 3988)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3088)
      • iexplore.exe (PID: 604)
    • Reads the hosts file

      • RdrCEF.exe (PID: 1632)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 604)
      • AcroRd32.exe (PID: 2944)
      • iexplore.exe (PID: 3988)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3988)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3988)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
12
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe iexplore.exe acrord32.exe no specs acrord32.exe acrord32.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs rdrcef.exe no specs adobearm.exe no specs reader_sl.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3988"C:\Program Files\Internet Explorer\iexplore.exe" "http://covidlocal.org"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3088"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3988 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
604"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3988 CREDAT:1316104 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3392"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 604C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeiexplore.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Exit code:
0
Version:
15.23.20070.215641
2944"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" /o /eo /l /b /id 604C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
iexplore.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
3244"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" --type=renderer /o /eo /l /b /id 604C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroRd32.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe Acrobat Reader DC
Version:
15.23.20070.215641
1632"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16448250C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeAcroRd32.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
3364"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="1632.0.367363977\974776538" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Exit code:
0
Version:
15.23.20053.211670
944"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="1632.1.333469963\1820589419" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
3984"C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-3d-apis --disable-databases --disable-direct-npapi-requests --disable-file-system --disable-notifications --disable-shared-workers --disable-direct-write --lang=en-US --lang=en-US --log-severity=disable --product-version="ReaderServices/15.23.20053 Chrome/45.0.2454.85" --device-scale-factor=1 --enable-delegated-renderer --num-raster-threads=2 --gpu-rasterization-msaa-sample-count=8 --content-image-texture-target=3553 --video-image-texture-target=3553 --disable-accelerated-video-decode --disable-webrtc-hw-encoding --disable-gpu-compositing --channel="1632.2.397782104\56132409" --allow-no-sandbox-job /prefetch:673131151C:\Program Files\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exeRdrCEF.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
LOW
Description:
Adobe RdrCEF
Version:
15.23.20053.211670
Total events
6 556
Read events
1 291
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
58
Text files
36
Unknown types
49

Dropped files

PID
Process
Filename
Type
3988iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3088iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab95DF.tmp
MD5:
SHA256:
3088iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar95E0.tmp
MD5:
SHA256:
3088iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62binary
MD5:033082ABE7C330C0CFFBAEE41F22E24C
SHA256:03F72361FDAB98EF7B3523377C7B085B39DD4A01E61EE14E3E6051BE7F850375
3088iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BCB67D7ECB470284AF35679F339E879Fder
MD5:323D542FFBAD27A19AAE2BD3EF2E15BA
SHA256:F96B21D7CF2FC1A7AC811A3D0203415279362DD10B2147509134DC8CADFB4BBE
3088iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\8QU1CQCK.htmhtml
MD5:E4E384D6672787C1BB2A9B500114F1F5
SHA256:80785F5520097DDE3B28C617171415CD690CBF1E0353A5F3E348C83A4656EA0F
3088iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\NQKASD1D.htmhtml
MD5:A280E2C50CEB2745DA89C093CA5808C3
SHA256:BDEBAE570895AFA08C85796E1C13B1C2955C58E5AC38A27CA4DB38598D1D9019
3088iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FC5A820A001B41D68902E051F36A5282_6C3B3AC0ED32B468B02634899BEC9406der
MD5:B69D96E1DCCD594A20FD5D40C7E06A61
SHA256:57A13C7045761010A5B9786197922A6FE853231857258153F54F0CEA59F24AE3
3088iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BCB67D7ECB470284AF35679F339E879Fbinary
MD5:A5E0C7050D5D6EBD46D72E1C6F352343
SHA256:42C01239B9BEA560399C6732CA7593BB5A7409713445BC6DE0C8A8D19D3C4A27
3088iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4Fder
MD5:D64CFDDEC1AC83B9C563724061B4828B
SHA256:33E9AE472315740BECC8C3DA15CD79D611C47851ED76B4E699C47D8C0B0A2563
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28
TCP/UDP connections
63
DNS requests
29
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3088
iexplore.exe
GET
301
52.222.167.42:80
http://covidlocal.org/
US
html
183 b
whitelisted
3088
iexplore.exe
GET
200
52.222.168.12:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D
US
der
1.39 Kb
shared
3088
iexplore.exe
GET
200
52.222.168.37:80
http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEA5ztvI05JLBCdarefXLuX4%3D
US
der
471 b
whitelisted
3088
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.trust-provider.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEENSAj%2F6qJAfE5%2Fj9OXBRE4%3D
US
der
471 b
whitelisted
3088
iexplore.exe
GET
200
52.222.168.87:80
http://crl.rootg2.amazontrust.com/rootg2.crl
US
der
608 b
whitelisted
3088
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
US
der
727 b
whitelisted
3088
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D
US
der
471 b
whitelisted
3088
iexplore.exe
GET
200
52.222.168.162:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
US
der
1.51 Kb
whitelisted
3088
iexplore.exe
GET
200
52.222.168.83:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
US
der
1.70 Kb
whitelisted
3088
iexplore.exe
GET
200
216.58.208.35:80
http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEFeh1L3VO0beCAAAAAAyCgc%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3988
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3088
iexplore.exe
52.222.168.83:80
o.ss2.us
Amazon.com, Inc.
US
unknown
3088
iexplore.exe
52.222.167.42:80
covidlocal.org
Amazon.com, Inc.
US
suspicious
3088
iexplore.exe
52.222.167.42:443
covidlocal.org
Amazon.com, Inc.
US
suspicious
3088
iexplore.exe
52.222.168.12:80
ocsp.rootg2.amazontrust.com
Amazon.com, Inc.
US
whitelisted
3088
iexplore.exe
52.222.168.155:80
ocsp.rootg2.amazontrust.com
Amazon.com, Inc.
US
whitelisted
3088
iexplore.exe
52.222.168.87:80
crl.rootg2.amazontrust.com
Amazon.com, Inc.
US
whitelisted
3088
iexplore.exe
52.222.168.37:80
ocsp.sca1b.amazontrust.com
Amazon.com, Inc.
US
whitelisted
3988
iexplore.exe
52.222.167.42:443
covidlocal.org
Amazon.com, Inc.
US
suspicious
3088
iexplore.exe
151.139.128.14:80
ocsp.trust-provider.com
Highwinds Network Group, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
covidlocal.org
  • 52.222.167.42
  • 52.222.167.135
  • 52.222.167.211
  • 52.222.167.169
whitelisted
o.ss2.us
  • 52.222.168.83
  • 52.222.168.11
  • 52.222.168.141
  • 52.222.168.140
whitelisted
ocsp.rootg2.amazontrust.com
  • 52.222.168.155
  • 52.222.168.162
  • 52.222.168.3
  • 52.222.168.12
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
crl.rootg2.amazontrust.com
  • 52.222.168.87
  • 52.222.168.50
  • 52.222.168.22
  • 52.222.168.212
whitelisted
ocsp.rootca1.amazontrust.com
  • 52.222.168.12
  • 52.222.168.3
  • 52.222.168.155
  • 52.222.168.162
shared
ocsp.sca1b.amazontrust.com
  • 52.222.168.37
  • 52.222.168.93
  • 52.222.168.161
  • 52.222.168.36
whitelisted
www.googletagmanager.com
  • 172.217.22.8
whitelisted
cdn.jsdelivr.net
  • 104.16.85.20
  • 104.16.88.20
  • 104.16.87.20
  • 104.16.89.20
  • 104.16.86.20
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO Suspicious Domain Request for Possible COVID-19 Domain M1
3088
iexplore.exe
Potentially Bad Traffic
ET INFO Suspicious GET Request with Possible COVID-19 Domain M1
3088
iexplore.exe
Potentially Bad Traffic
ET INFO Suspicious TLS SNI Request for Possible COVID-19 Domain M1
3088
iexplore.exe
Potentially Bad Traffic
ET INFO Possible COVID-19 Domain in SSL Certificate M2
3088
iexplore.exe
Potentially Bad Traffic
ET INFO Suspicious TLS SNI Request for Possible COVID-19 Domain M1
3088
iexplore.exe
Potentially Bad Traffic
ET INFO Suspicious TLS SNI Request for Possible COVID-19 Domain M1
3088
iexplore.exe
Potentially Bad Traffic
ET INFO Suspicious TLS SNI Request for Possible COVID-19 Domain M1
3088
iexplore.exe
Potentially Bad Traffic
ET INFO Suspicious TLS SNI Request for Possible COVID-19 Domain M1
3088
iexplore.exe
Potentially Bad Traffic
ET INFO Possible COVID-19 Domain in SSL Certificate M2
3088
iexplore.exe
Potentially Bad Traffic
ET INFO Possible COVID-19 Domain in SSL Certificate M2
No debug info