analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://www.sj-software.de/mepla/mepla-50/install/sj_mepla_install.exe

Full analysis: https://app.any.run/tasks/631ee7e2-97a8-4e89-9f0a-abed9d5ff890
Verdict: Malicious activity
Analysis date: June 27, 2022, 08:56:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

26594F98C3D4166476498B151C2918EB

SHA1:

9BEF600700D83444C0489407400027F504FBE986

SHA256:

2C44F0746AAD7C9E1B8F5E36A8C74F3D81DE70FD5914D09BD7D9CE58E111D50E

SSDEEP:

3:N1KJS45pwJCpEHIQNqFN:Cc45prEoQkn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 924)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 924)
      • iexplore.exe (PID: 2200)
    • Reads the computer name

      • iexplore.exe (PID: 924)
      • iexplore.exe (PID: 2200)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2200)
    • Application launched itself

      • iexplore.exe (PID: 2200)
    • Changes internet zones settings

      • iexplore.exe (PID: 2200)
    • Reads internet explorer settings

      • iexplore.exe (PID: 924)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2200)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2200"C:\Program Files\Internet Explorer\iexplore.exe" "http://www.sj-software.de/mepla/mepla-50/install/sj_mepla_install.exe"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
924"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2200 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
9 352
Read events
9 237
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
8
Text files
7
Unknown types
4

Dropped files

PID
Process
Filename
Type
2200iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:28CC3D4B0DA8A29A9DCD6D4755C84342
SHA256:A4CA2DD1D4545838F7A9102623442BC76BDEB2185E9991A294BCB0B6456DDA0E
2200iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776der
MD5:790E40386A5478B54787C28956E029D7
SHA256:2A14CA44FA89C53F53111C7CAAE9155A460FA162BD822CCEAF7B7F74B8390557
2200iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\cropped-sj_bild_logo-32x32[1].jpgimage
MD5:330604D85065F3F3885EB88834B40F50
SHA256:50C13DE5487C27073CCB106F97D36465CB789197D0B5552D46CA1CD723ADEEFB
2200iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\imagestore\f7ruq93\imagestore.datbinary
MD5:F9E9A60C0008CDC4C6C91CACC1827B83
SHA256:856E78F57AACC916475FFEC0BE0940339DA0FD37F8AC854663FBE885D5343C98
2200iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:8F33294DEC42857BB6F910B3EE2791AE
SHA256:2B76386A9CB0A268AA3E985C7C4C9200C8735698BAF61644318C55270EDEC41B
2200iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_9F6005AF34C7906F717D420F892FD6D0der
MD5:3CF0BF1FAF2AA2F8770A3F03C4388F47
SHA256:36530CB098DAA657948C48A30B966FF389A12EA7F0D58A47422071FD1ACA6AB6
2200iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[1].htmhtml
MD5:B8CE9384F6C359DE268FCE6D06C2A38F
SHA256:97E6F018B47AA2B5E9CDC4C416CE08D31124596B0AE1776AAB014E32DCD2EFC7
2200iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\favicon[2].icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
2200iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:1D695780FB98C96AAE70750F77599D4A
SHA256:F7FFF4977280A85E26991884CA28B08E5EA5DBBE52A1E5F4C7B3F612CA2BFA03
2200iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8Fder
MD5:DF6DEECBA36F8D0AF53EAFA9C51AB1F7
SHA256:60D1053BDE5FBCA23ED8976F1EABAEE9C4BB459D9C997E5A76BB2182EE916D98
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
9
TCP/UDP connections
18
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
924
iexplore.exe
GET
401
217.160.0.77:80
http://www.sj-software.de/mepla/mepla-50/install/sj_mepla_install.exe
DE
html
681 b
malicious
GET
302
217.160.0.77:80
http://www.sj-software.de/favicon.ico
DE
html
222 b
malicious
2200
iexplore.exe
GET
200
93.184.220.29:80
http://crl3.digicert.com/Omniroot2025.crl
US
der
7.78 Kb
whitelisted
2200
iexplore.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2e50a28c016993cb
US
compressed
4.70 Kb
whitelisted
924
iexplore.exe
GET
401
217.160.0.77:80
http://www.sj-software.de/mepla/mepla-50/install/sj_mepla_install.exe
DE
html
681 b
malicious
2200
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
2200
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEA9iL28hwv9dUh9yOh1H1i0%3D
US
der
471 b
whitelisted
2200
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
2200
iexplore.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1ab15ec9db8b2787
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2200
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2200
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
924
iexplore.exe
217.160.0.77:80
www.sj-software.de
1&1 Internet SE
DE
malicious
2200
iexplore.exe
13.107.22.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
217.160.0.77:80
www.sj-software.de
1&1 Internet SE
DE
malicious
2200
iexplore.exe
93.184.221.240:80
ctldl.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2200
iexplore.exe
217.160.0.77:443
www.sj-software.de
1&1 Internet SE
DE
malicious

DNS requests

Domain
IP
Reputation
www.sj-software.de
  • 217.160.0.77
malicious
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 131.253.33.200
  • 13.107.22.200
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
crl3.digicert.com
  • 93.184.220.29
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted

Threats

PID
Process
Class
Message
924
iexplore.exe
Potential Corporate Privacy Violation
ET POLICY Outgoing Basic Auth Base64 HTTP Password detected unencrypted
No debug info