analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://omnatuor.com/ck

Full analysis: https://app.any.run/tasks/b62ae6a9-009f-4e24-a9bf-a1a1e18e7457
Verdict: Malicious activity
Analysis date: June 27, 2022, 07:42:25
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

468C7701699EE449BC12D0371D0CB6E0

SHA1:

AF84FA63F2B87337654F8D2E696EBD447E5E7A8A

SHA256:

2C747F3074194FC24CF15BD37B69F09D4C61A64C18FB92DDDB14495858F7E33C

SSDEEP:

3:N8BLEtHn:2mh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2972)

  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 2800)
      • iexplore.exe (PID: 2972)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2972)
      • iexplore.exe (PID: 2800)

    • Checks supported languages

      • iexplore.exe (PID: 2972)
      • iexplore.exe (PID: 2800)

    • Changes internet zones settings

      • iexplore.exe (PID: 2800)

    • Application launched itself

      • iexplore.exe (PID: 2800)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2972)
      • iexplore.exe (PID: 2800)

    • Creates files in the user directory

      • iexplore.exe (PID: 2972)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2800"C:\Program Files\Internet Explorer\iexplore.exe" "https://omnatuor.com/ck"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2972"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2800 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events
13 479
Read events
13 362
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
11
Text files
8
Unknown types
6

Dropped files

PID
Process
Filename
Type
2972iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\H11EUYY6.txttext
MD5:E2B6B372C040065408AB3A2DE5847A31
SHA256:11682228B8C2949AE2FF49C1A499594981F6D0EBE24A1A3926BD81A4BFB51CEA
2972iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751binary
MD5:E0EC47B3B8AEA8412EC0BF722D2D9CED
SHA256:BF6375DEC46411526766E994D447C130246EC282BC3CF6A4A2009DC473E0DCF2
2972iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\ID08F9HW.txttext
MD5:292095720486D1AF04AF8A66CCED25C0
SHA256:6BFB63728F1F810307F989738F179B926218C69113441194B07599FF703D5721
2972iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1F50734E840AC91A08107D04F120FA9Fbinary
MD5:A114715485D67FC3B521384049EEAAE6
SHA256:2D8DC2BDD7B8791431DDB6ACFDA7EE3BC42F1790172F80FA3C8F4519075AD61A
2972iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\TarAC16.tmpcat
MD5:2D8A5090656DE9FB55DD0F3BA20F9299
SHA256:44AE1E61A4E6305C15AAA52FD1B29DDB060E69233703CBA611F5E781D766442E
2972iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EC2512E6E3936FADCCE8F2AE4829565Fbinary
MD5:8FB75406E279CFD7725270AE1BF9EA18
SHA256:89571E0BD4F03BF4DD34FE6FB42114A86A651CB2F60541445E384BF9FED6798C
2972iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:308336E7F515478969B24C13DED11EDE
SHA256:889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9
2972iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:F7DCB24540769805E5BB30D193944DCE
SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
2800iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\urlblockindex[1].binbinary
MD5:FA518E3DFAE8CA3A0E495460FD60C791
SHA256:775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
2972iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EC2512E6E3936FADCCE8F2AE4829565Fder
MD5:3B93C53ECB7914743251128820156437
SHA256:69159D53DFCEE3806F367CA70AFED41AAA17D869C572DD14A1F4D185EA24F389
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
33
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2972
iexplore.exe
GET
200
184.24.77.54:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgNcP%2FYIVAPRWx0VVW8zbeePIA%3D%3D
US
der
503 b
shared
2972
iexplore.exe
GET
200
184.24.77.48:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgNMdnVIJ5qaFEaSuSKGYPPGhA%3D%3D
US
der
503 b
shared
2972
iexplore.exe
GET
200
8.248.95.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?379f6632df11727d
US
compressed
60.0 Kb
whitelisted
2800
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
2972
iexplore.exe
GET
200
67.27.141.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?990b70dac08a19f7
US
compressed
4.70 Kb
whitelisted
2972
iexplore.exe
GET
200
23.45.105.185:80
http://x1.c.lencr.org/
NL
der
717 b
whitelisted
2800
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
2972
iexplore.exe
GET
200
8.248.95.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e4425510b7c8ff5f
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2972
iexplore.exe
139.45.197.253:443
omnatuor.com
US
suspicious
2972
iexplore.exe
184.24.77.48:80
r3.o.lencr.org
Time Warner Cable Internet LLC
US
unknown
2972
iexplore.exe
184.24.77.54:80
r3.o.lencr.org
Time Warner Cable Internet LLC
US
suspicious
2800
iexplore.exe
131.253.33.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2972
iexplore.exe
139.45.197.247:443
zuphaims.com
US
malicious
2972
iexplore.exe
99.86.4.65:443
www.gearbest.com
AT&T Services, Inc.
US
suspicious
2972
iexplore.exe
23.45.105.185:80
x1.c.lencr.org
Akamai International B.V.
NL
unknown
2972
iexplore.exe
8.248.95.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious
2800
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2972
iexplore.exe
67.27.141.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
omnatuor.com
  • 139.45.197.253
malicious
ctldl.windowsupdate.com
  • 8.248.95.254
  • 67.27.141.254
  • 8.247.185.126
  • 8.248.93.254
  • 8.248.101.254
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 131.253.33.200
  • 13.107.22.200
whitelisted
x1.c.lencr.org
  • 23.45.105.185
whitelisted
r3.o.lencr.org
  • 184.24.77.54
  • 184.24.77.79
  • 184.24.77.48
shared
zuphaims.com
  • 139.45.197.247
suspicious
www.gearbest.com
  • 99.86.4.65
  • 99.86.4.128
  • 99.86.4.18
  • 99.86.4.108
whitelisted
my.rtmark.net
  • 139.45.195.8
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://omnatuor.com/ck