analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://tinyurl.com/2p844rby

Full analysis: https://app.any.run/tasks/dfe3818a-0768-4933-b64b-ccc8bbe5c89e
Verdict: Malicious activity
Analysis date: January 24, 2022, 18:01:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

90F92425C3539CF8F7D1C5A2E3572857

SHA1:

1D8DC172B42B60324223355F1F08EC18D1C16E11

SHA256:

2EB0CA20FA5E2D7BA2ED683F8F992C4CE50D581C0D4D8B457922B454232CDFBE

SSDEEP:

3:N8EzLdIEHc:2Ends

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3412)
    • Checks supported languages

      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 3180)
    • Executed via COM

      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 3180)
    • Reads the computer name

      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 3180)
    • Creates files in the user directory

      • FlashUtil32_32_0_0_453_ActiveX.exe (PID: 3180)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 3412)
      • iexplore.exe (PID: 2972)
    • Reads the computer name

      • iexplore.exe (PID: 3412)
      • iexplore.exe (PID: 2972)
    • Application launched itself

      • iexplore.exe (PID: 2972)
    • Changes internet zones settings

      • iexplore.exe (PID: 2972)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3412)
      • iexplore.exe (PID: 2972)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3412)
      • iexplore.exe (PID: 2972)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2972)
    • Creates files in the user directory

      • iexplore.exe (PID: 3412)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2972)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3412)
    • Reads CPU info

      • iexplore.exe (PID: 3412)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe flashutil32_32_0_0_453_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2972"C:\Program Files\Internet Explorer\iexplore.exe" "https://tinyurl.com/2p844rby"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3412"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2972 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3180C:\Windows\system32\Macromed\Flash\FlashUtil32_32_0_0_453_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_32_0_0_453_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe
Integrity Level:
MEDIUM
Description:
Adobe� Flash� Player Installer/Uninstaller 32.0 r0
Version:
32,0,0,453
Modules
Images
c:\windows\system32\macromed\flash\flashutil32_32_0_0_453_activex.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
Total events
25 413
Read events
25 240
Write events
171
Delete events
2

Modification events

(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30937420
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30937420
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2972) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
0
Suspicious files
22
Text files
221
Unknown types
35

Dropped files

PID
Process
Filename
Type
2972iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:FC990EAA7247546FB67C18916A4CAC9B
SHA256:294F5BE9159C87842AD3173FE7CDA168C9F2010C6D428085A8AC30EF436CA993
3412iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\2p844rby[1].htmhtml
MD5:663F3FAFCB8AAAF1D7137E34859D1FB1
SHA256:DFC2829CF3A1D0FD34F5167E4E11D22DF8A699C268F6F0D4A4DE005935238561
3412iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:FB60CCFED64B03BB7B811D62A7EA962D
SHA256:F783BCD4A4D914DEA56D6EC25023CE635E1635979B3D9FC10861F0D2799BFBF1
2972iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8Fder
MD5:E1EAE72E3715286294FAE5B772B54D91
SHA256:CDF348AD50D67BDDAA3E15E75B24A792DBCF8A8C72519F12C357A96FAF381C03
3412iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\TarC712.tmpcat
MD5:D99661D0893A52A0700B8AE68457351A
SHA256:BDD5111162A6FA25682E18FA74E37E676D49CAFCB5B7207E98E5256D1EF0D003
3412iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27der
MD5:494A7483CEAF488A79CB45418E88ECCD
SHA256:9A65904F97742B3D8844EFAFCE7D9E9DA7C1B96A8FDE541E718768AE68293D50
2972iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[2].icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
2972iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
2972iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:CC39130930227FC3A07B00A13D439126
SHA256:7E3774E8F263ED2D540661A829A452AFEF8869D9EAEA5AC17FFF752583719F12
3412iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:4DE8AE5E2D33ABD8C79597B107717DF9
SHA256:267590B463971813D11F18C1001C681B9CA0619B485DA8A151D7A03E4CA7EBA5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
191
TCP/UDP connections
71
DNS requests
25
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2972
iexplore.exe
GET
200
93.184.220.29:80
http://crl3.digicert.com/Omniroot2025.crl
US
der
7.68 Kb
whitelisted
3412
iexplore.exe
GET
301
18.66.248.25:80
http://w.sharethis.com/button/st_insights.js?publisher=eba0f3ba-f9ab-408c-bc68-c28af5afe749&product=feather
US
html
183 b
shared
2972
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
3412
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
3412
iexplore.exe
GET
200
23.45.105.185:80
http://x1.c.lencr.org/
NL
der
717 b
whitelisted
2972
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
3412
iexplore.exe
GET
200
8.241.78.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a0f0bf028bae6d23
US
compressed
59.9 Kb
whitelisted
3412
iexplore.exe
GET
200
142.250.184.195:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
3412
iexplore.exe
GET
200
95.101.89.24:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgTnkKB9NEQ7qRnEtTk0SHdT0g%3D%3D
unknown
der
503 b
shared
3412
iexplore.exe
GET
200
200.58.110.205:80
http://playfmradio.com/
AR
html
28.5 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3412
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2972
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2972
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3412
iexplore.exe
172.67.1.225:443
tinyurl.com
US
malicious
3412
iexplore.exe
185.197.249.155:443
www.newstar-hotel.com
QuickPacket, LLC
US
suspicious
2972
iexplore.exe
131.253.33.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3412
iexplore.exe
8.253.95.120:80
ctldl.windowsupdate.com
Global Crossing
US
suspicious
3412
iexplore.exe
8.241.78.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious
3412
iexplore.exe
142.11.248.124:443
ceskaposta.forumz.info
Hostwinds LLC.
US
unknown
3412
iexplore.exe
95.101.89.24:80
r3.o.lencr.org
Akamai International B.V.
unknown

DNS requests

Domain
IP
Reputation
tinyurl.com
  • 172.67.1.225
  • 104.20.139.65
  • 104.20.138.65
shared
ctldl.windowsupdate.com
  • 8.241.78.254
  • 8.253.95.120
  • 8.253.207.121
  • 67.27.233.254
  • 8.253.204.249
whitelisted
api.bing.com
  • 13.107.13.80
whitelisted
www.bing.com
  • 131.253.33.200
  • 13.107.22.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
crl3.digicert.com
  • 93.184.220.29
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
www.newstar-hotel.com
  • 185.197.249.155
suspicious
x1.c.lencr.org
  • 23.45.105.185
whitelisted

Threats

No threats detected
No debug info