URL: https://www.paypal.com/myaccount/settings/

Full analysis: https://app.any.run/tasks/142b90ae-ca35-4cd9-aa4f-4ce42e451314
Verdict: Malicious activity
Analysis date: April 14, 2019, 22:47:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 382A8D5F6D8120AF95AD00D048E4ED17
SHA1: 41B2A20F8C93495D461BB88517BBC095A481ACD5
SHA256: 2F60F4DFBCDB337ED0843DA1AC13D3F99B76110B1A422B30A0035D6F6EF35187
SSDEEP: 3:N8DSLiyTTqQUKVK:2OLbTTgoK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    No suspicious indicators.
  • INFO
    • Changes internet zones settings
      • iexplore.exe (PID: 2936)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3404)
    • Application launched itself
      • iexplore.exe (PID: 2936)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2936)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3404)
      • iexplore.exe (PID: 2936)
    • Changes settings of System certificates
      • iexplore.exe (PID: 2936)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 2936)
    • Creates files in the user directory
      • iexplore.exe (PID: 3404)
      • iexplore.exe (PID: 2936)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> iexplore.exe -> iexplore.exe

Process information

PID: 2936
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://www.paypal.com/myaccount/settings/
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators: (none listed)
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3404
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2936 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators: (none listed)
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 539
Read events: 418
Write events: 117
Delete events: 4

Modification events

Process: (2936) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

Process: (2936) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

Process: (2936) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

Process: (2936) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation: write
Name: SecuritySafe
Value: 1

Process: (2936) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

Process: (2936) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value:

Process: (2936) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation: write
Name: {4352ED51-5F07-11E9-B3B3-5254004A04AF}
Value: 0

Process: (2936) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Type
Value: 4

Process: (2936) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Count
Value: 1

Process: (2936) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Time
Value: E307040000000E0016002F0016004401
Executable files: 0
Suspicious files: 5
Text files: 65
Unknown types: 9

Dropped files

PID: 2936  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:

PID: 2936  Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:

PID: 3404  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@paypal[1].txt
MD5:
SHA256:

PID: 3404  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FZZKSFCQ\how-do-i-check-and-update-my-web-browser-faq3893[1].txt
MD5:
SHA256:

PID: 3404  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat
Type: dat
MD5: B97BD4416F1B7939E534046BF2B2772B
SHA256: 9093F12B0C2347E0D17E4C9CE6CF0F1C2F0FC4A02E4305161F5D0A8507142EC4

PID: 3404  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.dat
Type: dat
MD5: C4AC742437FF61CD7EE84044846D37C4
SHA256: 07C980839A09EBD9B828EE47A8FDEBF82DB00F4BEACCAFD5A8579A14566B14DD

PID: 3404  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\[email protected][1].txt
Type: text
MD5: 6E12408F554C2F0C09EFF7C4FF73BD3F
SHA256: BC1C8A396F3E453DD67C2BB146D0D7AA14F230EF3B83A4E0976820C31EF00A3C

PID: 3404  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FZZKSFCQ\how-do-i-check-and-update-my-web-browser-faq3893[1].htm
Type: html
MD5: 8608D15891E5D804D376F844B5C5720D
SHA256: 2F293DAAC258AE4BF625E8DEF86C2B5B0F3FD92C68059ADFDF64A3A1EF946C70

PID: 3404  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FZZKSFCQ\node-rac[1].js
Type: text
MD5: AB0998BE643AF3EB837AD03B436F205A
SHA256: 5D1099762619E24A0C397A1C5D7D83CB748F9CC4219606F71E098EB0BFAD3DAB

PID: 3404  Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Y5AJORN9\app[1].css
Type: text
MD5: DE437EB62B3AB912C5AE08B63D51BDFB
SHA256: A80BD34F203FECFEF7F9E7E12A96E82C5243C42C1C8B0C073DFB59FAD0649B99
HTTP(S) requests: 75
TCP/UDP connections: 44
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3404 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/sa/simg/SharedSpriteDesktopRewards_022118.png | US | image | 5.73 Kb | whitelisted
3404 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/rs/30/1H/cj,nj/5983aa50/f8c6dd44.js | US | text | 773 b | whitelisted
3404 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/fd/ls/l?IG=A8E2D04CEA014E5991FC6E98D547C56B&CID=38EDF1FA51E165742AAAFCC450FF64AB&Type=Event.CPT&DATA={"pp":{"S":"L","FC":78,"BC":266,"SE":-1,"TC":-1,"H":349,"BP":411,"CT":419,"IL":12},"ad":[-1,-1,1260,560,1260,498,0]}&P=SERP&DA=DUB02 | US | image | 190 b | whitelisted
3404 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/rb/5p/cj,nj/3e6a7d75/9a358300.js?bu=EoAfnx_GHsse4wTZHtseqx_dHuQe7B6XH5UfiR_6HYQdhx39HQ | US | text | 4.95 Kb | whitelisted
3404 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/rb/16/cj,nj/1b7dfb88/cc8437ad.js?bu=DikuW2tvc2dfY6sBrwEunwEu | US | text | 7.54 Kb | whitelisted
3404 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/rs/30/1X/cj,nj/4c7364c5/40e1b425.js | US | text | 816 b | whitelisted
2936 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
3404 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/search?q=paypal+adder+money+hak&src=IE-SearchBox&FORM=IE8SRC | US | html | 58.8 Kb | whitelisted
2936 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
3404 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/rb/16/cj,nj/1b7dfb88/cc8437ad.js?bu=DikuW2tvc2dfY6sBrwEunwEu | US | text | 7.54 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2936 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3404 | iexplore.exe | 23.210.248.226:443 | www.paypal.com | Akamai International B.V. | NL | whitelisted
3404 | iexplore.exe | 104.16.85.20:443 | cdn.jsdelivr.net | Cloudflare Inc | US | shared
2936 | iexplore.exe | 23.210.248.226:443 | www.paypal.com | Akamai International B.V. | NL | whitelisted
 | | 52.58.207.81:443 | nexus.ensighten.com | Amazon.com, Inc. | DE | unknown
3404 | iexplore.exe | 52.58.207.81:443 | nexus.ensighten.com | Amazon.com, Inc. | DE | unknown
3404 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3404 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
3404 | iexplore.exe | 204.79.197.222:80 | b1e01171f2971a0b459e608aecdeaf61.clo.footprintdns.com | Microsoft Corporation | US | whitelisted
3404 | iexplore.exe | 52.231.32.10:80 | f6f058a26c9b9f53db22d4b4de35c0dc.clo.footprintdns.com | Microsoft Corporation | KR | whitelisted


DNS requests

Domain | IP | Reputation
www.paypal.com | 23.210.248.226 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
www.paypalobjects.com | 23.210.248.226 | whitelisted
cdn.jsdelivr.net | 104.16.85.20, 104.16.88.20, 104.16.89.20, 104.16.87.20, 104.16.86.20 | whitelisted
nexus.ensighten.com | 52.58.207.81, 35.157.3.192 | whitelisted
tse1.mm.bing.net | 204.79.197.200, 13.107.21.200 | whitelisted
login.live.com | 64.4.16.218, 64.4.16.216, 64.4.16.214 | whitelisted
b1e01171f2971a0b459e608aecdeaf61.clo.footprintdns.com | 204.79.197.222 | suspicious
68dace1e227a9e2c9fee4d84f2227b05.clo.footprintdns.com | 13.107.3.254 | suspicious
734e1e4552569ac3683d09e315c2b241.clo.footprintdns.com | 13.107.4.254 | suspicious


Threats

PID | Process | Class | Message
3404 | iexplore.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions
No debug info