URL: http://testcoronavirusrdc.info

Full analysis: https://app.any.run/tasks/4d4bba13-91fc-44c4-8592-5a1665e41395
Verdict: Malicious activity
Analysis date: March 30, 2020, 18:36:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: covid19
Indicators:
MD5: 1EA49467D89AB0E294CDB115D5F283EF
SHA1: 15045734ED6FB1548AF78E18C97321C8B78BDE99
SHA256: 309DA36FD94BC82D81CAB0556F653F95024D73323C2F33E50B93096C928920FC
SSDEEP: 3:N1KKAGQ6ktK:CKxr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS: No malicious indicators.
  • SUSPICIOUS: No suspicious indicators.
  • INFO
    • Drops Coronavirus (possible) decoy: iexplore.exe (PID: 3088)
    • Application launched itself: iexplore.exe (PID: 3832)
    • Reads Internet Cache Settings: iexplore.exe (PID: 3088), iexplore.exe (PID: 3832)
    • Reads settings of System Certificates: iexplore.exe (PID: 3088), iexplore.exe (PID: 3832)
    • Creates files in the user directory: iexplore.exe (PID: 3088), iexplore.exe (PID: 3832)
    • Changes internet zones settings: iexplore.exe (PID: 3832)
    • Reads Internet Explorer settings: iexplore.exe (PID: 3088)
    • Adds / modifies Windows certificates: iexplore.exe (PID: 3832)
    • Changes settings of System certificates: iexplore.exe (PID: 3832)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.
No data.
All screenshots are available in the full report.
Total processes: 39
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph: start → iexplore.exe → iexplore.exe

Process information

PID 3832
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://testcoronavirusrdc.info"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 3088
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3832 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 6 752
Read events: 467
Write events: 0
Delete events: 0
Modification events: No data

Executable files: 0
Suspicious files: 43
Text files: 123
Unknown types: 27

Dropped files

PID | Process | Filename | Type
3088 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\8QU1CQCK.htm | html
MD5:985C97C9E29699CE2774E942BD7E68AC
SHA256:DA8974CC86057911B3E39D040BB59EBC7937668BACC01638F7F59F436209719D
3088 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\style[1].css | text
MD5:D0E0CA6135F41B5623F398AD2066FA54
SHA256:B135070815C94DCD4BEF9DBD4349E237BCBCED26CBB30A90F695BD233711E429
3088 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\style.min[1].css | text
MD5:9EEDDC51B0B4A2580A959042D50F826E
SHA256:D9662B4B9BA6C2C3691CE0ACD4572E027366EB97D6070550A13429262BB0037F
3088 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\styles[1].css | text
MD5:8983E25A91F5C9981FB973BDBE189D33
SHA256:811E8960B8F79F14983E30DF80A4CCC69D82430CCC0520D2A1A3D1405CFBB2A1
3088 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\dashicons.min[1].css | text
MD5:C8956481E00463F838B45364F45756DF
SHA256:18AA66C192CBEF43A61B1398C292AE5C6C1D40D679428EE998B1C6BFAF61D75A
3088 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\mediaelementplayer-legacy.min[1].css | text
MD5:C53C2F4DD23046CE2127477792AECB20
SHA256:B834A80037718E3DA7F92199034DC59611ED774AF41F1E84FA1E0D97C4261192
3088 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\givejs[1].js | text
MD5:B85300FA7218AFA158A25E2D4E309C65
SHA256:33D39253D3923E433EB95797D29AC387D5A4DDC5B953EE254DCBC39CE530D3FE
3088 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\givecss[1].css | text
MD5:5A364288269E9FD1855C5345A8A680CD
SHA256:5164BCA728C59A5F202D8170F00BD11AAF4B7F75C8508D55321FFEE4F85D7572
3088 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\style[1].css | text
MD5:4CE2FBE0D9DEB0BA211AADB340D17DDB
SHA256:83E77215028EB95FF473ECB8118CC9898D6612EEA3432CA5899BA6075FC04657
3088 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\givecss[2].css | text
MD5:1CF60F66A2FF7A330CAFA99FDFE1867C
SHA256:778EC1396D6125ACDFDD89CE51026A6B414583FE8D2DD0CB666C5B49AFB40C43
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report.

HTTP(S) requests: 111
TCP/UDP connections: 85
DNS requests: 22
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3088 | iexplore.exe | GET | 200 | 51.178.102.230:80 | http://stopcoronavirusrdc.lumsglobal.fr/wp-content/plugins/pagelayer/css/givecss.php?give=pagelayer-frontend.css%2Cnivo-lightbox.css%2Canimate.min.css%2Cowl.carousel.min.css%2Cowl.theme.default.min.css&ver=1.0.8 | GB | text | 16.7 Kb | suspicious
3088 | iexplore.exe | GET | 200 | 51.178.102.230:80 | http://stopcoronavirusrdc.lumsglobal.fr/wp-content/plugins/everest-forms/assets/css/everest-forms.css?ver=1.6.4 | GB | text | 3.19 Kb | suspicious
3088 | iexplore.exe | GET | 200 | 51.178.102.230:80 | http://stopcoronavirusrdc.lumsglobal.fr/wp-includes/css/dist/block-library/style.min.css?ver=5.3.2 | GB | text | 6.00 Kb | suspicious
3088 | iexplore.exe | GET | 200 | 51.178.102.230:80 | http://stopcoronavirusrdc.lumsglobal.fr/wp-content/plugins/contact-form-7-multi-step-module/resources/cf7msm.css?ver=4.0.2 | GB | text | 100 b | suspicious
3088 | iexplore.exe | GET | 200 | 51.178.102.230:80 | http://stopcoronavirusrdc.lumsglobal.fr/wp-includes/css/dashicons.min.css?ver=5.3.2 | GB | text | 27.8 Kb | suspicious
3088 | iexplore.exe | GET | 200 | 51.178.102.230:80 | http://stopcoronavirusrdc.lumsglobal.fr/ | GB | html | 34.9 Kb | suspicious
3088 | iexplore.exe | GET | 200 | 51.178.102.230:80 | http://stopcoronavirusrdc.lumsglobal.fr/wp-content/themes/flash-child/style.css?ver=5.3.2 | GB | text | 258 b | suspicious
3088 | iexplore.exe | GET | 200 | 51.178.102.230:80 | http://stopcoronavirusrdc.lumsglobal.fr/wp-content/themes/flash/style.css?ver=5.3.2 | GB | text | 13.3 Kb | suspicious
3088 | iexplore.exe | GET | 200 | 51.178.102.230:80 | http://stopcoronavirusrdc.lumsglobal.fr/wp-content/plugins/pagelayer/css/givecss.php?give=font-awesome5.min.css&ver=1.0.8 | GB | text | 15.7 Kb | suspicious
3088 | iexplore.exe | GET | 200 | 51.178.102.230:80 | http://stopcoronavirusrdc.lumsglobal.fr/wp-content/plugins/cf7-conditional-fields/style.css?ver=1.8.3 | GB | text | 618 b | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3088 | iexplore.exe | 69.164.220.55:80 | cdn.html5maps.com | Linode, LLC | US | unknown
3088 | iexplore.exe | 172.217.18.163:80 | crl.pki.goog | Google Inc. | US | whitelisted
3088 | iexplore.exe | 172.217.23.131:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
3088 | iexplore.exe | 51.178.102.230:80 | stopcoronavirusrdc.lumsglobal.fr | - | GB | suspicious
3832 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3088 | iexplore.exe | 172.217.22.74:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
3088 | iexplore.exe | 213.186.33.5:80 | - | OVH SAS | FR | malicious
3088 | iexplore.exe | 172.217.22.35:443 | fonts.gstatic.com | Google Inc. | US | whitelisted
3088 | iexplore.exe | 172.217.16.206:443 | www.youtube.com | Google Inc. | US | whitelisted
3088 | iexplore.exe | 172.217.18.98:443 | googleads.g.doubleclick.net | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
testcoronavirusrdc.info | 209.197.3.24 | malicious
stopcoronavirusrdc.lumsglobal.fr | 51.178.102.230 | suspicious
cdn.html5maps.com | 69.164.220.55 | unknown
fonts.googleapis.com | 172.217.22.74 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
ocsp.pki.goog | 172.217.23.131 | whitelisted
crl.pki.goog | 172.217.18.163 | whitelisted
fonts.gstatic.com | 172.217.22.35 | whitelisted
www.youtube.com | 172.217.16.206, 172.217.23.110, 172.217.22.78, 172.217.21.238, 172.217.21.206, 172.217.16.142, 172.217.23.174, 172.217.23.142, 216.58.205.238, 172.217.22.14, 216.58.206.14, 172.217.18.110, 172.217.18.174 | whitelisted

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET INFO Suspicious Domain Request for Possible COVID-19 Domain M2
3088 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 Domain M2
- | - | Potentially Bad Traffic | ET INFO Suspicious Domain Request for Possible COVID-19 Domain M2
3088 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 Domain M2
3088 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 Domain M2
3088 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 Domain M2
3088 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 Domain M2
3088 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 Domain M2
3088 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 Domain M2
3088 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 Domain M2
No debug info