analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://www.tinyurl.com/2ohg2o4n

Full analysis: https://app.any.run/tasks/0c1e44dd-0c2f-4fae-8742-49faff37f1d8
Verdict: Malicious activity
Analysis date: August 12, 2022, 14:23:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

C22C640594A73C6BADE85A1BED12342A

SHA1:

71E43F32245850CE8DB757DA4DDD71D1B2DD54BC

SHA256:

3F0D239F1DE34893CFCE386A2F54755F16485772A3ED2EBBCA6DD6B984C8230F

SSDEEP:

3:N8DSL+ZLdI5UQn:2OL+1dWUQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3040)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 3040)
      • iexplore.exe (PID: 3132)
    • Reads the computer name

      • iexplore.exe (PID: 3040)
      • iexplore.exe (PID: 3132)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3040)
      • iexplore.exe (PID: 3132)
    • Changes internet zones settings

      • iexplore.exe (PID: 3132)
    • Application launched itself

      • iexplore.exe (PID: 3132)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3040)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3040)
      • iexplore.exe (PID: 3132)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3132"C:\Program Files\Internet Explorer\iexplore.exe" "https://www.tinyurl.com/2ohg2o4n"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\ntdll.dll
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3040"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3132 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events
16 556
Read events
16 436
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
17
Text files
57
Unknown types
10

Dropped files

PID
Process
Filename
Type
3040iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:589C442FC7A0C70DCA927115A700D41E
SHA256:2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
3040iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\CabC936.tmpcompressed
MD5:589C442FC7A0C70DCA927115A700D41E
SHA256:2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
3040iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\CabC8F5.tmpcompressed
MD5:589C442FC7A0C70DCA927115A700D41E
SHA256:2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
3040iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\TarC937.tmpcat
MD5:7EE994C83F2744D702CBA18693ED1758
SHA256:5DB917AB6DC8A42A43617850DFBE2C7F26A7F810B229B349E9DD2A2D615671D2
3132iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776binary
MD5:2EE6F5EC060FFFACD4985741689089F9
SHA256:DF0D52F35B25B1BF68CFD69FB934425AB6E9509553BC8AFF55D52F249BE04C22
3132iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3132iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verBC63.tmpxml
MD5:CBD0581678FA40F0EDCBC7C59E0CAD10
SHA256:159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9
3040iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751binary
MD5:A5D46ACF3E9AE81BF679CF3EB592569A
SHA256:84A5CA1139E5110D05752C8345E7AED6AAA96AEAB85BA00D62B43E61B53C64A9
3040iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\924367F2FE9CDA65FB343EEB1ABF95DDbinary
MD5:7FFD16751412D29DC4A69732B462D3E5
SHA256:4BBC79655EEC4F6FBFAEF1DA91C702454EC2C1A75C13C17D979B773566190756
3040iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\TarC8F6.tmpcat
MD5:7EE994C83F2744D702CBA18693ED1758
SHA256:5DB917AB6DC8A42A43617850DFBE2C7F26A7F810B229B349E9DD2A2D615671D2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
49
DNS requests
24
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3040
iexplore.exe
GET
301
172.67.1.225:80
http://tinyurl.com/2ohg2o4n
US
html
438 b
shared
3040
iexplore.exe
GET
200
41.63.96.0:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?bd37b386d06f85dd
ZA
compressed
60.2 Kb
whitelisted
3040
iexplore.exe
GET
200
95.140.236.0:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?46865307a4d018a2
GB
compressed
60.2 Kb
whitelisted
3132
iexplore.exe
GET
200
93.184.220.29:80
http://crl3.digicert.com/Omniroot2025.crl
US
der
7.78 Kb
whitelisted
3132
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
3040
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
US
der
471 b
whitelisted
3040
iexplore.exe
GET
200
104.96.143.115:80
http://x1.c.lencr.org/
NL
der
717 b
whitelisted
3040
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAxUEA1v8Bw%2BYX2R3lRH2nQ%3D
US
der
471 b
whitelisted
3040
iexplore.exe
GET
200
95.140.236.0:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0121939b82d9ad30
GB
compressed
4.70 Kb
whitelisted
3040
iexplore.exe
GET
200
104.83.4.154:80
http://e1.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTvkAFw3ViPKmUeIVEf3NC7b1ErqwQUWvPtK%2Fw2wjd5uVIw6lRvz1XLLqwCEgRjy9znccGo6O6AoAV5RNWGhg%3D%3D
NL
der
346 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3040
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3132
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3040
iexplore.exe
172.67.1.225:443
www.tinyurl.com
US
malicious
3132
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3040
iexplore.exe
104.20.139.65:443
www.tinyurl.com
Cloudflare Inc
US
suspicious
3132
iexplore.exe
13.107.21.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3132
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3040
iexplore.exe
95.140.236.0:80
ctldl.windowsupdate.com
Limelight Networks, Inc.
GB
whitelisted
3040
iexplore.exe
31.13.84.36:443
facebook.com
Facebook, Inc.
IE
whitelisted

DNS requests

Domain
IP
Reputation
www.tinyurl.com
  • 172.67.1.225
  • 104.20.139.65
  • 104.20.138.65
suspicious
ctldl.windowsupdate.com
  • 95.140.236.0
  • 95.140.236.128
  • 41.63.96.0
  • 41.63.96.128
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
crl3.digicert.com
  • 93.184.220.29
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
tinyurl.com
  • 172.67.1.225
  • 104.20.138.65
  • 104.20.139.65
shared
goakendmest.ga
  • 188.114.97.12
  • 188.114.96.12
malicious

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .ga Domain
3040
iexplore.exe
Potentially Bad Traffic
ET INFO Suspicious Domain (*.ga) in TLS SNI
3040
iexplore.exe
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.ga)
3040
iexplore.exe
Potentially Bad Traffic
ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.ga)
No debug info