analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://ewanand.co/snd/index.php?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&[email protected]&.rand=13InboxLight.aspx?n=1774256418&fid=4

Full analysis: https://app.any.run/tasks/e1db17fd-fea3-4b9a-801c-01b80974bd18
Verdict: Malicious activity
Analysis date: March 31, 2020, 06:33:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

FC849BBAA6A770BBB4C2513483D6AEB6

SHA1:

20628C3BD0EE2C0DA014A150EEBC1EF7622A218D

SHA256:

3F923419C522F019F3591CC1EAEECC8556F84EAF4E206461A58178FDEB12D0EB

SSDEEP:

6:Cj+k1MkHcESUWf/PEfMzlTDMuZclSplEfMw2TDMk+L8kkSXgWpMWEfMe:hkGkI/8kbal4ykwi0DnXlUke

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2616)
      • iexplore.exe (PID: 3244)
    • Application launched itself

      • iexplore.exe (PID: 3244)
    • Changes internet zones settings

      • iexplore.exe (PID: 3244)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2616)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3244)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3244)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3244)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe outlook.exe no specs outlook.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3244"C:\Program Files\Internet Explorer\iexplore.exe" "http://ewanand.co/snd/index.php?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&[email protected]&.rand=13InboxLight.aspx?n=1774256418&fid=4"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2616"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3244 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3336"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:[email protected]"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXEiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
3152"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE" -c IPM.Note /m "mailto:[email protected]"C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXEiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Outlook
Exit code:
0
Version:
14.0.6025.1000
Total events
6 515
Read events
907
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
5
Unknown types
3

Dropped files

PID
Process
Filename
Type
3244iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3244iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\suspendedpage[1].htmhtml
MD5:FD2C7D1ECC5F789E4E8D262A49AC86C0
SHA256:DDF4EE440CCE4489F8D157195AB1F28DE67CEDAB7E2DE9A0F0568877EDEF7985
2616iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\suspendedpage[1].htmhtml
MD5:FD2C7D1ECC5F789E4E8D262A49AC86C0
SHA256:DDF4EE440CCE4489F8D157195AB1F28DE67CEDAB7E2DE9A0F0568877EDEF7985
2616iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\suspendedpage[1].htmhtml
MD5:FD2C7D1ECC5F789E4E8D262A49AC86C0
SHA256:DDF4EE440CCE4489F8D157195AB1F28DE67CEDAB7E2DE9A0F0568877EDEF7985
2616iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\all[1].csstext
MD5:42EAA52604673B64D6B356C2FD7F87E3
SHA256:ED0F122470C4D13D86BBABDC38046D743D0228204A56D786D2E17BD83FD358CE
3244iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[1].icoimage
MD5:9FB559A691078558E77D6848202F6541
SHA256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
2616iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\fa-solid-900[1].eoteot
MD5:10C304F14CD2F6B6BED2AE7F574F03AF
SHA256:F5D00BFD4457C03601F28E200ED5DB6E5BF58B332164A1E630FA6AAFCFAB6BCB
2616iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\fa-regular-400[1].eoteot
MD5:D7DE79CAE74B02F2D377786656F1D816
SHA256:E73D73F67B277568AB01D56322D1A01D66409A8F947735DD738FE2DCB6BB0C58
2616iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DATsmt
MD5:0392ADA071EB68355BED625D8F9695F3
SHA256:B1313DD95EAF63F33F86F72F09E2ECD700D11159A8693210C37470FCB84038F7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
17
DNS requests
7
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2616
iexplore.exe
GET
304
23.111.9.35:80
http://use.fontawesome.com/releases/v5.0.6/css/all.css
US
whitelisted
3244
iexplore.exe
GET
200
173.254.28.82:80
http://ewanand.co/cgi-sys/suspendedpage.cgi
US
html
7.40 Kb
malicious
2616
iexplore.exe
GET
200
173.254.28.82:80
http://ewanand.co/cgi-sys/suspendedpage.cgi?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&[email protected]&.rand=13InboxLight.aspx?n=1774256418&fid=4
US
html
4.13 Kb
malicious
2616
iexplore.exe
GET
200
23.111.9.35:80
http://use.fontawesome.com/releases/v5.0.6/webfonts/fa-regular-400.eot?
US
eot
15.6 Kb
whitelisted
2616
iexplore.exe
GET
304
23.111.9.35:80
http://use.fontawesome.com/releases/v5.0.6/webfonts/fa-regular-400.eot?
US
whitelisted
2616
iexplore.exe
GET
304
23.111.9.35:80
http://use.fontawesome.com/releases/v5.0.6/webfonts/fa-solid-900.eot?
US
whitelisted
3244
iexplore.exe
GET
302
173.254.28.82:80
http://ewanand.co/favicon.ico
US
html
287 b
malicious
3244
iexplore.exe
GET
302
173.254.28.82:80
http://ewanand.co/favicon.ico
US
html
287 b
malicious
3244
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
2616
iexplore.exe
GET
200
23.111.9.35:80
http://use.fontawesome.com/releases/v5.0.6/css/all.css
US
text
8.50 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2616
iexplore.exe
23.111.9.35:80
use.fontawesome.com
netDNA
US
suspicious
2616
iexplore.exe
173.254.28.82:80
ewanand.co
Unified Layer
US
malicious
3244
iexplore.exe
173.254.28.82:80
ewanand.co
Unified Layer
US
malicious
3244
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3244
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
ewanand.co
  • 173.254.28.82
malicious
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
use.fontawesome.com
  • 23.111.9.35
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted

Threats

PID
Process
Class
Message
2616
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] Adobe PDF Phishing Landing
No debug info