URL: http://connex.tcslandg.net

Full analysis: https://app.any.run/tasks/61f75947-a7aa-4373-aa03-bd555c10a3e3
Verdict: Malicious activity
Analysis date: March 31, 2020, 10:27:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adware
Indicators:
MD5: 14AB95E4329587F1C9139851E350877B
SHA1: FF075DF80C0D4C14FAC5E5506DBC64E2B23F2682
SHA256: 40F4E1255D7C52EA9DF1EDB55AD8162E4B8BC1A3F45B84816C953802C18C46CE
SSDEEP: 3:N1KdKL002L0:CIINL0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 1740)
    • Creates files in the user directory

      • iexplore.exe (PID: 3276)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3276)
      • iexplore.exe (PID: 1740)
    • Application launched itself

      • iexplore.exe (PID: 1740)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3276)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 1740)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1740)
    • Changes settings of System certificates

      • iexplore.exe (PID: 1740)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> iexplore.exe -> iexplore.exe

Process information

PID: 1740
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://connex.tcslandg.net
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3276
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1740 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 4 426
Read events: 945
Write events: 0
Delete events: 0

Modification events: no data
Executable files: 0
Suspicious files: 0
Text files: 5
Unknown types: 0

Dropped files

PID 3276, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\zcredirect[1].htm
Type: html
MD5: 3B1545F8F5E6E042ACFB105A8DB19EEC
SHA256: 4098E15F7A5FFB0F27C1FB33F296CBFB26A0DB4DF97B6ED8862DBB7B38C65BF4

PID 3276, iexplore.exe
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\PGXAICWX.txt
Type: text
MD5: B36E3BAD947571170D7752983726AF3B
SHA256: F3A4EBE41006D392697CE3471E84A7D11CACA1F146E72DD1881B2088474F38B2

PID 3276, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\zcredirect[2].htm
Type: html
MD5: 3B1545F8F5E6E042ACFB105A8DB19EEC
SHA256: 4098E15F7A5FFB0F27C1FB33F296CBFB26A0DB4DF97B6ED8862DBB7B38C65BF4

PID 3276, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\446468f4-733a-11ea-8eec-12a8c1cce293[1].htm
Type: html
MD5: D61E8E2A7C7D57DAAEE70442539EF10A
SHA256: 0BEA9F9F83F8D531FF48DD1A89433601DAFFFDBD2920D4887FC206AA4EA47975

PID 3276, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\3PCSQWH5
Type: text
MD5: 32682312D17C7CBF18E73594F5570319
SHA256: E55FB1A1D731153E943B68844AF12DCCE8BFAC917C98FFDEA64C80DA0607DD47
HTTP(S) requests: 7
TCP/UDP connections: 15
DNS requests: 9
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1740 | iexplore.exe | GET | | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | | | whitelisted
3276 | iexplore.exe | GET | 302 | 174.137.155.139:80 | http://clk.rtpdn11.com/click?i=*u2BnwKj06A_0 | US | | | malicious
3276 | iexplore.exe | GET | 200 | 54.86.66.67:80 | http://usd.jared-don.com/zcvisitor/446468f4-733a-11ea-8eec-12a8c1cce293?campaignid=446fdaa4-733a-11ea-8eec-12a8c1cce293 | US | html | 1004 b | shared
3276 | iexplore.exe | GET | | 54.86.66.67:80 | http://usd.jared-don.com/zcredirect?visitid=446468f4-733a-11ea-8eec-12a8c1cce293&type=meta | US | | | shared
3276 | iexplore.exe | GET | 200 | 54.86.66.67:80 | http://usd.jared-don.com/zcredirect?visitid=446468f4-733a-11ea-8eec-12a8c1cce293&type=js&browserWidth=1280&browserHeight=644&iframeDetected=false | US | html | 270 b | shared
1740 | iexplore.exe | GET | 404 | 54.86.66.67:80 | http://usd.jared-don.com/favicon.ico | US | html | 940 b | shared
3276 | iexplore.exe | GET | 302 | 5.79.79.210:80 | http://connex.tcslandg.net/ | NL | text | 11 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1740 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
 | | 5.79.79.210:80 | connex.tcslandg.net | LeaseWeb Netherlands B.V. | NL | malicious
3276 | iexplore.exe | 5.79.79.210:80 | connex.tcslandg.net | LeaseWeb Netherlands B.V. | NL | malicious
3276 | iexplore.exe | 174.137.155.139:80 | clk.rtpdn11.com | Webair Internet Development Company Inc. | US | suspicious
 | | 174.137.155.139:80 | clk.rtpdn11.com | Webair Internet Development Company Inc. | US | suspicious
1740 | iexplore.exe | 54.86.66.67:80 | usd.jared-don.com | Amazon.com, Inc. | US | malicious
3276 | iexplore.exe | 54.86.66.67:80 | usd.jared-don.com | Amazon.com, Inc. | US | malicious
 | | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3276 | iexplore.exe | 104.27.152.163:443 | cashnewways.com | Cloudflare Inc | US | shared

DNS requests

Domain | IP | Reputation
connex.tcslandg.net | 5.79.79.210 | malicious
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
usd.jared-don.com | 54.86.66.67, 3.216.243.46, 18.235.158.66, 54.91.125.197, 52.207.141.11, 3.226.8.132, 54.173.100.244, 35.175.38.64 | shared
clk.rtpdn11.com | 174.137.155.139 | malicious
cashnewways.com | 104.27.152.163, 104.27.153.163 | unknown
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted

Threats

PID | Process | Class | Message
3276 | iexplore.exe | Misc activity | ADWARE [PTsecurity] Redirecting.Zemot (RBN ZeroPark 0-Click)
No debug info