URL: http://attivastudiintegrati.it

Full analysis: https://app.any.run/tasks/6325e3f3-9c4b-4cee-8ed5-0a44c0caeecf
Verdict: Malicious activity (note that the report itself records no malicious indicators and 0 malicious / 0 suspicious processes; the only signature hits are the network alerts listed in the Threats section)
Analysis date: May 21, 2022, 10:02:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
  • MD5: 139552D675F1E1D90C7DEE5DB35E084F
  • SHA1: 4365348691A30235AC78001E91A434A1CE348F4A
  • SHA256: 416D97C8A6D5AFE03332D5FDC3AFA9C8C9FA76B6031677DB91F17860AE7D7C71
  • SSDEEP: 3:N1Kf3LmdwQ:C/LvQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS: no malicious indicators.
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path: iexplore.exe (PID 3304), iexplore.exe (PID 3704)
  • INFO
    • Reads the computer name: iexplore.exe (PID 3704), iexplore.exe (PID 3304)
    • Checks supported languages: iexplore.exe (PID 3304), iexplore.exe (PID 3704)
    • Changes internet zones settings: iexplore.exe (PID 3704)
    • Application launched itself: iexplore.exe (PID 3704)
    • Creates files in the user directory: iexplore.exe (PID 3304)
    • Reads settings of System Certificates: iexplore.exe (PID 3704), iexplore.exe (PID 3304)
    • Reads internet explorer settings: iexplore.exe (PID 3304)
    • Checks Windows Trust Settings: iexplore.exe (PID 3704), iexplore.exe (PID 3304)
    • Changes settings of System certificates: iexplore.exe (PID 3704)
    • Adds / modifies Windows certificates: iexplore.exe (PID 3704)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK matrix in the full report.
Malware configuration: no data.
All screenshots are available in the full report
Processes: total 36, monitored 2, malicious 0, suspicious 0

Behavior graph: start → iexplore.exe (PID 3704) → iexplore.exe (PID 3304)

Process information

PID 3704: iexplore.exe
  • CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://attivastudiintegrati.it"
  • Path: C:\Program Files\Internet Explorer\iexplore.exe
  • Parent process: Explorer.EXE
  • User: admin
  • Company: Microsoft Corporation
  • Integrity level: MEDIUM
  • Description: Internet Explorer
  • Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  • Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID 3304: iexplore.exe
  • CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3704 CREDAT:267521 /prefetch:2
  • Path: C:\Program Files\Internet Explorer\iexplore.exe
  • Parent process: iexplore.exe (PID 3704)
  • User: admin
  • Company: Microsoft Corporation
  • Integrity level: LOW
  • Description: Internet Explorer
  • Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  • Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
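The process table above is small enough to read by eye, but the same check is worth automating when a sandbox run has dozens of processes. The following is an added example for this page, not code from the ANY.RUN report: it rebuilds the tree from the two records transcribed from the table (Explorer.EXE, the parent of PID 3704, is outside the monitored set, so its PID is unknown and recorded as None) and flags any child of a browser that is not the browser's own image, runs at a higher integrity level than its parent, or carries an SCODEF value that does not name its parent. The rule set, the list of browser images and the cmd.exe record used to show a finding are assumptions made for this example.

```python
"""Audit a sandbox process tree for children a browser should not have.

Added example; not part of the ANY.RUN report. REPORT_PROCS is transcribed
from the report's Process information table. The browser-child rules and
BROWSER_IMAGES are assumptions made for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

INTEGRITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}
BROWSER_IMAGES = {"iexplore.exe", "msedge.exe", "chrome.exe", "firefox.exe"}  # assumption

# Transcribed from the report. PID 3704's parent (Explorer.EXE) is not in the
# monitored set, so its PID is unknown.
REPORT_PROCS = [
    {"pid": 3704, "ppid": None, "image": "iexplore.exe", "integrity": "MEDIUM",
     "cmdline": '"C:\\Program Files\\Internet Explorer\\iexplore.exe" "http://attivastudiintegrati.it"'},
    {"pid": 3304, "ppid": 3704, "image": "iexplore.exe", "integrity": "LOW",
     "cmdline": '"C:\\Program Files\\Internet Explorer\\iexplore.exe" SCODEF:3704 CREDAT:267521 /prefetch:2'},
]


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    integrity: str
    cmdline: str
    children: List["Proc"] = field(default_factory=list)


def build_tree(records):
    """Index records by PID and link children to parents; returns (roots, index)."""
    index = {r["pid"]: Proc(r["pid"], r["ppid"], r["image"].lower(),
                            r["integrity"], r["cmdline"]) for r in records}
    roots = []
    for p in index.values():
        parent = index.get(p.ppid)
        (parent.children if parent else roots).append(p)
    for p in index.values():
        p.children.sort(key=lambda c: c.pid)
    roots.sort(key=lambda p: p.pid)
    return roots, index


def render_tree(records):
    """Text form of the tree, in the spirit of the report's behavior graph."""
    roots, _ = build_tree(records)
    lines = []

    def walk(p, depth):
        lines.append(f"{'  ' * depth}{p.image} ({p.pid}, {p.integrity})")
        for c in p.children:
            walk(c, depth + 1)

    for r in roots:
        walk(r, 0)
    return "\n".join(lines)


def audit(records):
    """Return (pid, reason) for every child of a browser that breaks a rule."""
    _, index = build_tree(records)
    findings = []
    for p in index.values():
        parent = index.get(p.ppid)
        if parent is None or parent.image not in BROWSER_IMAGES:
            continue
        if p.image != parent.image:
            findings.append((p.pid, f"{parent.image} (PID {parent.pid}) spawned {p.image}: {p.cmdline}"))
        elif INTEGRITY_RANK[p.integrity] > INTEGRITY_RANK[parent.integrity]:
            findings.append((p.pid, f"child runs at {p.integrity}, above parent {parent.integrity}"))
        # IE tab processes carry SCODEF:<frame pid>; in the report it is 3704,
        # which is the parent. A mismatch would mean the tree was mis-attributed.
        m = re.search(r"SCODEF:(\d+)", p.cmdline)
        if m and int(m.group(1)) != parent.pid:
            findings.append((p.pid, f"SCODEF:{m.group(1)} does not match parent PID {parent.pid}"))
    return sorted(findings)


if __name__ == "__main__":
    print(render_tree(REPORT_PROCS))
    print(audit(REPORT_PROCS) or "no findings")
```

For the report's two processes the audit returns nothing: the only child of the frame process is IE's own low-integrity tab process whose SCODEF value names PID 3704. Appending a constructed cmd.exe child of PID 3304 to the same list produces one finding.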
Events: total 34,510; read 23,916; write 0; delete 0

Modification events: no data

Files: executable 0, suspicious 13, text 39, unknown types 7

Dropped files

  • PID 3704, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 (binary)
    MD5: 238E44DABE07626FBB56E80D0F613C2C
    SHA256: D679950FD89AFA4BC1DF9AB831AD8EA01C56A69B7C19F4956451FACBEC542734
  • PID 3304, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 (compressed)
    MD5: B9F21D8DB36E88831E5352BB82C438B3
    SHA256: 998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
  • PID 3304, iexplore.exe: C:\Users\admin\AppData\Local\Temp\Low\CabADC6.tmp (compressed; same hashes as the CryptnetUrlCache entry above)
    MD5: B9F21D8DB36E88831E5352BB82C438B3
    SHA256: 998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
  • PID 3304, iexplore.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1G1FQ2YY.txt (text)
    MD5: F27BDBCB5A33E61BFCD25D563C4D65E5
    SHA256: EE265DFEFA69110CF0C26F5C00846743AF776F36A96DDD3088FB281B89DBECF1
  • PID 3304, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\LQQ2GSYK.htm (text)
    MD5: 992A00F9375D6EF81A9908F9AB1FBCD8
    SHA256: DD6CEF140FEAA710A49BDEF176EE5E1A4397AE2329C5B295B8D5F1FFE15269E3
  • PID 3704, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico (image)
    MD5: DA597791BE3B6E732F0BC8B20E38EE62
    SHA256: 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
  • PID 3304, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751 (der)
    MD5: 54E9306F95F32E50CCD58AF19753D929
    SHA256: 45F94DCEB18A8F738A26DA09CE4558995A4FE02B971882E8116FC9B59813BB72
  • PID 3704, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (binary)
    MD5: CA909A48C5C56D6B5302C581E61AA4F1
    SHA256: D5C1F98B49201AFBCCA80E254A4943632515D5554E0275610414629F3ACCF982
  • PID 3704, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\imagestore\f7ruq93\imagestore.dat (binary)
    MD5: 06904591740F0A43BF039D67E5DA5AC6
    SHA256: 7B08DFC8D71E97F1041283BEA17D7B29FA03382181E292CBE641E24ACF8D4E56
  • PID 3304, iexplore.exe: C:\Users\admin\AppData\Local\Temp\Low\TarADC7.tmp (cat)
    MD5: E721613517543768F0DE47A6EEEE3475
    SHA256: 3163B82D1289693122EF99ED6C3C1911F68AA2A7296907CEBF84C897141CED4E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Network: HTTP(S) requests 12; TCP/UDP connections 53; DNS requests 14; threats 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
3304 | iexplore.exe | POST | 302 | 212.8.247.190:80 | http://attivastudiintegrati.it/ | RU | – | – | unknown
3304 | iexplore.exe | GET | 200 | 212.8.247.190:80 | http://attivastudiintegrati.it/ | RU | text | 195 b | unknown
3704 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
3704 | iexplore.exe | GET | 200 | 212.8.247.190:80 | http://attivastudiintegrati.it/favicon.ico | RU | image | 66.0 Kb | unknown
3304 | iexplore.exe | GET | 200 | 92.123.195.57:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?05b424e98a0f3359 | – | compressed | 60.0 Kb | whitelisted
3304 | iexplore.exe | GET | 200 | 92.123.195.41:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ecd7a65ed2fc5e81 | – | compressed | 60.0 Kb | whitelisted
3304 | iexplore.exe | GET | 200 | 23.45.105.185:80 | http://x1.c.lencr.org/ | NL | der | 717 b | whitelisted
3704 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
3304 | iexplore.exe | GET | 200 | 2.16.107.43:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgNBxveCrgnka3eYuTxmns2l7g%3D%3D | – | der | 503 b | shared
3304 | iexplore.exe | GET | 200 | 2.16.107.43:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgSJiGq7YZRC1jmih0hh8S692Q%3D%3D | – | der | 503 b | shared
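Four of the HTTP requests above are OCSP status checks sent as GETs, where the path is the DER-encoded OCSPRequest in URL-escaped base64 (RFC 6960, Appendix A.1). Decoding it tells you which certificate the browser was validating: the hash algorithm, the issuer name and key hashes, and the certificate serial number. The decoder below is an added example for this page, not code from the ANY.RUN report; it uses only the Python standard library and a minimal DER walker, and the four URLs it decodes are copied from the table above.

```python
"""Decode the OCSP GET requests from the report's HTTP table.

Added example; not part of the ANY.RUN report. An OCSP GET carries the
DER OCSPRequest as URL-escaped base64 in the path (RFC 6960 A.1). The
structure walked here is:
  OCSPRequest -> tbsRequest -> requestList -> Request -> CertID
  CertID ::= SEQUENCE { hashAlgorithm, issuerNameHash, issuerKeyHash, serialNumber }
"""
import base64
from urllib.parse import unquote, urlsplit

# Copied from the report's HTTP requests table.
OCSP_URLS = [
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D",
    "http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D",
    "http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgNBxveCrgnka3eYuTxmns2l7g%3D%3D",
    "http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgSJiGq7YZRC1jmih0hh8S692Q%3D%3D",
]

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def _der_tlv(buf, pos):
    """Return (tag, value, end) for the DER element starting at buf[pos].
    Handles short- and long-form definite lengths, which is all OCSP needs."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = _der_tlv(value, pos)
        yield tag, val


def _oid(raw):
    """Dotted-string form of a DER OBJECT IDENTIFIER value."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_ocsp_get(url):
    """Return one dict per CertID in the OCSPRequest carried by an OCSP GET URL."""
    parts = urlsplit(url)
    der = base64.b64decode(unquote(parts.path.lstrip("/")))
    _, ocsp_request, _ = _der_tlv(der, 0)          # OCSPRequest ::= SEQUENCE
    tbs = next(_children(ocsp_request))[1]          # tbsRequest is its first element
    out = []
    for tag, val in _children(tbs):
        if tag != 0x30:                             # skip [0] version / [1] requestorName
            continue
        for _, request in _children(val):           # requestList: SEQUENCE OF Request
            cert_id = next(_children(request))[1]   # reqCert CertID
            alg, name_hash, key_hash, serial = [v for _, v in _children(cert_id)]
            oid = _oid(next(_children(alg))[1])     # AlgorithmIdentifier.algorithm
            out.append({
                "responder": parts.netloc,
                "hash_alg": HASH_OIDS.get(oid, oid),
                "issuer_name_hash": name_hash.hex(),
                "issuer_key_hash": key_hash.hex(),
                "serial": serial.hex(),
            })
    return out


if __name__ == "__main__":
    for url in OCSP_URLS:
        for req in decode_ocsp_get(url):
            print(f"{req['responder']}: serial={req['serial']} "
                  f"issuerKeyHash={req['issuer_key_hash']} ({req['hash_alg']})")
```

Decoding shows that the two DigiCert requests name different issuers (different issuer key hashes) while the two Let's Encrypt requests share one issuer and differ only in the serial, which is what you would expect for two leaf certificates chained to R3. The serial is what you match against certificate transparency logs or the DER files in the CryptnetUrlCache entries listed under Dropped files when you want to know which site's certificate was being checked.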

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3704 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
3704 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3704 | iexplore.exe | 23.216.77.69:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious
3304 | iexplore.exe | 212.8.247.190:80 | attivastudiintegrati.it | LLC RuWeb | RU | unknown
3704 | iexplore.exe | 8.247.185.126:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | unknown
3704 | iexplore.exe | 212.8.247.190:80 | attivastudiintegrati.it | LLC RuWeb | RU | unknown
– | – | 212.8.247.190:80 | attivastudiintegrati.it | LLC RuWeb | RU | unknown
3304 | iexplore.exe | 92.123.195.41:80 | ctldl.windowsupdate.com | Akamai International B.V. | – | whitelisted
3704 | iexplore.exe | 23.216.77.80:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious
3304 | iexplore.exe | 2.16.107.43:80 | r3.o.lencr.org | Akamai International B.V. | – | suspicious

DNS requests

Domain | IPs | Reputation
attivastudiintegrati.it | 212.8.247.190 | unknown
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
ctldl.windowsupdate.com | 8.247.185.126, 8.238.155.126, 67.26.81.254, 67.26.73.254, 67.26.115.254, 23.216.77.69, 23.216.77.80, 92.123.195.57, 92.123.195.41 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
find-top-prizes-here.life | 5.101.45.9 | suspicious
x1.c.lencr.org | 23.45.105.185 | whitelisted
r3.o.lencr.org | 2.16.107.43, 2.16.107.99 | shared
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted

Threats

PID | Process | Class | Message
– | – | Potentially Bad Traffic | ET INFO Observed DNS Query to .life TLD
3304 | iexplore.exe | Potentially Bad Traffic | ET INFO Observed Let's Encrypt Certificate for Suspicious TLD (.xyz) (9 identical alerts)
No debug info