analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://xss.my.id

Full analysis: https://app.any.run/tasks/d3abfc3f-2f97-4f7a-99b2-4fa1104f7dc5
Verdict: Malicious activity
Analysis date: May 20, 2022, 15:59:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

6931BE312628E5F41B0925A48F9F725E

SHA1:

617E88D824FFBA3C7ECDEE4360322CC4CAADF3F7

SHA256:

4967E6DA4E657F716AE02EFA3832C072044F7E8F6516E810F6A418E9B8C58026

SSDEEP:

3:N86MhLAn:26SM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 1276)

  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 1432)
      • iexplore.exe (PID: 1276)

    • Reads the computer name

      • iexplore.exe (PID: 1432)
      • iexplore.exe (PID: 1276)

    • Changes internet zones settings

      • iexplore.exe (PID: 1432)

    • Application launched itself

      • iexplore.exe (PID: 1432)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 1276)
      • iexplore.exe (PID: 1432)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1276)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 1432)
      • iexplore.exe (PID: 1276)

    • Changes settings of System certificates

      • iexplore.exe (PID: 1432)

    • Creates files in the user directory

      • iexplore.exe (PID: 1276)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1432)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
1432"C:\Program Files\Internet Explorer\iexplore.exe" "https://xss.my.id"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
1276"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1432 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events
25 420
Read events
25 197
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
29
Text files
219
Unknown types
31

Dropped files

PID
Process
Filename
Type
1276iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:88A0329B4E805CB212C09813367C1569
SHA256:6D0FB4F8CCF4ADEA831363DE56E9570F10BA9E1FFCB1DF1F6E4E85A1391084CC
1432iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:9E4EDE3B107CC4B0E175385C76BAA46F
SHA256:8853AB6066D79415D18093FF897ABC3BBDF22BA5F69C048DD8CFD75B8860498C
1276iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\CabBC52.tmpcompressed
MD5:B9F21D8DB36E88831E5352BB82C438B3
SHA256:998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
1276iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:B9F21D8DB36E88831E5352BB82C438B3
SHA256:998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
1432iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:AC8FE9D561E9E7288AECF13F03AEA3D1
SHA256:CECD911136F3CCBE6F4869CBCBD9FD15B3FA91CD2FD49B9655FA3BCF8E932C05
1276iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\TarBC53.tmpcat
MD5:E721613517543768F0DE47A6EEEE3475
SHA256:3163B82D1289693122EF99ED6C3C1911F68AA2A7296907CEBF84C897141CED4E
1276iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:33E1B0539868898BF13E398D11C07E39
SHA256:DD1359F5A43444389EBE41AD8346078B09639A6133BE39651011C5B1370CFF6A
1276iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751der
MD5:54E9306F95F32E50CCD58AF19753D929
SHA256:45F94DCEB18A8F738A26DA09CE4558995A4FE02B971882E8116FC9B59813BB72
1276iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27der
MD5:41FBBFEF77C9E15DF36E1CB541503D98
SHA256:1C596FD0B7231E43E672CB027BE6117200830DD98929F060C3A97F8EFC4EAE17
1276iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\IFKJ7QT0.htmhtml
MD5:8546D30A726E43CEFDC90D76D081D416
SHA256:88C708E5AB2669AC042716F72F8B951C011950DAFDCFDEA4868858C66A5688A1
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
26
TCP/UDP connections
95
DNS requests
32
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1432
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
1276
iexplore.exe
GET
200
23.216.77.80:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?d09f74642c76f67c
US
compressed
60.0 Kb
whitelisted
1276
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
1276
iexplore.exe
GET
200
142.250.186.163:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDExSUZ712qmxLhqE9UUaDV
US
der
472 b
whitelisted
1276
iexplore.exe
GET
200
142.250.186.163:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
1276
iexplore.exe
GET
200
142.250.186.163:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEAJ2P5%2FrMeCKCjxqPfGvBuc%3D
US
der
471 b
whitelisted
1276
iexplore.exe
GET
200
142.250.186.163:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCHXS%2FWwGsOSRJbmAIB8NC3
US
der
472 b
whitelisted
1276
iexplore.exe
GET
200
96.16.145.230:80
http://x1.c.lencr.org/
US
der
717 b
whitelisted
1276
iexplore.exe
GET
200
142.250.186.163:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCdUrA%2FwvrytArhIvu6cF3d
US
der
472 b
whitelisted
1276
iexplore.exe
GET
200
142.250.186.163:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCRFv%2BVFTnkqRJIhUuzpdiA
US
der
472 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1276
iexplore.exe
96.16.145.230:80
x1.c.lencr.org
Akamai Technologies, Inc.
US
suspicious
1276
iexplore.exe
172.67.203.238:80
forums.cyberpanel.net
US
unknown
1276
iexplore.exe
3.22.228.104:443
community.cyberpanel.net
US
suspicious
1276
iexplore.exe
184.24.77.62:80
r3.o.lencr.org
Time Warner Cable Internet LLC
US
unknown
1276
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1432
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1276
iexplore.exe
23.216.77.80:80
ctldl.windowsupdate.com
NTT DOCOMO, INC.
US
suspicious
1432
iexplore.exe
131.253.33.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
1276
iexplore.exe
188.114.96.10:443
xss.my.id
Cloudflare Inc
US
malicious
1432
iexplore.exe
188.114.96.10:443
xss.my.id
Cloudflare Inc
US
malicious

DNS requests

Domain
IP
Reputation
xss.my.id
  • 188.114.96.10
  • 188.114.97.10
malicious
ctldl.windowsupdate.com
  • 23.216.77.80
  • 23.216.77.69
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 131.253.33.200
  • 13.107.22.200
whitelisted
forums.cyberpanel.net
  • 172.67.203.238
  • 104.21.44.216
suspicious
community.cyberpanel.net
  • 3.22.228.104
suspicious
x1.c.lencr.org
  • 96.16.145.230
whitelisted
r3.o.lencr.org
  • 184.24.77.62
  • 184.24.77.79
  • 184.24.77.56
  • 184.24.77.67
  • 184.24.77.48
shared
pagead2.googlesyndication.com
  • 142.250.186.162
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://xss.my.id