analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://cloneclicks.com

Full analysis: https://app.any.run/tasks/8a36242b-e211-4f39-bf68-86fd66f88e7e
Verdict: Malicious activity
Analysis date: March 31, 2020, 05:11:50
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

B4183908BC34F0349AFBE388B61A7597

SHA1:

C791C06D85B9B1AE5CA24F30DB4DD76A2736B31D

SHA256:

4CC54020917399DCEF675A892541D009D5F5B47072B75B2F4D3D35034DD9C497

SSDEEP:

3:N1KdJKLLLK:C0S

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 304)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 304)
      • iexplore.exe (PID: 3008)

    • Creates files in the user directory

      • iexplore.exe (PID: 304)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3008)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 304)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 304)

    • Changes settings of System certificates

      • iexplore.exe (PID: 304)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
304"C:\Program Files\Internet Explorer\iexplore.exe" "http://cloneclicks.com"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3008"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:304 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
7 158
Read events
409
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
9
Text files
12
Unknown types
4

Dropped files

PID
Process
Filename
Type
304iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
304iexplore.exeC:\Users\admin\AppData\Local\Temp\Cab2A20.tmp
MD5:
SHA256:
304iexplore.exeC:\Users\admin\AppData\Local\Temp\Tar2A21.tmp
MD5:
SHA256:
304iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver2A51.tmp
MD5:
SHA256:
304iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\3Z6FHGM4.txt
MD5:
SHA256:
304iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\J7OWZ9AF.txt
MD5:
SHA256:
3008iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DATsmt
MD5:9C79052CD4702AB47E3269B42E873AC7
SHA256:27174FF21A72F50A2731A7454133B29C2397AA53ABD8848C6FED36A36F0E25EE
304iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203binary
MD5:45FDC2E653E0430CD6B5C2A29E9182ED
SHA256:FCE269F559B6AE2CE34A3B58781225F9055F89875F121B60DCD0BEC7B29EBF91
3008iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\down[1]image
MD5:C4F558C4C8B56858F15C09037CD6625A
SHA256:39E7DE847C9F731EAA72338AD9053217B957859DE27B50B6474EC42971530781
304iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\urlblockindex[1].binbinary
MD5:FA518E3DFAE8CA3A0E495460FD60C791
SHA256:775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
12
DNS requests
10
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
304
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
304
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
304
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3008
iexplore.exe
GET
403
172.241.69.4:80
http://cloneclicks.com/
NL
html
162 b
malicious
304
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
304
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
304
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
304
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
304
iexplore.exe
72.21.81.200:443
r20swj13mr.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
304
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3008
iexplore.exe
172.241.69.4:80
cloneclicks.com
NL
malicious

DNS requests

Domain
IP
Reputation
cloneclicks.com
  • 172.241.69.4
  • 172.241.69.20
  • 64.58.121.60
  • 64.58.126.236
  • 172.241.69.28
  • 23.111.228.4
  • 23.111.228.220
malicious
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 72.21.81.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://cloneclicks.com