URL: http://0nt3ck4rg0.dyndns-web.com:31682

Full analysis: https://app.any.run/tasks/979ef571-1371-40a2-afb6-d10712e7c48d
Verdict: Malicious activity
Analysis date: June 27, 2022, 09:59:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
  MD5:    7C13C33352C05579DD493BD30C02472F
  SHA1:   BC8BB491C27F7650E9E0C2B48C1816113B88E448
  SHA256: 57A7BFC0178D789F2E85F029D5CABC56F17CD0617339D351999ED2A7318F8303
  SSDEEP: 3:N1KYc80X7A:CYj2M

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS: no malicious indicators.
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path: iexplore.exe (PID 3376), iexplore.exe (PID 3736)
  • INFO
    • Checks supported languages: iexplore.exe (PID 2908), iexplore.exe (PID 3376), iexplore.exe (PID 3736)
    • Reads the computer name: iexplore.exe (PID 2908), iexplore.exe (PID 3376), iexplore.exe (PID 3736)
    • Changes internet zones settings: iexplore.exe (PID 2908)
    • Application launched itself: iexplore.exe (PID 2908)
    • Checks Windows Trust Settings: iexplore.exe (PID 2908), iexplore.exe (PID 3736)
    • Reads internet explorer settings: iexplore.exe (PID 3376), iexplore.exe (PID 3736)
    • Reads settings of System Certificates: iexplore.exe (PID 2908), iexplore.exe (PID 3736)
    • Creates files in the user directory: iexplore.exe (PID 2908)
Malware configuration: no data.
Process summary
  • Total processes: 37
  • Monitored processes: 3
  • Malicious processes: 0
  • Suspicious processes: 0

Behavior graph

  start → iexplore.exe (PID 2908) → iexplore.exe (PID 3376), iexplore.exe (PID 3736)

Process information

PID 2908 (parent process: Explorer.EXE)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://0nt3ck4rg0.dyndns-web.com:31682"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images):
    • c:\program files\internet explorer\iexplore.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\system32\kernel32.dll
    • c:\windows\system32\kernelbase.dll
    • c:\windows\system32\msvcrt.dll
    • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    • c:\windows\system32\advapi32.dll
    • c:\windows\system32\sechost.dll
    • c:\windows\system32\rpcrt4.dll
    • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID 3376 (parent process: iexplore.exe, PID 2908 per SCODEF:2908)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2908 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images):
    • c:\program files\internet explorer\iexplore.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\system32\kernel32.dll
    • c:\windows\system32\kernelbase.dll
    • c:\windows\system32\msvcrt.dll
    • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    • c:\windows\system32\advapi32.dll
    • c:\windows\system32\sechost.dll
    • c:\windows\system32\rpcrt4.dll
    • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID 3736 (parent process: iexplore.exe, PID 2908 per SCODEF:2908)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2908 CREDAT:3413261 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images):
    • c:\program files\internet explorer\iexplore.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\system32\kernel32.dll
    • c:\windows\system32\kernelbase.dll
    • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    • c:\windows\system32\msvcrt.dll
    • c:\windows\system32\advapi32.dll
    • c:\windows\system32\sechost.dll
    • c:\windows\system32\rpcrt4.dll
    • c:\windows\system32\iertutil.dll

PIDs 3376 and 3736 are Internet Explorer's Protected Mode content (tab) processes: SCODEF:2908 names the frame process that spawned them, they run at LOW integrity by design, and the "Application launched itself" indicator on PID 2908 is this normal IE process model rather than something the visited page did.
Events
  • Total events: 13 292
  • Read events: 13 132
  • Write events: 0
  • Delete events: 0

Modification events: no data

Files by type
  • Executable files: 0
  • Suspicious files: 10
  • Text files: 39
  • Unknown types: 3

Dropped files

  • PID 3376, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\YXC9VRRD.htm (html)
      MD5: 5E919AB06B00289A05A861D74588BE2D
      SHA256: 995894BAB765F95DBA6DF4D2D650D103049E123CBD2626039E2725D117F93D65
  • PID 3376, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\logo[1].png (image)
      MD5: 19249BC3B62FA1D192FD60DD47E95378
      SHA256: A0F47951E03CA90A2E3962A6EF82A45EBC70A91F95521E6DC21742B19BBD0F91
  • PID 3376, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\logoinicio[1].png (image; same hashes as logo[1].png above)
      MD5: 19249BC3B62FA1D192FD60DD47E95378
      SHA256: A0F47951E03CA90A2E3962A6EF82A45EBC70A91F95521E6DC21742B19BBD0F91
  • PID 2908, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (binary)
      MD5: 794F1817C1E752505C5E02F92D7207B3
      SHA256: C598DECDB5659AC43EFE909C2EBD8B63B79A4DD27FA49F51FA0644BDEEBDFEA6
  • PID 2908, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 (der)
      MD5: 28CC3D4B0DA8A29A9DCD6D4755C84342
      SHA256: A4CA2DD1D4545838F7A9102623442BC76BDEB2185E9991A294BCB0B6456DDA0E
  • PID 3376, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\customer[1].png (image)
      MD5: 0264E4BAC03AE25034B60DEB9874F1BA
      SHA256: 6FFDB80FF29CF6FA832A6E10EB942FF4691B916E3D6E6A2F9CF52EB188CEEAC3
  • PID 3376, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\style[1].css (text)
      MD5: D4FC277217CE61E2846C58C054927EF9
      SHA256: A4CDBBC4B624F32175CB80026458A12533DDC7CA674FDACA750219E1C80524AB
  • PID 3376, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\agencias[1].png (image)
      MD5: 8E40E61BBCEF9C800D8BE29CCB170EBD
      SHA256: CE7809883880AAE6C0C5CF66E85367BBCC9412D4CB561F2BFF1CD3BBFCE5CE87
  • PID 2908, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\tecnokargo[1].ico (image)
      MD5: 761C8E4B9859EF726B29EC98E51DAB55
      SHA256: 335449375D4E96E4653913EB21BF354C795A45DDD4A2829C9D0EB3C555A7BA7C
  • PID 3376, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\agentes[1].png (image)
      MD5: 878C68A2CF6F71C73CC6D669247FB652
      SHA256: 99F9D8C47BB94DA88EB72CCDC92C2E875BB2A9FE9DB382EB75CCB4682FAF4CFC

The two CryptnetUrlCache entries are Windows' certificate-revocation/trust-list cache written during the OCSP lookup shown in the HTTP table below, not content served by the submitted URL; the remaining files are the page's own HTML, CSS, images and favicon as cached by IE.
Network summary
  • HTTP(S) requests: 39
  • TCP/UDP connections: 36
  • DNS requests: 13
  • Threats: 0

HTTP requests

PID  | Process      | Method | Code | IP:port               | URL                                                              | CN | Type  | Size    | Reputation
3376 | iexplore.exe | GET    | 200  | 162.229.157.161:31682 | http://0nt3ck4rg0.dyndns-web.com:31682/img/agencias.png          | US | image | 5.30 Kb | suspicious
2908 | iexplore.exe | GET    | 200  | 162.229.157.161:31682 | http://0nt3ck4rg0.dyndns-web.com:31682/img/tecnokargo.ico        | US | image | 1.12 Kb | suspicious
2908 | iexplore.exe | GET    | 200  | 93.184.220.29:80      | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
3376 | iexplore.exe | GET    | 200  | 162.229.157.161:31682 | http://0nt3ck4rg0.dyndns-web.com:31682/style.css                 | US | text  | 13.1 Kb | suspicious
3376 | iexplore.exe | GET    | 200  | 162.229.157.161:31682 | http://0nt3ck4rg0.dyndns-web.com:31682/img/agentes.png           | US | image | 6.93 Kb | suspicious
3736 | iexplore.exe | GET    | 200  | 162.229.157.161:31682 | http://0nt3ck4rg0.dyndns-web.com:31682/casillero/css/style.css   | US | text  | 8.62 Kb | suspicious
3376 | iexplore.exe | GET    | 200  | 162.229.157.161:31682 | http://0nt3ck4rg0.dyndns-web.com:31682/img/diagonal.png          | US | image | 144 b   | suspicious
3376 | iexplore.exe | GET    | 200  | 162.229.157.161:31682 | http://0nt3ck4rg0.dyndns-web.com:31682/img/logoinicio.png        | US | image | 5.13 Kb | suspicious
3376 | iexplore.exe | GET    | 200  | 162.229.157.161:31682 | http://0nt3ck4rg0.dyndns-web.com:31682/                          | US | html  | 9.10 Kb | suspicious
3376 | iexplore.exe | GET    | 200  | 107.180.51.105:80     | http://www.tecnokargo.com/clientes/0/logo.png                    | US | image | 5.13 Kb | unknown

Connections

PID  | Process      | IP:port               | Domain                    | ASN                                                      | CN | Reputation
2908 | iexplore.exe | 93.184.220.29:80      | ocsp.digicert.com         | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2908 | iexplore.exe | 162.229.157.161:31682 | 0nt3ck4rg0.dyndns-web.com | AT&T Services, Inc.                                      | US | suspicious
2908 | iexplore.exe | 13.107.21.200:443     | www.bing.com              | Microsoft Corporation                                    | US | whitelisted
n/a  | n/a          | 162.229.157.161:31682 | 0nt3ck4rg0.dyndns-web.com | AT&T Services, Inc.                                      | US | suspicious
n/a  | n/a          | 107.180.51.105:80     | www.tecnokargo.com        | GoDaddy.com, LLC                                         | US | unknown
3376 | iexplore.exe | 162.229.157.161:31682 | 0nt3ck4rg0.dyndns-web.com | AT&T Services, Inc.                                      | US | suspicious
2908 | iexplore.exe | 178.79.242.0:80       | ctldl.windowsupdate.com   | Limelight Networks, Inc.                                 | DE | whitelisted
3736 | iexplore.exe | 162.229.157.161:31682 | 0nt3ck4rg0.dyndns-web.com | AT&T Services, Inc.                                      | US | suspicious
3376 | iexplore.exe | 107.180.51.105:80     | www.tecnokargo.com        | GoDaddy.com, LLC                                         | US | unknown
n/a  | n/a          | 172.217.18.106:80     | ajax.googleapis.com       | Google Inc.                                              | US | whitelisted

DNS requests

Domain                    | IP(s)                                                       | Reputation
0nt3ck4rg0.dyndns-web.com | 162.229.157.161                                             | suspicious
www.tecnokargo.com        | 107.180.51.105                                              | unknown
api.bing.com              | 13.107.5.80                                                 | whitelisted
www.bing.com              | 131.253.33.200, 13.107.22.200, 13.107.21.200, 204.79.197.200 | whitelisted
ctldl.windowsupdate.com   | 178.79.242.0, 95.140.236.0                                  | whitelisted
ocsp.digicert.com         | 93.184.220.29                                               | whitelisted
iecvlist.microsoft.com    | 152.199.19.161                                              | whitelisted
r20swj13mr.microsoft.com  | 152.199.19.161                                              | whitelisted
maxcdn.bootstrapcdn.com   | 104.18.11.207, 104.18.10.207                                | whitelisted
ajax.googleapis.com       | 172.217.18.106                                              | whitelisted

Threats

PID  | Process      | Class                   | Message
n/a  | n/a          | Potentially Bad Traffic | ET INFO DYNAMIC_DNS Query to a Suspicious *.dyndns-web.com Domain
3376 | iexplore.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain
3376 | iexplore.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain
3376 | iexplore.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain
3376 | iexplore.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain
3376 | iexplore.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain
3376 | iexplore.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain
3376 | iexplore.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain
2908 | iexplore.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain
3736 | iexplore.exe | Potentially Bad Traffic | ET INFO DYNAMIC_DNS HTTP Request to a *.dyndns-*.com domain
Debug info: none
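The HTTP, Connections, DNS and Threats tables above are only useful once their indicators are turned into a check that runs over your own logs. The Python below is an added example, not ANY.RUN code: it carries the report's network indicators, reproduces the intent of the "ET INFO DYNAMIC_DNS ... *.dyndns-*.com" signatures from the Threats table with a regex, flags the non-standard port 31682, and drops the whitelisted IE background hosts (OCSP, CTL download, Bing, IE compatibility lists) so they do not pollute the findings. The proxy-log format and the sample lines it runs over are constructed for the demo; the host files.dyndns-office.com is invented to show that the match covers any dyndns-*.com zone, not only this one domain.

```python
"""Turn the report's network evidence into a check over proxy logs.

Added example, not ANY.RUN code. Indicators come from the HTTP requests,
Connections, DNS requests and Threats tables; the log format and sample
lines at the bottom are constructed for the demo.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Network indicators from the report.
IOC_DOMAINS = {"0nt3ck4rg0.dyndns-web.com"}
IOC_IPS = {"162.229.157.161"}

# Hosts the report marks whitelisted that IE 11 contacts by itself (OCSP,
# certificate trust list, Bing start page, IE compatibility lists). Treated as
# browser background noise so they never surface as findings.
BROWSER_NOISE = {
    "ocsp.digicert.com", "ctldl.windowsupdate.com", "www.bing.com", "api.bing.com",
    "iecvlist.microsoft.com", "r20swj13mr.microsoft.com",
}

# Same intent as the "ET INFO DYNAMIC_DNS ... *.dyndns-*.com" signatures in the
# Threats table: any name under a dyndns-<label>.com zone, not just dyndns-web.com.
DYNDNS_RE = re.compile(r"(?:^|\.)dyndns-[a-z0-9-]+\.com$", re.IGNORECASE)

# Ports a web server is normally reached on; the report's 31682 is not one of them.
COMMON_WEB_PORTS = {80, 443, 8080, 8443}

# Constructed log format: "<timestamp> <client-ip> <method> <url> <status>".
PROXY_LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


@dataclass(frozen=True)
class Finding:
    line_no: int
    host: str
    port: int
    reasons: Tuple[str, ...]


def host_and_port(url: str) -> Tuple[str, int]:
    """Lower-cased host and effective port of an http(s) URL."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname or "", port


def triage_line(line_no: int, line: str) -> Optional[Finding]:
    """Finding for one log line, None if clean; ValueError if the line is unparseable."""
    m = PROXY_LINE_RE.match(line)
    if m is None:
        raise ValueError(f"line {line_no}: not in the expected proxy log format")
    host, port = host_and_port(m["url"])
    if host in BROWSER_NOISE:
        return None
    reasons = []
    if host in IOC_DOMAINS:
        reasons.append("known-ioc-domain")
    if host in IOC_IPS:
        reasons.append("known-ioc-ip")
    if DYNDNS_RE.search(host):
        reasons.append("dynamic-dns-host")
    if port not in COMMON_WEB_PORTS:
        reasons.append(f"uncommon-port-{port}")
    return Finding(line_no, host, port, tuple(reasons)) if reasons else None


def triage(lines: List[str]) -> Tuple[List[Finding], List[int]]:
    """Findings plus the numbers of lines that could not be parsed.

    Unparseable lines are reported, not skipped, so a changed log format
    cannot silently turn into "no hits"."""
    findings, unparsed = [], []
    for n, line in enumerate(lines, 1):
        try:
            finding = triage_line(n, line)
        except ValueError:
            unparsed.append(n)
            continue
        if finding is not None:
            findings.append(finding)
    return findings, unparsed


# Constructed sample; hosts and paths echo the report's HTTP table, except
# files.dyndns-office.com, which is invented to show the wider dyndns-*.com match.
SAMPLE_PROXY_LOG = [
    "2022-06-27T09:59:55Z 10.0.0.15 GET http://0nt3ck4rg0.dyndns-web.com:31682/ 200",
    "2022-06-27T09:59:56Z 10.0.0.15 GET http://ocsp.digicert.com/MFEwTzBN 200",
    "2022-06-27T09:59:56Z 10.0.0.15 GET http://www.tecnokargo.com/clientes/0/logo.png 200",
    "2022-06-27T09:59:57Z 10.0.0.15 GET http://162.229.157.161:31682/img/agencias.png 200",
    "2022-06-27T10:00:01Z 10.0.0.22 GET http://files.dyndns-office.com/update.bin 404",
    "2022-06-27T10:00:02Z 10.0.0.22 GET http://www.example.com:8080/ 200",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found, bad = triage(SAMPLE_PROXY_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.host}:{f.port} -> {', '.join(f.reasons)}")
    if bad:
        print("unparsed lines:", bad)
```

Pivot on the hostname and port rather than on 162.229.157.161: the name is a dynamic-DNS record and can be repointed at another address at any time, so the IP is the weakest of the three indicators. Leave www.tecnokargo.com as an observation rather than an indicator: the report shows only a logo fetched from it with "unknown" reputation, and the sample above correctly produces no finding for it.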