Field | Value
---|---
URL | https://s3.amazonaws.com/manrerafdakifbantlk/Ymout.html#r.php?t=c&d=4809&l=719&c=46341
Full analysis | https://app.any.run/tasks/ab34fa95-ecda-48c4-8837-f52961c16272
Verdict | Malicious activity
Analysis date | May 21, 2022, 08:07:54
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators |
MD5 | FD7294B5C281FBC340922DBAEDE65D18
SHA1 | D1899D671C9D664E83F64C308D41E8DB379627D7
SHA256 | 57F10E5C9991F16AD467C11C7474F57BD605045330FAF9907041228269C6D7A4
SSDEEP | 3:N8H7WtI0WOCSAn3EHhNwDddfn:2HjlaA3E8Rd
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3704 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://s3.amazonaws.com/manrerafdakifbantlk/Ymout.html#r.php?t=c&d=4809&l=719&c=46341" | C:\Program Files\Internet Explorer\iexplore.exe | | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
2800 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3704 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
PID | Process | Operation | Key | Name | Value
---|---|---|---|---|---
3704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPDaysSinceLastAutoMigration | 1
3704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchLowDateTime |
3704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchHighDateTime | 30960873
3704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateLowDateTime |
3704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateHighDateTime | 30960873
3704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix |
3704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
3704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
3704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0
3704 | iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
2800 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | der | 4A8C7F6C5AE2A37D5E6CCB1BBC0AF569 | 7AB918B977BBA5FDFEE3E8E570F1BE8680969932AD717C34A1A736348B7946A9
2800 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | 36D9EDAD6AFA95D348A68B59A8FB2819 | 3A02FFD546D4735DC57F11BBF64E91DDE3DE8CB574A6AF626FCA48FCB36F7FFD
2800 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BCB67D7ECB470284AF35679F339E879F | der | 84959B6A22F077A84CB59820A13D870D | FBD0BE6DD91387115FB363280FB0CB8559267DCC70C12C6C5F1FDB9E6DD995EC
3704 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | AC4726FEE26B5D7F5BC731F03E7D7E34 | 990F044CAB696ED00BBC2CB11C62BA52EE6D61F33AAFD5F78CD35EA3513D9C01
2800 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D6243C18F0F8F9AEC6638DD210F1984_B13E2B48FEEE7ABC0415719489CB444D | binary | 02B4B53AEBF0400F774EEBDC38EF12C8 | A016EAC0742C90348FA696CBA6BC9A600C3E01D177A1E997CDF3D139F9AF76B6
2800 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BCB67D7ECB470284AF35679F339E879F | binary | A6C2452B4D7503B15637F42E32A4714C | 630A5CA14BA39CD5C0D83AB9C9D31E0934C48D5E7E8E9F4B345990A4BF5D3802
2800 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\73DA0AE306CF69ADAC457DB6B2997338 | binary | A7AC683A6500CADCC3D6C0AB4FAE49FE | 9EA78B19E54AECCDA309E83FE6690CA38323AEB0B79E976ABEBBFF3E9FC2D5AD
2800 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | binary | 02FD489B8C303CB0C9BA52083F70149B | 895E818B39E47E06B2C32ABB80AC3742E3BEE5AB7DF97795B4D19285E6E06A03
2800 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 | compressed | B9F21D8DB36E88831E5352BB82C438B3 | 998E0209690A48ED33B79AF30FC13851E3E3416BED97E3679B6030C10CAB361E
2800 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F | binary | 6BA26B5D0A4A48B12AE1D6BCAAD14A7D | D0825A42DDD2B8C2F7D5E7162F6E53EDC1CC602A17F1499F27F69B893D350213
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2800 | iexplore.exe | GET | 200 | 108.138.2.195:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted |
2800 | iexplore.exe | GET | 200 | 67.27.157.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0e7f69cf5a7c15e3 | US | compressed | 4.70 Kb | whitelisted |
3704 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
2800 | iexplore.exe | GET | 200 | 18.66.137.71:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared |
2800 | iexplore.exe | GET | 200 | 108.138.24.78:80 | http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEARvjI07tlNggB%2FjBJupetY%3D | US | der | 471 b | whitelisted |
2800 | iexplore.exe | GET | 200 | 67.27.157.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?4cd9239b3b360f4f | US | compressed | 60.0 Kb | whitelisted |
2800 | iexplore.exe | GET | 200 | 18.66.107.167:80 | http://crl.rootg2.amazontrust.com/rootg2.crl | US | der | 660 b | whitelisted |
2800 | iexplore.exe | GET | 200 | 67.27.157.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?ecd7a65ed2fc5e81 | US | compressed | 60.0 Kb | whitelisted |
2800 | iexplore.exe | GET | 200 | 92.123.195.28:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgM7DNulW6KMJutnqCfQafWoaQ%3D%3D | unknown | der | 503 b | shared |
2800 | iexplore.exe | GET | 200 | 13.32.118.203:80 | http://crl.sca1b.amazontrust.com/sca1b-1.crl | US | binary | 1.03 Mb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3704 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3704 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2800 | iexplore.exe | 108.138.2.195:80 | o.ss2.us | BellSouth.net Inc. | US | unknown |
2800 | iexplore.exe | 67.27.157.126:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious |
2800 | iexplore.exe | 18.66.137.10:80 | ocsp.rootg2.amazontrust.com | Massachusetts Institute of Technology | US | whitelisted |
2800 | iexplore.exe | 54.231.129.200:443 | s3.amazonaws.com | Amazon.com, Inc. | IE | unknown |
— | — | 18.66.137.71:80 | ocsp.rootg2.amazontrust.com | Massachusetts Institute of Technology | US | whitelisted |
2800 | iexplore.exe | 185.83.145.100:80 | khemissate.com | Netinternet Bilisim Teknolojileri AS | TR | unknown |
2800 | iexplore.exe | 194.87.29.90:443 | drainflufes.com | Llcrelcom | RU | unknown |
2800 | iexplore.exe | 108.138.24.78:80 | ocsp.sca1b.amazontrust.com | BellSouth.net Inc. | US | whitelisted |
Domain | IP | Reputation
---|---|---
s3.amazonaws.com | | shared
ctldl.windowsupdate.com | | whitelisted
o.ss2.us | | whitelisted
ocsp.rootg2.amazontrust.com | | whitelisted
api.bing.com | | whitelisted
www.bing.com | | whitelisted
ocsp.digicert.com | | whitelisted
crl.rootg2.amazontrust.com | | whitelisted
ocsp.rootca1.amazontrust.com | | shared
ocsp.sca1b.amazontrust.com | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
2800 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
2800 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
2800 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |