analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://cdn.special-offers.online

Full analysis: https://app.any.run/tasks/189e161e-b699-48dd-a771-f351ac48e49f
Verdict: Malicious activity
Analysis date: August 12, 2022, 18:01:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

E9B1BE3D5CC80351EC594FA98389E62E

SHA1:

221C47C8C15184964E72668CF0A69D97B99A0B1C

SHA256:

5B67A90A2805C9EF85DC6C3B32134894DB224ED1D5966A09367B009F4178B5CC

SSDEEP:

3:N8cKjUcKEAn:2cigEA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 1568)

  • INFO

    • Reads settings of System Certificates

      • iexplore.exe (PID: 1568)
      • iexplore.exe (PID: 2376)

    • Reads the computer name

      • iexplore.exe (PID: 2376)
      • iexplore.exe (PID: 1568)

    • Checks supported languages

      • iexplore.exe (PID: 1568)
      • iexplore.exe (PID: 2376)

    • Changes internet zones settings

      • iexplore.exe (PID: 2376)

    • Application launched itself

      • iexplore.exe (PID: 2376)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 1568)
      • iexplore.exe (PID: 2376)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1568)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2376"C:\Program Files\Internet Explorer\iexplore.exe" "https://cdn.special-offers.online"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
1568"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2376 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
14 278
Read events
14 161
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
11
Text files
7
Unknown types
6

Dropped files

PID
Process
Filename
Type
1568iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\CabBD84.tmpcompressed
MD5:589C442FC7A0C70DCA927115A700D41E
SHA256:2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
1568iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001binary
MD5:45CF7DDD0FC5274757B14FA8FABEC7D1
SHA256:B857AFFE98BACC5DC8B0A764B2157A9B01FE1F678A61B342E788FF6970963496
1568iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BC570EC0DE58335AFAF92FDC8E3AA330_5236641CB9426803E867F3160B754BF3binary
MD5:11961057BA817575CDFCE99478E5E3E9
SHA256:52FF34C7BCE64D1CB089BD3F0A088BE4D77F09F31A0F1592B397513365E266B3
1568iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\TarBD85.tmpcat
MD5:7EE994C83F2744D702CBA18693ED1758
SHA256:5DB917AB6DC8A42A43617850DFBE2C7F26A7F810B229B349E9DD2A2D615671D2
2376iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776der
MD5:290A85BD3E7285CDEDA1602A9E12A7DF
SHA256:17AE86541BE373B2DB8A4B77D7E7626966637E5A6052F290A3B598A56F5123C9
1568iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:D89764764C7327E5D644A9CE21915CF4
SHA256:4569EB7910E787C0D2FB5FC4FDAD17E6166A2F30CB1AB1769785088C315FDBFC
1568iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_BA1AB6C2BDFDF57799E8116E4002D001der
MD5:E1D90ACF8C4BA4BBAB2516482E4325EF
SHA256:29AE5E652E5AE0BC73A8EC5E403419117CE6757D2B43B6FF7CB5AE9710331008
2376iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:EE87BB11E233C12009CC11725035DBDC
SHA256:D82930A5B051B3C3F1639C24E83BDDF41D5AA66E467A0944D1AC3D59AE6330C5
2376iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:D123628C5873424BBFEE153E15308641
SHA256:5B2DBD7A05884971D21DF9E92C3C9C669239A2D5820989C762947758304CF9EE
1568iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506compressed
MD5:589C442FC7A0C70DCA927115A700D41E
SHA256:2E5CB72E9EB43BAAFB6C6BFCC573AAC92F49A8064C483F9D378A9E8E781A526A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
29
DNS requests
12
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1568
iexplore.exe
GET
200
104.18.21.226:80
http://ocsp2.globalsign.com/gsalphasha2g2/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBSE1Wv4CYvTB7dm2OHrrWWWqmtnYQQU9c3VPAhQ%2BWpPOreX2laD5mnSaPcCDGWZMYms94QoJYm4KQ%3D%3D
US
der
1.39 Kb
whitelisted
1568
iexplore.exe
GET
200
8.248.131.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?bf3b274e09e81df7
US
compressed
60.2 Kb
whitelisted
1568
iexplore.exe
GET
200
104.18.21.226:80
http://ocsp.globalsign.com/rootr1/MEwwSjBIMEYwRDAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCCwQAAAAAAURO8DYx
US
der
1.41 Kb
whitelisted
2376
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
1568
iexplore.exe
GET
200
96.16.145.230:80
http://x1.c.lencr.org/
US
der
717 b
whitelisted
2376
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
1568
iexplore.exe
GET
200
8.248.131.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5641f4edb50a1a92
US
compressed
4.70 Kb
whitelisted
1568
iexplore.exe
GET
200
67.27.157.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ed37a4d26ff55ffa
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1568
iexplore.exe
67.27.157.122:443
cdn.special-offers.online
Level 3 Communications, Inc.
US
suspicious
1568
iexplore.exe
96.16.145.230:80
x1.c.lencr.org
Akamai Technologies, Inc.
US
suspicious
1568
iexplore.exe
104.18.21.226:80
ocsp.globalsign.com
Cloudflare Inc
US
shared
2376
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
1568
iexplore.exe
156.146.33.26:443
www.cdn77.com
US
suspicious
1568
iexplore.exe
8.248.131.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious
2376
iexplore.exe
8.241.122.122:443
cdn.special-offers.online
Level 3 Communications, Inc.
US
unknown
2376
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1568
iexplore.exe
67.27.157.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious
1568
iexplore.exe
195.181.170.19:443
www.cdn77.com
Datacamp Limited
DE
suspicious

DNS requests

Domain
IP
Reputation
cdn.special-offers.online
  • 67.27.157.122
  • 67.27.233.122
  • 8.248.137.250
  • 8.241.122.122
  • 67.26.137.248
  • 8.241.123.122
malicious
ctldl.windowsupdate.com
  • 8.248.131.254
  • 67.27.157.254
  • 8.253.204.121
  • 67.27.159.254
  • 8.248.119.254
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ocsp.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
whitelisted
ocsp2.globalsign.com
  • 104.18.21.226
  • 104.18.20.226
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
www.cdn77.com
  • 156.146.33.26
  • 195.181.170.19
  • 212.102.56.143
  • 185.59.220.17
  • 156.146.33.17
  • 195.181.174.6
suspicious
x1.c.lencr.org
  • 96.16.145.230
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://cdn.special-offers.online