URL: https://community.expensify.com/discussion/4869/how-to-manage-domain-members

Full analysis: https://app.any.run/tasks/0ff82541-33a5-44a1-86b2-069a5c549f0d
Verdict: Malicious activity
Analysis date: October 04, 2022, 22:16:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 3E7A5B34455BFC4549477817DB92247E
SHA1: BF0561CE248B4038737018456750EC65076B6249
SHA256: 6854D1E11FE8CFC762BD1767063AFC4AB3692CC66D004AD39EC4493445A413E9
SSDEEP: 3:N8XAMVZf2K6W4XNIZlLKDWn:2QM7gJ9XDW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 1204)
  • INFO
    • Checks supported languages
      • iexplore.exe (PID: 1528)
      • iexplore.exe (PID: 1204)
    • Reads the computer name
      • iexplore.exe (PID: 1528)
      • iexplore.exe (PID: 1204)
    • Changes internet zones settings
      • iexplore.exe (PID: 1528)
    • Application launched itself
      • iexplore.exe (PID: 1528)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 1204)
      • iexplore.exe (PID: 1528)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 1204)
      • iexplore.exe (PID: 1528)
    • Reads internet explorer settings
      • iexplore.exe (PID: 1204)
    • Creates files in the user directory
      • iexplore.exe (PID: 1204)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph: start -> iexplore.exe -> iexplore.exe

Process information

PID: 1528
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://community.expensify.com/discussion/4869/how-to-manage-domain-members"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (Images):
  c:\windows\system32\ntdll.dll
  c:\program files\internet explorer\iexplore.exe
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID: 1204
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1528 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (Images):
  c:\program files\internet explorer\iexplore.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events: 12 814
Read events: 12 703
Write events: 0
Delete events: 0
Modification events: No data
Executable files: 0
Suspicious files: 10
Text files: 110
Unknown types: 12

Dropped files

PID | Process | Filename | Type
1204 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: 929EEE375429CAA9D9817BAF324334AF
  SHA256: 4AE6EB7D37807632A3326DFDDC02711EACF0AB9B73595BFB6E0B11F69F99AF05
1204 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\prettify[1].css | text
  MD5: AC6F30A6189533B3CD7DBC8A0C03976B
  SHA256: 8E6EAF31579EC46D3098CB9C272F1C8B59D8D08892B9A48184913EF0FE8357A2
1204 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der
  MD5: 87AAD071DDAAAD8ADB70E4DABCC1A750
  SHA256: 2D558A3FE733F9893095B3758FF661E7B48DB7D8D725D7AC9EDBFFABC65D1613
1204 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\how-to-manage-domain-members[1].htm | html
  MD5: 37D074EF39488C2057B4FF1211E4AFFB
  SHA256: 8B698BA9D14EC26647FE7660D761244A359D03515872C0BA7FC2B7934D0AA0C7
1204 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\style-compat[1].css | text
  MD5: 75FF53A0C58F96AF03194605E345C92C
  SHA256: 02A9182D0C2599B86DD0BAC81729897E80DA1620CD71D36FC8E282061B58A0F2
1204 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary
  MD5: A0CA8D08B6F4474B2994D5D095357738
  SHA256: C799D11465524B39A337E24D2848CEB80087EF2E92CA3D3C42829AA1B7A3CD81
1204 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\advanced-search[1].css | text
  MD5: 3A97A1ABB1D39D614A24D4CE8923A7CF
  SHA256: 0CF770DB446EB06891633A7BDAA99466A7BFB39EB86D19B6B88A9B9A7C56EFB8
1204 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\4aeec7ca8bd6c22fd93c.min[1].css | text
  MD5: C96A61B38C56DB8E56B96BDB1147A49D
  SHA256: FC867C47E28D1D1F9A177755ABEAECB9AFB049B77B511807F55CBBA13B665D8B
1204 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\editor[1].css | text
  MD5: 70C1256C5E66A877E355BECE754417D7
  SHA256: 4997A44799DAAAC0CA7F62C5E54A2CE9B5E934223756DCD47D3DCC87D9E82D80
1204 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | compressed
  MD5: F7DCB24540769805E5BB30D193944DCE
  SHA256: 6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 37
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1204 | iexplore.exe | GET | 200 | 142.250.186.35:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted
1204 | iexplore.exe | GET | 200 | 142.250.186.35:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEGOlwNI5ZtyUEgHpNAgRyd0%3D | US | der | 471 b | whitelisted
1204 | iexplore.exe | GET | 200 | 142.250.186.35:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted
1204 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted
1204 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?453d79ac6bbc3f99 | US | compressed | 4.70 Kb | whitelisted
1204 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6bad4fdc3b24b047 | US | compressed | 4.70 Kb | whitelisted
1528 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted
1528 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1528 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1204 | iexplore.exe | 142.250.186.35:80 | ocsp.pki.goog | GOOGLE | US | whitelisted
1204 | iexplore.exe | 172.217.16.206:443 | www.google-analytics.com | GOOGLE | US | whitelisted
1204 | iexplore.exe | 162.159.138.78:443 | community.expensify.com | CLOUDFLARENET | | shared
1204 | iexplore.exe | 104.18.194.13:443 | us.v-cdn.net | CLOUDFLARENET | | unknown
1204 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
1204 | iexplore.exe | 104.16.213.59:443 | www.expensify.com | CLOUDFLARENET | | shared
1204 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
1204 | iexplore.exe | 142.250.74.200:443 | www.googletagmanager.com | GOOGLE | US | suspicious
1528 | iexplore.exe | 104.18.194.13:443 | us.v-cdn.net | CLOUDFLARENET | | unknown

DNS requests

Domain | IP | Reputation
community.expensify.com | 162.159.138.78, 162.159.128.79 | malicious
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
us.v-cdn.net | 104.18.194.13, 104.18.193.13 | unknown
www.google-analytics.com | 172.217.16.206 | whitelisted
www.googletagmanager.com | 142.250.74.200 | whitelisted
ocsp.pki.goog | 142.250.186.35 | whitelisted
www.expensify.com | 104.16.213.59, 104.16.214.59 | whitelisted

Threats: No threats detected
Debug info: No debug info