URL: https://bit.ly/30mruXl

Full analysis: https://app.any.run/tasks/fcd7d634-60b8-4cbc-bcae-ee933266d627
Verdict: Malicious activity
Analysis date: September 30, 2020, 12:05:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
  • MD5: 10E7D681A7DA4DB03334B702FB74C031
  • SHA1: EC409991BAFC620594291C388EE0211ADA277221
  • SHA256: 6C4B0900A1C0F4B9E79BD9EBBC35EDE68E62B7C69F05A542B68831A648EB664F
  • SSDEEP: 3:N8kSiArn:2J

For a URL submission these hashes are computed over the submitted URL string, not over a downloaded file: the SSDEEP block size of 3 is the algorithm's minimum and is only used for inputs of at most a couple of hundred bytes. Pivot on the URL itself and on the network indicators below rather than on these hashes.

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS: no malicious indicators.
  • SUSPICIOUS: no suspicious indicators.
  • INFO:
    • Reads settings of System Certificates: iexplore.exe (PID: 2384)
    • Reads Internet Cache Settings: iexplore.exe (PID: 2384), iexplore.exe (PID: 1336)
    • Reads internet explorer settings: iexplore.exe (PID: 2384)
    • Changes internet zones settings: iexplore.exe (PID: 1336)
    • Application launched itself: iexplore.exe (PID: 1336)
    • Creates files in the user directory: iexplore.exe (PID: 2384)
No Malware configuration.
Processes: 36 total, 2 monitored, 0 malicious, 0 suspicious

Behavior graph

start → iexplore.exe (PID 1336) → iexplore.exe (PID 2384)

Process information

PID: 1336
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/30mruXl
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2384
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1336 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe (PID 1336)
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 1336 is the Internet Explorer frame process that the sandbox started from explorer.exe with the submitted URL; PID 2384 is the tab process it spawns, which carries the parent's PID in SCODEF:1336 and runs at LOW integrity because Protected Mode is on. That frame/tab split is what the "Application launched itself" INFO signature records here, so on its own it is expected IE behaviour rather than a sign of compromise.
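The SCODEF/CREDAT command line and the MEDIUM/LOW integrity split are what separate IE's own tab spawning from a self-launch worth a second look. The script below is an added example, not part of the ANY.RUN report or its signature set: REPORT_PROCS is transcribed from the two process records above, ANOMALOUS is a constructed record used only to show the other branch, and the classification rule is this example's own heuristic.

```python
"""Classify iexplore.exe self-launches in a sandbox process tree.

Added example, not part of the ANY.RUN report. REPORT_PROCS is transcribed
from the 'Process information' table above; ANOMALOUS is a constructed record.
The rule that an iexplore.exe child carrying SCODEF:<parent pid> at LOW
integrity under a MEDIUM parent is an IE Protected Mode tab process is this
example's own heuristic, not an ANY.RUN signature.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    cmdline: str
    parent_pid: Optional[int]   # the report gives no PID for explorer.exe
    parent_image: str
    integrity: str              # as printed by the sandbox: LOW / MEDIUM / HIGH


# Transcribed from the report.
REPORT_PROCS: List[Proc] = [
    Proc(1336, "iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" https://bit.ly/30mruXl',
         None, "explorer.exe", "MEDIUM"),
    Proc(2384, "iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1336 CREDAT:267521 /prefetch:2',
         1336, "iexplore.exe", "LOW"),
]

# Constructed record: an iexplore.exe spawned by the LOW-integrity tab with no
# SCODEF token and a URL argument, i.e. outside the frame/tab pattern.
ANOMALOUS = Proc(4000, "iexplore.exe",
                 r'"C:\Program Files\Internet Explorer\iexplore.exe" http://example.invalid/',
                 2384, "iexplore.exe", "MEDIUM")

SCODEF_RE = re.compile(r"\bSCODEF:(\d+)\b")


def classify(proc: Proc, by_pid: Dict[int, Proc]) -> str:
    """Return 'root', 'protected-mode-tab' or 'self-launch' for one process."""
    if proc.parent_image.lower() != proc.image.lower():
        return "root"                       # spawned by something else, e.g. explorer.exe
    m = SCODEF_RE.search(proc.cmdline)
    parent = by_pid.get(proc.parent_pid) if proc.parent_pid is not None else None
    if (m is not None and parent is not None
            and int(m.group(1)) == parent.pid       # SCODEF names the frame process
            and proc.integrity == "LOW"              # tab runs in Protected Mode
            and parent.integrity == "MEDIUM"):       # frame runs at the user's level
        return "protected-mode-tab"
    return "self-launch"                    # same image re-launched outside that pattern


def triage(procs: List[Proc]) -> Dict[int, str]:
    """Classify every process in a tree, keyed by PID."""
    by_pid = {p.pid: p for p in procs}
    return {p.pid: classify(p, by_pid) for p in procs}


if __name__ == "__main__":
    for pid, verdict in triage(REPORT_PROCS + [ANOMALOUS]).items():
        print(pid, verdict)
```

Run as-is it labels 1336 as the root, 2384 as the Protected Mode tab and the constructed PID 4000 as a self-launch; the point of the check is that a same-image child is only benign when the SCODEF value, the parent PID and the integrity levels all line up.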
Events: 487 total (437 read, 50 write, 0 delete)

Modification events

All entries are registry writes by iexplore.exe (PID 1336).

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
    NextCheckForUpdateLowDateTime = 305605690
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
    NextCheckForUpdateHighDateTime = 30840610
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
    CachePrefix = (empty)
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
    CachePrefix = Cookie:
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
    CachePrefix = Visited:
  • HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    CompatibilityFlags = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
    SavedLegacySettings = 46000000A5000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    UNCAsIntranet = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    AutoDetect = 1
Files: 0 executable, 26 suspicious, 19 text, 14 unknown types

Dropped files

  • PID 2384 iexplore.exe: C:\Users\admin\AppData\Local\Temp\Low\Tar7829.tmp
    Type, MD5, SHA256: not given in the summary
  • PID 2384 iexplore.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\769UAQKY.txt
    Type, MD5, SHA256: not given in the summary
  • PID 2384 iexplore.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\Y2ODGGGB.txt
    Type, MD5, SHA256: not given in the summary
  • PID 1336 iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
    Type, MD5, SHA256: not given in the summary
  • PID 2384 iexplore.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\3N17UA2Y.txt (text)
    MD5: 484E8E4EC6FB906863EC62C25F5850DB
    SHA256: 6EA62BF9954FF321A0E6381E41B4DDDF29650326C667990A788330A5B0A8AD28
  • PID 2384 iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\xvideos[1].js (text)
    MD5: 90EE8DD194EC00E6E3B7A0A68E264CC5
    SHA256: FB9D974EB4C5CB617BB7AE40FA48AB665C9D4B54925E8B8257655A84CC8C3384
  • PID 2384 iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\analytics[1].js (text)
    MD5: 1E3AD19B0836D257E66DF0E4106AF582
    SHA256: 60863E86AA7743D1AC841DA7F473A05CD57FBA81D661CEF658E385437F80D5EF
  • PID 2384 iexplore.exe: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\X2KZ81RD.txt (text)
    MD5: 388AA0AA3F46EB5C02707C38C18C4746
    SHA256: 8DCA529769AD129F3872D71AF12029FD1D07D4CC1B821BE70BAF7808746FAB1C
  • PID 2384 iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\eqis4Z[1].htm (html)
    MD5: F796974490FCBC268C87096281EDBC89
    SHA256: 4923F5F4BE71BA43CB80C29C148F1603D58F052FB672ACDBACB8E444EB50EEB9
  • PID 2384 iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\85B3F147E3624A14E6A20DB4F6C2C5D9 (der)
    MD5: 138A196AC15A2BEBCB9FB38AC0120C4D
    SHA256: 17CE6CCF73A3D80F8303851A7AE95DA746F7AF1C3D058BB22E6FED54293DFE87
Network: 27 HTTP(S) requests, 52 TCP/UDP connections, 22 DNS requests, 0 threats

HTTP requests (10 of the 27 requests; all made by iexplore.exe, PID 2384; a dash marks a field left blank in the summary)

Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
GET | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEDM8p7YwCDvUCAAAAABXoPk%3D | US | der | 471 b | whitelisted
GET | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEAyDrs7o0RpNCAAAAABXoKo%3D | US | der | 471 b | whitelisted
GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAqN7HPiQ2%2F4c3rdXE3uHG8%3D | US | der | 471 b | whitelisted
GET | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDqXuNQ97mPtAIAAAAAektt | US | der | 472 b | whitelisted
OPTIONS | 200 | 35.227.234.224:80 | http://analytics.shorte.st/displayed | US | - | - | whitelisted
GET | 200 | 104.26.6.218:80 | http://static.sh.st/js/packed/interstitial-page.js?2020-02-19.0 | US | text | 24.7 Kb | unknown
GET | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEDM8p7YwCDvUCAAAAABXoPk%3D | US | der | 471 b | whitelisted
GET | 200 | 104.27.182.150:80 | http://gestyy.com/bundles/smeweb/img/tracking-9370952.gif?t=1601467538 | US | image | 43 b | malicious
GET | 200 | 172.217.23.131:80 | http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEAyDrs7o0RpNCAAAAABXoKo%3D | US | der | 471 b | whitelisted
GET | 200 | 104.26.6.218:80 | http://static.sh.st/b5/4c/45/48/be/0d/ca/35/64/1c/e2/75/9d/8f/9e/2c/logo1707.png?2020-02-19.0 | US | image | 6.08 Kb | unknown

Connections (a dash marks a field left blank in the summary)

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 67.199.248.11:443 | bit.ly | Bitly Inc | US | shared
2384 | iexplore.exe | 216.58.205.234:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
2384 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2384 | iexplore.exe | 67.199.248.11:443 | bit.ly | Bitly Inc | US | shared
2384 | iexplore.exe | 172.217.23.131:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
2384 | iexplore.exe | 172.67.68.250:80 | static.sh.st | - | US | unknown
2384 | iexplore.exe | 172.217.23.142:80 | www.google-analytics.com | Google Inc. | US | whitelisted
2384 | iexplore.exe | 104.27.182.150:80 | gestyy.com | Cloudflare Inc | US | malicious
2384 | iexplore.exe | 139.45.195.108:80 | go.onclasrv.com | - | US | unknown
2384 | iexplore.exe | 142.250.74.195:80 | crl.pki.goog | Google Inc. | US | whitelisted

DNS requests

Domain | IPs | Reputation
bit.ly | 67.199.248.11, 67.199.248.10 | shared
ocsp.digicert.com | 93.184.220.29 | whitelisted
gestyy.com | 104.27.182.150, 104.27.183.150, 172.67.188.36 | unknown
api.bing.com | 13.107.13.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
fonts.googleapis.com | 216.58.205.234 | whitelisted
static.sh.st | 172.67.68.250, 104.26.6.218, 104.26.7.218 | unknown
go.onclasrv.com | 139.45.195.108, 139.45.196.89, 139.45.195.43, 139.45.196.27, 139.45.195.164 | whitelisted
d3ud741uvs727m.cloudfront.net | 143.204.208.47, 143.204.208.48, 143.204.208.90, 143.204.208.30 | whitelisted
www.google-analytics.com | 172.217.23.142 | whitelisted

Treat the reputation tags as per-table hints rather than one verdict: gestyy.com is "malicious" under Connections and in the HTTP table but "unknown" here, and go.onclasrv.com is "unknown" under Connections but "whitelisted" here. The ocsp.* and crl.* entries are the browser's certificate revocation checks for the TLS connections, not infrastructure chosen by the page being analysed.
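Turning the three network tables into something actionable means setting the revocation-check noise aside, listing the hosts that actually need a look, flagging where the tables disagree about reputation, and collecting every IP tied to each host. The script below is an added example and not ANY.RUN tooling: CONNECTIONS and DNS are transcribed from the Connections and DNS tables above, and the two triage rules (ocsp.*/crl.* hosts are certificate-validation noise; any other contacted host not tagged "whitelisted" goes on the review list) are this example's own assumptions.

```python
"""Triage the network tables of a sandbox report.

Added example, not ANY.RUN tooling. CONNECTIONS and DNS are transcribed from
the 'Connections' and 'DNS requests' tables above. Two rules are this
example's own assumptions: hosts named ocsp.* or crl.* are the browser's
certificate-revocation checks and are set aside as noise, and every other
contacted host whose reputation is not 'whitelisted' is queued for review.
"""
from typing import Dict, List, Tuple

# (endpoint, domain, reputation), in the order the report lists them.
CONNECTIONS: List[Tuple[str, str, str]] = [
    ("67.199.248.11:443", "bit.ly", "shared"),
    ("216.58.205.234:443", "fonts.googleapis.com", "whitelisted"),
    ("93.184.220.29:80", "ocsp.digicert.com", "whitelisted"),
    ("67.199.248.11:443", "bit.ly", "shared"),
    ("172.217.23.131:80", "ocsp.pki.goog", "whitelisted"),
    ("172.67.68.250:80", "static.sh.st", "unknown"),
    ("172.217.23.142:80", "www.google-analytics.com", "whitelisted"),
    ("104.27.182.150:80", "gestyy.com", "malicious"),
    ("139.45.195.108:80", "go.onclasrv.com", "unknown"),
    ("142.250.74.195:80", "crl.pki.goog", "whitelisted"),
]

# (domain, answers, reputation) from the DNS table.
DNS: List[Tuple[str, List[str], str]] = [
    ("bit.ly", ["67.199.248.11", "67.199.248.10"], "shared"),
    ("ocsp.digicert.com", ["93.184.220.29"], "whitelisted"),
    ("gestyy.com", ["104.27.182.150", "104.27.183.150", "172.67.188.36"], "unknown"),
    ("api.bing.com", ["13.107.13.80"], "whitelisted"),
    ("www.bing.com", ["204.79.197.200", "13.107.21.200"], "whitelisted"),
    ("fonts.googleapis.com", ["216.58.205.234"], "whitelisted"),
    ("static.sh.st", ["172.67.68.250", "104.26.6.218", "104.26.7.218"], "unknown"),
    ("go.onclasrv.com", ["139.45.195.108", "139.45.196.89", "139.45.195.43",
                         "139.45.196.27", "139.45.195.164"], "whitelisted"),
    ("d3ud741uvs727m.cloudfront.net", ["143.204.208.47", "143.204.208.48",
                                       "143.204.208.90", "143.204.208.30"], "whitelisted"),
    ("www.google-analytics.com", ["172.217.23.142"], "whitelisted"),
]

CERT_NOISE = ("ocsp.", "crl.")   # assumption: revocation checks, not the sample's own traffic


def is_cert_noise(domain: str) -> bool:
    return domain.lower().startswith(CERT_NOISE)


def hosts_to_review(connections=CONNECTIONS) -> List[str]:
    """Contacted hosts in first-contact order, minus cert noise and whitelisted hosts."""
    seen, out = set(), []
    for _endpoint, domain, rep in connections:
        if is_cert_noise(domain) or rep == "whitelisted" or domain in seen:
            continue
        seen.add(domain)
        out.append(domain)
    return out


def reputation_conflicts(connections=CONNECTIONS, dns=DNS) -> Dict[str, Tuple[str, str]]:
    """Domains the Connections and DNS tables score differently: {domain: (conn, dns)}."""
    conn_rep = {domain: rep for _e, domain, rep in connections}
    return {domain: (conn_rep[domain], rep)
            for domain, _ips, rep in dns
            if domain in conn_rep and conn_rep[domain] != rep}


def resolved_but_not_contacted(connections=CONNECTIONS, dns=DNS) -> List[str]:
    """Names that were looked up but never appear as a connection."""
    contacted = {domain for _e, domain, _r in connections}
    return [domain for domain, _ips, _r in dns if domain not in contacted]


def infrastructure(connections=CONNECTIONS, dns=DNS) -> Dict[str, List[str]]:
    """Every IP tied to each reviewed host, merging connection endpoints and DNS answers."""
    ips: Dict[str, set] = {}
    for endpoint, domain, _r in connections:
        ips.setdefault(domain, set()).add(endpoint.rsplit(":", 1)[0])
    for domain, answers, _r in dns:
        ips.setdefault(domain, set()).update(answers)
    return {domain: sorted(ips[domain]) for domain in hosts_to_review(connections)}


if __name__ == "__main__":
    print("review:", hosts_to_review())
    print("conflicts:", reputation_conflicts())
    print("resolved only:", resolved_but_not_contacted())
    for host, addrs in infrastructure().items():
        print(host, addrs)
```

On the report's data the review list comes out as bit.ly, static.sh.st, gestyy.com and go.onclasrv.com in that order, which is the redirect chain a reviewer would then follow in the PCAP; the conflict check surfaces the two domains whose tags differ between tables, and the merged IP lists are what goes into a blocklist rather than the single endpoint each connection row shows.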

Threats

No threats detected
No debug info