analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://go.microsoft.com/fwlink/?LinkId=838604

Full analysis: https://app.any.run/tasks/2a8eacca-695b-4fd1-af91-2d9f27e9dcde
Verdict: Malicious activity
Analysis date: October 17, 2020, 15:50:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

F6E06B12C33AD3D615BD8820447308C3

SHA1:

5396B73E470AE034B4BA006CB8A8E3B33C4EA73D

SHA256:

6D110BD63924989E6EF63BE756BAA1E07D88EE6896340C70308612DC064B68A7

SSDEEP:

3:N1KZKLIetR7LOCdvRn:C08eDPOCdJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2428)

    • Changes internet zones settings

      • iexplore.exe (PID: 2428)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2428)
      • iexplore.exe (PID: 1844)

    • Creates files in the user directory

      • iexplore.exe (PID: 1844)

    • Application launched itself

      • iexplore.exe (PID: 2428)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1844)

    • Manual execution by user

      • cmd.exe (PID: 2456)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2428)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2428)

    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 2428)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
4
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe cmd.exe no specs tracert.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2428"C:\Program Files\Internet Explorer\iexplore.exe" "http://go.microsoft.com/fwlink/?LinkId=838604"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1844"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2428 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2456"C:\Windows\system32\cmd.exe" C:\Windows\system32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2540tracert google.comC:\Windows\system32\TRACERT.EXEcmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Traceroute Command
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
449
Read events
349
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
45
Text files
59
Unknown types
20

Dropped files

PID
Process
Filename
Type
1844iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Cab4153.tmp
MD5:
SHA256:
1844iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\Tar4154.tmp
MD5:
SHA256:
1844iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\oneplayer[1].jstext
MD5:E55A31578CEB2F95B1BE64DC9D196C4F
SHA256:F15E464423C3567021EDF03B52910CBA2D94667E4E2F9977D6E49CBB10521245
1844iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\css[1].csstext
MD5:45364B29A40A6E675CA364F25E2EECBD
SHA256:8C8ADB1CE95737650CC6418D782D0C3D5A8E6B293BA57507942C3C07FD18BC0B
1844iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\js[1].jstext
MD5:6124FBF3B5B9EDCBDB48EA1008F237AB
SHA256:E059370DA6921E61359C688DE77D771EB7DC29F216BAAA29C914C3BD0184309C
1844iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5ABder
MD5:69CE0F8127A8878A5B88CE11379C9E68
SHA256:9CD0599533309F69C9AEC5F581FEBAB94EE88E2D43A0A5AA60B27E36E4834252
1844iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04der
MD5:0C575BD049E419503C704224FACABC04
SHA256:9114D790F498FC5315001B19B5CBBA8EC366AD985F6B00210AB69AAE9CF0FB7F
1844iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\edge[1].htmhtml
MD5:8D8FD697A7803A1AC2FCBFA7A27E8D87
SHA256:63F45F3ED5C6998BF1881D4994809D13A3D9B99FCA7831A835F440DD21E88A18
1844iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5ABbinary
MD5:8D842D028C3A4E73547472A8EC9BEC80
SHA256:BABE0CE9056D580A6C7E3C959A6DA2135F2FF3A87408D536D64FE2DE47D3F189
1844iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04binary
MD5:328FEDABD7CDE26DB2D9DEC6AFB44296
SHA256:BFC41AF89A69904A02C1060774D5A2494E05F66C99481E4B2E6AE633EFAE925E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
23
TCP/UDP connections
57
DNS requests
24
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1844
iexplore.exe
GET
302
104.108.39.131:80
http://go.microsoft.com/fwlink/?LinkId=838604
NL
whitelisted
1844
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D
US
der
471 b
whitelisted
1844
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D
US
der
471 b
whitelisted
1844
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D
US
der
471 b
whitelisted
1844
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D
US
der
471 b
whitelisted
1844
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D
US
der
471 b
whitelisted
1844
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
US
der
471 b
whitelisted
1844
iexplore.exe
GET
304
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D
US
der
471 b
whitelisted
1844
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
US
der
471 b
whitelisted
1844
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAtb9ltrp%2FvQiykNkEU33uA%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1844
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1844
iexplore.exe
104.108.39.131:80
go.microsoft.com
Akamai Technologies, Inc.
NL
unknown
1844
iexplore.exe
2.16.186.40:443
img-prod-cms-rt-microsoft-com.akamaized.net
Akamai International B.V.
whitelisted
1844
iexplore.exe
104.108.39.131:443
go.microsoft.com
Akamai Technologies, Inc.
NL
unknown
1844
iexplore.exe
95.100.197.46:443
assets.adobedtm.com
Akamai Technologies, Inc.
unknown
1844
iexplore.exe
13.107.246.10:443
wcpstatic.microsoft.com
Microsoft Corporation
US
whitelisted
1844
iexplore.exe
2.16.186.41:443
statics-marketingsites-neu-ms-com.akamaized.net
Akamai International B.V.
whitelisted
1844
iexplore.exe
104.80.29.181:443
www.microsoft.com
Akamai Technologies, Inc.
US
malicious
1844
iexplore.exe
2.16.186.18:443
mwf-service.akamaized.net
Akamai International B.V.
whitelisted
1844
iexplore.exe
95.100.198.11:443
c.s-microsoft.com
Akamai Technologies, Inc.
unknown

DNS requests

Domain
IP
Reputation
go.microsoft.com
  • 104.108.39.131
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
www.microsoft.com
  • 104.80.29.181
whitelisted
assets.adobedtm.com
  • 95.100.197.46
whitelisted
statics-marketingsites-neu-ms-com.akamaized.net
  • 2.16.186.41
  • 2.16.186.27
whitelisted
mwf-service.akamaized.net
  • 2.16.186.18
  • 2.16.186.9
whitelisted
wcpstatic.microsoft.com
  • 13.107.246.10
whitelisted
img-prod-cms-rt-microsoft-com.akamaized.net
  • 2.16.186.40
  • 2.16.186.27
whitelisted
c.s-microsoft.com
  • 95.100.198.11
whitelisted
az725175.vo.msecnd.net
  • 152.199.19.160
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://go.microsoft.com/fwlink/?LinkId=838604