URL:

https://Z0z.rlqponawiuy.ru/uJseWG/

Full analysis: https://app.any.run/tasks/07eb9a7d-e7f9-4b32-ac23-ceb82f43785f
Verdict: Malicious activity
Analysis date: December 13, 2024, 18:52:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags: phishing, storm1747
Indicators:

MD5: 4F704AC4F34BC894DB19685F9FE6051C
SHA1: C967024F324DEB96B0CC85F4B97059C4FE3BD81E
SHA256: 7C753D9F9A3D9169BFC82DE521ADF81BE3DE96D62DEBD312F1E6951FBCE3162A
SSDEEP: 3:N8REKwSSQyAxKn:2REKwqIn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • PHISHING has been detected (SURICATA)

      • msedge.exe (PID: 4792)
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    No info indicators.
No Malware configuration.
No data.
Total processes: 135
Monitored processes: 1
Malicious processes: 1
Suspicious processes: 0

#PHISHING msedge.exe

Process information

| PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 4792 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2604 --field-trial-handle=2320,i,16194277592197507296,15814343983252007256,262144 --variations-seed-version /prefetch:3 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | | msedge.exe |

User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Version: 122.0.2365.59
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 10
Text files: 0
Unknown types: 0

Dropped files

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 4792 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity~RF2b8c12.TMP | binary | 15D26FA4E16467BE658F42074AC0DBAA | D287407BD901A32E3F38F4392984507184D596C3694FAA69DD0B2E68F9F3A8FE |
| 4792 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State | binary | ED74D0CC3CAB53CA501F3CD6C50FAA1A | 331BB0DA5A3BE7843A14503DA9547E7309F3631916C6112882FF36D75025E7EE |
| 4792 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\153a2b85-214b-4634-8397-f27c8cc08b3f.tmp | binary | ED74D0CC3CAB53CA501F3CD6C50FAA1A | 331BB0DA5A3BE7843A14503DA9547E7309F3631916C6112882FF36D75025E7EE |
| 4792 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State~RF2b63aa.TMP | binary | 2A21453795942FD88CBB06714604B9FD | 5DFE0384325B556EE4B8668E502312B9BA6ADC298CD9213DDFA528CB959ADC06 |
| 4792 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity | binary | 80FF4E1FB8B82E20C546B7E7C9EB55DF | 9EFA2A216000AAF4A5717C261A07B910C9B27C2D39DB60DBA6516210C50C01C9 |
| 4792 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bb | binary | 1BDE5E7CEC3CCCEF63B4CDADDCABAA4C | E38C3A21FDBC3F80D949EA39C81DD0DAD7783BDA57D3835FD0592FB083033430 |
| 4792 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bc | binary | CEDA09C978023F0B029310993B9F18C5 | D3F03033718C9F5955906525E85A503BFBD78C04352B294533594104D23BEC9B |
| 4792 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\39d41481-a82b-4a8e-9b12-9d4ff38a5114.tmp | binary | 80FF4E1FB8B82E20C546B7E7C9EB55DF | 9EFA2A216000AAF4A5717C261A07B910C9B27C2D39DB60DBA6516210C50C01C9 |
| 4792 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ba | binary | 22EE8D6641B5322770CDE9BD6DB99EE7 | BCEE69FA3B0A6D7C425DE90AEBB56EB5EC73864B90EA868A5D6D63867920E550 |
| 4792 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bd | binary | D17B5A55EC9D8608C1D2B531CCB6DE88 | DC2A3600C7CDFAEA40DB03757D6915D67518215DB51397C8A5BB3F132AE89A49 |
HTTP(S) requests: 23
TCP/UDP connections: 41
DNS requests: 19
Threats: 6

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Reputation |
|---|---|---|---|---|---|---|---|
| | | OPTIONS | 200 | 35.190.80.1:443 | https://a.nel.cloudflare.com/report/v4?s=vP123i71xspaS6HCfZPaYRyP1k5IL%2BlrQv6w1iv%2BbnlYhBhpXFquVBEqaUdOP8fXzx%2Bh%2Fn2KT7zR3kw7mEMh3U2MxPp9A%2F3Hc64ZNxyDtMFa3jngk4XHuolChO98MQ%3D%3D | | unknown |
| | | HEAD | 200 | 23.218.208.109:443 | https://fs.microsoft.com/fs/windows/config.json | | unknown |
| | | GET | | 104.21.76.143:443 | https://z0z.rlqponawiuy.ru/uJseWG/ | | unknown |
| 4792 | msedge.exe | GET | 302 | 104.21.76.143:80 | http://z0z.rlqponawiuy.ru/uJseWG/ | | unknown |
| 6340 | RUXIMICS.exe | GET | 200 | 23.215.121.133:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted |
| 4304 | MoUsoCoreWorker.exe | GET | 200 | 23.215.121.133:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted |
| 6340 | RUXIMICS.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted |
| 5968 | svchost.exe | GET | 200 | 23.215.121.133:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted |
| 4304 | MoUsoCoreWorker.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted |
| 5968 | svchost.exe | GET | 200 | 23.32.238.112:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted |

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 6340 | RUXIMICS.exe | 20.73.194.208:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| | | 224.0.0.251:5353 | | | | unknown |
| 4304 | MoUsoCoreWorker.exe | 20.73.194.208:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 4792 | msedge.exe | 20.50.73.4:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
| 5968 | svchost.exe | 20.73.194.208:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 5988 | svchost.exe | 239.255.255.250:1900 | | | | whitelisted |
| 4792 | msedge.exe | 104.21.76.143:443 | z0z.rlqponawiuy.ru | | | unknown |
| 4792 | msedge.exe | 2.19.80.27:443 | www.bing.com | Akamai International B.V. | DE | whitelisted |
| 4792 | msedge.exe | 35.190.80.1:443 | a.nel.cloudflare.com | GOOGLE | US | whitelisted |
| 6552 | svchost.exe | 23.218.208.109:443 | fs.microsoft.com | AKAMAI-AS | DE | whitelisted |

DNS requests

| Domain | IP | Reputation |
|---|---|---|
| google.com | 172.217.18.110 | whitelisted |
| z0z.rlqponawiuy.ru | 104.21.76.143, 172.67.196.28 | unknown |
| www.bing.com | 2.19.80.27, 2.19.80.56, 2.19.80.80, 2.19.80.89, 2.19.80.75 | whitelisted |
| a.nel.cloudflare.com | 35.190.80.1 | whitelisted |
| fs.microsoft.com | 23.218.208.109 | whitelisted |
| crl.microsoft.com | 23.32.238.112, 23.32.238.107 | whitelisted |
| www.microsoft.com | 23.215.121.133 | whitelisted |
| settings-win.data.microsoft.com | 51.124.78.146 | whitelisted |
| block.charter-prod.hosted.cujo.io | 13.32.121.110, 13.32.121.69, 13.32.121.85, 13.32.121.14 | unknown |
| www.spectrum.com | 104.87.229.101 | whitelisted |

Threats

| PID | Process | Class | Message |
|---|---|---|---|
| | | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Storms-1747`s Phishing domain by CrossDomain ( .rlqponawiuy .ru) |
| | | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Storms-1747`s Phishing domain by CrossDomain ( .rlqponawiuy .ru) |
| | | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL) |
| | | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL) |
| | | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Storms-1747`s Phishing domain by CrossDomain ( .rlqponawiuy .ru) |
| | | Possible Social Engineering Attempted | PHISHING [ANY.RUN] Suspected Storms-1747`s Phishing domain by CrossDomain ( .rlqponawiuy .ru) |
No debug info