URL: http://covid-19kit.store

Full analysis: https://app.any.run/tasks/efffce70-9c57-41b0-9419-1662db180ef9
Verdict: Malicious activity
Analysis date: March 31, 2020, 10:01:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: covid19
Indicators:
MD5: F1DCD23330E9EBA881BEDD3458726D52
SHA1: 14E898FFF65D386885DB90A21DB09841AC85EBD8
SHA256: 9245D6C6B08E7974D033132A1AC24EB96B3571D7394891F2D0779C6071B76C35
SSDEEP: 3:N1KdKTAyc:CIk/

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore have been influenced by analyst actions inside the VM and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS: no malicious indicators.
  • SUSPICIOUS: no suspicious indicators.
  • INFO:
    • Drops Coronavirus (possible) decoy: iexplore.exe (PID 1168), iexplore.exe (PID 3328)
    • Reads Internet Cache Settings: iexplore.exe (PID 1168), iexplore.exe (PID 3328)
    • Application launched itself: iexplore.exe (PID 3328)
    • Changes internet zones settings: iexplore.exe (PID 3328)
    • Reads Internet Explorer settings: iexplore.exe (PID 1168)
    • Creates files in the user directory: iexplore.exe (PID 1168)
    • Reads settings of System Certificates: iexplore.exe (PID 3328), iexplore.exe (PID 1168)
    • Changes settings of System certificates: iexplore.exe (PID 3328)
    • Adds / modifies Windows certificates: iexplore.exe (PID 3328)

All signature hits on this task are INFO-level and come from the two Internet Explorer processes that rendered the page; none of them is by itself evidence of compromise, so the task needs to be judged on the network activity and the content served rather than on these indicators alone.
No Malware configuration.
Process summary
Total processes: 36
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph: start -> iexplore.exe (PID 3328) -> iexplore.exe (PID 1168)

Process information

PID 3328
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://covid-19kit.store"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 1168
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3328 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe (PID 3328)
  User: admin
  Company: Microsoft Corporation
  Integrity level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

The SCODEF:3328 CREDAT:... command line and the LOW integrity level identify PID 1168 as the Protected Mode tab (content) process that the IE frame process, PID 3328, spawns to render the page. That spawn is what the "Application launched itself" indicator above refers to; it is the normal process shape for IE 11 and is not specific to this site.
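To make the "Application launched itself" indicator actionable, here is an added triage helper (example code, not part of the ANY.RUN report or its tooling). It recognises IE's Protected Mode content process from the SCODEF:&lt;frame PID&gt; CREDAT:&lt;n&gt; command line plus LOW integrity, treats a content process at MEDIUM integrity as "Protected Mode off" rather than as an attack, and flags any other child of iexplore.exe. The process records are constructed: the explorer.exe PID and the wscript.exe child are hypothetical and do not appear in the report.

```python
"""Triage helper for 'iexplore.exe launched itself' (added example, not from the report)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The IE frame process starts every tab/content process with this command-line
# shape; SCODEF carries the PID of the frame process that owns the tab.
CONTENT_PROC_RE = re.compile(r"\bSCODEF:(?P<frame_pid>\d+)\s+CREDAT:\d+", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str       # executable file name only
    cmdline: str
    integrity: str   # "LOW", "MEDIUM" or "HIGH"


def classify_ie_child(parent: ProcEvent, child: ProcEvent) -> str:
    """Classify one parent/child pair where the parent is iexplore.exe.

    Returns one of:
      'n/a'                           parent is not IE, or child does not belong to it
      'expected-content-process'      Protected Mode tab spawned by this frame process
      'content-process-not-protected' looks like a tab, but not at LOW integrity
      'unexpected-ie-child'           anything else IE started (worth a closer look)
    """
    if parent.image.lower() != "iexplore.exe" or child.ppid != parent.pid:
        return "n/a"
    m = CONTENT_PROC_RE.search(child.cmdline)
    is_tab = (child.image.lower() == "iexplore.exe"
              and m is not None
              and int(m.group("frame_pid")) == parent.pid)
    if is_tab and child.integrity.upper() == "LOW":
        return "expected-content-process"
    if is_tab:
        return "content-process-not-protected"
    return "unexpected-ie-child"


def triage(events: List[ProcEvent]) -> List[Tuple[int, str, str]]:
    """Walk a process list and return (pid, image, verdict) for every IE child."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        verdict = classify_ie_child(parent, e)
        if verdict != "n/a":
            findings.append((e.pid, e.image, verdict))
    return findings


IE = r'"C:\Program Files\Internet Explorer\iexplore.exe"'

# Constructed sample: the two processes from the report (PIDs 3328 and 1168)
# plus a hypothetical explorer.exe parent (PID 1796) and a hypothetical
# wscript.exe child (PID 4100) that is NOT in the report.
SAMPLE = [
    ProcEvent(1796, 4, "explorer.exe", r"C:\Windows\explorer.exe", "MEDIUM"),
    ProcEvent(3328, 1796, "iexplore.exe", IE + ' "http://covid-19kit.store"', "MEDIUM"),
    ProcEvent(1168, 3328, "iexplore.exe", IE + " SCODEF:3328 CREDAT:267521 /prefetch:2", "LOW"),
    ProcEvent(4100, 1168, "wscript.exe",
              r"wscript.exe C:\Users\admin\AppData\Local\Temp\Low\update.vbs", "LOW"),
]

if __name__ == "__main__":
    for pid, image, verdict in triage(SAMPLE):
        print(f"{pid:>5} {image:<14} {verdict}")
```

Run against the sample, the report's own pair (3328 -> 1168) comes back as an expected content process, while the invented wscript.exe child is flagged; a content process whose SCODEF value does not match its actual parent PID is also flagged, which catches process-masquerading attempts that copy IE's command line.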
Event summary
Total events: 2,783
Read events: 1,855
Write events: 0
Delete events: 0
Modification events: no data

File summary
Executable files: 0
Suspicious files: 48
Text files: 37
Unknown types: 28

Dropped files

PID 3328, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Type, MD5, SHA256: not listed
PID 1168, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\woocommerce[1].css (text)
  MD5: F3B1F1EA2A91164E2902C5E4369B2445
  SHA256: 4703256BA274A823456E854B18CEE7A1808DDC66E8F4D89F13678B6E810DD000
PID 1168, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\style.front[1].css (text)
  MD5: 9C9EEF30543A63827B67A080B4142DDE
  SHA256: 0F718C6CD47E0D52FF8D3586615FCA00E72DD861B121C87F6782B10A65D0A7CF
PID 1168, iexplore.exe: C:\Users\admin\AppData\Local\Temp\Low\Cab89E9.tmp
  Type, MD5, SHA256: not listed
PID 1168, iexplore.exe: C:\Users\admin\AppData\Local\Temp\Low\Tar89EA.tmp
  Type, MD5, SHA256: not listed
PID 1168, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 (der)
  MD5: BA4F3F81467A3DC2332CC7BF45A0EAEF
  SHA256: B4F18425C72D033A765C4780C426223318B19AFA3699EC7880302E7FD24B4230
PID 1168, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D (der)
  MD5: D1B2D10BBAE9517186593D8C60FF4FF1
  SHA256: 633FF3D67721E58227E11A69077114107BFA86A69BACCAADF4030F2F3B60E878
PID 1168, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\gutenberg-blocks[1].css (text)
  MD5: F3389046EA0BAC97123F74B27BD7A729
  SHA256: 7A459F629196FCFCD39DA792619CE14E3553B8B8BC8594AD3F727420BE128DDB
PID 1168, iexplore.exe: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\8QU1CQCK.htm (html)
  MD5: 8C75985D1FE46449E684ACAD06D0D416
  SHA256: 689C5F83879C38643DD862129E11130103F470079B83CF5DF560EE577456424B
PID 1168, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D (binary)
  MD5: 4F2CBF45E703737526AAE0C0C7813423
  SHA256: 6D75E9E84600945402667B02436E2FFD88EB6A4990A267553AF4204BB850B988

The Content.IE5 entries are the browser cache copies of the WordPress/WooCommerce theme assets fetched from the site. The CryptnetUrlCache entries are written by the Windows certificate-chain engine when it fetches issuer and revocation data over HTTP, which matches the OCSP requests in the network section below; they are DER-encoded responses, not files delivered by the site.
Network summary
HTTP(S) requests: 39
TCP/UDP connections: 74
DNS requests: 16
Threats: 0 (the Threats table at the end of this report nonetheless lists ten ET INFO alerts; this counter does not include them)

HTTP requests (the rows included in this report; the summary above counts 39 in total)

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
1168 | iexplore.exe | GET | 200 | 195.19.192.201:80 | http://covid-19kit.store/ | RU | html | 7.16 Kb | suspicious
1168 | iexplore.exe | GET | - | 192.124.249.22:80 | http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | US | - | - | whitelisted (this request is listed four times)
1168 | iexplore.exe | GET | 200 | 195.19.192.201:80 | http://covid-19kit.store/wp-content/themes/storefront/assets/css/woocommerce/woocommerce.css?ver=2.5.5 | RU | text | 10.6 Kb | suspicious
1168 | iexplore.exe | GET | 200 | 195.19.192.201:80 | http://covid-19kit.store/wp-content/themes/storefront/style.css?ver=2.5.5 | RU | text | 11.8 Kb | suspicious
1168 | iexplore.exe | GET | 200 | 195.19.192.201:80 | http://covid-19kit.store/wp-content/themes/storefront/assets/js/woocommerce/header-cart.min.js?ver=2.5.5 | RU | text | 531 b | suspicious
1168 | iexplore.exe | GET | 200 | 195.19.192.201:80 | http://covid-19kit.store/wp-content/themes/storefront/assets/css/base/gutenberg-blocks.css?ver=2.5.5 | RU | text | 3.95 Kb | suspicious
1168 | iexplore.exe | GET | 200 | 2.20.190.11:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted

The requests to the "suspicious" host are all for the stock Storefront theme and WooCommerce assets (version 2.5.5) of a WordPress shop; the remaining requests are OCSP lookups made by the certificate-chain engine.

Connections

PID | Process | IP:port | Domain | ASN (organisation) | CN | Reputation
1168 | iexplore.exe | 172.217.21.234:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
1168 | iexplore.exe | 192.0.76.3:443 | stats.wp.com | Automattic, Inc | US | suspicious
1168 | iexplore.exe | 195.19.192.201:80 | covid-19kit.store | Ruscom Ltd. | RU | suspicious
1168 | iexplore.exe | 192.0.77.37:443 | c0.wp.com | Automattic, Inc | US | suspicious
1168 | iexplore.exe | 195.19.192.201:443 | covid-19kit.store | Ruscom Ltd. | RU | suspicious
3328 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
1168 | iexplore.exe | 192.124.249.22:80 | ocsp.godaddy.com | Sucuri | US | suspicious
1168 | iexplore.exe | 216.58.207.67:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
1168 | iexplore.exe | 2.20.190.11:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | - | whitelisted
1168 | iexplore.exe | 2.20.190.17:80 | ocsp.int-x3.letsencrypt.org | Akamai International B.V. | - | whitelisted

DNS requests

Domain | Resolved IPs | Reputation
covid-19kit.store | 195.19.192.201 | suspicious
c0.wp.com | 192.0.77.37 | whitelisted
fonts.googleapis.com | 172.217.21.234 | whitelisted
stats.wp.com | 192.0.76.3 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
ocsp.pki.goog | 216.58.207.67 | whitelisted
ocsp.godaddy.com | 192.124.249.22, 192.124.249.36, 192.124.249.41, 192.124.249.24, 192.124.249.23 | whitelisted
isrg.trustid.ocsp.identrust.com | 2.20.190.11, 2.20.189.204 | whitelisted
ocsp.int-x3.letsencrypt.org | 2.20.190.17, 2.20.189.244 | whitelisted

Note that stats.wp.com and c0.wp.com are rated "whitelisted" here but "suspicious" in the Connections table; the two reputation columns come from different lookups and should not be treated as a single verdict on those hosts.

Threats

PID | Process | Class | Message
- | - | Potentially Bad Traffic | ET INFO Suspicious Domain Request for Possible COVID-19 Domain M1
1168 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 Domain M1 (listed nine times)

Both signatures are ET INFO rules that key on the COVID-19 theme of the requested host name; they mark the domain as worth a look rather than as a confirmed malicious destination.
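The alerts above fire on the theme of the requested domain rather than on its content. The following added example (not part of the report, and not the Emerging Threats rule text) shows detection logic in that spirit: a lexical theme match over host names combined with a match against this report's network IOCs, run over constructed DNS/HTTP log lines. The keyword pattern is an assumption that approximates what such a rule looks for; the coronavirus-update.example domain and its 203.0.113.10 address are invented to show a theme-only hit, and the other log lines reuse hosts and IPs from the tables above.

```python
"""Theme-plus-IOC matcher in the spirit of the ET INFO alerts (added example, not from the report)."""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Network IOCs taken from this report's DNS and Connections tables.
IOC_DOMAINS = {"covid-19kit.store"}
IOC_IPS = {"195.19.192.201"}

# Assumption: a COVID/corona token at the start of any label of the host name.
# This approximates the theme-based ET INFO rules; it is not the real signature.
COVID_RE = re.compile(r"(^|[.-])(covid|corona|ncov)", re.IGNORECASE)


def host_of(value: str) -> str:
    """Accept a bare host name or a full URL and return the lowercase host name."""
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.strip().lower().rstrip(".")


def classify(host_or_url: str, dst_ip: Optional[str] = None) -> List[str]:
    """Return the tags that apply: 'ioc-match' (known bad) and/or 'covid-theme' (lexical only)."""
    host = host_of(host_or_url)
    tags = []
    if host in IOC_DOMAINS or (dst_ip is not None and dst_ip in IOC_IPS):
        tags.append("ioc-match")
    if COVID_RE.search(host):
        tags.append("covid-theme")
    return tags


# Constructed log lines, one per event: "<kind> <pid> <host-or-url> <dst_ip>".
SAMPLE_LOG = """\
dns  1168 covid-19kit.store 195.19.192.201
dns  1168 fonts.googleapis.com 172.217.21.234
http 1168 http://covid-19kit.store/wp-content/themes/storefront/style.css?ver=2.5.5 195.19.192.201
http 1168 http://isrg.trustid.ocsp.identrust.com/MFEw 2.20.190.11
dns  1168 coronavirus-update.example 203.0.113.10
dns  3328 www.bing.com 204.79.197.200
"""


def scan(log: str) -> List[Tuple[str, int, str, List[str]]]:
    """Return (kind, pid, host, tags) for every log line that earns at least one tag."""
    hits = []
    for line in log.splitlines():
        kind, pid, target, ip = line.split()
        tags = classify(target, ip)
        if tags:
            hits.append((kind, int(pid), host_of(target), tags))
    return hits


if __name__ == "__main__":
    for kind, pid, host, tags in scan(SAMPLE_LOG):
        print(f"{kind:<4} {pid:>5} {host:<32} {','.join(tags)}")
```

The theme tag on its own is deliberately low severity: a domain can match the pattern and be entirely legitimate, which is why the example also carries the IOC match and why a practitioner should escalate on "ioc-match" (or on theme plus hostile content) rather than on the keyword alone.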