URL: https://protect-us.mimecast.com/s/UfXwCOY0mkh5EynGCv30EQ?domain=kvgo.com

Full analysis: https://app.any.run/tasks/c4e48800-5306-4942-a9c0-5004d760ef7d
Verdict: Malicious activity
Analysis date: June 27, 2022, 13:23:54
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: E448D0C50EC73F82138A4248CA7541BE
SHA1: 63A4A3CA0789180DC02F79B8E4621B23D965E717
SHA256: 926A07B08A204BAEA1BF0264AED56669D3E8C901FC42A2EE0AD8806A20B65E18
SSDEEP: 3:N8TKRt2MdSD9VH/WLimTTVltZIn:2WpwTHOLfZIn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 3000)
  • INFO
    • Reads the computer name
      • iexplore.exe (PID: 3000)
      • iexplore.exe (PID: 1416)
    • Checks supported languages
      • iexplore.exe (PID: 1416)
      • iexplore.exe (PID: 3000)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 1416)
      • iexplore.exe (PID: 3000)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 3000)
      • iexplore.exe (PID: 1416)
    • Application launched itself
      • iexplore.exe (PID: 1416)
    • Changes internet zones settings
      • iexplore.exe (PID: 1416)
    • Creates files in the user directory
      • iexplore.exe (PID: 3000)
      • iexplore.exe (PID: 1416)
    • Reads Internet Explorer settings
      • iexplore.exe (PID: 3000)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start → iexplore.exe → iexplore.exe

Process information

PID: 1416
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://protect-us.mimecast.com/s/UfXwCOY0mkh5EynGCv30EQ?domain=kvgo.com"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3000
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1416 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 14 031
Read events: 13 916
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 0
Suspicious files: 12
Text files: 10
Unknown types: 9

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
3000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | der | 5AA235614E07491B546686882C44846B | 8DE48B0F91139A9E0863256D72E7D5F19D99ADAAF206E7E04F7887377F6C797B
1416 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F | der | DF6DEECBA36F8D0AF53EAFA9C51AB1F7 | 60D1053BDE5FBCA23ED8976F1EABAEE9C4BB459D9C997E5A76BB2182EE916D98
1416 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | binary | 877D0C1AF9CA8B6E596878CEBF114D29 | 6CB5DFD9A6281591CEABDA81613554611A79081288C56C5E1B9EFB9C5FAF254D
3000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | binary | 5FA977E0AA59D44DC16B918C623430A5 | 694DB76916C034F6BFC079B483180DC6ED7ABF2D59F883728BCFD00A3A1D9826
1416 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | der | 790E40386A5478B54787C28956E029D7 | 2A14CA44FA89C53F53111C7CAAE9155A460FA162BD822CCEAF7B7F74B8390557
1416 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F | binary | DCA01E6BF2E727FEB619E4A0C70C20A4 | 3272C216718A34FC950A9E4B469F687E1E988C92E6156C0CE1B2C1E42CE89B0C
3000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_35937E6267690664AABA0E7DC7439D5A | binary | 79B8DD79A6988E95528007C6BD142F2B | 7A47DDC5331850FCF7EB613BB0C53CEBD19E8254DD54F666DC16E0A344C40C82
3000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | der | 70D95E3307DD1636981EB98F22320529 | 4292EEE1FA677D4D2137F894A62ED35695C3FB8D66B080DEB5292C0B6B8A4783
3000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04 | binary | 64FC6835C205C5D6820F6E13DE16BC2A | 480D74ACBE388A85B004340E2A37DD59BA85CE57277E47603E71AA1D70FA01D8
3000 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_35937E6267690664AABA0E7DC7439D5A | der | A78FD1E4DA781568DD8D5F1BA08A04C2 | DC7939453650FA3C860BF5DE50A604A7781956F9AFF664D36D9C4D84D68D797B
Download the PCAP, analyze network streams, HTTP content and more in the full report.
HTTP(S) requests: 13
TCP/UDP connections: 41
DNS requests: 16
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1416 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.78 Kb | whitelisted
3000 | iexplore.exe | GET | 200 | 108.156.0.115:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared
3000 | iexplore.exe | GET | 200 | 23.216.77.69:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?572c7d76fd7c2d54 | US | compressed | 4.70 Kb | whitelisted
3000 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAVSWvgmZgq3vcwzMS0%2BPKk%3D | US | der | 471 b | whitelisted
3000 | iexplore.exe | GET | 200 | 108.156.0.231:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted
1416 | iexplore.exe | GET | 200 | 23.216.77.69:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?2e50a28c016993cb | US | compressed | 4.70 Kb | whitelisted
1416 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
3000 | iexplore.exe | GET | 200 | 108.156.0.14:80 | http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D | US | der | 1.51 Kb | whitelisted
3000 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D | US | der | 471 b | whitelisted
3000 | iexplore.exe | GET | 200 | 18.66.200.16:80 | http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEASEVgM%2BzfJA22%2FZw3jZ%2Fn8%3D | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3000 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
1416 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
3000 | iexplore.exe | 205.139.111.12:443 | protect-us.mimecast.com | -Reserved AS-, ZZ | US | suspicious
1416 | iexplore.exe | 23.216.77.69:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious
3000 | iexplore.exe | 23.216.77.69:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious
 | | 192.168.100.2:53 | | | | whitelisted
1416 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3000 | iexplore.exe | 52.5.81.146:443 | kvgo.com | Amazon.com, Inc. | US | unknown
 | | 108.156.0.14:80 | ocsp.rootg2.amazontrust.com | | US | whitelisted
3000 | iexplore.exe | 3.229.225.75:443 | kvgo.com | | US | unknown

DNS requests

Domain | IP | Reputation
protect-us.mimecast.com | 205.139.111.12, 207.211.31.113, 205.139.111.117, 207.211.31.106, 205.139.111.113, 207.211.31.64 | whitelisted
www.microsoft.com | | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 131.253.33.200, 13.107.22.200 | whitelisted
ctldl.windowsupdate.com | 23.216.77.69, 23.216.77.80 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
kvgo.com | 52.5.81.146, 3.229.225.75 | unknown
crl3.digicert.com | 93.184.220.29 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted

Threats: No threats detected
Debug info: No debug info