URL: https://tags-manager.com/gtags/script2?utm_referer=?utm_source=&utm_content=&utm_referer=digitalproductkey.com

Full analysis: https://app.any.run/tasks/e1e574f8-f9cd-4589-9a61-d2ab59b77499
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Analysis date: November 30, 2020, 00:39:15
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: trojan

Indicators:
  MD5:    6A8427A12E39473A284DC2BFF42E1519
  SHA1:   70DE9BDB3F76AF9620938DE02946E417C99B7007
  SHA256: 99B295A7FAFF2F575001CA55545F4FBEB5B76744ACBCA2C2F7C571F5B45E7FBD
  SSDEEP: 3:N8MmAXZCC/KhlyygcLWSdlAL+3yytPYKBdOAF:2M3XZCC/KmynLWfrytvXOAF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Connects to CnC server
      • iexplore.exe (PID: 1356)
  • SUSPICIOUS
    • Executes scripts
      • iexplore.exe (PID: 2488)
  • INFO
    • Reads settings of System Certificates
      • iexplore.exe (PID: 1356)
    • Application launched itself
      • iexplore.exe (PID: 2488)
    • Modifies the phishing filter of IE
      • iexplore.exe (PID: 2488)
    • Changes internet zones settings
      • iexplore.exe (PID: 2488)
    • Creates files in the user directory
      • iexplore.exe (PID: 1356)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 1

Behavior graph

[Behavior graph image not reproduced; node labels in order: start, iexplore.exe (no specs), iexplore.exe, wscript.exe (no specs)]

Process information

PID: 2488
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://tags-manager.com/gtags/script2?utm_referer=?utm_source=&utm_content=&utm_referer=digitalproductkey.com"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Exit code: 1
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 1356
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2488 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Exit code: 0
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3312
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\script2.js"
  Path: C:\Windows\System32\WScript.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Exit code: 1
  Version: 5.8.7600.16385
Total events: 788
Read events: 742
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 9
Text files: 5
Unknown types: 4

Dropped files

PID 1356, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Low\Cab7B81.tmp
  Type: (not reported)  MD5: (not reported)  SHA256: (not reported)
PID 1356, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Low\Tar7B92.tmp
  Type: (not reported)  MD5: (not reported)  SHA256: (not reported)
PID 2488, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Temp\~DF7BE304227914C329.TMP
  Type: (not reported)  MD5: (not reported)  SHA256: (not reported)
PID 2488, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\script2.js.lonrwp9.partial:Zone.Identifier
  Type: (not reported)  MD5: (not reported)  SHA256: (not reported)
PID 2488, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Temp\~DF1390243E2D4A2A9C.TMP
  Type: (not reported)  MD5: (not reported)  SHA256: (not reported)
PID 2488, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\RecoveryStore.{83A178F9-32A4-11EB-B41E-12A9866C77DE}.dat
  Type: (not reported)  MD5: (not reported)  SHA256: (not reported)
PID 1356, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB76F85A22305127BB4020A6777F61FF
  Type: binary
  MD5: 15FC27D7765EFF21E5ABE1A212C3BE9E
  SHA256: 6C98904BDB3B01570481F7EE93ADCB0874747627AAE43DB9777D44603A96C624
PID 2488, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{83A178FB-32A4-11EB-B41E-12A9866C77DE}.dat
  Type: binary
  MD5: 7BAF98E65304CB1789C6CACDF510D649
  SHA256: C5C2A8A3410A8067FFDE62857D45A6F708EEC7533601E0E62D099B2661AE321F
PID 1356, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
  Type: der
  MD5: D9A7C71F2455317845563B02C39B84C8
  SHA256: C5B24A2E28E55081E315826ED0127557077434F24D5C3EFF803C45AA4EF1B827
PID 1356, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08
  Type: binary
  MD5: D515B452C4121850DA1B8CC9D71B4C7B
  SHA256: 68E326575A141788EA2B9619A18838BA1121627907D5C09F416F173A8E39403C
HTTP(S) requests: 4
TCP/UDP connections: 6
DNS requests: 4
Threats: 0

HTTP requests

PID 1356, iexplore.exe, GET, HTTP 200, IP 2.16.186.11:80
  URL: http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
  CN: unknown  Type: der  Size: 1.37 Kb  Reputation: whitelisted
PID 1356, iexplore.exe, GET, HTTP 200, IP 2.16.186.11:80
  URL: http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
  CN: unknown  Type: der  Size: 1.37 Kb  Reputation: whitelisted
PID 1356, iexplore.exe, GET, HTTP 200, IP 2.16.186.11:80
  URL: http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgRqSofBhxAj%2FDa2H%2F5532lGuQ%3D%3D
  CN: unknown  Type: der  Size: 527 b  Reputation: whitelisted
PID 1356, iexplore.exe, GET, HTTP 200, IP 2.16.186.11:80
  URL: http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgRqSofBhxAj%2FDa2H%2F5532lGuQ%3D%3D
  CN: unknown  Type: der  Size: 527 b  Reputation: whitelisted

Connections

PID 1356, iexplore.exe
  IP: 2.16.186.11:80  Domain: isrg.trustid.ocsp.identrust.com
  ASN: Akamai International B.V.  CN: (not reported)  Reputation: whitelisted
PID 1356, iexplore.exe
  IP: 8.208.97.220:443  Domain: tags-manager.com
  ASN: Level 3 Communications, Inc.  CN: US  Reputation: malicious

DNS requests

tags-manager.com
  • 8.208.97.220
  Reputation: malicious
isrg.trustid.ocsp.identrust.com
  • 2.16.186.11
  • 2.16.186.35
  Reputation: whitelisted
ocsp.int-x3.letsencrypt.org
  • 2.16.186.11
  • 2.16.186.27
  Reputation: whitelisted

Threats

PID 1356, iexplore.exe
  Class: A Network Trojan was detected
  Message: ET TROJAN Observed Card Skimmer CnC Domain in TLS SNI
PID 1356, iexplore.exe
  Class: A Network Trojan was detected
  Message: ET TROJAN Observed Card Skimmer CnC Domain in TLS SNI
No debug info