URL: https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapp.getresponse.com%2Fsite2%2F646453255995eb03fd5bb4586452ee27%2F%3Fu%3DQX1hT%26webforms_id%3DhLSX3&data=04%7C01%7CTSlusher%40tennant-risk.com%7C3cf84343e2c24b73916b08d9df41d86a%7C43537b5b887e4f34a77484119940a508%7C0%7C0%7C637786296172203080%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=0e%2Ffzqo8VFixIZ3DQPEd1xl4m6vuuEViBYSqWFVm3CE%3D&reserved=0

Full analysis: https://app.any.run/tasks/2fe3571b-7bf4-4c7e-a355-819153ce5e07
Verdict: Malicious activity
Analysis date: January 24, 2022, 15:31:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
  • MD5: 9BC4F16130B279EA426818875FC6ACAE
  • SHA1: E3F9167B4BEE81CD7CA2CB1535637F0D30F204EB
  • SHA256: 99FA5861BA7060E5B76D841C882B205FF99D442FE6BB0B6C0EA8CABAF4067154
  • SSDEEP: 12:2H5qxWCcm2h8KujH+AVMdHqKP7RDqbJzmM:2H5qom2qzNMdRP7bM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2684)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 3204)
      • iexplore.exe (PID: 2684)
    • Reads the computer name

      • iexplore.exe (PID: 3204)
      • iexplore.exe (PID: 2684)
    • Application launched itself

      • iexplore.exe (PID: 3204)
    • Changes internet zones settings

      • iexplore.exe (PID: 3204)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3204)
      • iexplore.exe (PID: 2684)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2684)
      • iexplore.exe (PID: 3204)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2684)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3204)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3204)
    • Creates files in the user directory

      • iexplore.exe (PID: 3204)
      • iexplore.exe (PID: 2684)
No Malware configuration.
Processes:
  • Total processes: 37
  • Monitored processes: 2
  • Malicious processes: 0
  • Suspicious processes: 0

Behavior graph: start → iexplore.exe → iexplore.exe

Process information

PID 3204: iexplore.exe
  • CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fapp.getresponse.com%2Fsite2%2F646453255995eb03fd5bb4586452ee27%2F%3Fu%3DQX1hT%26webforms_id%3DhLSX3&data=04%7C01%7CTSlusher%40tennant-risk.com%7C3cf84343e2c24b73916b08d9df41d86a%7C43537b5b887e4f34a77484119940a508%7C0%7C0%7C637786296172203080%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=0e%2Ffzqo8VFixIZ3DQPEd1xl4m6vuuEViBYSqWFVm3CE%3D&reserved=0"
  • Path: C:\Program Files\Internet Explorer\iexplore.exe
  • Parent process: Explorer.EXE
  • User: admin
  • Company: Microsoft Corporation
  • Integrity Level: MEDIUM
  • Description: Internet Explorer
  • Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 2684: iexplore.exe
  • CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3204 CREDAT:267521 /prefetch:2
  • Path: C:\Program Files\Internet Explorer\iexplore.exe
  • Parent process: iexplore.exe
  • User: admin
  • Company: Microsoft Corporation
  • Integrity Level: LOW
  • Description: Internet Explorer
  • Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Events:
  • Total events: 14 116
  • Read events: 13 968
  • Write events: 0
  • Delete events: 0
  • Modification events: No data

Files:
  • Executable files: 0
  • Suspicious files: 13
  • Text files: 42
  • Unknown types: 7

Dropped files

  • PID 3204, iexplore.exe
    File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
    Type: der
    MD5: FC990EAA7247546FB67C18916A4CAC9B
    SHA256: 294F5BE9159C87842AD3173FE7CDA168C9F2010C6D428085A8AC30EF436CA993
  • PID 2684, iexplore.exe
    File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49
    Type: binary
    MD5: 4BEB001EFC3387DDB2ED8CBC4406DAEB
    SHA256: F722AFB9942EB3B8DE699E66F2DFCF353F01410C28ABFF8F7F0E4B273F19CD99
  • PID 2684, iexplore.exe
    File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_F6FACC49395CFA949BCE851E73323C49
    Type: der
    MD5: DAC4619E319FD2C836D2FCEB1542D665
    SHA256: B715BCE5A46505ECF3DF445B5427EBFCD74279271DA1F019C2CAC521D56B8EA3
  • PID 2684, iexplore.exe
    File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771
    Type: binary
    MD5: A36BACADDC974EFFBF83C8370653B866
    SHA256: 364A3E0F367FF0974CFFB860D318C083E2530A17645A8E372A844F27C82F40BD
  • PID 2684, iexplore.exe
    File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\646453255995eb03fd5bb4586452ee27[1].htm
    Type: html
    MD5: 96ECA49808C1BED480737787AFD397D8
    SHA256: E2BE3D72EAA1E7629691DAE1A925C7ADEAA12FEDF4DDF05BB8917A904DD69A9B
  • PID 2684, iexplore.exe
    File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
    Type: binary
    MD5: F1BF24C0EC80B8B67A431A7ACBDC7DFA
    SHA256: 93DE8905CC3ACA8806650CEABCDE837B77C0BA7B0827466FB8D233E9B2984CA9
  • PID 3204, iexplore.exe
    File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    Type: binary
    MD5: BFA5E651D39B44CD06ABCC156D6A69E7
    SHA256: 46FBAADA2E9C73D29DA552B4B8664D83C38BF8849F3AFBBA17905E0D2CAF6DA2
  • PID 2684, iexplore.exe
    File: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\IK4J2AUE.txt
    Type: text
    MD5: 4BB7A821FB731A656312B6E046604215
    SHA256: 7A2646E315C04C87B41BB50DFE04299258305DA1930002EA8299AA916CE24990
  • PID 3204, iexplore.exe
    File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
    Type: binary
    MD5: 6DCF97C9166DD6428B1573AC2F04A109
    SHA256: FB2A63070880F812D5C75F172F9487F9773BFC5A11697496671A7374635F2307
  • PID 2684, iexplore.exe
    File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D
    Type: der
    MD5: 3DBA8BD3D1C5586D7B6C88E9865CC72B
    SHA256: BE214107A441DCCC82553116726922B4A19BB0D32DDD965E83FD15FFC90AD9F8
Network summary:
  • HTTP(S) requests: 9
  • TCP/UDP connections: 40
  • DNS requests: 15
  • Threats: 0

HTTP requests

  • PID 3204, iexplore.exe: GET 200 from 93.184.220.29:80
    URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
    CN: US; Type: der; Size: 1.47 Kb; Reputation: whitelisted
  • PID 2684, iexplore.exe: GET 200 from 192.124.249.36:80
    URL: http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
    CN: US; Type: der; Size: 1.69 Kb; Reputation: whitelisted
  • PID 2684, iexplore.exe: GET 200 from 93.184.220.29:80
    URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAGewca9P1l7sgwzOOVR2Hc%3D
    CN: US; Type: der; Size: 471 b; Reputation: whitelisted
  • PID 2684, iexplore.exe: GET 200 from 192.124.249.36:80
    URL: http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
    CN: US; Type: der; Size: 1.66 Kb; Reputation: whitelisted
  • PID 2684, iexplore.exe: GET 200 from 192.124.249.36:80
    URL: http://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCB889K641wGP
    CN: US; Type: der; Size: 1.74 Kb; Reputation: whitelisted
  • PID 3204, iexplore.exe: GET 200 from 209.197.3.8:80
    URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5ece1ce4496c7b8b
    CN: US; Type: compressed; Size: 4.70 Kb; Reputation: whitelisted
  • PID 3204, iexplore.exe: GET 200 from 209.197.3.8:80
    URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?827d66014578e129
    CN: US; Type: compressed; Size: 4.70 Kb; Reputation: whitelisted
  • PID 3204, iexplore.exe: GET 200 from 93.184.220.29:80
    URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
    CN: US; Type: der; Size: 471 b; Reputation: whitelisted
  • PID 3204, iexplore.exe: GET 200 from 93.184.220.29:80
    URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
    CN: US; Type: der; Size: 471 b; Reputation: whitelisted

Connections

  • PID 3204, iexplore.exe: 93.184.220.29:80 (ocsp.digicert.com); ASN: MCI Communications Services, Inc. d/b/a Verizon Business; CN: US; Reputation: whitelisted
  • PID 2684, iexplore.exe: 93.184.220.29:80 (ocsp.digicert.com); ASN: MCI Communications Services, Inc. d/b/a Verizon Business; CN: US; Reputation: whitelisted
  • PID 3204, iexplore.exe: 131.253.33.200:443 (www.bing.com); ASN: Microsoft Corporation; CN: US; Reputation: whitelisted
  • PID 2684, iexplore.exe: 209.197.3.8:80 (ctldl.windowsupdate.com); ASN: Highwinds Network Group, Inc.; CN: US; Reputation: whitelisted
  • PID 3204, iexplore.exe: 209.197.3.8:80 (ctldl.windowsupdate.com); ASN: Highwinds Network Group, Inc.; CN: US; Reputation: whitelisted
  • PID 2684, iexplore.exe: 104.47.46.28:443 (nam04.safelinks.protection.outlook.com); ASN: Microsoft Corporation; CN: US; Reputation: whitelisted
  • PID 2684, iexplore.exe: 104.160.64.9:443 (app.getresponse.com); ASN: GETRESPONSE; CN: US; Reputation: suspicious
  • PID 2684, iexplore.exe: 104.47.45.28:443 (nam04.safelinks.protection.outlook.com); ASN: Microsoft Corporation; CN: US; Reputation: whitelisted
  • (no PID recorded): 204.79.197.200:443 (ieonline.microsoft.com); ASN: Microsoft Corporation; CN: US; Reputation: whitelisted
  • (no PID recorded): 205.185.216.42:443 (us-as.gr-cdn.com); ASN: Highwinds Network Group, Inc.; CN: US; Reputation: whitelisted

DNS requests

  • nam04.safelinks.protection.outlook.com → 104.47.46.28, 104.47.45.28 (whitelisted)
  • ctldl.windowsupdate.com → 209.197.3.8 (whitelisted)
  • api.bing.com → 13.107.5.80 (whitelisted)
  • www.bing.com → 131.253.33.200, 13.107.22.200 (whitelisted)
  • ocsp.digicert.com → 93.184.220.29 (whitelisted)
  • app.getresponse.com → 104.160.64.9 (whitelisted)
  • ocsp.godaddy.com → 192.124.249.36, 192.124.249.23, 192.124.249.22, 192.124.249.24, 192.124.249.41 (whitelisted)
  • us-as.gr-cdn.com → 205.185.216.42, 205.185.216.10 (whitelisted)
  • us-ms.gr-cdn.com → 205.185.216.42, 205.185.216.10 (suspicious)
  • iecvlist.microsoft.com → 152.199.19.161 (whitelisted)

Threats: No threats detected
Debug info: none