analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://tathli.com

Full analysis: https://app.any.run/tasks/bb843c89-2ab1-45dc-9bb7-2bd4ae255588
Verdict: Malicious activity
Analysis date: October 04, 2022, 20:37:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

1707768F06C401344CA56A72E512981B

SHA1:

2C45B16EA892D291D01D96DC3771798770517B1A

SHA256:

9A271F659378A30D61EDD4B91ADD3280911DF1AE43E12258715629AD3162F7DF

SSDEEP:

3:N1KKEPT:CKYT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 1064)
      • iexplore.exe (PID: 1128)
      • iexplore.exe (PID: 1936)
  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 1936)
    • Checks supported languages

      • iexplore.exe (PID: 1936)
      • iexplore.exe (PID: 1064)
      • iexplore.exe (PID: 1128)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 1936)
      • iexplore.exe (PID: 1064)
    • Reads the computer name

      • iexplore.exe (PID: 1064)
      • iexplore.exe (PID: 1936)
      • iexplore.exe (PID: 1128)
    • Application launched itself

      • iexplore.exe (PID: 1936)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 1936)
      • iexplore.exe (PID: 1064)
    • Creates files in the user directory

      • iexplore.exe (PID: 1064)
      • iexplore.exe (PID: 1936)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1064)
      • iexplore.exe (PID: 1128)
    • Changes settings of System certificates

      • iexplore.exe (PID: 1936)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1936)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe iexplore.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1936"C:\Program Files\Internet Explorer\iexplore.exe" "http://tathli.com"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\version.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
1064"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1936 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
1128"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1936 CREDAT:3544336 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
17 242
Read events
17 059
Write events
101
Delete events
0

Modification events

(PID) Process:(1936) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(1936) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
871983248
(PID) Process:(1936) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30988337
(PID) Process:(1936) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(1936) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30988337
(PID) Process:(1936) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(1936) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1936) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1936) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(1936) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
0
Suspicious files
13
Text files
45
Unknown types
11

Dropped files

PID
Process
Filename
Type
1936iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8Fder
MD5:706D6538FD37693AD6E2784B2EA35218
SHA256:3BE2AF083FFD1E6BF9762687183226AA01EC65B391AFDFAE8ECDAFC247F5C77E
1064iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1JWZLRV2.txttext
MD5:FDAA08A3D7617D275965E9803CDE4AD2
SHA256:C88D4FBCE3422E40D794D43B83394C2A530133F667EA278C87375E68AEEDFE7C
1064iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\style[1].csstext
MD5:96F84D0985AF87B4D4F6AE8816F9C5C5
SHA256:93A1109ADA0CD55DEDEAF7E9C4251A7F91AC3C3E1AB85E25E37B6CD4E47D504B
1064iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\style[1].csstext
MD5:A7F0711E014E0174D69B9E8B07B0D986
SHA256:5D9D67A9789D5456D07ACF0C92B41D2B31E269939D490D522DBA8A99F3AA61C1
1064iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\js3caf[1].jstext
MD5:CCE7F943EC8E7B4BA13BE4ABA6B463D9
SHA256:BA5B7354353B0EEC1637564DAE072FEE662A5B9862F6BF7ED5E60A5A76F2EF44
1936iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776der
MD5:AFC3E2584B32E1E7C23C33E9534089A5
SHA256:61597F5F937DA250A5ED7B4B82867BEBC546A5A35C0029982A003B1E9CBD2E7E
1936iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8Fbinary
MD5:703E725EC251B483F38F48C3C762450C
SHA256:7D11DB78A8F2BD3C1D159CEDB786A3D29BDCA1375ED3396075D81624F270B305
1936iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776binary
MD5:A0CAB92BC8DD9AA4140560A46135368B
SHA256:AE032369B5D92A06DDCC9350EB4A6892617E2BF0687115FB7C057300920D1EF5
1064iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\GXV3ZNEX.htmhtml
MD5:CCA7FE3A4765A302FE1DFB9E93C6AE64
SHA256:41207681616049D68862CC562EE1E347C01B5A22E0F5F9642E1B514737B6FD96
1936iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\imagestore\f7ruq93\imagestore.datbinary
MD5:B2D3DA00476B1308128703C96431341B
SHA256:659F834F8335D34A7B35AC11F183537D767A31C2D906A9F1BA3CB983C1DD2126
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
72
DNS requests
26
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1064
iexplore.exe
GET
302
198.58.118.167:80
http://tathli.com/mtm/direct/.eJwlikkKgDAMAL8iOdZi735GQok20I00QkH8uy3eZoZ54BaGHRxYQLnawEFCJwnJL6E0PTImGqqoIfLmS5q_91R1VurqgqZoF6w1skflkl2fae0zG2fg_QAnICLb:1ofog1:bdYgt528FqHNYRBFV6xecwkEo28/0
US
malicious
1064
iexplore.exe
GET
200
76.223.26.96:80
http://www1.tathli.com/?tm=1&subid4=1664915923.0119300000&kw=Adware&KW1=Online%20Customer%20Support%20Help%20Desk%20Software&KW2=Customer%20Service%20Call%20Center&KW3=Live%20Chat%20Customer%20Support&searchbox=0&domainname=0&backfill=0
US
html
4.82 Kb
malicious
1936
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
1064
iexplore.exe
GET
200
198.58.118.167:80
http://tathli.com/
US
html
6.68 Kb
malicious
1064
iexplore.exe
GET
200
216.58.214.132:80
http://www.google.com/adsense/domains/caf.js
US
text
52.5 Kb
whitelisted
1064
iexplore.exe
GET
200
18.66.121.69:80
http://d38psrni17bvxu.cloudfront.net/themes/cleanPeppermintBlack_657d9013/style.css
US
text
580 b
suspicious
1936
iexplore.exe
GET
200
93.184.220.29:80
http://crl3.digicert.com/Omniroot2025.crl
US
der
7.78 Kb
whitelisted
1064
iexplore.exe
GET
200
18.66.121.69:80
http://d38psrni17bvxu.cloudfront.net/scripts/js3caf.js
US
text
6.84 Kb
suspicious
1064
iexplore.exe
GET
200
216.58.206.163:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
1064
iexplore.exe
GET
200
216.58.206.163:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQD6a7qQTCYd8hJU9n3M3mXb
US
der
472 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1936
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
EDGECAST
US
whitelisted
1936
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
EDGECAST
GB
whitelisted
1936
iexplore.exe
198.58.118.167:80
tathli.com
Linode, LLC
US
malicious
1936
iexplore.exe
13.107.21.200:443
www.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1064
iexplore.exe
198.58.118.167:80
tathli.com
Linode, LLC
US
malicious
1936
iexplore.exe
67.26.83.254:80
ctldl.windowsupdate.com
LEVEL3
US
malicious
1064
iexplore.exe
18.66.121.69:80
d38psrni17bvxu.cloudfront.net
AMAZON-02
US
suspicious
1064
iexplore.exe
216.58.214.132:80
www.google.com
GOOGLE
US
whitelisted
1064
iexplore.exe
142.250.184.130:443
partner.googleadservices.com
GOOGLE
US
suspicious
1064
iexplore.exe
76.223.26.96:80
www1.tathli.com
AMAZON-02
US
malicious

DNS requests

Domain
IP
Reputation
tathli.com
  • 198.58.118.167
  • 96.126.123.244
  • 72.14.185.43
  • 45.33.23.183
  • 45.33.2.79
  • 72.14.178.174
  • 173.255.194.134
  • 45.33.30.197
  • 45.33.20.235
  • 45.33.18.44
  • 45.79.19.196
  • 45.56.79.23
malicious
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
ctldl.windowsupdate.com
  • 67.26.83.254
  • 67.27.235.126
  • 8.241.123.126
  • 8.241.9.126
  • 67.27.235.254
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
crl3.digicert.com
  • 93.184.220.29
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
www1.tathli.com
  • 76.223.26.96
  • 13.248.148.254
malicious
www.google.com
  • 216.58.214.132
whitelisted

Threats

No threats detected
No debug info