URL: https://burtrans.slab.com/posts/bur-trans-incorporated-shared-document-6weg3v4n

Full analysis: https://app.any.run/tasks/293829b1-ae12-481c-953c-f5bc0b26f27c
Verdict: Malicious activity
Analysis date: January 24, 2022, 19:22:13
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators (this is a URL task with no file sample; the SSDEEP block size of 3 means the hashed input is under about 192 bytes, consistent with these values being computed over the submitted URL string itself rather than over a downloaded payload):
MD5: 1676A501729B75709DBF70DD9E81D640
SHA1: EF3C57667AB3FBCA21D1FE915E9CC826DFC31BFB
SHA256: 9D5611E811555399196EDD305A1289D64014CA62423324CB6DE5530AB70CD9E4
SSDEEP: 3:N8DiiJvGVKRKHCsXCK/Y8A+7uRd2n:2DiiJvGgRKFSKA8ia

ANY.RUN is an interactive service that gives the analyst full access to the guest system. Information in this report may therefore be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 532)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 532)
      • iexplore.exe (PID: 2824)
    • Reads the computer name

      • iexplore.exe (PID: 532)
      • iexplore.exe (PID: 2824)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 532)
      • iexplore.exe (PID: 2824)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2824)
    • Changes internet zones settings

      • iexplore.exe (PID: 2824)
    • Application launched itself

      • iexplore.exe (PID: 2824)
    • Creates files in the user directory

      • iexplore.exe (PID: 2824)
    • Reads internet explorer settings

      • iexplore.exe (PID: 532)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2824)
      • iexplore.exe (PID: 532)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2824)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph: start -> iexplore.exe -> iexplore.exe (per-process details are in the full report)

Process information

PID 2824
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://burtrans.slab.com/posts/bur-trans-incorporated-shared-document-6weg3v4n"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators: (none listed)
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 532
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2824 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators: (none listed)
Parent process: iexplore.exe (PID 2824)
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 16 374
Read events: 16 213
Write events: 0
Delete events: 0

Modification events: No data
Executable files: 0
Suspicious files: 14
Text files: 30
Unknown types: 12

Dropped files

PID 2824, iexplore.exe
  File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
  Type: der
  MD5: FC990EAA7247546FB67C18916A4CAC9B
  SHA256: 294F5BE9159C87842AD3173FE7CDA168C9F2010C6D428085A8AC30EF436CA993

PID 2824, iexplore.exe
  File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  Type: binary
  MD5: D0FB92834A9E3475A0B21EBA24709ADA
  SHA256: 9757D77D7589C62C3F87F006CBD12CD01A8EE7FB2E34DFBFD98830352325096B

PID 2824, iexplore.exe
  File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
  Type: binary
  MD5: 71A1946D3A0457CF827DE000FC08EBFB
  SHA256: 54856C69C9098D4B412BE02A22FE58F927C16FD9550CFD7FB8E411736B0A470B

PID 532, iexplore.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\LogRocket.min[1].js
  Type: text
  MD5: 413A0B28A5999B2FF85C7DFFBD26BFB4
  SHA256: A0CFB30D3EBED993F1691ED460BA280414F75FF4939F20E43B33B822BF5340BE

PID 532, iexplore.exe
  File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F
  Type: der
  MD5: E1EAE72E3715286294FAE5B772B54D91
  SHA256: CDF348AD50D67BDDAA3E15E75B24A792DBCF8A8C72519F12C357A96FAF381C03

PID 532, iexplore.exe
  File: C:\Users\admin\AppData\Local\Temp\Low\Tar4E10.tmp
  Type: cat
  MD5: D99661D0893A52A0700B8AE68457351A
  SHA256: BDD5111162A6FA25682E18FA74E37E676D49CAFCB5B7207E98E5256D1EF0D003

PID 532, iexplore.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\sentry-44d710c8e6a61b09933445270893364b[1].js
  Type: text
  MD5: 1B70287C8BE04EC2D402B71E4BE746B5
  SHA256: E505DA4EC1D49EF3FB16408B759A4A62AFFF8DFC68E49B277E6C234C0F46B8D1

PID 532, iexplore.exe
  File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F
  Type: binary
  MD5: 2C4F20F6239EAF9F0A9DC71D9E6035B8
  SHA256: 1F83604EE471CDF71EF5FF5BAD11B25CEBF5128849898C1FB648567AF7BAB99F

PID 532, iexplore.exe
  File: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\internal-8ffec3d1e97efbf31b69934aaaf2b4a9[1].css
  Type: text
  MD5: 8FFEC3D1E97EFBF31B69934AAAF2B4A9
  SHA256: 51EBCFF9E77FA27472938F34E49A1403C6478082AB04F409EB6DD4BF95E6E887

PID 532, iexplore.exe
  File: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
  Type: binary
  MD5: 6632A1BE79D389627FC9B119D6D2752F
  SHA256: 52465AA48CD2B3764852343B012AB55554878755353FB6879B6EF62D869C3AE2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 63
DNS requests: 24
Threats: 0

HTTP requests (PID, process, method, HTTP code, IP, URL; then CN, type, size, reputation)

PID 532 iexplore.exe  GET 200  93.184.220.29:80  http://crl3.digicert.com/Omniroot2025.crl
  [CN: US, type: der, size: 7.68 Kb, reputation: whitelisted]
PID 532 iexplore.exe  GET 200  93.184.220.29:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
  [CN: US, type: der, size: 471 b, reputation: whitelisted]
PID 2824 iexplore.exe  GET 200  93.184.220.29:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
  [CN: US, type: der, size: 471 b, reputation: whitelisted]
PID 2824 iexplore.exe  GET 200  93.184.220.29:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
  [CN: US, type: der, size: 471 b, reputation: whitelisted]
PID 532 iexplore.exe  GET 200  23.45.105.185:80  http://x1.c.lencr.org/
  [CN: NL, type: der, size: 717 b, reputation: whitelisted]
PID 2824 iexplore.exe  GET 200  93.184.220.29:80  http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
  [CN: US, type: der, size: 1.47 Kb, reputation: whitelisted]
PID 2824 iexplore.exe  GET 200  209.197.3.8:80  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?aca855439deafb4e
  [CN: US, type: compressed, size: 4.70 Kb, reputation: whitelisted]
PID 532 iexplore.exe  GET 200  209.197.3.8:80  http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0e48d37b6d95226d
  [CN: US, type: compressed, size: 59.9 Kb, reputation: whitelisted]

Connections (PID, process, IP:port, domain; then ASN, CN, reputation)

PID 532 iexplore.exe  93.184.220.29:80  ocsp.digicert.com
  [ASN: MCI Communications Services, Inc. d/b/a Verizon Business, CN: US, reputation: whitelisted]
PID 532 iexplore.exe  209.197.3.8:80  ctldl.windowsupdate.com
  [ASN: Highwinds Network Group, Inc., CN: US, reputation: whitelisted]
PID 2824 iexplore.exe  13.107.21.200:443  www.bing.com
  [ASN: Microsoft Corporation, CN: US, reputation: whitelisted]
PID 2824 iexplore.exe  209.197.3.8:80  ctldl.windowsupdate.com
  [ASN: Highwinds Network Group, Inc., CN: US, reputation: whitelisted]
PID 532 iexplore.exe  104.17.234.61:443  burtrans.slab.com
  [ASN: Cloudflare Inc, CN: US, reputation: unknown]
PID 532 iexplore.exe  185.59.220.18:443  cdn.headwayapp.co
  [ASN: Datacamp Limited, CN: DE, reputation: suspicious]
PID 532 iexplore.exe  104.17.235.61:443  burtrans.slab.com
  [ASN: Cloudflare Inc, CN: US, reputation: unknown]
PID 2824 iexplore.exe  93.184.220.29:80  ocsp.digicert.com
  [ASN: MCI Communications Services, Inc. d/b/a Verizon Business, CN: US, reputation: whitelisted]
(PID and process not listed)  172.67.163.57:443  cdn.lr-ingest.io
  [ASN: not listed, CN: US, reputation: malicious]
PID 532 iexplore.exe  172.67.163.57:443  cdn.lr-ingest.io
  [ASN: not listed, CN: US, reputation: malicious]
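The verdict line at the top of this report says "Malicious activity", yet the signature section lists no malicious indicators, no threats were detected, and the only non-whitelisted entries are reputation labels on cdn.headwayapp.co and cdn.lr-ingest.io, which the Connections table and the DNS table below label differently. Most of the other traffic (OCSP and CRL fetches, the authroot/disallowed certificate trust-list downloads from ctldl.windowsupdate.com, Bing) is what Windows and Internet Explorer generate on their own when they open any HTTPS page. The following Python is an editor-added triage helper, not ANY.RUN code: it separates that background traffic from hosts attributable to the submitted page and takes the worst reputation wherever the two tables disagree. The records are transcribed from this report; the background-host patterns and the crude registrable-domain rule are the editor's assumptions.

```python
"""Triage of the network section of a sandbox report (editor's example).

Not ANY.RUN code. Separates hosts that Windows/IE contact on their own
(revocation checks, trust-list downloads, Bing) from hosts attributable to
the submitted page, and resolves conflicting reputation labels by taking
the most severe one. Records are transcribed from this report.
"""
import re
from collections import defaultdict

SUBMITTED_HOST = "burtrans.slab.com"

# Hosts Windows/IE reach without any help from the analysed page.
# This list is the editor's assumption of what counts as background noise.
BACKGROUND_PATTERNS = [
    r"^ocsp\.",                      # OCSP responders
    r"^crl\d*\.",                    # CRL distribution points
    r"\.c\.lencr\.org$",             # Let's Encrypt CA certificate fetch (AIA)
    r"^ctldl\.windowsupdate\.com$",  # authroot / disallowed-cert CTL downloads
    r"(^|\.)bing\.com$",             # IE search box and new-tab traffic
]

# Reputation labels ordered from least to most concerning.
SEVERITY = {"whitelisted": 0, "unknown": 1, "suspicious": 2, "malicious": 3}

# Transcribed from the report's Connections table: (PID, domain, reputation);
# None means the report lists no PID for that row.
CONNECTIONS = [
    (532, "ocsp.digicert.com", "whitelisted"),
    (532, "ctldl.windowsupdate.com", "whitelisted"),
    (2824, "www.bing.com", "whitelisted"),
    (2824, "ctldl.windowsupdate.com", "whitelisted"),
    (532, "burtrans.slab.com", "unknown"),
    (532, "cdn.headwayapp.co", "suspicious"),
    (532, "burtrans.slab.com", "unknown"),
    (2824, "ocsp.digicert.com", "whitelisted"),
    (None, "cdn.lr-ingest.io", "malicious"),
    (532, "cdn.lr-ingest.io", "malicious"),
]

# Transcribed from the report's DNS table: (domain, reputation).
DNS = [
    ("burtrans.slab.com", "suspicious"),
    ("ctldl.windowsupdate.com", "whitelisted"),
    ("api.bing.com", "whitelisted"),
    ("www.bing.com", "whitelisted"),
    ("ocsp.digicert.com", "whitelisted"),
    ("crl3.digicert.com", "whitelisted"),
    ("cdn.slab.com", "whitelisted"),
    ("cdn.headwayapp.co", "whitelisted"),
    ("cdn.vitally.io", "whitelisted"),
    ("cdn.lr-ingest.io", "whitelisted"),
]


def is_background(domain):
    return any(re.search(p, domain) for p in BACKGROUND_PATTERNS)


def registrable(domain):
    """Last two labels; crude, but adequate for the .com/.io/.co hosts here."""
    return ".".join(domain.split(".")[-2:])


def worst_reputation(connections, dns):
    """Per domain: label from each table (None if absent) and the worst of them."""
    seen = defaultdict(lambda: {"connections": None, "dns": None})
    for _pid, domain, rep in connections:
        cur = seen[domain]["connections"]
        if cur is None or SEVERITY[rep] > SEVERITY[cur]:
            seen[domain]["connections"] = rep
    for domain, rep in dns:
        seen[domain]["dns"] = rep
    for labels in seen.values():
        present = [r for r in (labels["connections"], labels["dns"]) if r]
        labels["worst"] = max(present, key=SEVERITY.__getitem__)
    return dict(seen)


def triage(connections, dns, submitted_host):
    """Split domains into OS/browser background, first party, and third party."""
    reps = worst_reputation(connections, dns)
    site = registrable(submitted_host)
    result = {"background": set(), "first_party": set(), "third_party": {}}
    for domain, labels in reps.items():
        if is_background(domain):
            result["background"].add(domain)
        elif registrable(domain) == site:
            result["first_party"].add(domain)
        else:
            result["third_party"][domain] = labels
    return result


def reputation_conflicts(connections, dns):
    """Domains that the Connections and DNS tables label differently."""
    reps = worst_reputation(connections, dns)
    return {d: (l["connections"], l["dns"]) for d, l in reps.items()
            if l["connections"] and l["dns"] and l["connections"] != l["dns"]}


if __name__ == "__main__":
    t = triage(CONNECTIONS, DNS, SUBMITTED_HOST)
    print("background :", sorted(t["background"]))
    print("first party:", sorted(t["first_party"]))
    for domain, labels in sorted(t["third_party"].items()):
        print(f"third party: {domain:20} worst={labels['worst']} "
              f"(connections={labels['connections']}, dns={labels['dns']})")
    print("conflicts  :", reputation_conflicts(CONNECTIONS, DNS))
```

Run as-is, the script leaves three third-party hosts to look at (cdn.headwayapp.co, cdn.vitally.io, cdn.lr-ingest.io) and reports that the two tables disagree on cdn.lr-ingest.io, cdn.headwayapp.co and burtrans.slab.com; the worst-label rule is deliberately pessimistic, so those hosts still need a human decision rather than being dismissed because one table says "whitelisted".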

DNS requests (domain: resolved IPs; reputation)

burtrans.slab.com: 104.17.235.61, 104.17.234.61; suspicious
ctldl.windowsupdate.com: 209.197.3.8; whitelisted
api.bing.com: 13.107.13.80; whitelisted
www.bing.com: 13.107.21.200, 204.79.197.200; whitelisted
ocsp.digicert.com: 93.184.220.29; whitelisted
crl3.digicert.com: 93.184.220.29; whitelisted
cdn.slab.com: 104.17.234.61, 104.17.235.61; whitelisted
cdn.headwayapp.co: 185.59.220.18, 195.181.175.48, 195.181.175.55, 195.181.175.45, 195.181.174.7; whitelisted
cdn.vitally.io: 65.9.49.116, 65.9.49.29, 65.9.49.42, 65.9.49.25; whitelisted
cdn.lr-ingest.io: 172.67.163.57, 104.21.50.127; whitelisted

Threats: No threats detected
Debug info: none