analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://email.z9.qg-mail.com/c/eJwVjUtuxCAQRE9jdoOahnabBYtEUa4R8bVRsD3xkFnM6UOkWpT0Sq-uHOu95qPfaprofaIPh5AUIgXM7A0nAPAEBZgSckZjRXIFKGgv6tgiggKrLCq1SM-FE-poUEWajZ4MvKz8WW-7r03Gcxeb42UOs1q0mWMoyaIJmTXZwsgGSmHR3Nb7fdJvE36O9MvH73qs8tHzMx_7I26_rb_-bYOGEMTlWjxb8-kcfyXVKNfzKbpDS4YWHM1_aSA0fxvFRUM

Full analysis: https://app.any.run/tasks/04662f53-2c64-4520-bfde-1d042283de7c
Verdict: Malicious activity
Analysis date: January 10, 2022, 21:07:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

EF67236371D435A54A81262C67AAAB4E

SHA1:

FFB98EC1C668A8005AB4D1EF22E22B32D552E4FD

SHA256:

A6190ABE8394505404F3CE8D0E383084EFDB998B78A2E357ACD8AE43DB93B917

SSDEEP:

6:CDAKGmzPaI6q2RMjcTHCJB1Y9YP8KicO8uFTFBuXqeZi7y90wrO7q6/k0Kd5Kl6e:LdEPazKjcOJDaHUmpBuniirABEdcg6N

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3544)

  • INFO

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2160)
      • iexplore.exe (PID: 3544)

    • Reads the computer name

      • iexplore.exe (PID: 2160)
      • iexplore.exe (PID: 3544)

    • Checks supported languages

      • iexplore.exe (PID: 2160)
      • iexplore.exe (PID: 3544)

    • Changes internet zones settings

      • iexplore.exe (PID: 2160)

    • Creates files in the user directory

      • iexplore.exe (PID: 2160)
      • iexplore.exe (PID: 3544)

    • Application launched itself

      • iexplore.exe (PID: 2160)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3544)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3544)
      • iexplore.exe (PID: 2160)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2160"C:\Program Files\Internet Explorer\iexplore.exe" "http://email.z9.qg-mail.com/c/eJwVjUtuxCAQRE9jdoOahnabBYtEUa4R8bVRsD3xkFnM6UOkWpT0Sq-uHOu95qPfaprofaIPh5AUIgXM7A0nAPAEBZgSckZjRXIFKGgv6tgiggKrLCq1SM-FE-poUEWajZ4MvKz8WW-7r03Gcxeb42UOs1q0mWMoyaIJmTXZwsgGSmHR3Nb7fdJvE36O9MvH73qs8tHzMx_7I26_rb_-bYOGEMTlWjxb8-kcfyXVKNfzKbpDS4YWHM1_aSA0fxvFRUM"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3544"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2160 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
9 942
Read events
9 822
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
8
Text files
33
Unknown types
5

Dropped files

PID
Process
Filename
Type
3544iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\DHBKSOOD.txttext
MD5:5F2EEE7B40A2351EA65BF8D76A3E77EE
SHA256:960958EB57C5B28C6B60695B421C90278BCC03D92FC5B4A60EA21D659B496FAE
3544iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\K0M5PI24.txttext
MD5:8CE8C86CB842358C2B49B21B30E8936A
SHA256:882912A5817A2FB731EFBF3D2E53DCBFDA02C08CF3A39D77DA38693094B5504E
3544iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27der
MD5:690C853F37A280EC104526B676AF97EA
SHA256:D972CC505E7B0F85B202D4543364D74E6FE0802111B3705EF748E141D64BB32B
3544iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\5O2TWH9O.txttext
MD5:C8D4013A60E186CC86ACBCECB546ACC1
SHA256:5B98AE1B20F01FF131675D8A50EA4B3AA6C8563A22CBD4D0DF99FCD43DF51D35
2160iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8Fder
MD5:E77449B560C8625DAC3684AC2C0C05B6
SHA256:710603AFD54CA88D56B828BD668A48A2DFD3590BFBDC0555270113CFA71DC769
3544iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\XY2E0905.txttext
MD5:B0D609D01BE6A89955AC03D4E298A0CA
SHA256:3C513D8D2833F1E290D7737D745A4E0FC0950505933CDD3B8AE25559BCD38035
3544iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\GXX8J5ND.txttext
MD5:A9CE19466EF39F4D565B63C281103093
SHA256:DCC0E30B2F796B94AB7661CB204D49E38D46F4D5D75C6C669D724F673281D143
3544iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\67F6625BC22310D5C99DDE12020DBD90der
MD5:ED9812637AE0F850BCB6CDB32E9319A2
SHA256:9900D836E1FB845E491F764245F7B16F4BC0BD2CB223EA106AD6FF1A5088EBFA
3544iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\M0Y5JYLU.txttext
MD5:0C4B7E953CE7CF8D6A6F2F808C5C7D07
SHA256:35C5BCC725D2D6669DAEDA3809CE5A7AB475E4252C8C2269CDC6F5896BCEDC6F
3544iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:2D3A95DC9EE99C6023842417430C2FBD
SHA256:0FE3D62AF74343E3AFB0A8A220B11D2344A67AE0B275CEA524DB4FFF1B352CD8
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
35
DNS requests
15
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2160
iexplore.exe
GET
200
93.184.220.29:80
http://crl3.digicert.com/DigiCertGlobalRootCA.crl
US
der
631 b
whitelisted
3544
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
3544
iexplore.exe
GET
200
192.124.249.31:80
http://crl.godaddy.com/gdroot-g2.crl
US
der
462 b
whitelisted
2160
iexplore.exe
GET
200
93.184.220.29:80
http://crl3.digicert.com/Omniroot2025.crl
US
der
7.68 Kb
whitelisted
3544
iexplore.exe
GET
200
192.124.249.24:80
http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D
US
der
1.69 Kb
whitelisted
3544
iexplore.exe
GET
302
52.205.132.94:80
http://email.z9.qg-mail.com/c/eJwVjUtuxCAQRE9jdoOahnabBYtEUa4R8bVRsD3xkFnM6UOkWpT0Sq-uHOu95qPfaprofaIPh5AUIgXM7A0nAPAEBZgSckZjRXIFKGgv6tgiggKrLCq1SM-FE-poUEWajZ4MvKz8WW-7r03Gcxeb42UOs1q0mWMoyaIJmTXZwsgGSmHR3Nb7fdJvE36O9MvH73qs8tHzMx_7I26_rb_-bYOGEMTlWjxb8-kcfyXVKNfzKbpDS4YWHM1_aSA0fxvFRUM
US
html
417 b
suspicious
3544
iexplore.exe
GET
302
138.197.51.36:80
http://tracking.stevenmschultz.com/bbb
US
html
99 b
unknown
3544
iexplore.exe
GET
200
2.16.106.171:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?54250d5b91e94eca
unknown
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3544
iexplore.exe
192.124.249.22:80
ocsp.godaddy.com
Sucuri
US
suspicious
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3544
iexplore.exe
2.16.106.171:80
ctldl.windowsupdate.com
Akamai International B.V.
whitelisted
2160
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3544
iexplore.exe
138.197.51.36:80
tracking.stevenmschultz.com
Digital Ocean, Inc.
US
unknown
3544
iexplore.exe
134.209.69.162:443
mcrmgo.com
US
unknown
3544
iexplore.exe
52.205.132.94:80
email.z9.qg-mail.com
Amazon.com, Inc.
US
suspicious
3544
iexplore.exe
104.16.16.194:443
anthonymorrison.clickfunnels.com
Cloudflare Inc
US
shared
2160
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2160
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
email.z9.qg-mail.com
  • 52.205.132.94
  • 54.85.139.2
suspicious
tracking.stevenmschultz.com
  • 138.197.51.36
unknown
mcrmgo.com
  • 134.209.69.162
unknown
ctldl.windowsupdate.com
  • 2.16.106.171
  • 2.16.106.186
whitelisted
ocsp.godaddy.com
  • 192.124.249.22
  • 192.124.249.24
  • 192.124.249.23
  • 192.124.249.41
  • 192.124.249.36
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
crl.godaddy.com
  • 192.124.249.31
  • 192.124.249.41
  • 192.124.249.36
whitelisted
pwa.crmsecureorders.com
  • 134.209.69.162
unknown

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://email.z9.qg-mail.com/c/eJwVjUtuxCAQRE9jdoOahnabBYtEUa4R8bVRsD3xkFnM6UOkWpT0Sq-uHOu95qPfaprofaIPh5AUIgXM7A0nAPAEBZgSckZjRXIFKGgv6tgiggKrLCq1SM-FE-poUEWajZ4MvKz8WW-7r03Gcxeb42UOs1q0mWMoyaIJmTXZwsgGSmHR3Nb7fdJvE36O9MvH73qs8tHzMx_7I26_rb_-bYOGEMTlWjxb8-kcfyXVKNfzKbpDS4YWHM1_aSA0fxvFRUM