URL: https://u13031921.ct.sendgrid.net/ls/click?upn=hnZEJtlOVoCRcvX0yS9ql2S3lEY07S8QIduMTeHG2NygRozO-2BdkXRZjt2SGJ4AO80pHl_Mj-2FciSswvBdfEnfNyoSWC-2BzhoNwB0poIaKgHOAeYbuipAPlIStbHvAMhyEPbDorbPMvsRdAt6H2Ci6RLG5O2XlqhrJw8c4ptDsbHjEWl2U2Vy1jg6BOOa6SOUWJNAeCYy8cZ1BcA12Omq9NRtf5HQlhhM7mNKEh1JyQX4VO3pit7IHOY3zudv8pQq2yn14PWmIPRdYoG8OxL1mvfuSWxbq8mkG-2B2lYFF1tKRVKcofko-3D

Full analysis: https://app.any.run/tasks/4c0dd82d-1855-4ebe-bcd6-a6bf4c412a56
Verdict: Malicious activity
Analysis date: January 25, 2022, 01:04:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 47A2BFD7781EA5D85F2EA4B9382246DC
SHA1: D6865324AEE28104F57C171247FACF9A66E35374
SHA256: A85E090E86B1851F8039135B3B0FFC96E860A13BE753AB570D946155D0E9CE80
SSDEEP: 6:2WW8nwY6xq/5mAGjlw2cOrJtJ6SbWgOrVmIvitqJ9DrJDRhrB2fD+om4NS3NsqHL:2KnHSq/5mAGjlDlJtJT/qMKikH9SC4No

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 2684)
  • INFO
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3820)
      • iexplore.exe (PID: 2684)
    • Reads the computer name
      • iexplore.exe (PID: 2684)
      • iexplore.exe (PID: 3820)
    • Checks supported languages
      • iexplore.exe (PID: 2684)
      • iexplore.exe (PID: 3820)
    • Changes internet zones settings
      • iexplore.exe (PID: 3820)
    • Application launched itself
      • iexplore.exe (PID: 3820)
    • Creates files in the user directory
      • iexplore.exe (PID: 2684)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 2684)
      • iexplore.exe (PID: 3820)
    • Reads internet explorer settings
      • iexplore.exe (PID: 2684)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph: start → iexplore.exe → iexplore.exe

Process information

PID: 3820
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://u13031921.ct.sendgrid.net/ls/click?upn=hnZEJtlOVoCRcvX0yS9ql2S3lEY07S8QIduMTeHG2NygRozO-2BdkXRZjt2SGJ4AO80pHl_Mj-2FciSswvBdfEnfNyoSWC-2BzhoNwB0poIaKgHOAeYbuipAPlIStbHvAMhyEPbDorbPMvsRdAt6H2Ci6RLG5O2XlqhrJw8c4ptDsbHjEWl2U2Vy1jg6BOOa6SOUWJNAeCYy8cZ1BcA12Omq9NRtf5HQlhhM7mNKEh1JyQX4VO3pit7IHOY3zudv8pQq2yn14PWmIPRdYoG8OxL1mvfuSWxbq8mkG-2B2lYFF1tKRVKcofko-3D"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (Images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID: 2684
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3820 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (Images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\version.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 14 425
Read events: 14 307
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 23
Text files: 103
Unknown types: 22

Dropped files

PID | Process | Filename | Type
2684 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D | binary
  MD5: A49AF11A570757B1E28213D82214D902
  SHA256: F9A9C75D435224635D572DEBF76A31086856C5552F86A2925693FEFD4C35EB6E
2684 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\campaign[1].svg | image
  MD5: 1D2A60A60F40F9E63B63AC52183F9C01
  SHA256: 572ACFB80CDCE15FD7239F1B6266FEB4470926FDD5698E95F40B5B41FFABBE06
2684 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\digital_products[1].svg | image
  MD5: 5407A8FE869D2A4B5DEFE4AE08268D45
  SHA256: 7B932B72D4C1AB01CD1FB55C4D016156A0AA77CC30CE273854C95CFC2B32073A
2684 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D | der
  MD5: 3DBA8BD3D1C5586D7B6C88E9865CC72B
  SHA256: BE214107A441DCCC82553116726922B4A19BB0D32DDD965E83FD15FFC90AD9F8
2684 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\tailwind[1].css | text
  MD5: DA22A5D152DD467575A99D3A99DAFF8D
  SHA256: 813B1C3B125DDDB582E472B820BE298B12CC6EE5F74E9B46B56F4D6427F42EC0
2684 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B39C403EE7698F732743C79CB583A818_F94572BF13D20C8A2D58EA30B5AB031E | der
  MD5: 5573411EC5DC6DF320B2C1880FB69AA0
  SHA256: B9E10EE122CE5B5749C50314ADC44337601CD7DE0F4E6A85EA757AD8883BF129
2684 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\223DE96EE265046957A660ED7C9DD9E7_EFF9B9BA98DEAA773F261FA85A0B1771 | binary
  MD5: 1F2C44BECB3F6D4A8FDABA6EED0D50EA
  SHA256: 03A13DBF6928966C5D9A7A2F2568624BFDBE73C749D844005AF12EEBB4BA30B6
2684 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\automation[1].svg | image
  MD5: A71DC63B19309A29D188551C4A945223
  SHA256: 446D7F3C8D927583C065006736151F610EB821A9A55A376804E0CC54AE7F81F5
2684 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\JBRLR9CF.htm | html
  MD5: CD3646F9215D1DC74DA91DF97E994CED
  SHA256: 33AEA0377772DA92256401FD9564B3A9C4A08E03BF2293AB26F6DDA8E8A60706
2684 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\landing-pages[1].svg | image
  MD5: 8F841DD57F9D56C89C58FECF6F65DC30
  SHA256: 159B96880979BFC9516F6DBBE907CD184181F132DCCC8AE0B5D9A6377BDF4A32
HTTP(S) requests: 19
TCP/UDP connections: 73
DNS requests: 32
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2684 | iexplore.exe | GET | 200 | 192.124.249.41:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted
2684 | iexplore.exe | GET | 200 | 192.124.249.41:80 | http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | US | der | 1.66 Kb | whitelisted
2684 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQS14tALDViBvqCf47YkiQRtKz1BAQUpc436uuwdQ6UZ4i0RfrZJBCHlh8CEAyxVj9Q6Sv8YTt%2B78cX2W4%3D | US | der | 280 b | whitelisted
2684 | iexplore.exe | GET | 200 | 142.250.185.163:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted
2684 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted
2684 | iexplore.exe | GET | 200 | 142.250.185.163:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted
2684 | iexplore.exe | GET | 200 | 13.32.11.229:80 | http://crl.rootca1.amazontrust.com/rootca1.crl | US | der | 493 b | whitelisted
2684 | iexplore.exe | GET | 200 | 192.124.249.41:80 | http://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCAFQWPc8P68%2F | US | der | 1.74 Kb | whitelisted
2684 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEA0OVaEcb%2BOak3V3OoTdWC4%3D | US | der | 471 b | whitelisted
2684 | iexplore.exe | GET | 200 | 13.32.11.71:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2684 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2684 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2684 | iexplore.exe | 192.124.249.41:80 | ocsp.godaddy.com | Sucuri | US | suspicious
2684 | iexplore.exe | 142.250.186.78:443 | www.googleoptimize.com | Google Inc. | US | whitelisted
2684 | iexplore.exe | 104.16.148.64:443 | cdn.cookielaw.org | Cloudflare Inc | US | unknown
2684 | iexplore.exe | 104.18.3.159:443 | www.mailerlite.com | Cloudflare Inc | US | unknown
2684 | iexplore.exe | 167.89.123.16:443 | u13031921.ct.sendgrid.net | SendGrid, Inc. | US | malicious
2684 | iexplore.exe | 142.250.185.163:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
2684 | iexplore.exe | 104.18.2.159:443 | www.mailerlite.com | Cloudflare Inc | US | suspicious
2684 | iexplore.exe | 104.21.33.201:443 | cdn.remotecompany.com | Cloudflare Inc | US | unknown

DNS requests

Domain | IP | Reputation
u13031921.ct.sendgrid.net | 167.89.123.16, 167.89.123.122, 167.89.115.54, 167.89.115.121 | suspicious
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
ocsp.godaddy.com | 192.124.249.41, 192.124.249.36, 192.124.249.23, 192.124.249.24, 192.124.249.22 | whitelisted
www.mailerlite.com | 104.18.3.159, 104.18.2.159 | suspicious
ocsp.digicert.com | 93.184.220.29 | whitelisted
www.googleoptimize.com | 142.250.186.78 | whitelisted
cdn.cookielaw.org | 104.16.148.64, 104.16.149.64 | whitelisted
track.mailerlite.com | 104.18.2.159, 104.18.3.159 | suspicious
static.mailerlite.com | 104.18.3.159, 104.18.2.159 | whitelisted
cdn.remotecompany.com | 104.21.33.201, 172.67.166.88 | malicious

Threats: No threats detected
Debug info: No debug info