URL: https://tinyurl.com/286j95h7

Full analysis: https://app.any.run/tasks/bce25f72-9ce7-49a6-b534-ad4c88f7eb4c
Verdict: Malicious activity
Analysis date: October 05, 2022, 01:36:08
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 6D8214349CDDC383E703CBCF940C2689
SHA1: EE02BC79C4135B55E1F33756AB8CD1EF65067E66
SHA256: AB21F9C822F63A6693C9A89FAA7805D10C6F9D5AEB01E1DA5AC443193CAE9D4F
SSDEEP: 3:N8EzLdIshA:2Endp2

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been distorted by user actions and is provided as is, for the user's own assessment. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 2936)
  • INFO
    • Reads the computer name
      • iexplore.exe (PID: 3016)
      • iexplore.exe (PID: 2936)
    • Checks supported languages
      • iexplore.exe (PID: 3016)
      • iexplore.exe (PID: 2936)
    • Application launched itself
      • iexplore.exe (PID: 3016)
    • Changes internet zones settings
      • iexplore.exe (PID: 3016)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2936)
      • iexplore.exe (PID: 3016)
    • Reads internet explorer settings
      • iexplore.exe (PID: 2936)
    • Creates files in the user directory
      • iexplore.exe (PID: 2936)
      • iexplore.exe (PID: 3016)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 2936)
      • iexplore.exe (PID: 3016)
    • Changes settings of System certificates
      • iexplore.exe (PID: 3016)
    • Dropped object may contain Bitcoin addresses
      • iexplore.exe (PID: 3016)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 3016)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start → iexplore.exe → iexplore.exe

Process information

PID: 3016
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://tinyurl.com/286j95h7"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID: 2936
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3016 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll
Total events: 12 162
Read events: 12 036
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 22
Text files: 34
Unknown types: 16

Dropped files

PID | Process | Filename | Type
2936 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\0A448HZL.txt | text
  MD5: 93E639FAD65DBC12C34CED24D0365700
  SHA256: 731E9DD879B5F40656479A764D0879CBECB01257584F253C76076682DA627465
2936 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\cls[1].css | text
  MD5: 2AD42C99ECE77B46E5A42A85207A3750
  SHA256: 3D510E16E6E569E573980FD67A55221795D539FD56688ECACA8D284255E86EE6
2936 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EB2C4AB8B68FFA4B7733A9139239A396_D76DB901EE986B889F30D8CC06229E2D | der
  MD5: C592E482A700E972E14C46C59EABD9BB
  SHA256: 3BD64AE8F25AD4DE3186018F5609D7B474B3F2FAF60C210DB787044055E78CAD
2936 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary
  MD5: DA2BF87D774DAED8BD25573DDCC7A721
  SHA256: 3776CDF7D19A1AF8F30A451A5B165E23D537F5F4E55D583EF9D87489A491BECE
2936 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\JR52VUP7.txt | text
  MD5: 2EE74A8683DBB4BC6B5A91CF60D225BB
  SHA256: 6D341B9902A3FD01A31F68769CE502AF03A2A76076EA099F9C07E9628E35E49B
2936 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: F86983BB8AB0C774668A46B69DD8E212
  SHA256: 48108AC86882EE8FFEC539841C71D7F08A529E92F0CED247206641DD2EDA07ED
2936 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\286j95h7[1].htm | html
  MD5: C94DCEFAC0E42675CD0DC11F7A410220
  SHA256: A35F306B9A07EDE8D007D37D5D7C29034105B4C4A2D7FE199EAFD50D04613EF1
2936 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | der
  MD5: F7983D8FD8DDD6DF665E3E5EB736D1C4
  SHA256: 173C1E435668AB7C8E2D30A020D2E63D66979911CDF19E0D50F68E697D2CAFC6
2936 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\pubfig.min[1].js | text
  MD5: 1F07E49DD8ADD3B5FD885EA10DB78385
  SHA256: 3D4B69859A01137A99E11FE9DD21290684788CF1A93F5853B7DEFDE56AB0D299
2936 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\R13GQMNW.txt | text
  MD5: 17B99A2E62E60A4A90687E31818CE6EC
  SHA256: 382A6811889C8D810046C53D2AC3F3177468124EC6AFC4B2499EFDCEFDDBC3E5
Download PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 17
TCP/UDP connections: 48
DNS requests: 24
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2936 | iexplore.exe | GET | 200 | 216.58.212.163:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted
2936 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D | US | der | 471 b | whitelisted
2936 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted
3016 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted
2936 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEAeReQ3heodN5gA88rOQrYY%3D | US | der | 471 b | whitelisted
2936 | iexplore.exe | GET | 200 | 192.124.249.22:80 | http://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCDGHwgNcZJfa | US | der | 1.74 Kb | whitelisted
2936 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?13d1c1ffc685b723 | US | compressed | 60.9 Kb | whitelisted
2936 | iexplore.exe | GET | 200 | 216.58.212.163:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted
2936 | iexplore.exe | GET | 200 | 93.184.221.240:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?f42197540d403b6b | US | compressed | 60.9 Kb | whitelisted
2936 | iexplore.exe | GET | 200 | 192.124.249.22:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2936 | iexplore.exe | 157.240.20.19:443 | connect.facebook.net | FACEBOOK | DE | whitelisted
2936 | iexplore.exe | 104.20.139.65:443 | tinyurl.com | CLOUDFLARENET | | suspicious
2936 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
2936 | iexplore.exe | 93.184.221.240:80 | ctldl.windowsupdate.com | EDGECAST | GB | whitelisted
2936 | iexplore.exe | 104.26.0.139:443 | a.pub.network | CLOUDFLARENET | US | suspicious
2936 | iexplore.exe | 143.204.215.68:443 | api.pushnami.com | AMAZON-02 | US | malicious
2936 | iexplore.exe | 35.201.71.192:443 | d.pub.network | GOOGLE | US | unknown
3016 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
2936 | iexplore.exe | 31.13.92.36:443 | www.facebook.com | FACEBOOK | DE | whitelisted
2936 | iexplore.exe | 65.9.66.9:443 | cmp.quantcast.com | AMAZON-02 | US | suspicious

DNS requests

Domain | IP | Reputation
tinyurl.com | 104.20.139.65, 104.20.138.65, 172.67.1.225 | shared
ctldl.windowsupdate.com | 93.184.221.240 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
a.pub.network | 104.26.0.139, 104.26.1.139, 172.67.68.60 | whitelisted
api.pushnami.com | 143.204.215.68, 143.204.215.36, 143.204.215.43, 143.204.215.35 | shared
connect.facebook.net | 157.240.20.19 | whitelisted
stats.g.doubleclick.net | 108.177.15.157, 108.177.15.155, 108.177.15.156, 108.177.15.154 | whitelisted
d.pub.network | 35.201.71.192 | whitelisted
ocsp.pki.goog | 216.58.212.163 | whitelisted
ocsp.godaddy.com | 192.124.249.22, 192.124.249.41, 192.124.249.36, 192.124.249.23, 192.124.249.24 | whitelisted

Threats

No threats detected
Debug info: none