Malware analysis checkip.dyndns.org Malicious activity

Add for printing

URL:	checkip.dyndns.org
Full analysis:	https://app.any.run/tasks/071849a0-5031-4124-be03-0f379ca8a957
Verdict:	Malicious activity
Analysis date:	September 26, 2024, 19:49:55
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	evasion
MD5:	6CAF90F6121DCECA2C0BED9B9D5F5915
SHA1:	C7C90B6395DF754BFC8D045631266B5BD801FD73
SHA256:	B195DA70568B5F64B41B945B1FF5E62C35148494E7C1067C1960223132FD03C3
SSDEEP:	3:dMXwLS:7LS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
No info indicators.

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

154

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
6948	"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2364 --field-trial-handle=2444,i,17269224743219337368,10137956094775366487,262144 --variations-seed-version /prefetch:3	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe		msedge.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 122.0.2365.59

Add for printing

Total events

Read events

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
6948	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\9819ba1b-edfc-4cc0-95bb-8da77cf1f73c.tmp		ini
		MD5:D751713988987E9331980363E24189CE	SHA256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
6948	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF259093.TMP		ini
		MD5:D751713988987E9331980363E24189CE	SHA256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
6948	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports~RF258efd.TMP		ini
		MD5:D751713988987E9331980363E24189CE	SHA256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
6948	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries~RF25b32f.TMP		binary
		MD5:20D4B8FA017A12A108C87F540836E250	SHA256:6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D
6948	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\5e0885e1-c049-4710-8894-2f84f262e090.tmp		binary
		MD5:957777753E4A9C8F6D69115B52CD7A74	SHA256:A7FBDE1EACA0A058E133C6D15ECC8B90A61F4A5EFFB20CD387CE32B7955A9931
6948	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000258		compressed
		MD5:99D685FB3E231D04D29299A5D6565731	SHA256:19874D7E864C5BA91655C102D84939F776B5CECCA3BDEC2D4F478234224F7916
6948	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity		binary
		MD5:957777753E4A9C8F6D69115B52CD7A74	SHA256:A7FBDE1EACA0A058E133C6D15ECC8B90A61F4A5EFFB20CD387CE32B7955A9931
6948	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports		ini
		MD5:D751713988987E9331980363E24189CE	SHA256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
6948	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\d010cd6e-edc7-4393-b77b-b1ecc3d9d8a8.tmp		text
		MD5:D751713988987E9331980363E24189CE	SHA256:4F53CDA18C2BAA0C0354BB5F9A3ECBE5ED12AB4D8E11BA873C2F11161202B945
6948	msedge.exe	C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries		binary
		MD5:20D4B8FA017A12A108C87F540836E250	SHA256:6028BD681DBF11A0A58DDE8A0CD884115C04CAA59D080BA51BDE1B086CE0079D

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
—	—	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted
2120	MoUsoCoreWorker.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
6948	msedge.exe	GET	200	158.101.44.242:80	http://checkip.dyndns.org/	unknown	—	—	malicious
6572	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
2636	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6948	msedge.exe	GET	200	158.101.44.242:80	http://checkip.dyndns.org/favicon.ico	unknown	—	—	malicious
2636	SIHClient.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
2968	svchost.exe	GET	200	69.192.161.161:80	http://www.microsoft.com/pkiops/crl/MicWinProPCA2011_2011-10-19.crl%20	unknown	—	—	whitelisted
2968	svchost.exe	GET	200	23.48.23.173:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
—	—	192.168.100.255:137	—	—	—	whitelisted
2120	MoUsoCoreWorker.exe	69.192.161.161:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5336	SearchApp.exe	52.182.143.214:443	browser.pipe.aria.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
—	—	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
—	—	192.168.100.255:138	—	—	—	whitelisted
—	—	13.107.42.16:443	config.edge.skype.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
—	—	158.101.44.242:80	checkip.dyndns.org	ORACLE-BMC-31898	US	shared
—	—	13.107.21.239:443	edge.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 20.73.194.208	whitelisted
www.microsoft.com	69.192.161.161	whitelisted
browser.pipe.aria.microsoft.com	52.182.143.214	whitelisted
google.com	142.250.181.238	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
config.edge.skype.com	13.107.42.16	whitelisted
checkip.dyndns.org	158.101.44.242 132.226.247.73 193.122.6.168 193.122.130.0 132.226.8.169	shared
edge.microsoft.com	13.107.21.239 204.79.197.239	whitelisted
business.bing.com	13.107.6.158	whitelisted
edge-mobile-static.azureedge.net	13.107.246.64	whitelisted

Threats

PID	Process	Class	Message
—	—	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
—	—	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
—	—	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
—	—	Device Retrieving External IP Address Detected	ET INFO External IP Lookup Domain in DNS Query (checkip .dyndns .org)
6948	msedge.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup - checkip.dyndns.org
6948	msedge.exe	Device Retrieving External IP Address Detected	ET POLICY External IP Lookup - checkip.dyndns.org

Add for printing

No debug info

General Info

checkip.dyndns.org

6CAF90F6121DCECA2C0BED9B9D5F5915

C7C90B6395DF754BFC8D045631266B5BD801FD73

B195DA70568B5F64B41B945B1FF5E62C35148494E7C1067C1960223132FD03C3

3:dMXwLS:7LS

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings