analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://xn--k1a.web.app/host:-login.bll.co.il:1964

Full analysis: https://app.any.run/tasks/2126a419-852d-4a00-ae04-dff9c98a12c4
Verdict: Malicious activity
Analysis date: October 04, 2022, 21:02:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

10C9C07502CEF3A73CC36C5C60161F21

SHA1:

798AE360AF4114482408B77DE624F0542A3BFDF1

SHA256:

B232F553A1BB737C7221497D410B35D5EBA13BFAEB9D7FABCF3280BAE54767AB

SSDEEP:

3:N8nEJzrxDIJKnZzcdn:2EJZ/xyn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 380)

  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 2900)
      • iexplore.exe (PID: 380)

    • Checks supported languages

      • iexplore.exe (PID: 380)
      • iexplore.exe (PID: 2900)

    • Changes internet zones settings

      • iexplore.exe (PID: 2900)

    • Application launched itself

      • iexplore.exe (PID: 2900)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 380)
      • iexplore.exe (PID: 2900)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 380)
      • iexplore.exe (PID: 2900)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2900)

    • Reads internet explorer settings

      • iexplore.exe (PID: 380)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2900)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2900"C:\Program Files\Internet Explorer\iexplore.exe" "https://xn--k1a.web.app/host:-login.bll.co.il:1964"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-user32-l1-1-0.dll
380"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2900 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\rpcrt4.dll
Total events
10 746
Read events
10 623
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
11
Text files
98
Unknown types
10

Dropped files

PID
Process
Filename
Type
380iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:03A4EA292F42440E48CCAE7D20455E4E
SHA256:3E0203A6FC441FE43E36F9B18B7444A258080D54D2CD5C97CEBC7847EA47FC77
2900iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442der
MD5:B8BDA0B382A7D056A4241B388338B778
SHA256:7BAA967F6686CCE471826B20FFA5CB7FEB4BF3C5C0BF43F51F08E84EB5850DD2
380iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAder
MD5:F7983D8FD8DDD6DF665E3E5EB736D1C4
SHA256:173C1E435668AB7C8E2D30A020D2E63D66979911CDF19E0D50F68E697D2CAFC6
380iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27der
MD5:87AAD071DDAAAD8ADB70E4DABCC1A750
SHA256:2D558A3FE733F9893095B3758FF661E7B48DB7D8D725D7AC9EDBFFABC65D1613
380iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_45E3C223BCF135987E4038FB6B0DBA13der
MD5:37D9737D87E736F32071BC84631A152D
SHA256:55961D82ABE79DE45FBDA7F4E7B4EC02F37A53D0617DF5A69C6FCC95D18C0258
380iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:21EBA8A424ECFAD2BE2AF297E11ED0DC
SHA256:9CC0C7241DA3CCCE4652DE590973F9F9EC2F36EC9C6A76702CDA5173DF6705D4
2900iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442binary
MD5:4EBC2B4BB59323ED6415163874073125
SHA256:5D4FE29D62B49BD6058258B601A9DA4A1D0E2ADABA4D6748B76E4B48FB498F09
380iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\host_-login.bll.co[1].htmhtml
MD5:D6DF8C971E518879B2E005F2C6FE85BA
SHA256:913EF9EF39D28D61EE58FF4313ACC21F552EB7DA42D6F54CCD7D1983ACE675FB
380iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_45E3C223BCF135987E4038FB6B0DBA13binary
MD5:347426C4C205CF9139A2A4D7C64516DC
SHA256:06E62AF44B2796041D19504ABE3D5608568DE755195885AACDB90467B888E45E
380iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:F4206F54069C8BA409DDEA3B9714D8BD
SHA256:D37AD0DD615E93B578C731AA5FBB83605A3F4732412800C12AC7F439D05014F6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
46
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
380
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
380
iexplore.exe
GET
200
142.250.186.35:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
380
iexplore.exe
GET
200
142.250.186.35:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIAjrICMzZli2TN25s%3D
US
der
724 b
whitelisted
2900
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
US
der
1.47 Kb
whitelisted
2900
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
380
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAbY2QTVWENG9oovp1QifsQ%3D
US
der
471 b
whitelisted
380
iexplore.exe
GET
200
104.18.32.68:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
US
der
1.42 Kb
whitelisted
380
iexplore.exe
GET
200
8.249.63.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ed37a4d26ff55ffa
US
compressed
4.70 Kb
whitelisted
380
iexplore.exe
GET
200
104.18.32.68:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
US
der
2.18 Kb
whitelisted
380
iexplore.exe
GET
200
8.249.63.254:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5641f4edb50a1a92
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2900
iexplore.exe
204.79.197.200:443
www.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
380
iexplore.exe
142.250.186.35:80
ocsp.pki.goog
GOOGLE
US
whitelisted
2900
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
EDGECAST
GB
whitelisted
380
iexplore.exe
104.17.24.14:443
cdnjs.cloudflare.com
CLOUDFLARENET
suspicious
380
iexplore.exe
8.249.63.254:80
ctldl.windowsupdate.com
LEVEL3
US
suspicious
380
iexplore.exe
104.18.11.207:443
maxcdn.bootstrapcdn.com
CLOUDFLARENET
suspicious
380
iexplore.exe
199.36.158.100:443
xn--k1a.web.app
FASTLY
US
malicious
380
iexplore.exe
69.16.175.42:443
code.jquery.com
STACKPATH-CDN
US
malicious
380
iexplore.exe
104.16.87.20:443
cdn.jsdelivr.net
CLOUDFLARENET
shared
380
iexplore.exe
104.18.22.52:443
kit.fontawesome.com
CLOUDFLARENET
unknown

DNS requests

Domain
IP
Reputation
xn--k1a.web.app
  • 199.36.158.100
malicious
ctldl.windowsupdate.com
  • 8.249.63.254
  • 8.249.61.254
  • 8.241.45.126
  • 8.238.176.254
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ocsp.pki.goog
  • 142.250.186.35
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
maxcdn.bootstrapcdn.com
  • 104.18.11.207
  • 104.18.10.207
whitelisted
cdnjs.cloudflare.com
  • 104.17.24.14
  • 104.17.25.14
whitelisted
kit.fontawesome.com
  • 104.18.22.52
  • 104.18.23.52
whitelisted
use.fontawesome.com
  • 172.64.132.15
  • 172.64.133.15
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://xn--k1a.web.app/host:-login.bll.co.il:1964