URL: https://geoinfo.i2w.io/

Full analysis: https://app.any.run/tasks/9b7726c2-247d-40fa-a269-f515ec09c36c
Verdict: Malicious activity
Analysis date: January 24, 2022, 21:11:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
  • MD5: DB7A4685F21099C420D93393BC50DC7A
  • SHA1: 7BC90D62D8CC6F3A02FD34AFFE12D3499BBBA15D
  • SHA256: BE827C7755EA740583788B2ADD770D21A288124E36CB41DABE4BC8D54F2A558B
  • SSDEEP: 3:N8hbMMCHKn:2poq

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • No malicious indicators.
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 3784)
  • INFO
    • Checks supported languages
      • iexplore.exe (PID: 2184)
      • iexplore.exe (PID: 3784)
    • Reads the computer name
      • iexplore.exe (PID: 2184)
      • iexplore.exe (PID: 3784)
    • Application launched itself
      • iexplore.exe (PID: 2184)
    • Changes internet zones settings
      • iexplore.exe (PID: 2184)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2184)
      • iexplore.exe (PID: 3784)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 2184)
      • iexplore.exe (PID: 3784)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3784)
Malware configuration: no data.
Total processes: 37
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> iexplore.exe -> iexplore.exe

Process information

PID: 2184
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://geoinfo.i2w.io/"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
  • c:\windows\system32\rpcrt4.dll

PID: 3784
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2184 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events: 18 317
Read events: 18 206
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 13
Text files: 5
Unknown types: 6

Dropped files

  • PID 2184, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 (type: der)
    MD5: FC990EAA7247546FB67C18916A4CAC9B
    SHA256: 294F5BE9159C87842AD3173FE7CDA168C9F2010C6D428085A8AC30EF436CA993
  • PID 3784, iexplore.exe: C:\Users\admin\AppData\Local\Temp\Low\Tar2BDF.tmp (type: cat)
    MD5: D99661D0893A52A0700B8AE68457351A
    SHA256: BDD5111162A6FA25682E18FA74E37E676D49CAFCB5B7207E98E5256D1EF0D003
  • PID 3784, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 (type: binary)
    MD5: F083F4978BDEFEC5BFD25A11D41D4F5D
    SHA256: CA49399A850585F80BD74E0FCC19E0BF01873EC3E82A713BEB9B36D174EFDEA9
  • PID 3784, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 (type: binary)
    MD5: FAF1C48C9BEFF163B2ABC44FAF262EA0
    SHA256: E87736D384E9691FFF1DBEAED9E50AA4141E5D095FE1B8D1EF59CDEA9E6EA1BD
  • PID 2184, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 (type: binary)
    MD5: A313DD9A7B39439B6B4C3955496FB2D5
    SHA256: 8084173B6BF777EACA24B3EB04925E44202EE6D20EA77A5D78808BB619B04B21
  • PID 3784, iexplore.exe: C:\Users\admin\AppData\Local\Temp\Low\Tar2C1F.tmp (type: cat)
    MD5: D99661D0893A52A0700B8AE68457351A
    SHA256: BDD5111162A6FA25682E18FA74E37E676D49CAFCB5B7207E98E5256D1EF0D003
  • PID 3784, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 (type: binary)
    MD5: 488B5502CA2702B5AA85EF1EB376E20F
    SHA256: 188CD1615E506F22D2B12FA42CDC0645D283CC3275A38CA350F5E722AD12561C
  • PID 3784, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\947AF310F52BB02DA99B26373F3CE9FD (type: binary)
    MD5: D89BF00FF4BEC292122C0D1E18623166
    SHA256: 9D93AFF404879F5A7A2E1277FEBBBE6C279A0F7F2B790E12BBBD54192B895C7C
  • PID 3784, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\947AF310F52BB02DA99B26373F3CE9FD (type: der)
    MD5: CD5A8097558F3BD64E0B98280BE3C99C
    SHA256: 3608CE1326125ECB1446E26399EC854BBE89A5053323D43493A3B8B6A61722A9
  • PID 3784, iexplore.exe: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DD4634BC6228F802DAD08FA834C43BE8 (type: binary)
    MD5: 56D24C25870E1AA07A8458766D3F5690
    SHA256: A86514F37138E89EDBBBD39A578448D3A477BCE657F41658BF10C93D6BD21FAD
HTTP(S) requests: 10
TCP/UDP connections: 14
DNS requests: 12
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3784 | iexplore.exe | GET | 200 | 2.16.186.11:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgThyIAb64reFo4sSbjmEiXMgQ%3D%3D | unknown | der | 503 b | shared
2184 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
3784 | iexplore.exe | GET | 200 | 2.16.106.171:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?df9d9c1e19e3cf8b | unknown | compressed | 59.9 Kb | whitelisted
3784 | iexplore.exe | GET | 200 | 2.16.106.171:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?358a1c8cd19c8c82 | unknown | compressed | 4.70 Kb | whitelisted
3784 | iexplore.exe | GET | 200 | 23.45.105.185:80 | http://x1.c.lencr.org/ | NL | der | 717 b | whitelisted
2184 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
3784 | iexplore.exe | GET | 200 | 2.16.186.11:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgQ80Ftf1VSM%2BRzLjZypmPfJ9g%3D%3D | unknown | binary | 5 b | shared
3784 | iexplore.exe | GET | 200 | 2.16.106.171:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d624580ddca4123c | unknown | compressed | 4.70 Kb | whitelisted
3784 | iexplore.exe | GET | 200 | 2.16.106.171:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?c16cb7ac3155a913 | unknown | compressed | 59.9 Kb | whitelisted
3784 | iexplore.exe | GET | 200 | 2.16.186.11:80 | http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgQ80Ftf1VSM%2BRzLjZypmPfJ9g%3D%3D | unknown | binary | 5 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3784 | iexplore.exe | 208.100.26.245:443 | geoinfo.i2w.io | Steadfast | US | malicious
3784 | iexplore.exe | 2.16.106.171:80 | ctldl.windowsupdate.com | Akamai International B.V. | | whitelisted
2184 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3784 | iexplore.exe | 23.45.105.185:80 | x1.c.lencr.org | Akamai International B.V. | NL | unknown
2184 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
2184 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3784 | iexplore.exe | 2.16.186.11:80 | r3.o.lencr.org | Akamai International B.V. | | whitelisted

DNS requests

Domain | IP | Reputation
geoinfo.i2w.io | 208.100.26.245 | malicious
ctldl.windowsupdate.com | 2.16.106.171, 2.16.106.233 | whitelisted
x1.c.lencr.org | 23.45.105.185 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
r3.o.lencr.org | 2.16.186.11, 2.16.186.10 | shared
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted

Threats: no threats detected

Debug info: none