URL: https://t.ly/_5qZ/

Full analysis: https://app.any.run/tasks/b6ac59db-a72f-49e8-b5b7-f6974afa6269
Verdict: Malicious activity
Analysis date: June 27, 2022, 12:43:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: AECD20BF1AE4CE7B68837B508669ED56
SHA1: 3BA49A872AF40C111FE523BDE6DA91A303AB70B4
SHA256: C669F0761FA2FBE55FA2A623B7B3FF9D1B9963B355B8F7F4E072F21741248165
SSDEEP: 3:N8D5Q/Kn:2tQ/Kn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2924)
  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 2764)
      • iexplore.exe (PID: 2924)
    • Checks supported languages

      • iexplore.exe (PID: 2924)
      • iexplore.exe (PID: 2764)
    • Application launched itself

      • iexplore.exe (PID: 2764)
    • Changes internet zones settings

      • iexplore.exe (PID: 2764)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2924)
      • iexplore.exe (PID: 2764)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2764)
      • iexplore.exe (PID: 2924)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2924)
    • Creates files in the user directory

      • iexplore.exe (PID: 2924)
No Malware configuration.
No data.
Total processes: 36
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> iexplore.exe (PID 2764) -> iexplore.exe (PID 2924)

Process information

PID 2764
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://t.ly/_5qZ/"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images):
    • c:\program files\internet explorer\iexplore.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\system32\kernel32.dll
    • c:\windows\system32\kernelbase.dll
    • c:\windows\system32\msvcrt.dll
    • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    • c:\windows\system32\advapi32.dll
    • c:\windows\system32\sechost.dll
    • c:\windows\system32\rpcrt4.dll
    • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll

PID 2924
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2764 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images):
    • c:\program files\internet explorer\iexplore.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\system32\kernel32.dll
    • c:\windows\system32\kernelbase.dll
    • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    • c:\windows\system32\advapi32.dll
    • c:\windows\system32\msvcrt.dll
    • c:\windows\system32\sechost.dll
    • c:\windows\system32\rpcrt4.dll
    • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events: 12 927
Read events: 12 812
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 16
Text files: 20
Unknown types: 12

Dropped files

PID 2924, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8F
  Type: binary
  MD5: 45E6E82EA8BA8492C75383D1D298476F
  SHA256: 0C6BADACA8A697282EAD6F769E59E7A866F410359AD63B72E7EFBA08E3366F1A

PID 2924, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Low\Cab85DB.tmp
  Type: compressed
  MD5: 308336E7F515478969B24C13DED11EDE
  SHA256: 889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9

PID 2764, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
  Type: der
  MD5: 28CC3D4B0DA8A29A9DCD6D4755C84342
  SHA256: A4CA2DD1D4545838F7A9102623442BC76BDEB2185E9991A294BCB0B6456DDA0E

PID 2924, iexplore.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\P2G4KY4E.txt
  Type: text
  MD5: 81B303F9AE72291E182072216814234B
  SHA256: C2143D6D309A98817C27EDCBA4E801E12B04C0536C4A71AB963A226D92A40E80

PID 2924, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  Type: binary
  MD5: 3D443463BF8C31CF2D200FEC31C933FC
  SHA256: 75382C90C885204F0227E1655ACD2B809F7AB1FFA0242CD7CD28B1C12EE9DDA7

PID 2924, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EFC26C9D3B591EAF223E88F0B15645AF
  Type: der
  MD5: 0B9539B6F2292F96429C1F238CFF59FA
  SHA256: 7996919271A476768A98779C59E52678E105240E57C07485798CCDC662BD718E

PID 2924, iexplore.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\RX5EOXHW.txt
  Type: text
  MD5: 593FCD6084787926A3EFB2014EB36381
  SHA256: FECAA91B0C2F692D4C6F04E34C9D31E7922D23AF97F6D7ABA207800CF90F1AAF

PID 2924, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506
  Type: compressed
  MD5: 308336E7F515478969B24C13DED11EDE
  SHA256: 889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9

PID 2764, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
  Type: binary
  MD5: 5AE6E2DC4BCB4EC67B0ECAC17B5AA297
  SHA256: AB8A138607974727926A00662D6217A5D54E58FA0E9EC4712719603CD5F0F8BA

PID 2924, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F
  Type: der
  MD5: DF6DEECBA36F8D0AF53EAFA9C51AB1F7
  SHA256: 60D1053BDE5FBCA23ED8976F1EABAEE9C4BB459D9C997E5A76BB2182EE916D98
HTTP(S) requests: 12
TCP/UDP connections: 39
DNS requests: 18
Threats: 0

HTTP requests

PID 2924, iexplore.exe, GET, HTTP 200, IP 93.184.220.29:80
  URL: http://crl3.digicert.com/Omniroot2025.crl
  CN: US, type: der, size: 7.78 Kb, reputation: whitelisted

PID 2764, iexplore.exe, GET, HTTP 200, IP 93.184.220.29:80
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
  CN: US, type: der, size: 1.47 Kb, reputation: whitelisted

PID 2924, iexplore.exe, GET, HTTP 200, IP 8.252.73.254:80
  URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?24f056ead05b76ad
  CN: US, type: compressed, size: 60.0 Kb, reputation: whitelisted

PID 2924, iexplore.exe, GET, HTTP 200, IP 8.252.73.254:80
  URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?0f56b02e2d74dc41
  CN: US, type: compressed, size: 60.0 Kb, reputation: whitelisted

PID 2764, iexplore.exe, GET, HTTP 200, IP 93.184.220.29:80
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
  CN: US, type: der, size: 471 b, reputation: whitelisted

PID 2924, iexplore.exe, GET, HTTP 200, IP 92.123.224.235:80
  URL: http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgQn5PlIQ%2BbaXWE%2Fawr%2BmmaYEA%3D%3D
  CN: unknown, type: der, size: 503 b, reputation: shared

PID 2924, iexplore.exe, GET, HTTP 200, IP 93.184.220.29:80
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
  CN: US, type: der, size: 471 b, reputation: whitelisted

PID 2924, iexplore.exe, GET, HTTP 200, IP 93.184.220.29:80
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEArEUKwX8I4ZIpOYKXd%2B%2FBg%3D
  CN: US, type: der, size: 471 b, reputation: whitelisted

PID 2924, iexplore.exe, GET, HTTP 200, IP 93.184.220.29:80
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR0tOcjGcdlkhVARHvHzj6Qwhh26wQUpI3lvnx55HAjbS4pNK0jWNz1MX8CEAFHNNUpDP%2BL7ji3wrZelLo%3D
  CN: US, type: der, size: 471 b, reputation: whitelisted

PID 2924, iexplore.exe, GET, HTTP 200, IP 93.184.220.29:80
  URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAeYNgOt45kIIZygDCe8imw%3D
  CN: US, type: der, size: 471 b, reputation: whitelisted

Connections

PID 2764, iexplore.exe, 131.253.33.200:443, www.bing.com
  ASN: Microsoft Corporation, CN: US, reputation: whitelisted

PID 2764, iexplore.exe, 93.184.220.29:80, ocsp.digicert.com
  ASN: MCI Communications Services, Inc. d/b/a Verizon Business, CN: US, reputation: whitelisted

PID 2924, iexplore.exe, 8.252.73.254:80, ctldl.windowsupdate.com
  ASN: Level 3 Communications, Inc., CN: US, reputation: suspicious

PID 2924, iexplore.exe, 172.67.135.215:443, t.ly
  CN: US, reputation: unknown

PID 2924, iexplore.exe, 5.188.196.193:443, smartdrivinglabs.com
  ASN: Petersburg Internet Network ltd., CN: NL, reputation: unknown

PID 2924, iexplore.exe, 93.184.220.29:80, ocsp.digicert.com
  ASN: MCI Communications Services, Inc. d/b/a Verizon Business, CN: US, reputation: whitelisted

PID 2924, iexplore.exe, 96.16.145.230:80, x1.c.lencr.org
  ASN: Akamai Technologies, Inc., CN: US, reputation: suspicious

PID 2924, iexplore.exe, 104.17.25.14:443, cdnjs.cloudflare.com
  ASN: Cloudflare Inc, CN: US, reputation: suspicious

PID 2924, iexplore.exe, 113.108.231.116:443, blog.kungfuenglish.com
  ASN: CHINANET Guangdong province network, CN: CN, reputation: unknown

PID 2924, iexplore.exe, 161.190.1.97:443, onlinebanking.bancogalicia.com.ar
  ASN: Banco de Galicia y Buenos Aires, CN: AR, reputation: unknown

DNS requests

Domain: resolved IP(s) (reputation)
t.ly: 172.67.135.215, 104.21.26.98 (whitelisted)
api.bing.com: 13.107.5.80 (whitelisted)
www.bing.com: 131.253.33.200, 13.107.22.200 (whitelisted)
ctldl.windowsupdate.com: 8.252.73.254, 8.252.73.126, 67.26.163.254, 8.253.130.254, 8.253.129.204 (whitelisted)
ocsp.digicert.com: 93.184.220.29 (whitelisted)
crl3.digicert.com: 93.184.220.29 (whitelisted)
smartdrivinglabs.com: 5.188.196.193 (unknown)
x1.c.lencr.org: 96.16.145.230 (whitelisted)
r3.o.lencr.org: 92.123.224.235, 92.123.224.240 (shared)
blog.kungfuenglish.com: 113.108.231.116 (unknown)

Threats

No threats detected
No debug info