URL:

https://massgrave.dev\\get.ps1

Full analysis: https://app.any.run/tasks/f4ab2436-438d-47a6-abd8-f445d950efdd
Verdict: Malicious activity
Analysis date: February 09, 2024, 12:54:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

487447163CBDBE35766B80E2324B7CA8

SHA1:

BAAD8DC36C38C07498D21372B5C03E560F0B6B4D

SHA256:

CCA993D0BF32AF16530977A122ADD376E783D956559044F7E769AF4507ADA453

SSDEEP:

3:N8a0CGTn:2a0CGTn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Starts POWERSHELL.EXE for commands execution

      • iexplore.exe (PID: 3700)

  • SUSPICIOUS

    • Reads the Internet Settings

      • powershell.exe (PID: 3992)

    • The process executes Powershell scripts

      • iexplore.exe (PID: 3700)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3700)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3700)

    • The process uses the downloaded file

      • powershell.exe (PID: 3992)
      • iexplore.exe (PID: 3700)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe no specs iexplore.exe powershell.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2044"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3700 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3700"C:\Program Files\Internet Explorer\iexplore.exe" "https://massgrave.dev\\get.ps1"C:\Program Files\Internet Explorer\iexplore.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3992"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\get.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
3221225786
Version:
10.0.14409.1005 (rs1_srvoob.161208-1155)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\atl.dll
c:\windows\system32\user32.dll
Total events
14 527
Read events
14 400
Write events
112
Delete events
15

Modification events

(PID) Process:(3700) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(3700) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
896546688
(PID) Process:(3700) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
31087447
(PID) Process:(3700) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(3700) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
31087447
(PID) Process:(3700) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3700) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3700) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3700) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3700) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
0
Suspicious files
5
Text files
4
Unknown types
10

Dropped files

PID
Process
Filename
Type
2044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:7005AF0F5756BDD8036E30A19D2F7427
SHA256:E4C45BF3FFAFFD8FB05ED7615C2FE84FCFC94EDB4E0BCD512F7B9F289D138FA4
2044iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\get.ps1.v3k9p51.partialtext
MD5:993B9C88C73AC1E74472E0CC9E8970DD
SHA256:D3234E767F52807C6A8D8C7222EC0701A5435FF1C0FAF96A32CA7B41DF395952
3700iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF3BCDCDF75EB94F4A.TMPbinary
MD5:591FD6DBDF8552556CAB7723B27021F3
SHA256:990822F62CF9C90C36525B2E23DC5361E7F320442AA04FAC5E026B55635DACA9
2044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25binary
MD5:DE279EF11368DD24578007E81E086851
SHA256:9ACCB850299742BAE8334CC8C9A56722E864244C6C9D6942E23E5B7F42426FC1
2044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19binary
MD5:6F6A243F248FDB0697115ED668903248
SHA256:3D7D0EE02556AFCFC6BF7AA2B138C1D5A764226D50C8050EBAA2F923B2561BCA
2044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25binary
MD5:F57C75E0B8254E8B1E5EB4C1F1F3D43F
SHA256:3B4A8D3BF9CADF313E3214435360C7BC11F8A085506514CE35DDE75CB3B73E9D
2044iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19binary
MD5:C3562848B0D9C846C96FFEB19DA114AC
SHA256:90DF011A718AA6DB0FD85DA570BBEA050067DAC0590164AF235CAA07CD8E8CB6
3700iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\get.ps1.v3k9p51.partial:Zone.Identifiertext
MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
3992powershell.exeC:\Users\admin\AppData\Local\Temp\qdo4s4dt.mp3.psm1binary
MD5:C4CA4238A0B923820DCC509A6F75849B
SHA256:
3992powershell.exeC:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractivebinary
MD5:446DD1CF97EABA21CF14D03AEBC79F27
SHA256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
9
DNS requests
5
Threats
2

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2044
iexplore.exe
GET
304
178.79.238.128:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f78d505714a595e3
unknown
unknown
2044
iexplore.exe
GET
304
178.79.238.128:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?545e1839169dd0e6
unknown
unknown
2044
iexplore.exe
GET
200
104.18.38.233:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSr83eyJy3njhjVpn5bEpfc6MXawQQUOuEJhtTPGcKWdnRJdtzgNcZjY5oCECO3bePBuysaUZYeCOq3ZOg%3D
unknown
binary
979 b
unknown
2044
iexplore.exe
GET
200
104.18.38.233:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEFZnHQTqT5lMbxCBR1nSdZQ%3D
unknown
binary
1.42 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
2044
iexplore.exe
5.45.97.157:443
massgrave.dev
netcup GmbH
DE
unknown
2044
iexplore.exe
178.79.238.128:80
ctldl.windowsupdate.com
LLNW
FR
unknown
2044
iexplore.exe
104.18.38.233:80
ocsp.comodoca.com
CLOUDFLARENET
shared

DNS requests

Domain
IP
Reputation
massgrave.dev
  • 5.45.97.157
unknown
ctldl.windowsupdate.com
  • 178.79.238.128
  • 178.79.238.0
whitelisted
ocsp.comodoca.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
ocsp.usertrust.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted

Threats

PID
Process
Class
Message
2044
iexplore.exe
Misc activity
ET INFO Observed ZeroSSL SSL/TLS Certificate
2044
iexplore.exe
Misc activity
ET INFO Observed ZeroSSL SSL/TLS Certificate
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://massgrave.dev\\get.ps1