URL: https://tfaforms.com

Full analysis: https://app.any.run/tasks/3ed3a72f-c09f-423c-bb30-ce50e8a213cc
Verdict: Malicious activity
Analysis date: December 05, 2022, 21:41:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
  • MD5: 8DB692A938CB02BE8DBC0A44811FF689
  • SHA1: 3248C0AF1AF3DB52A597AB82862694CD235616DE
  • SHA256: D582D6AB1F9B89A62F3CB368A5D33504E4DF54A08B3C430E57B6774FFF17B37E
  • SSDEEP: 3:N8LqK72:2w

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS: No malicious indicators.
  • SUSPICIOUS: No suspicious indicators.
  • INFO:
    • Application launched itself
      • iexplore.exe (PID: 856)
    • Dropped object may contain Bitcoin addresses
      • iexplore.exe (PID: 404)
No Malware configuration.
No data.
Screenshots: available in the full report
Total processes: 35
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start → iexplore.exe (PID 856) → iexplore.exe (PID 404)

Process information

PID: 856
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://tfaforms.com"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators: (none)
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID: 404
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:856 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Indicators: (none)
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll
Total events: 16 156
Read events: 16 028
Write events: 128
Delete events: 0

Modification events

Format: (PID) Process | Operation | Key | Name | Value

  • (856) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPDaysSinceLastAutoMigration | 1
  • (856) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchLowDateTime | (value not shown)
  • (856) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchHighDateTime | 31000818
  • (856) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateLowDateTime | (value not shown)
  • (856) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateHighDateTime | 31000818
  • (856) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | (value not shown)
  • (856) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
  • (856) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
  • (856) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0
  • (856) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
Executable files: 0
Suspicious files: 16
Text files: 59
Unknown types: 15

Dropped files

Format: PID | Process | Filename | Type, followed by the file's MD5 and SHA256

  • 856 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | binary
    MD5: 5648F6CE1EB88B1D4F7C56A7ED654B5E
    SHA256: 3C5E87B88A53DF78BCBD8FCAF72707C77E5CB3E1BE64FED8C43C93F0534C4BD7
  • 404 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
    MD5: 048844669BAEB69BBDB8FA499BDF6AB4
    SHA256: F2CF5F6E80CFE2ADCAEE56639CA122443DC0DE60B5987AF883A865917648125E
  • 856 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | der
    MD5: 503AD061073A29CEE4CB12D552F6A5B3
    SHA256: D2A97423F8B71CA1DAAC39F8A037DCA022303C1ADFBD49995EFF3B36AFFF33F9
  • 404 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1CVIZKCB.txt | text
    MD5: 6FDF94BD84EDB50CC645CDAA4D6D84E9
    SHA256: DF0696BB991F58805F19A9E0AF8F6C3E9F0F899138A1F43F87B048F5266177AC
  • 404 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\2M86RNLK.txt | text
    MD5: E197BC11A2E18CC5742D4D38CD9A2ED1
    SHA256: 4AB647BC55D365D37D4CA36EA651B013377A698FD5DBA15A2FA76E756C1553CB
  • 404 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7D6243C18F0F8F9AEC6638DD210F1984_9F77718FCB1E6D882CD1845976A9E5F6 | binary
    MD5: 7DFAA14AF63FCA995F57BCABB9844771
    SHA256: 9EE861292577CF0382791CE3446FA6AADF8ED1FBBDF50743494024BF9D4DD38C
  • 404 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | der
    MD5: EAA4DCE3EAE1609F49EBAE7323D80FEF
    SHA256: DF398498CCD10951E5B64A54A0D10547E36A78D1CBCA6369EE8AABC83363AD83
  • 404 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | binary
    MD5: D63E8A487C67BE1246B8EE526EDC0DCD
    SHA256: 2D8D5D3E69B66EDA06312071C72D646AB9DB3FD7CB1897D49D65AB09323B820B
  • 404 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\0NFYD38B.htm | html
    MD5: 2997FC327E521707ED9EEDBCC34F12CB
    SHA256: 807B1DBF789233D53B000D16206ABE51F73A0BE4175FBFCB97FE32ECE1A6A95A
  • 404 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\J12XHBLC.txt | text
    MD5: F8553118A54A8AC28BA4C610A93EA42B
    SHA256: 1C7F89FCC033C3E11A769FE4769101AF77DED7E64A680010C978E3DE53279F6E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 14
TCP/UDP connections: 52
DNS requests: 21
Threats: 0

HTTP requests

Format: PID Process | Method | HTTP Code | IP | CN | Type | Size | Reputation, followed by the requested URL

  • 404 iexplore.exe | GET | 200 | 13.225.84.42:80 | US | der | 1.70 Kb | whitelisted
    URL: http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
  • 856 iexplore.exe | GET | 200 | 93.184.220.29:80 | US | der | 1.47 Kb | whitelisted
    URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
  • 404 iexplore.exe | GET | 200 | 13.225.84.175:80 | US | der | 1.51 Kb | whitelisted
    URL: http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
  • 404 iexplore.exe | GET | 200 | 93.184.220.29:80 | US | der | 471 b | whitelisted
    URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAo1CNVcKSsBffitZcAP9%2BQ%3D
  • 404 iexplore.exe | GET | 200 | 93.184.220.29:80 | US | der | 471 b | whitelisted
    URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTk45WiKdPUwcMf8JgMC07ACYqr2AQUt2ui6qiqhIx56rTaD5iyxZV2ufQCEAKewfGO%2BI%2BbmshQbI1PuQ4%3D
  • 404 iexplore.exe | GET | (code not shown) | 184.24.77.54:80 | US | (type not shown) | (size not shown) | shared
    URL: http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgP30lYTYr%2FPH8zTvOquw5%2FCzA%3D%3D
  • 404 iexplore.exe | GET | 200 | 67.27.235.126:80 | US | compressed | 4.70 Kb | whitelisted
    URL: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a2fb9fa03a6a4c4e
  • 404 iexplore.exe | GET | 200 | 13.225.84.142:80 | US | der | 471 b | whitelisted
    URL: http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEA98zCtBN8u%2FnYNUSFQe050%3D
  • 404 iexplore.exe | GET | 200 | 96.16.145.230:80 | US | der | 717 b | whitelisted
    URL: http://x1.c.lencr.org/
  • 404 iexplore.exe | GET | 200 | 13.225.84.58:80 | US | der | 493 b | whitelisted
    URL: http://crl.rootca1.amazontrust.com/rootca1.crl

Connections

Format: PID Process | IP | Domain | ASN | CN | Reputation

  • 856 iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
  • 404 iexplore.exe | 34.195.204.92:443 | (domain not shown) | AMAZON-AES | US | unknown
  • (PID not shown; listed under the row above) | 13.225.84.58:80 | crl.rootca1.amazontrust.com | AMAZON-02 | US | whitelisted
  • 404 iexplore.exe | 13.225.84.42:80 | o.ss2.us | AMAZON-02 | US | unknown
  • (PID not shown; listed under the row above) | 13.225.84.142:80 | ocsp.sca1b.amazontrust.com | AMAZON-02 | US | whitelisted
  • 404 iexplore.exe | 13.110.46.112:443 | c.la2-c2-ia5.salesforceliveagent.com | SALESFORCE | US | unknown
  • 404 iexplore.exe | 13.225.84.175:80 | ocsp.rootg2.amazontrust.com | AMAZON-02 | US | whitelisted
  • 856 iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
  • 404 iexplore.exe | 54.211.52.235:443 | (domain not shown) | AMAZON-AES | US | unknown
  • 404 iexplore.exe | 67.27.235.126:80 | ctldl.windowsupdate.com | LEVEL3 | US | suspicious

DNS requests

Format: Domain | resolved IPs | Reputation

  • ctldl.windowsupdate.com | 67.27.235.126, 8.248.139.254, 8.253.204.121, 8.248.143.254, 8.253.207.120 | whitelisted
  • api.bing.com | 13.107.5.80 | whitelisted
  • www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
  • o.ss2.us | 13.225.84.42, 13.225.84.97, 13.225.84.68, 13.225.84.66 | whitelisted
  • ocsp.digicert.com | 93.184.220.29 | whitelisted
  • ocsp.rootg2.amazontrust.com | 13.225.84.175, 13.225.84.145, 13.225.84.49, 13.225.84.13 | whitelisted
  • ocsp.rootca1.amazontrust.com | 13.225.84.175, 13.225.84.145, 13.225.84.49, 13.225.84.13 | shared
  • crl.rootca1.amazontrust.com | 13.225.84.58, 13.225.84.14, 13.225.84.120, 13.225.84.149 | whitelisted
  • ocsp.sca1b.amazontrust.com | 13.225.84.142, 13.225.84.104, 13.225.84.107, 13.225.84.88 | whitelisted
  • c.la2-c2-ia5.salesforceliveagent.com | 13.110.46.112, 13.110.65.112, 13.110.45.112 | unknown

Threats

No threats detected
No debug info