analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://finecus.atlassian.net

Full analysis: https://app.any.run/tasks/3ed41425-450f-4740-acb0-e304b875b12b
Verdict: Malicious activity
Analysis date: May 21, 2022, 09:49:20
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

0937075F30A78EE111857BFE012541AA

SHA1:

F5C69973C295C1AAD9DF16C400850274217DB2E8

SHA256:

DC4492ABC1A9425FEC9ED0D3918140998B2BDA29968F4B1996F9D7E387BDC114

SSDEEP:

3:N85qD0:2gg

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 912)
  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 1636)
      • iexplore.exe (PID: 912)
    • Checks supported languages

      • iexplore.exe (PID: 1636)
      • iexplore.exe (PID: 912)
    • Changes internet zones settings

      • iexplore.exe (PID: 1636)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 912)
      • iexplore.exe (PID: 1636)
    • Application launched itself

      • iexplore.exe (PID: 1636)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 912)
      • iexplore.exe (PID: 1636)
    • Reads internet explorer settings

      • iexplore.exe (PID: 912)
    • Creates files in the user directory

      • iexplore.exe (PID: 912)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
1636"C:\Program Files\Internet Explorer\iexplore.exe" "https://finecus.atlassian.net"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
912"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1636 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events
17 059
Read events
16 779
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
18
Text files
37
Unknown types
14

Dropped files

PID
Process
Filename
Type
912iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\runtime-main.3cfcc755[1].jstext
MD5:17347BECB19E3BFBACECDAB0599C7233
SHA256:77BC8929D0A5D3395A05CBD934C98E4A090624251BC37B7BC118CA325E8F0183
912iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894der
MD5:EA14882BC25E3D89D7705A3E8B311D7E
SHA256:F348DA10BEF4F6AAC2AF202A368C4032B53447643B6FBEB62030BA083FA96A62
912iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62der
MD5:4A8C7F6C5AE2A37D5E6CCB1BBC0AF569
SHA256:7AB918B977BBA5FDFEE3E8E570F1BE8680969932AD717C34A1A736348B7946A9
912iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4Fder
MD5:60937BA0E67EE3E021378614EDC8B41C
SHA256:3B339514CB3BDFCA941E2E1F215C9A28143E940D9D060471123E1217E24F22E4
912iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\F9XLN80J.txttext
MD5:21FE54E601D9515089C15EB1B28A4472
SHA256:FF55FC45FE0E728C8346C70A9C3718EC4B5511C3C1181A4733FFEDB432599EC7
912iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\50CD3D75D026C82E2E718570BD6F44D0_793EF318C0E0F5E46F41FDC9CDA223ABder
MD5:0945589F08F2E25F31C0860524405D78
SHA256:D6532ACBE86865C809D478F1A3DCCE7B67FF588D6A6B9C4F680F93E392034959
912iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\50CD3D75D026C82E2E718570BD6F44D0_FC2597002E0869C839C3E6840DBDF145binary
MD5:1102A3A2E268D4F4DB854A7E58BDE66B
SHA256:7AAD3E5306B10ABB5CE02E6E5462681411FA1E8B9E3CE45C9B50CD4472A85CB2
912iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:0F2F0D33E264BBFEF2AB1AA152FE82C3
SHA256:16CC04CFC83120826A2D089F4C91AE085B0FECB8BA46D45058F6DC555CB5845C
912iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4Fbinary
MD5:7F7A2F0E9A9DF3C1620208888398E2CD
SHA256:C17E4C5546097437ABF84112970F601014C4C8EC51CA595A4289EEAA6F0E350F
912iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\50CD3D75D026C82E2E718570BD6F44D0_FC2597002E0869C839C3E6840DBDF145der
MD5:5A82CBC273AC182A7A2554E12BB17E4C
SHA256:0C17CC5D1BAF325F2D09EC2D9BD0D916D36B07E09D3E5BC88C0F72C562EF8698
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
34
DNS requests
19
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
912
iexplore.exe
GET
200
108.138.2.10:80
http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D
US
der
1.70 Kb
whitelisted
912
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrHR6YzPN2BNbByL0VoiTIBBMAOAQUCrwIKReMpTlteg7OM8cus%2B37w3oCEAIM2ZSi%2BBypaU%2BEZA11IvE%3D
US
der
312 b
whitelisted
912
iexplore.exe
GET
200
18.66.242.155:80
http://ocsp.rootg2.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIfaREXmfqfJR3TkMYnD7O5MhzEgQUnF8A36oB1zArOIiiuG1KnPIRkYMCEwZ%2FlEoqJ83z%2BsKuKwH5CO65xMY%3D
US
der
1.51 Kb
whitelisted
912
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQrHR6YzPN2BNbByL0VoiTIBBMAOAQUCrwIKReMpTlteg7OM8cus%2B37w3oCEAuXd3ahO1T8sGRrjcv7RCI%3D
US
der
313 b
whitelisted
912
iexplore.exe
GET
200
18.66.242.45:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D
US
der
1.39 Kb
shared
912
iexplore.exe
GET
200
142.250.185.131:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
912
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAfy81yHqHeveu%2FpR5k1Jb0%3D
US
der
471 b
whitelisted
912
iexplore.exe
GET
200
142.250.185.131:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
912
iexplore.exe
GET
200
142.250.185.131:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDix8Xecs1REgrrmT3L4YRr
US
der
472 b
whitelisted
912
iexplore.exe
GET
200
209.197.3.8:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?da55bedbff9e13b7
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
912
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
912
iexplore.exe
209.197.3.8:80
ctldl.windowsupdate.com
Highwinds Network Group, Inc.
US
whitelisted
912
iexplore.exe
185.166.143.36:443
finecus.atlassian.net
ATLASSIAN PTY LTD
DE
unknown
912
iexplore.exe
142.250.185.109:443
accounts.google.com
Google Inc.
US
suspicious
912
iexplore.exe
18.66.242.45:80
ocsp.rootg2.amazontrust.com
Massachusetts Institute of Technology
US
whitelisted
912
iexplore.exe
108.138.2.10:80
o.ss2.us
BellSouth.net Inc.
US
unknown
912
iexplore.exe
18.66.242.155:80
ocsp.rootg2.amazontrust.com
Massachusetts Institute of Technology
US
whitelisted
912
iexplore.exe
185.166.143.25:443
id.atlassian.com
ATLASSIAN PTY LTD
DE
suspicious
912
iexplore.exe
108.157.4.117:443
metal.prod.atl-paas.net
US
suspicious
912
iexplore.exe
142.250.185.131:80
ocsp.pki.goog
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
finecus.atlassian.net
  • 185.166.143.36
  • 185.166.143.38
  • 185.166.143.37
suspicious
ctldl.windowsupdate.com
  • 209.197.3.8
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
id.atlassian.com
  • 185.166.143.25
  • 185.166.143.26
  • 185.166.143.24
shared
metal.prod.atl-paas.net
  • 108.157.4.117
  • 108.157.4.79
  • 108.157.4.41
  • 108.157.4.83
whitelisted
aid-frontend.prod.atl-paas.net
  • 18.66.122.95
  • 18.66.122.8
  • 18.66.122.110
  • 18.66.122.5
whitelisted
o.ss2.us
  • 108.138.2.10
  • 108.138.2.107
  • 108.138.2.173
  • 108.138.2.195
whitelisted
ocsp.rootg2.amazontrust.com
  • 18.66.242.155
  • 18.66.242.45
  • 18.66.242.62
  • 18.66.242.58
whitelisted
ocsp.rootca1.amazontrust.com
  • 18.66.242.45
  • 18.66.242.62
  • 18.66.242.155
  • 18.66.242.58
shared
api.bing.com
  • 13.107.5.80
whitelisted

Threats

No threats detected
No debug info