analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://lovelydream.net/97jXsPCH?dir=cam&tag=Amelia%20&s1=Lily

Full analysis: https://app.any.run/tasks/1b66c90e-a04b-4d65-a1a1-72b5a369676e
Verdict: Malicious activity
Analysis date: June 27, 2022, 09:56:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

92A69DB52D44D1D96D4C66ABD0554127

SHA1:

7043B369F09DC576130F042827D4719E30A945A6

SHA256:

DC53618D38B5CEF500125F5BDA94F8A7341F2E53EFF9FDF62370C39AC34A43DC

SSDEEP:

3:N8KIjEsAwPoBLLCY2Xhn:2KIjJA6oBnCYQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3340)
  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 3340)
      • iexplore.exe (PID: 2908)
    • Checks supported languages

      • iexplore.exe (PID: 3340)
      • iexplore.exe (PID: 2908)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3340)
      • iexplore.exe (PID: 2908)
    • Changes internet zones settings

      • iexplore.exe (PID: 2908)
    • Application launched itself

      • iexplore.exe (PID: 2908)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3340)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2908)
      • iexplore.exe (PID: 3340)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2908)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2908)
    • Creates files in the user directory

      • iexplore.exe (PID: 3340)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2908"C:\Program Files\Internet Explorer\iexplore.exe" "https://lovelydream.net/97jXsPCH?dir=cam&tag=Amelia%20&s1=Lily"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3340"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2908 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
22 624
Read events
22 501
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
23
Text files
96
Unknown types
22

Dropped files

PID
Process
Filename
Type
3340iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:8FC4118727F204A3C1C95AD1E9DC0C00
SHA256:88F92862CA7E584CDF6D59101DE060024321D7AD000DBF3FADCC4731AF5BEC76
3340iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\CabBF8B.tmpcompressed
MD5:308336E7F515478969B24C13DED11EDE
SHA256:889B832323726A9F10AD03F85562048FDCFE20C9FF6F9D37412CF477B4E92FF9
3340iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1G2JFQWX.txttext
MD5:E89005F5E17836D06EB10C8FD558FBC1
SHA256:0476E4DB428F16188078A87A381425C98C74E3908A136D6F2DBBC3D401F22372
3340iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27binary
MD5:EF49E47DD94F5291B29EA4C27526F45E
SHA256:4C60B655CA8BC65EFFDBB341FF4EC5CD43A3512AABC2B5129A79336F9AC4C700
3340iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506binary
MD5:539C87436B3EAF5E39BB9E44B2119CAD
SHA256:D45343FE2AE952222573F892AEF30D5BBB41266005067F6603DA07EC2DDC0E8D
3340iexplore.exeC:\Users\admin\AppData\Local\Temp\Low\TarBF8A.tmpcat
MD5:2D8A5090656DE9FB55DD0F3BA20F9299
SHA256:44AE1E61A4E6305C15AAA52FD1B29DDB060E69233703CBA611F5E781D766442E
3340iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27der
MD5:FC887F7C5EF1EEAE3FB3BA651F77AC36
SHA256:5F98609231B96FC1ECFEFF757089F66D6A74BBE8FED6B33D83A799790484AA56
2908iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:28CC3D4B0DA8A29A9DCD6D4755C84342
SHA256:A4CA2DD1D4545838F7A9102623442BC76BDEB2185E9991A294BCB0B6456DDA0E
3340iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\WRRLUMTG.txttext
MD5:5084F4FBD16D3E796F7004D940A3082E
SHA256:A03542DC06607D67DF45D280276AD6294CBBB154D2445A836AA8E7FDFB3220F6
3340iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\885RYN3R.txttext
MD5:3E5168C6B7509F74DEA4BCB84EA12B3C
SHA256:32132CAE30DF14C215B6A5067494B91CD5279AC9D116B5F10F5B44BFA041A669
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
55
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3340
iexplore.exe
GET
302
34.91.226.152:80
http://t.luvmenow.com/sl?id=5fa1807a127bd6bcbd272004&pid=11249&sub3=ui9u4b5vccmf&sub1=17454&sub2=frd
US
suspicious
3340
iexplore.exe
GET
200
8.252.73.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?083ea7dff19e872e
US
compressed
60.0 Kb
whitelisted
2908
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
2908
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
3340
iexplore.exe
GET
200
8.252.73.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?10f771d6d1d2f4a5
US
compressed
60.0 Kb
whitelisted
3340
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D
US
der
1.47 Kb
whitelisted
3340
iexplore.exe
GET
200
216.58.212.163:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
3340
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D
US
der
471 b
whitelisted
3340
iexplore.exe
GET
200
216.58.212.163:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
3340
iexplore.exe
GET
200
2.16.241.15:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgMfTzFHhsX%2F0wUUUqSp6%2FF2XQ%3D%3D
unknown
der
503 b
shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2908
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2908
iexplore.exe
13.107.21.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3340
iexplore.exe
104.21.89.215:443
lovelydream.net
Cloudflare Inc
US
suspicious
3340
iexplore.exe
8.252.73.126:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious
3340
iexplore.exe
172.67.165.49:443
lovelydream.net
US
suspicious
2908
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3340
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3340
iexplore.exe
34.91.226.152:80
t.luvmenow.com
US
unknown
3340
iexplore.exe
52.19.101.114:443
xovzrd.findiover.net
Amazon.com, Inc.
IE
malicious
3340
iexplore.exe
2.16.241.15:80
r3.o.lencr.org
Akamai International B.V.
suspicious

DNS requests

Domain
IP
Reputation
lovelydream.net
  • 104.21.89.215
  • 172.67.165.49
suspicious
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
  • 131.253.33.200
  • 13.107.22.200
whitelisted
ctldl.windowsupdate.com
  • 8.252.73.126
  • 67.26.161.254
  • 8.252.73.254
  • 8.253.129.204
  • 8.252.188.254
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
t.luvmenow.com
  • 34.91.226.152
  • 34.90.14.205
suspicious
xovzrd.findiover.net
  • 52.19.101.114
malicious
x1.c.lencr.org
  • 104.89.32.83
whitelisted
r3.o.lencr.org
  • 2.16.241.15
  • 2.16.241.8
shared
cdn-bimi.akamaized.net
  • 92.123.224.177
  • 92.123.224.170
whitelisted

Threats

No threats detected
No debug info