analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://server.duinocoin.com/webminer.html?username=oneptp&threads=8&rigid=oneptp2

Full analysis: https://app.any.run/tasks/51455e79-5a6e-4c3d-be4c-e27d2a198fd1
Verdict: Malicious activity
Analysis date: January 25, 2022, 00:03:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

AC1CCB534D01B3A412A4EA0E814B7FA5

SHA1:

B3C8866ED54589185D9789F1716ED0F159A56D5A

SHA256:

DDD6EC3369D748100CEE05884BA827366492B9A2437437AFB1DD0B2759F78D45

SSDEEP:

3:N8NmHLKdTTJAoKgCA9YK0LNQErKm:28LITTJroA9YK0L6C

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2464)
  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 2464)
      • iexplore.exe (PID: 2520)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2464)
      • iexplore.exe (PID: 2520)
    • Checks supported languages

      • iexplore.exe (PID: 2520)
      • iexplore.exe (PID: 2464)
    • Changes internet zones settings

      • iexplore.exe (PID: 2520)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2464)
      • iexplore.exe (PID: 2520)
    • Application launched itself

      • iexplore.exe (PID: 2520)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2520)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2464)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2520)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2520"C:\Program Files\Internet Explorer\iexplore.exe" "https://server.duinocoin.com/webminer.html?username=oneptp&threads=8&rigid=oneptp2"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
2464"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2520 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
c:\windows\system32\version.dll
Total events
14 337
Read events
14 204
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
19
Text files
17
Unknown types
13

Dropped files

PID
Process
Filename
Type
2464iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\51D2D751AE564604915A6EEFE8E4809Eder
MD5:2644659BA39CB623E0D395E34B2D3861
SHA256:D689AFA8DCA0E08D48D00C94D069D5FFB05C7EBAFF6ABDEDE7FAAEC67BDB1610
2464iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAder
MD5:64E9B8BB98E2303717538CE259BEC57D
SHA256:76BD459EC8E467EFC3E3FB94CB21B9C77A2AA73C9D4C0F3FAF823677BE756331
2464iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751der
MD5:54E9306F95F32E50CCD58AF19753D929
SHA256:45F94DCEB18A8F738A26DA09CE4558995A4FE02B971882E8116FC9B59813BB72
2464iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAder
MD5:0213524244EAF6A7E638BB1910432065
SHA256:2CCB09AE116851A6DFF4849062A18092D522A05897CECB74DFCA383AA2DEA296
2464iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_EA155A4F71401ACE9E57E1102779C852der
MD5:6C09F6659BD4D47084F4657A9D820BE2
SHA256:7F012FA62C3E3B9E0E9EDC312E06F961DECFAA94CD1B83FA51A6A5D61752BEFC
2464iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\webminer[1].htmhtml
MD5:0CF60FB4632464DE8829D55B6C617A04
SHA256:A9F74C1E846063931659A333DA71191B1290D79F9DF69589C3E606FEB38DE07B
2464iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:FFEC27953DBE371623DD5D534EA2DCB7
SHA256:B180C5AB56B2B6C85B83B6268DBCA084E6D1D5FE56D79ABAB6F4CCC348D3E82B
2464iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAbinary
MD5:5EB9B6057FDCDE63A27B9148360A52B8
SHA256:740620DC213E53277C69D6BE4CA978B60C4AE650C392A5247A9E95A2E62920D4
2464iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_EA155A4F71401ACE9E57E1102779C852binary
MD5:B92704159369ECEDE0F950244E599FE2
SHA256:E045BE771DA3813B3F432D7B6E9FA979C6F53970C4037A7835E81FB2FBE2AF46
2464iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\mystyles[1].csstext
MD5:B7EBF2F2224B14B0F93620F5A243196E
SHA256:4DF72521B12C50B94B7AF1F21050648DEFFD675AC70B09922012CCCCF04A3D94
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
39
DNS requests
21
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2464
iexplore.exe
GET
200
142.250.184.195:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCrvyQ4GllugQoAAAABK4Az
US
der
472 b
whitelisted
2464
iexplore.exe
GET
200
23.45.105.185:80
http://x1.c.lencr.org/
NL
der
717 b
whitelisted
2464
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAZnA1u7FP1jr8DWqFNO%2FhY%3D
US
der
471 b
whitelisted
2464
iexplore.exe
GET
200
142.250.184.195:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
2464
iexplore.exe
GET
200
2.16.186.10:80
http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgOo0xX%2F8zJWZxW23bcUMoVkiQ%3D%3D
unknown
der
503 b
shared
2464
iexplore.exe
GET
200
142.250.184.195:80
http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEEFKxQHtEPcBCgAAAAErfHU%3D
US
der
471 b
whitelisted
2464
iexplore.exe
GET
200
142.250.184.195:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
2464
iexplore.exe
GET
200
93.184.220.29:80
http://crl3.digicert.com/Omniroot2025.crl
US
der
7.68 Kb
whitelisted
2520
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
2464
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTGMlruL6P9M9B3if1rTM7wyj%2FQKQQUUGGmoNI1xBEqII0fD6xC8M0pz0sCEA6L83cNktGW8Lth%2BTxBZr4%3D
US
der
279 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2520
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2464
iexplore.exe
142.250.184.195:80
ocsp.pki.goog
Google Inc.
US
whitelisted
2464
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2464
iexplore.exe
51.15.127.80:443
server.duinocoin.com
Online S.a.s.
FR
unknown
2464
iexplore.exe
104.16.19.94:443
cdnjs.cloudflare.com
Cloudflare Inc
US
suspicious
2464
iexplore.exe
2.16.106.233:80
ctldl.windowsupdate.com
Akamai International B.V.
whitelisted
2464
iexplore.exe
142.250.185.194:443
pagead2.googlesyndication.com
Google Inc.
US
suspicious
2464
iexplore.exe
2.16.186.10:80
r3.o.lencr.org
Akamai International B.V.
whitelisted
2464
iexplore.exe
142.250.186.106:443
fonts.googleapis.com
Google Inc.
US
whitelisted
2464
iexplore.exe
185.199.108.153:443
bernii.github.io
GitHub, Inc.
NL
shared

DNS requests

Domain
IP
Reputation
server.duinocoin.com
  • 51.15.127.80
unknown
ctldl.windowsupdate.com
  • 2.16.106.233
  • 2.16.106.171
whitelisted
x1.c.lencr.org
  • 23.45.105.185
whitelisted
r3.o.lencr.org
  • 2.16.186.10
  • 2.16.186.11
shared
cdnjs.cloudflare.com
  • 104.16.19.94
  • 104.16.18.94
whitelisted
bernii.github.io
  • 185.199.108.153
  • 185.199.109.153
  • 185.199.110.153
  • 185.199.111.153
malicious
pagead2.googlesyndication.com
  • 142.250.185.194
whitelisted
github.com
  • 140.82.121.4
shared
fonts.googleapis.com
  • 142.250.186.106
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

No threats detected
No debug info