URL: | https://1drv.ms:443/o/s!BF_zwk5IgVr7k1Ub10Tmp8Q7Euhz?e=ld9TUwMaSEirCrxoOTo1lQ&at=9 |
Full analysis: | https://app.any.run/tasks/835d2fc3-2b16-4adb-9117-3c7255f6b3d5 |
Verdict: | Malicious activity |
Analysis date: | January 15, 2022, 01:01:14 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 4879362CB8927BA8839378BA217A9FE6 |
SHA1: | 15E8A300E844828C4CE5D2293A4349241C52E0D2 |
SHA256: | EDEB0CD2F68E8E5F77240E9EE662D7BD489FF00D004BBC0E4812814372DAFA19 |
SSDEEP: | 3:N8qDLIWf3NRWEj6IMxIESV9Ic2SoE2Kxb:2qXL3NRW77xIZ9Ic146 |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2916 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://1drv.ms:443/o/s!BF_zwk5IgVr7k1Ub10Tmp8Q7Euhz?e=ld9TUwMaSEirCrxoOTo1lQ&at=9" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3664 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2916 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
1384 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2916 CREDAT:988429 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
|
(PID) Process: | (2916) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPDaysSinceLastAutoMigration |
Value: 1 | |||
(PID) Process: | (2916) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchLowDateTime |
Value: | |||
(PID) Process: | (2916) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing |
Operation: | write | Name: | NTPLastLaunchHighDateTime |
Value: 30935467 | |||
(PID) Process: | (2916) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateLowDateTime |
Value: | |||
(PID) Process: | (2916) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager |
Operation: | write | Name: | NextCheckForUpdateHighDateTime |
Value: 30935467 | |||
(PID) Process: | (2916) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content |
Operation: | write | Name: | CachePrefix |
Value: | |||
(PID) Process: | (2916) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies |
Operation: | write | Name: | CachePrefix |
Value: Cookie: | |||
(PID) Process: | (2916) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History |
Operation: | write | Name: | CachePrefix |
Value: Visited: | |||
(PID) Process: | (2916) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
(PID) Process: | (2916) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | ProxyBypass |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3664 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\clientstring[1].js | text | |
MD5:38FC27A437C7FCF4D4C5C1A12F8B39AE | SHA256:7C5B5B2DC54247E703D8D5A3741819A225422272C3B1EA8767EB868A28269533 | |||
3664 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\view[1].htm | html | |
MD5:84AA768F0A0FDB9462925CCFD946C1A1 | SHA256:0266C03D52DA882A591EFAB8C5B9D3C03537BBB06B4B3FF7E14ECDE6FB3636E0 | |||
3664 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\24OOMYDP.txt | text | |
MD5:C748CE7F8E5142F0DC3B2F007586DC47 | SHA256:907D68D8A2E06EFE0C720DF9E373CC2DEE4B3FF02B2868AFB4CEC7974903757D | |||
3664 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 | binary | |
MD5:A5340E52E793382BFA487738883F4BF7 | SHA256:5CE8D7C686C7249A812CAD6F3F5A263B4873A2E15EEAEEA942969CC5FE7FF434 | |||
3664 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\Q4L7RRPB.txt | text | |
MD5:0D25F349CA978A1F5908B779307E9FCB | SHA256:6643F1F0A6AF11BD2037F85DC274595CF50E202A1299FECC9581F43BD485359D | |||
3664 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\redir[1].htm | html | |
MD5:A57DC030EEB1B5368969A6628B62577C | SHA256:BC40D898D071D604D2C7904F0B24BFF1A76D3C392C9E505331E5A541A27A6850 | |||
2916 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:D3C9B0977996294A3B10880D1C892D09 | SHA256:F2E795DD79911E2B2069A36E7409B3B0E53D2E088938FDAD451A79B1FA2B3693 | |||
2916 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | |
MD5:9181FF592842BFA84470CFA5FBCDA8B8 | SHA256:ADE8C9CEEE2AD14593E61920C013130EC4D869BDE16397B9AEC701469E8EBD0A | |||
2916 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | |
MD5:AC68ACF50745357D4EA92B214D9E7132 | SHA256:AE3F7FDE380D2D90571A61378E52B1BC284B4C4C6A1E099F6F022395EBED6154 | |||
3664 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 | der | |
MD5:9C129A9FB04E7107688A7BEF828A19DA | SHA256:68C8FADF7E6473C47570C6DF544249E5EC358E716B347FD269A7612512ECCD3F |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2916 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
1384 | iexplore.exe | GET | 200 | 18.66.92.28:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted |
2916 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
2916 | iexplore.exe | GET | 200 | 67.26.139.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5dd138acf41985b1 | US | compressed | 4.70 Kb | whitelisted |
3664 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted |
3664 | iexplore.exe | GET | 200 | 104.18.24.243:80 | http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRSHuNsR4EZqcsD%2BrdOV%2BEZevGBiwQUtXYMMBHOx5JCTUzHXCzIqQzoC2QCExIAID0mTAYs5VcQIg4AAAAgPSY%3D | US | der | 1.70 Kb | whitelisted |
3664 | iexplore.exe | GET | 200 | 104.18.24.243:80 | http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRSHuNsR4EZqcsD%2BrdOV%2BEZevGBiwQUtXYMMBHOx5JCTUzHXCzIqQzoC2QCExIAEvdwD%2F35xJ9F9wMAAAAS93A%3D | US | der | 1.70 Kb | whitelisted |
3664 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEA8XGkjG8iOAkhjNLtbdwOg%3D | US | der | 471 b | whitelisted |
3664 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAqvpsXKY8RRQeo74ffHUxc%3D | US | der | 471 b | whitelisted |
3664 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3664 | iexplore.exe | 2.21.141.46:443 | c1-onenote-15.cdn.office.net | Telia Company AB | — | unknown |
2916 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3664 | iexplore.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious |
3664 | iexplore.exe | 13.95.147.73:443 | p.sfx.ms | Microsoft Corporation | NL | whitelisted |
3664 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2916 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2916 | iexplore.exe | 67.26.139.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious |
3664 | iexplore.exe | 92.123.194.20:443 | spoprod-a.akamaihd.net | Akamai International B.V. | — | unknown |
3664 | iexplore.exe | 13.107.42.12:443 | 1drv.ms | Microsoft Corporation | US | suspicious |
3664 | iexplore.exe | 104.18.24.243:80 | ocsp.msocsp.com | Cloudflare Inc | US | shared |
Domain | IP | Reputation |
---|---|---|
1drv.ms |
| shared |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
onedrive.live.com |
| shared |
spoprod-a.akamaihd.net |
| whitelisted |
p.sfx.ms |
| whitelisted |
c1-onenote-15.cdn.office.net |
| whitelisted |
ocsp.msocsp.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Misc activity | ET INFO Suspicious Glitch Hosted DNS Request - Possible Phishing Landing |
1384 | iexplore.exe | Misc activity | ET INFO Suspicious Glitch Hosted TLS SNI Request - Possible Phishing Landing |
1384 | iexplore.exe | Misc activity | ET INFO Suspicious Glitch Hosted TLS SNI Request - Possible Phishing Landing |