URL: https://intermountainhealthcare.us1.list-manage.com/track/click?u=13ee099aaffa8495dcf9f1865&id=425efb5257&e=987ecec441

Full analysis: https://app.any.run/tasks/95051733-4341-4412-946c-5034c2a71096
Verdict: Malicious activity
Analysis date: June 27, 2022, 13:53:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
  • MD5: 53B3510C38E3024ED65D4020F9AE4CC8
  • SHA1: 18E58C602F0DB63EA38F44763DB624C5B31151A7
  • SHA256: EF0803A438536C274E42D0F656758068C6B43F46A36AA840815ADE6B42219A90
  • SSDEEP: 3:N8MAXgLiKPNTQaCNULGGRXEGcJMkN4w2E84jzAxQ8Gkn:2MAei0NTvCNULEGcJM82CAxQkn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 2964)
  • INFO
    • Reads the computer name
      • iexplore.exe (PID: 3572)
      • iexplore.exe (PID: 2964)
    • Checks supported languages
      • iexplore.exe (PID: 2964)
      • iexplore.exe (PID: 3572)
    • Changes internet zones settings
      • iexplore.exe (PID: 3572)
    • Application launched itself
      • iexplore.exe (PID: 3572)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2964)
      • iexplore.exe (PID: 3572)
    • Reads internet explorer settings
      • iexplore.exe (PID: 2964)
    • Creates files in the user directory
      • iexplore.exe (PID: 2964)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 2964)
      • iexplore.exe (PID: 3572)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start → iexplore.exe → iexplore.exe

Process information

PID 3572
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://intermountainhealthcare.us1.list-manage.com/track/click?u=13ee099aaffa8495dcf9f1865&id=425efb5257&e=987ecec441"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 2964
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3572 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Total events: 16 658
Read events: 16 535
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 34
Text files: 79
Unknown types: 38

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2964 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\ERQDP9CX.txt | text | AB518660797FD7044E93B594864FD0B8 | D27AFF8A327B17FB97FDB42442330F676A55C91464D0DBBBB72CB569331EF30B
2964 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C31B2498754E340573F1336DE607D619 | der | 7B1A47B5C13335388D33914618A38EE2 | 1B145D9B225C35C9672B60ADE9067803BBC51AB9E2EC053A12602FD8B1FC18AD
2964 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der | FC887F7C5EF1EEAE3FB3BA651F77AC36 | 5F98609231B96FC1ECFEFF757089F66D6A74BBE8FED6B33D83A799790484AA56
2964 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 | der | 8EDB229E8AB5931CECAB275AB8B11C20 | C3285E5DB1DD3692FF85E168EFECA0778F6A91CA0AE3866214166E27129339F1
2964 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\main[1].css | text | 08A860E7943EF1DC229F125AC2E7F8DA | FA4F5A1816DEB1F42332CF90729E0BC21069BAE7EC3FA11F8DBEF1D6793181C7
2964 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\VCGY48WV.txt | text | 27FC7E98F95C8B8F3ED50A36773530AE | BB1A6E405A4C9039BE72466D3D0DFD077C158A7A6AB39E0444535AB17C2436C4
2964 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\21NOR5MZ.txt | text | DE57974BCED901CCBF03EEFF5FCA0B45 | B818979950F824114402BBFDEDF06975119357676097C816F2E2560D4D0362D9
2964 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\module.min[1].js | text | 33DF9FA331BB803A082F78F66F3F2AA8 | 985C265477CA385ADE88580723375C7A8CB707BA3057EAAA2273C1FD7F76B242
2964 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6 | binary | 10514C8D91958612BAAB1FD6BAAE5D1F | 7E94875DADBD3A9A9230D23ECE3972A52EFEBD45CEDADE22F5C815FC5661D06F
2964 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\1KXZHAPY.txt | text | 5B89352E2E5D7B9A83258FB7A1144F9A | 15D87AC9C1D2FE486965404235F05423B890689CFC93D59B736A11A06A3B324A
Download the PCAP, analyze network streams, HTTP content and a lot more in the full report
HTTP(S) requests: 30
TCP/UDP connections: 133
DNS requests: 47
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2964 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D | US | der | 471 b | whitelisted
3572 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
2964 | iexplore.exe | GET | 200 | 142.250.186.163:80 | http://crl.pki.goog/gsr1/gsr1.crl | US | der | 1.61 Kb | whitelisted
2964 | iexplore.exe | GET | 200 | 192.124.249.22:80 | http://ocsp.godaddy.com//MEkwRzBFMEMwQTAJBgUrDgMCGgUABBS2CA1fbGt26xPkOKX4ZguoUjM0TgQUQMK9J47MNIMwojPX%2B2yz8LQsgM4CCGOLSh941fq8 | US | der | 1.74 Kb | whitelisted
2964 | iexplore.exe | GET | 200 | 192.124.249.22:80 | http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D | US | der | 1.66 Kb | whitelisted
2964 | iexplore.exe | GET | 200 | 18.66.242.155:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared
2964 | iexplore.exe | GET | 200 | 192.124.249.22:80 | http://ocsp.godaddy.com//MEIwQDA%2BMDwwOjAJBgUrDgMCGgUABBQdI2%2BOBkuXH93foRUj4a7lAr4rGwQUOpqFBxBnKLbv9r0FQW4gwZTaD94CAQc%3D | US | der | 1.69 Kb | whitelisted
2964 | iexplore.exe | GET | 200 | 104.18.32.68:80 | http://crl.comodoca.com/AAACertificateServices.crl | US | der | 506 b | whitelisted
2964 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted
2964 | iexplore.exe | GET | 200 | 18.66.242.94:80 | http://o.ss2.us//MEowSDBGMEQwQjAJBgUrDgMCGgUABBSLwZ6EW5gdYc9UaSEaaLjjETNtkAQUv1%2B30c7dH4b0W1Ws3NcQwg6piOcCCQCnDkpMNIK3fw%3D%3D | US | der | 1.70 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(not listed) | (not listed) | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
3572 | iexplore.exe | 13.107.21.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
3572 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
2964 | iexplore.exe | 104.89.22.184:443 | intermountainhealthcare.us1.list-manage.com | Akamai Technologies, Inc. | NL | suspicious
2964 | iexplore.exe | 151.101.0.176:443 | js.stripe.com | Fastly | US | suspicious
2964 | iexplore.exe | 104.18.132.60:443 | give.primarychildrenshospital.org | Cloudflare Inc | US | unknown
2964 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2964 | iexplore.exe | 95.140.236.0:80 | ctldl.windowsupdate.com | Limelight Networks, Inc. | GB | whitelisted
(not listed) | (not listed) | 151.101.0.176:443 | js.stripe.com | Fastly | US | suspicious
2964 | iexplore.exe | 52.143.247.24:443 | htp.tokenex.com | Microsoft Corporation | US | unknown

DNS requests

Domain | IP | Reputation
intermountainhealthcare.us1.list-manage.com | 104.89.22.184 | suspicious
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
ctldl.windowsupdate.com | 95.140.236.0, 178.79.242.128 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
give.primarychildrenshospital.org | 104.18.132.60, 104.18.113.21 | unknown
prod-frs.content.classy.org | 104.18.132.60, 104.18.113.21 | shared
js.stripe.com | 151.101.0.176, 151.101.64.176, 151.101.128.176, 151.101.192.176 | shared
unpkg.com | 104.16.124.175, 104.16.125.175, 104.16.122.175, 104.16.126.175, 104.16.123.175 | whitelisted
htp.tokenex.com | 52.143.247.24 | unknown

Threats

No threats detected
No debug info