analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://lnks.gd/l/eyJhbGciOiJIUzI1NiJ9.eyJidWxsZXRpbl9saW5rX2lkIjoxMDEsInVyaSI6ImJwMjpjbGljayIsImJ1bGxldGluX2lkIjoiMjAyMjAxMTAuNTE1NDI2MzEiLCJ1cmwiOiJodHRwOi8vd3d3LmtpdGNoZW5zaXN0ZXJzLm9yZy9wcmVzZW50LyJ9.kfoILRwnK5-D02gtnbcnmQAQJUQndqpSAeRLLytVKrc/s/601723030/br/124432635406-l

Full analysis: https://app.any.run/tasks/97b37a75-5b9e-4b37-af37-f817d5e5b0cc
Verdict: Malicious activity
Analysis date: January 11, 2022, 15:04:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MD5:

EEB79B353E145F41AE19D9203CD1B3B3

SHA1:

EB58AC9F7491539BF5039BD56D8824C2A48F7DC9

SHA256:

F025E3CCACF991A4F3D0BD9280955959078448377DBF6484B7630DC20E246D9B

SSDEEP:

6:2xKxNFr48eNtp2LghoEpJDOs9qi/mRGhz3eOkaGfG:2xiNNnYtpR+EpJDOAmRa1kaG+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 148)
  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 2520)
      • iexplore.exe (PID: 148)
    • Checks supported languages

      • iexplore.exe (PID: 2520)
      • iexplore.exe (PID: 148)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2520)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 148)
      • iexplore.exe (PID: 2520)
    • Application launched itself

      • iexplore.exe (PID: 2520)
    • Changes internet zones settings

      • iexplore.exe (PID: 2520)
    • Creates files in the user directory

      • iexplore.exe (PID: 2520)
      • iexplore.exe (PID: 148)
    • Reads internet explorer settings

      • iexplore.exe (PID: 148)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2520)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2520)
      • iexplore.exe (PID: 148)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2520"C:\Program Files\Internet Explorer\iexplore.exe" "https://lnks.gd/l/eyJhbGciOiJIUzI1NiJ9.eyJidWxsZXRpbl9saW5rX2lkIjoxMDEsInVyaSI6ImJwMjpjbGljayIsImJ1bGxldGluX2lkIjoiMjAyMjAxMTAuNTE1NDI2MzEiLCJ1cmwiOiJodHRwOi8vd3d3LmtpdGNoZW5zaXN0ZXJzLm9yZy9wcmVzZW50LyJ9.kfoILRwnK5-D02gtnbcnmQAQJUQndqpSAeRLLytVKrc/s/601723030/br/124432635406-l"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
148"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2520 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
13 494
Read events
13 351
Write events
141
Delete events
2

Modification events

(PID) Process:(2520) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(2520) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
(PID) Process:(2520) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30934780
(PID) Process:(2520) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(2520) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30934780
(PID) Process:(2520) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2520) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2520) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2520) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2520) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
0
Suspicious files
24
Text files
110
Unknown types
21

Dropped files

PID
Process
Filename
Type
148iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\miniplayer[1].csstext
MD5:EA6DE0ABFB018CEF912E2B53E3184D98
SHA256:DAE01496EF2C717B56A7F3A7CF8B3797424881975FC763AA1266B5114181F75B
148iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\woocommerce-styling[1].csstext
MD5:6D5355B74C6747F7F0EEA11581695CB8
SHA256:9142D3D31F31750A0A0AF71C1990871403C35445429668EEDAF1DCE38C0301C5
148iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\204C1AA6F6114E6A513754A2AB5760FA_F08D193BC3B4026ECC0251B4C09BE3F5binary
MD5:77444CCEE41B6191474540EF94BDDF01
SHA256:791C9858CBF9F9233B6E055F0A4F6F30EEE9394FDDEAAB0499A26FA9D8DDA18B
148iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711Eder
MD5:3C25AE40011D89B20ABD9294701F7D71
SHA256:CB88C85861D98B7C2F84F837560BD9A0830E3CF074632EB9A8ED760C070F3738
2520iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:7CE57A327C37CB93D97EFCEA39984D5C
SHA256:7F5DEC72D2A15FAA8A66C26D8D8462DED8E0469C841712AF71C0C2A7A0F77BF3
2520iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:345C9A343F84986448D8863255B6EC4C
SHA256:F8E0BC9F60B77861E3F56B4DE780BC555CC7BAED390F7D1C76B80CBA533E1324
148iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3F26ED5DE6B4E859CCCA6035ECB8D9CBbinary
MD5:2FD2B682B3D259EC1D90719B40953425
SHA256:10F4125402FB4E2A2C0E4600A97B017B484F037450515CBB14F73C0308E294F8
2520iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:B2CA82ED846F57E76DFE3E48EF8563A1
SHA256:9503CA94FC5C7E333D4806DDBF6C07550A68CB4EB8C6CB5A5584C16D093D3F8F
148iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\124432635406-l[1].htmhtml
MD5:BD40225DFE8FD332FC471760254D0608
SHA256:4431F13C914960F00B15DC416FD1A48D02D5C5B20C29D01D3E6EC229DCF2373E
148iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\site[1].jstext
MD5:36C69C12E057361D3DEBE983FA589FB8
SHA256:E9EC9EBF944BC428590B4C2B665AD3086A0F991BF785341635E876BEAF048E7B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
103
TCP/UDP connections
745
DNS requests
52
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
148
iexplore.exe
GET
200
69.163.251.156:80
http://www.kitchensisters.org/present/
US
html
27.9 Kb
suspicious
148
iexplore.exe
GET
200
69.163.251.156:80
http://www.kitchensisters.org/wp-includes/js/wp-emoji-release.min.js?ver=5.5.8
US
text
4.61 Kb
suspicious
148
iexplore.exe
GET
200
69.163.251.156:80
http://www.kitchensisters.org/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=2.4.10
US
text
6.52 Kb
suspicious
148
iexplore.exe
GET
200
69.163.251.156:80
http://www.kitchensisters.org/wp-content/themes/purity/plugins/woocommerce/assets/woocommerce-styling.css?ver=5.5.8
US
text
5.53 Kb
suspicious
148
iexplore.exe
GET
200
69.163.251.156:80
http://www.kitchensisters.org/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.2.2
US
text
729 b
suspicious
148
iexplore.exe
GET
200
104.18.31.182:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEGxVq9vQB5LHnQcM2BGe1r8%3D
US
der
727 b
whitelisted
148
iexplore.exe
GET
200
69.163.251.156:80
http://www.kitchensisters.org/wp-content/plugins/wp-miniaudioplayer/css/miniplayer.css?ver=1.7.5
US
text
2.62 Kb
suspicious
148
iexplore.exe
GET
200
104.18.31.182:80
http://ocsp.usertrust.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRyyuDOSqb8BtprWZSAvBT9kFoYdwQU%2BftQxItnu2dk%2FoMhpqnOP1WEk5kCEQC1tMD7M6W%2BrFcdEWF%2BoECX
US
der
472 b
whitelisted
2520
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
148
iexplore.exe
GET
200
69.163.251.156:80
http://www.kitchensisters.org/wp-content/plugins/woocommerce/assets/css/woocommerce-smallscreen.css?ver=2.4.10
US
text
940 b
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
148
iexplore.exe
69.163.251.156:80
www.kitchensisters.org
New Dream Network, LLC
US
suspicious
148
iexplore.exe
104.18.30.182:80
ocsp.comodoca.com
Cloudflare Inc
US
suspicious
148
iexplore.exe
209.134.144.229:443
lnks.gd
Vector Internet Services, Inc.
US
suspicious
2520
iexplore.exe
131.253.33.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2520
iexplore.exe
13.107.22.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2520
iexplore.exe
152.199.19.161:443
r20swj13mr.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
148
iexplore.exe
104.18.31.182:80
ocsp.comodoca.com
Cloudflare Inc
US
unknown
148
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
148
iexplore.exe
79.142.69.149:443
second.pmservicespr.com
AltusHost B.V.
DK
suspicious
148
iexplore.exe
192.229.233.25:443
platform.twitter.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
lnks.gd
  • 209.134.144.229
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 13.107.22.200
  • 131.253.33.200
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ctldl.windowsupdate.com
  • 13.107.4.50
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ocsp.comodoca.com
  • 104.18.30.182
  • 104.18.31.182
whitelisted
ocsp.usertrust.com
  • 104.18.31.182
  • 104.18.30.182
whitelisted
www.kitchensisters.org
  • 69.163.251.156
suspicious
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted

Threats

PID
Process
Class
Message
148
iexplore.exe
Potentially Bad Traffic
ET INFO Observed ZeroSSL SSL/TLS Certificate
2 ETPRO signatures available at the full report
No debug info