URL: http://icanhazip.com
Full analysis: https://app.any.run/tasks/bb4b5dd1-f762-4030-9788-074b65a3e928
Verdict: Malicious activity
Analysis date: January 17, 2019, 21:57:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion
Indicators:
MD5: 623F118A47E904AC29B29452EBC3631C
SHA1: 3122E7BA6412F4088057AACE9BC65C97CC760688
SHA256: F2DAFB20B3906460D4426E24D7EE64E71B7B4BB4078B8CF83F29E3B6758F7BC8
SSDEEP: 3:N1KXtIn:Cqn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Checks for external IP
      • iexplore.exe (PID: 3000)
      • iexplore.exe (PID: 3312)
  • INFO
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3312)
    • Changes internet zones settings
      • iexplore.exe (PID: 3000)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3312)
    • Application launched itself
      • iexplore.exe (PID: 3000)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 32
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph: start -> iexplore.exe (PID 3000) -> iexplore.exe (PID 3312)

Process information

PID: 3000
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3312
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3000 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe (PID 3000)
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 371
Read events: 309
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 0
Text files: 2
Unknown types: 2

Dropped files

PID: 3000 | Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico

PID: 3000 | Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

PID: 3000 | Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico

PID: 3312 | Process: iexplore.exe | Type: dat
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019011720190118\index.dat
MD5: 541DF1A4B7CD3A9D539F13E39BC7DBD2
SHA256: 6A228DAFCE0FC72CDC70902ACDC224B76C46A1E97DAD43484450480539A2827F

PID: 3000 | Process: iexplore.exe | Type: dat
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019011720190118\index.dat
MD5: 475B156AA9DAB90479F068E5AE93E814
SHA256: 5A18DBA895956DF708348325BD52E8C49F028597D24D9196E3D0EA3BE3E17B71

PID: 3312 | Process: iexplore.exe | Type: text
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\icanhazip_com[1].txt
MD5: 87971407F1F06A0B9E7F4354F55F5F0C
SHA256: 600D77405F45C825AD8970B99AD1B3802ADEA0F72D6A6DE1F923BBD74F90CB24

PID: 3000 | Process: iexplore.exe | Type: image
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[3].png
MD5: 9FB559A691078558E77D6848202F6541
SHA256: 6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3000 | iexplore.exe | GET | 200 | 147.75.40.2:80 | http://icanhazip.com/favicon.ico | US | text | 14 b | shared
3312 | iexplore.exe | GET | 200 | 147.75.40.2:80 | http://icanhazip.com/ | US | text | 14 b | shared
3000 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3000 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3312 | iexplore.exe | 147.75.40.2:80 | icanhazip.com | Packet Host, Inc. | US | suspicious
3000 | iexplore.exe | 147.75.40.2:80 | icanhazip.com | Packet Host, Inc. | US | suspicious

DNS requests

Domain | IP | Reputation
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
icanhazip.com | 147.75.40.2 | shared

Threats

PID | Process | Class | Message
3312 | iexplore.exe | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
3000 | iexplore.exe | Attempted Information Leak | ET POLICY IP Check Domain (icanhazip. com in HTTP Host)
No debug info