analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://torscn6qv7ohkslwgmvtye57krggsgnlo42a4rssqyrhoheb6fb4qjqd.onion.ly/list.html

Full analysis: https://app.any.run/tasks/dac783dd-9a73-4a60-926c-79f57993f25c
Verdict: Malicious activity
Analysis date: January 15, 2022, 02:33:16
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

15DAE60861D0B9C4F849CD10E6FB93E9

SHA1:

A0EB474CA80B772160EC0ED7A38B6B22B7917992

SHA256:

F603BB24DDF3E8002CA7588E6D809EA2C6EB8BE171D84EFB05B983B929C40B90

SSDEEP:

3:N1KKKGFNsKQ0KRXEQCYNAfRWULecMQ:CKVNsKQzxvKWUD

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 1708)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 3204)
      • iexplore.exe (PID: 1708)
    • Reads the computer name

      • iexplore.exe (PID: 1708)
      • iexplore.exe (PID: 3204)
    • Changes internet zones settings

      • iexplore.exe (PID: 3204)
    • Application launched itself

      • iexplore.exe (PID: 3204)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1708)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 1708)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3204)
      • iexplore.exe (PID: 1708)
    • Dropped object may contain URL to Tor Browser

      • iexplore.exe (PID: 3204)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3204)
      • iexplore.exe (PID: 1708)
    • Creates files in the user directory

      • iexplore.exe (PID: 1708)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3204"C:\Program Files\Internet Explorer\iexplore.exe" "http://torscn6qv7ohkslwgmvtye57krggsgnlo42a4rssqyrhoheb6fb4qjqd.onion.ly/list.html"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
1708"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3204 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events
13 162
Read events
13 047
Write events
115
Delete events
0

Modification events

(PID) Process:(3204) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(3204) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
(PID) Process:(3204) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30935480
(PID) Process:(3204) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(3204) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30935480
(PID) Process:(3204) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3204) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3204) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3204) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3204) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
0
Suspicious files
8
Text files
10
Unknown types
5

Dropped files

PID
Process
Filename
Type
1708iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_A01EFC9EF87B331821A80D893F4D7FE8binary
MD5:786D53D8E9F8B2C78651624AD7F77830
SHA256:82C21D965E3BA1C331556C2239CEDC1D6D36A621701C46E3BE521721D590211E
3204iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:AC68ACF50745357D4EA92B214D9E7132
SHA256:AE3F7FDE380D2D90571A61378E52B1BC284B4C4C6A1E099F6F022395EBED6154
3204iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776binary
MD5:66948CFB04632A0D7EDABAE01E0FEC0D
SHA256:C540C8FADCB19B902D8F33152BCB286487BC94686F35783016CDEE0382B16B94
1708iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAbinary
MD5:D95A7EEC256BC45121E49F102C77681F
SHA256:EE5FDB835429B6CD38E3736A9E36D26947DB18E92ADBFE293FA90870DD3B022A
1708iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\OTXM1EPW.txttext
MD5:A7CBC64BE9EC8A3BAAEA7DA3300EFD53
SHA256:2E4606BC7C9135C6D9681F36B91044011B673CECD2D68D4C10DF4847B3E5A8C5
1708iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAbinary
MD5:396CD69662FC1EE91DEC0FBE75F6B932
SHA256:3FA83246A192B81A9A5C4DBDF59E4B15178DCBAB95D98F6139C625548F027E42
1708iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_A01EFC9EF87B331821A80D893F4D7FE8der
MD5:8568135856BB7A64DC01CD86DDFEEDF3
SHA256:B6F9EBC6817249A914ACA6C071D1E0051A1EDB3C49DD2863B44520053D201472
1708iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\list[1].htmlhtml
MD5:A4A0F5E2E607A2331322305271866914
SHA256:E2991222A836944D3E173B6215A25872D922A4C2306730CF5A4D12871F8961A8
1708iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EAder
MD5:2663BED1F902BED00647B84FABBF8DEA
SHA256:7A3C6A8BE401F6DE91999C00919EA0F3BDCF80D06EB0E8A15D801F8F9A465DE9
1708iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBAder
MD5:64E9B8BB98E2303717538CE259BEC57D
SHA256:76BD459EC8E467EFC3E3FB94CB21B9C77A2AA73C9D4C0F3FAF823677BE756331
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
24
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1708
iexplore.exe
GET
200
142.250.185.195:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
US
der
1.41 Kb
whitelisted
1708
iexplore.exe
GET
200
142.250.185.195:80
http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D
US
der
724 b
whitelisted
1708
iexplore.exe
GET
200
203.28.246.190:80
http://torscn6qv7ohkslwgmvtye57krggsgnlo42a4rssqyrhoheb6fb4qjqd.onion.ly/css/main.css
AU
text
1.87 Kb
malicious
1708
iexplore.exe
GET
200
203.28.246.190:80
http://torscn6qv7ohkslwgmvtye57krggsgnlo42a4rssqyrhoheb6fb4qjqd.onion.ly/list.html
AU
html
8.26 Kb
malicious
3204
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
3204
iexplore.exe
GET
200
178.79.242.0:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?827d66014578e129
DE
compressed
4.70 Kb
whitelisted
1708
iexplore.exe
GET
200
178.79.242.0:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?cf95c5ff4f4a00f9
DE
compressed
4.70 Kb
whitelisted
1708
iexplore.exe
GET
200
178.79.242.0:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a6efc47fc83b78c4
DE
compressed
4.70 Kb
whitelisted
1708
iexplore.exe
GET
200
142.250.185.195:80
http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQCAnDacZA1UWwoAAAABJ9nq
US
der
472 b
whitelisted
3204
iexplore.exe
GET
200
203.28.246.190:80
http://torscn6qv7ohkslwgmvtye57krggsgnlo42a4rssqyrhoheb6fb4qjqd.onion.ly/favicon.ico
AU
html
15.0 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1708
iexplore.exe
142.250.186.174:443
www.google-analytics.com
Google Inc.
US
whitelisted
3204
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
1708
iexplore.exe
142.250.185.195:80
ocsp.pki.goog
Google Inc.
US
whitelisted
3204
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1708
iexplore.exe
142.250.185.200:443
www.googletagmanager.com
Google Inc.
US
suspicious
1708
iexplore.exe
178.79.242.0:80
ctldl.windowsupdate.com
Limelight Networks, Inc.
DE
whitelisted
1708
iexplore.exe
203.28.246.190:80
torscn6qv7ohkslwgmvtye57krggsgnlo42a4rssqyrhoheb6fb4qjqd.onion.ly
The University of Melbourne, Melbourne, Victoria
AU
malicious
3204
iexplore.exe
203.28.246.190:80
torscn6qv7ohkslwgmvtye57krggsgnlo42a4rssqyrhoheb6fb4qjqd.onion.ly
The University of Melbourne, Melbourne, Victoria
AU
malicious
3204
iexplore.exe
178.79.242.0:80
ctldl.windowsupdate.com
Limelight Networks, Inc.
DE
whitelisted
3204
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
torscn6qv7ohkslwgmvtye57krggsgnlo42a4rssqyrhoheb6fb4qjqd.onion.ly
  • 203.28.246.190
malicious
www.googletagmanager.com
  • 142.250.185.200
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ctldl.windowsupdate.com
  • 178.79.242.0
  • 95.140.236.128
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ocsp.pki.goog
  • 142.250.185.195
whitelisted
www.google-analytics.com
  • 142.250.186.174
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted

Threats

PID
Process
Class
Message
Potential Corporate Privacy Violation
ET POLICY DNS Query to .onion proxy Domain (onion . ly)
No debug info