URL: | http://covidly.com |
Full analysis: | https://app.any.run/tasks/9060ca50-f518-416c-bfc7-97e8f5b741c6 |
Verdict: | Malicious activity |
Analysis date: | March 30, 2020, 18:04:37 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | C397ADCDC547C75D11284FC538A03122 |
SHA1: | 95C3DEF31050BD72B5332C3AC57F7ECFE9EE88BB |
SHA256: | F6075B95D89135CD3928024B346106F2B3437428108E1DADB6A881A42EADAAE0 |
SSDEEP: | 3:N1KdKTA3:CIk3 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3512 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://covidly.com" | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3868 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3512 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) |
PID | Process | Filename | Type | |
---|---|---|---|---|
3512 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3868 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab92C2.tmp | — | |
MD5:— | SHA256:— | |||
3868 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar92C3.tmp | — | |
MD5:— | SHA256:— | |||
3868 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 | der | |
MD5:8C6AC661A97D83DB453D8DB66231FE24 | SHA256:C33691514FA1560145198947DB85C7F90FBB5FBDD0A4105521AC4391753D9266 | |||
3868 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F | der | |
MD5:D64CFDDEC1AC83B9C563724061B4828B | SHA256:33E9AE472315740BECC8C3DA15CD79D611C47851ED76B4E699C47D8C0B0A2563 | |||
3868 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 | der | |
MD5:C16307497EA332BCA45E1239426082D3 | SHA256:180200666D31E572AED78CED43758F12295AF87506F8DBAEEA412F4314B5A164 | |||
3868 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\NQKASD1D.htm | html | |
MD5:687A66C4E6F838CAA495D4679AFE7FD5 | SHA256:A9B376D50390CD15C333340F534023EB859F82DE5B33ADEFEBD5761E7CF546C8 | |||
3868 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\8QU1CQCK.htm | html | |
MD5:E4E384D6672787C1BB2A9B500114F1F5 | SHA256:80785F5520097DDE3B28C617171415CD690CBF1E0353A5F3E348C83A4656EA0F | |||
3868 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_93E4B2BA79A897B3100CCB27F2D3BF4F | binary | |
MD5:C5A02E730887001DBB13D6A61FB06CFC | SHA256:BCBCD2FA95AA31A48DE58B4B54FE4D3C3A81AF674D9497FFB6575BB8447C4A6B | |||
3868 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\amplify.min[1].js | text | |
MD5:08CC2991C898DC904D4672D61D6D851B | SHA256:E13779264ED2003DF0EB8AF84C3D8C76F0AC073A1F6B9970E8764930E229843A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3868 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAH9o%2BtuynXIiEOLckvPvJE%3D | US | der | 471 b | whitelisted |
3868 | iexplore.exe | GET | 301 | 143.204.97.75:80 | http://covidly.com/ | US | html | 183 b | malicious |
3868 | iexplore.exe | GET | 200 | 216.58.210.3:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
3868 | iexplore.exe | GET | 200 | 216.58.210.3:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted |
3868 | iexplore.exe | GET | 200 | 216.58.210.3:80 | http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEFeh1L3VO0beCAAAAAAyCgc%3D | US | der | 471 b | whitelisted |
3868 | iexplore.exe | GET | 200 | 216.58.210.3:80 | http://ocsp.pki.goog/gts1o1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEFeh1L3VO0beCAAAAAAyCgc%3D | US | der | 471 b | whitelisted |
3868 | iexplore.exe | GET | 200 | 13.225.87.38:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwZ%2FlFeFh%2Bisd96yUzJbvJmLVg0%3D | US | der | 1.39 Kb | shared |
3512 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
3868 | iexplore.exe | GET | 200 | 13.225.87.144:80 | http://ocsp.sca1b.amazontrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQz9arGHWbnBV0DFzpNHz4YcTiFDQQUWaRmBlKge5WSPKOUByeWdFv5PdACEATN1L2J4tdZMGxJHox8Zlg%3D | US | der | 471 b | whitelisted |
3512 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3868 | iexplore.exe | 143.204.97.75:443 | covidly.com | — | US | suspicious |
3868 | iexplore.exe | 23.39.81.234:443 | cloud.typography.com | NTT America, Inc. | NL | unknown |
3868 | iexplore.exe | 13.225.87.38:80 | ocsp.rootg2.amazontrust.com | — | US | whitelisted |
3512 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3868 | iexplore.exe | 143.204.97.75:80 | covidly.com | — | US | suspicious |
3868 | iexplore.exe | 13.225.87.124:80 | o.ss2.us | — | US | unknown |
3868 | iexplore.exe | 13.225.87.218:80 | ocsp.rootg2.amazontrust.com | — | US | whitelisted |
3868 | iexplore.exe | 172.217.22.8:443 | www.googletagmanager.com | Google Inc. | US | whitelisted |
3512 | iexplore.exe | 143.204.97.75:443 | covidly.com | — | US | suspicious |
3868 | iexplore.exe | 172.217.18.110:443 | www.google-analytics.com | Google Inc. | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
covidly.com |
| malicious |
o.ss2.us |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.rootg2.amazontrust.com |
| whitelisted |
ocsp.rootca1.amazontrust.com |
| shared |
cloud.typography.com |
| whitelisted |
www.googletagmanager.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
— | — | Potentially Bad Traffic | ET INFO Suspicious Domain Request for Possible COVID-19 Domain M1 |
3868 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious GET Request with Possible COVID-19 Domain M1 |
3868 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious TLS SNI Request for Possible COVID-19 Domain M1 |
3868 | iexplore.exe | Potentially Bad Traffic | ET INFO Possible COVID-19 Domain in SSL Certificate M2 |
3868 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious TLS SNI Request for Possible COVID-19 Domain M1 |
3868 | iexplore.exe | Potentially Bad Traffic | ET INFO Possible COVID-19 Domain in SSL Certificate M2 |
— | — | Potentially Bad Traffic | ET INFO Suspicious Domain Request for Possible COVID-19 Domain M1 |
3868 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious TLS SNI Request for Possible COVID-19 Domain M1 |
3868 | iexplore.exe | Potentially Bad Traffic | ET INFO Possible COVID-19 Domain in SSL Certificate M2 |
3512 | iexplore.exe | Potentially Bad Traffic | ET INFO Suspicious TLS SNI Request for Possible COVID-19 Domain M1 |