analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://www.msn.com

Full analysis: https://app.any.run/tasks/7e33822e-b6a6-460e-a66a-910f0ec7ef27
Verdict: Malicious activity
Analysis date: March 30, 2020, 10:45:12
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
covid19
Indicators:
MD5:

FAEF515D875BD88076771963FC4DD672

SHA1:

53B140634551CFAC508A70649BB22242DB209613

SHA256:

F99205789B2C74BD87F5D96159DB3C2E12A64C26D97BC0E5FF1025948362D0E7

SSDEEP:

3:N1KJS4fZI:Cc4hI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1756)
      • iexplore.exe (PID: 3276)
      • iexplore.exe (PID: 820)
      • iexplore.exe (PID: 4076)

    • Changes internet zones settings

      • iexplore.exe (PID: 1756)

    • Application launched itself

      • iexplore.exe (PID: 1756)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3276)
      • iexplore.exe (PID: 820)
      • iexplore.exe (PID: 4076)

    • Dropped object may contain TOR URL's

      • iexplore.exe (PID: 820)

    • Creates files in the user directory

      • iexplore.exe (PID: 820)
      • iexplore.exe (PID: 3276)

    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 3276)

    • Drops Coronavirus (possible) decoy

      • iexplore.exe (PID: 3276)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 820)
      • iexplore.exe (PID: 3276)
      • iexplore.exe (PID: 1756)

    • Changes settings of System certificates

      • iexplore.exe (PID: 1756)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1756)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
42
Monitored processes
4
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
1756"C:\Program Files\Internet Explorer\iexplore.exe" "http://www.msn.com"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3276"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1756 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
820"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1756 CREDAT:857455 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
4076"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1756 CREDAT:922957 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
8 596
Read events
2 089
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
246
Text files
523
Unknown types
116

Dropped files

PID
Process
Filename
Type
3276iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\HWYJH8NS.txt
MD5:
SHA256:
3276iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\PANGYP2Q.txt
MD5:
SHA256:
3276iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\4B41T6SL.txttext
MD5:BEC17B4F078F08577B950528A41DF361
SHA256:D33A9692B85FC5A5D04C0140D7FD5AFD0F38BFC3CC052FC192A5B0133A07CCC4
3276iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\a0-2fafeb-185735b[1].csstext
MD5:735228E0B80EB7D424BCA8E1844AD061
SHA256:C43504E707282E1117B847BC85EDB9B79C7F48C7791C38353C72CF4E4E7CA1FF
3276iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\optanon[1].csstext
MD5:43F23C82000C94D9E6B1D7228F36E08B
SHA256:72E33C8EA66D5D54D7FB34DE9E2F2D585F55C0F980CD56EB9DDBAAD822C88C54
3276iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\BB11TcYE[1].jpgimage
MD5:A48B52E8D7EAE6B3B052F06CE6A681E7
SHA256:98F75D231F9E233BBC3CEE0FC0029C690DCE999D7B06D15234C343D07AF89112
3276iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\AAGpOUO[1].pngimage
MD5:BA37BC59F89A0E0A57D094BE1A153FC1
SHA256:D1CE75FC5C16A8F50D73E4F3D644A39003AC750EEF5A95EF9CF876EC06945D44
3276iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\it-it[1].htmhtml
MD5:222967FC721EDE0F08C8BF10C75AFC76
SHA256:420C89265EE5148A32F0ADB581E01B69087ADE0E049768A1E3B2E3607CBDBBEC
3276iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\onetrustConsent[1].jstext
MD5:A1C7829A0B17F7944A3EA4FAB46FBDFB
SHA256:01231F9469916E8A56796CC1906A1CE10AE906184C885AFCA0203B10B1FB598C
3276iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\BB11p0rL[1].pngimage
MD5:03393CEF9E5F9E1FEB36EEDDE99CB7C0
SHA256:814E3ED89016AFA9441F829EC77CDD186923D9AAEB5394E99524EF7FBA96051F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
390
TCP/UDP connections
330
DNS requests
130
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3276
iexplore.exe
GET
200
23.55.161.132:80
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB11TKAF.img?h=333&w=311&m=6&q=60&u=t&o=t&l=f&f=jpg&x=819&y=1048
US
image
10.8 Kb
whitelisted
3276
iexplore.exe
GET
200
204.79.197.203:80
http://www.msn.com/it-it/
US
html
70.5 Kb
whitelisted
3276
iexplore.exe
GET
200
23.55.161.132:80
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB11p0rL.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
US
image
853 b
whitelisted
3276
iexplore.exe
GET
302
204.79.197.203:80
http://www.msn.com/
US
html
142 b
whitelisted
3276
iexplore.exe
GET
200
23.55.161.132:80
http://static-global-s-msn-com.akamaized.net/hp-neu/_h/b71c72b5/webcore/externalscripts/oneTrust/it-it/onetrustConsent.js
US
text
48.4 Kb
whitelisted
3276
iexplore.exe
GET
200
23.55.161.132:80
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BBih5H.img?m=6&o=true&u=true&n=true&w=30&h=30
US
image
930 b
whitelisted
3276
iexplore.exe
GET
200
23.55.161.132:80
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB11Qhx5.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg
US
image
7.99 Kb
whitelisted
3276
iexplore.exe
GET
200
23.55.161.132:80
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/AAGpOUO.img?h=27&w=27&m=6&q=60&u=t&o=t&l=f&f=png
US
image
347 b
whitelisted
3276
iexplore.exe
GET
200
23.55.161.132:80
http://static-global-s-msn-com.akamaized.net/hp-neu/_h/975a7d20/webcore/externalscripts/jquery/jquery-2.1.1.min.js
US
text
28.8 Kb
whitelisted
3276
iexplore.exe
GET
200
23.55.161.132:80
http://static-global-s-msn-com.akamaized.net/img-resizer/tenant/amp/entityid/BB11TcYE.img?h=166&w=310&m=6&q=60&u=t&o=t&l=f&f=jpg&x=2161&y=1441
US
image
8.56 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3276
iexplore.exe
204.79.197.203:80
www.msn.com
Microsoft Corporation
US
whitelisted
3276
iexplore.exe
40.77.226.250:443
web.vortex.data.msn.com
Microsoft Corporation
IE
whitelisted
3276
iexplore.exe
104.111.230.152:443
linkmaker.itunes.apple.com
Akamai International B.V.
NL
whitelisted
3276
iexplore.exe
23.55.161.132:80
static-global-s-msn-com.akamaized.net
Akamai International B.V.
US
whitelisted
3276
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3276
iexplore.exe
172.217.22.46:443
play.google.com
Google Inc.
US
whitelisted
1756
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3276
iexplore.exe
204.79.197.203:443
www.msn.com
Microsoft Corporation
US
whitelisted
3276
iexplore.exe
151.101.2.49:443
img.img-taboola.com
Fastly
US
malicious
3276
iexplore.exe
216.58.210.3:80
ocsp.pki.goog
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.msn.com
  • 23.37.57.231
  • 204.79.197.203
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
static-global-s-msn-com.akamaized.net
  • 23.55.161.132
  • 23.55.161.135
whitelisted
linkmaker.itunes.apple.com
  • 104.111.230.152
whitelisted
play.google.com
  • 172.217.22.46
whitelisted
web.vortex.data.msn.com
  • 40.77.226.250
whitelisted
ocsp.pki.goog
  • 216.58.210.3
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
ocsp.msocsp.com
  • 104.18.24.243
  • 104.18.25.243
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted

Threats

PID
Process
Class
Message
3276
iexplore.exe
Generic Protocol Command Decode
SURICATA HTTP unable to match response to request
1756
iexplore.exe
Generic Protocol Command Decode
SURICATA HTTP unable to match response to request
3276
iexplore.exe
Generic Protocol Command Decode
SURICATA HTTP unable to match response to request
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://www.msn.com