URL: https://link.zixcentral.com/u/1211f850/SLCqAhNE7RGaQ-oUh3soMg?u=http%3A%2F%2Fxz7w.s5cjeh.tatsuonocirurgiaplastica.com.br.%2F%2F%2Fbodcfv.%23.aHR0cHM6Ly9sbW8ubGVlYW5kYnVyZ2Vzcy5jb20vP3VzZXJuYW1lPWdlcnJ5Lmxld2lzQHVzcmFkaW9sb2d5LmNvbQ%3D%3D
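The submitted URL is a link-wrapper redirect: the `u` query parameter carries a second, percent-encoded URL, and that inner URL ends in a `#.` fragment holding a base64 token. The following is an added example written for this report, not ANY.RUN code: it unwraps the chain offline and reports the host at each hop. The parameter name `u` and the `#.` separator are read off this one URL rather than taken from any wrapper-service documentation, so treat the field layout as an observation about this sample; nothing is resolved or fetched.

```python
"""Unwrap the submitted link-wrapper URL and decode the token it carries.

Added example written for this report; it is not ANY.RUN code. The only
input is the URL shown above. The 'u' query parameter and the '#.' token
separator are read off that one URL, not taken from any wrapper-service
documentation, so the field layout is an observation about this sample.
"""
import base64
import binascii
from typing import Dict, Optional
from urllib.parse import parse_qs, unquote, urlparse

# Submitted URL, copied from the report.
SUBMITTED_URL = (
    "https://link.zixcentral.com/u/1211f850/SLCqAhNE7RGaQ-oUh3soMg"
    "?u=http%3A%2F%2Fxz7w.s5cjeh.tatsuonocirurgiaplastica.com.br."
    "%2F%2F%2Fbodcfv.%23.aHR0cHM6Ly9sbW8ubGVlYW5kYnVyZ2Vzcy5jb20v"
    "P3VzZXJuYW1lPWdlcnJ5Lmxld2lzQHVzcmFkaW9sb2d5LmNvbQ%3D%3D"
)


def unwrap(url: str, param: str = "u") -> str:
    """Return the inner URL carried in the wrapper's query parameter."""
    query = parse_qs(urlparse(url).query)
    if param not in query:
        raise ValueError(f"wrapper URL has no '{param}' parameter")
    # parse_qs percent-decodes once; a second unquote only matters if the
    # inner URL was encoded twice (it is a no-op otherwise).
    return unquote(query[param][0])


def decode_fragment_token(url: str) -> Optional[str]:
    """Base64-decode the token carried after '#.' in the URL fragment."""
    token = urlparse(url).fragment.lstrip(".")
    if not token:
        return None
    token += "=" * (-len(token) % 4)  # restore padding if it was stripped
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # not base64 (or not text): leave it for manual review


def hostname(url: str) -> Optional[str]:
    """Hostname with any trailing dot (absolute-FQDN form) removed."""
    host = urlparse(url).hostname
    return host.rstrip(".") if host else None


def triage(url: str) -> Dict[str, object]:
    """Hosts at each hop of the wrapper -> inner URL -> encoded URL chain."""
    inner = unwrap(url)
    decoded = decode_fragment_token(inner)
    return {
        "wrapper_host": hostname(url),
        "inner_host": hostname(inner),
        "inner_path": urlparse(inner).path,
        "final_host": hostname(decoded) if decoded else None,
        # Only the parameter names are reported: the value is the
        # recipient's address, which a triage note should not repeat.
        "final_query_keys": sorted(parse_qs(urlparse(decoded).query)) if decoded else [],
    }


if __name__ == "__main__":
    for key, value in triage(SUBMITTED_URL).items():
        print(f"{key}: {value}")
```

The inner hostname ends in a dot (absolute-FQDN form) and the path is `///bodcfv.`, both of which are worth keeping in the IOC record exactly as submitted; the decoded token is itself an `https://` URL whose query names a `username` parameter, which is the usual way such lures pre-fill the victim's address on the landing page.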

Full analysis: https://app.any.run/tasks/6e31e4aa-638c-45e6-93fe-5785afa03af6
Verdict: Malicious activity
Analysis date: October 04, 2022, 20:02:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 012A65DB4A5D8E6B8A8974F1D4CF3FF9
SHA1: 33752B359183C7F6112FD2ABC42612C28865A141
SHA256: 0B5762AA5C60BBEAA381F48FB212EDD049D5AA3D251D444FE7994D0A94ED7C2A
SSDEEP: 6:2MgUbz1T30pk3szzLNVBbcDLA5yZtyynUAW:2Mg2T30gsvLNVBbQbnU7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Drops executable file immediately after starts
      • msdt.exe (PID: 3708)
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 1244)
    • Executable content was dropped or overwritten
      • msdt.exe (PID: 3708)
    • Drops a file with a compile date too recent
      • msdt.exe (PID: 3708)
    • Executed via COM
      • sdiagnhost.exe (PID: 3960)
  • INFO
    • Checks supported languages
      • iexplore.exe (PID: 1244)
      • iexplore.exe (PID: 600)
      • msdt.exe (PID: 3708)
      • sdiagnhost.exe (PID: 3960)
    • Reads the computer name
      • iexplore.exe (PID: 1244)
      • iexplore.exe (PID: 600)
      • msdt.exe (PID: 3708)
      • sdiagnhost.exe (PID: 3960)
    • Changes internet zones settings
      • iexplore.exe (PID: 600)
    • Application launched itself
      • iexplore.exe (PID: 600)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 600)
      • msdt.exe (PID: 3708)
      • iexplore.exe (PID: 1244)
    • Reads internet explorer settings
      • iexplore.exe (PID: 1244)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 600)
      • sdiagnhost.exe (PID: 3960)
      • msdt.exe (PID: 3708)
      • iexplore.exe (PID: 1244)
    • Changes settings of System certificates
      • iexplore.exe (PID: 600)
    • Creates files in the user directory
      • iexplore.exe (PID: 600)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 600)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 4
Malicious processes: 0
Suspicious processes: 1

Behavior graph (interactive in the full report): start, iexplore.exe, iexplore.exe, msdt.exe, sdiagnhost.exe (no specs)

Process information

PID 600
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://link.zixcentral.com/u/1211f850/SLCqAhNE7RGaQ-oUh3soMg?u=http%3A%2F%2Fxz7w.s5cjeh.tatsuonocirurgiaplastica.com.br.%2F%2F%2Fbodcfv.%23.aHR0cHM6Ly9sbW8ubGVlYW5kYnVyZ2Vzcy5jb20vP3VzZXJuYW1lPWdlcnJ5Lmxld2lzQHVzcmFkaW9sb2d5LmNvbQ%3D%3D"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: Explorer.EXE
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 1244
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:600 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 3708
  CMD: -modal 131368 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDF44B2.tmp -ep NetworkDiagnosticsWeb
  Path: C:\Windows\system32\msdt.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Diagnostics Troubleshooting Wizard
  Exit code: 4294967295
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3960
  CMD: C:\Windows\System32\sdiagnhost.exe -Embedding
  Path: C:\Windows\System32\sdiagnhost.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Scripted Diagnostics Native Host
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

Note on the msdt.exe row: the command line names the built-in networking troubleshooter package (-path C:\Windows\diagnostics\system\networking) with the NetworkDiagnosticsWeb entry point, and its answer file, C:\Users\admin\AppData\Local\Temp\NDF44B2.tmp, is the file iexplore.exe (PID 600) wrote (see Dropped files). That is how Internet Explorer's "Diagnose connection problems" action starts msdt.exe after a page fails to load, and the SDIAG_<guid> files msdt.exe dropped are that package's own scripts (NetworkDiagnosticsTroubleshoot.ps1, UtilityFirewall.ps1, UtilitySetConstants.ps1, DiagPackage.diagpkg, HTInteractiveRes.ps1). The MALICIOUS-class indicator on msdt.exe therefore reflects the troubleshooter unpacking its package rather than content fetched from the submitted URL. sdiagnhost.exe (PID 3960, -Embedding, parent svchost.exe) is the COM-activated script host the troubleshooter runs its scripts in, which is what the "Executed via COM" indicator records.
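The cross-check described in the note above, as an added example written for this report (not ANY.RUN code): it parses the msdt.exe command line into its switches, looks the -af answer file up in the Dropped files table, and applies the editor's rule that a browser-spawned msdt.exe running a package under C:\Windows\diagnostics with the NetworkDiagnosticsWeb entry point and an answer file the browser itself wrote is the "Diagnose connection problems" path. The process and dropped-file rows are copied from the report; the report gives each parent by image name only, so the parent field is a name, not a PID.

```python
"""Cross-check the msdt.exe command line against the Dropped files table.

Added example written for this report; it is not ANY.RUN code. The process
rows and the dropped-file row are copied from the report (the report gives
each parent by image name only, so the parent is a name, not a PID). The
rule at the end is this editor's reading, not a sandbox verdict.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent: str
    cmd: str
    integrity: str


# Process rows copied from the report.
PROCESSES: List[Proc] = [
    Proc(600, "iexplore.exe", "Explorer.EXE",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" '
         r'"https://link.zixcentral.com/u/1211f850/SLCqAhNE7RGaQ-oUh3soMg?u=http%3A%2F%2Fxz7w.s5cjeh.tatsuonocirurgiaplastica.com.br.%2F%2F%2Fbodcfv.%23.aHR0cHM6Ly9sbW8ubGVlYW5kYnVyZ2Vzcy5jb20vP3VzZXJuYW1lPWdlcnJ5Lmxld2lzQHVzcmFkaW9sb2d5LmNvbQ%3D%3D"',
         "MEDIUM"),
    Proc(1244, "iexplore.exe", "iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:600 CREDAT:267521 /prefetch:2',
         "LOW"),
    Proc(3708, "msdt.exe", "iexplore.exe",
         r"-modal 131368 -skip TRUE -path C:\Windows\diagnostics\system\networking "
         r"-af C:\Users\admin\AppData\Local\Temp\NDF44B2.tmp -ep NetworkDiagnosticsWeb",
         "MEDIUM"),
    Proc(3960, "sdiagnhost.exe", "svchost.exe",
         r"C:\Windows\System32\sdiagnhost.exe -Embedding", "MEDIUM"),
]

# Dropped-file row copied from the report: (PID, process, path).
DROPPED: List[Tuple[int, str, str]] = [
    (600, "iexplore.exe", r"C:\Users\admin\AppData\Local\Temp\NDF44B2.tmp"),
]

# Root of the built-in troubleshooter packages (taken from the report's -path).
BUILTIN_PACKAGE_ROOT = "c:\\windows\\diagnostics\\"

# A token is either a double-quoted run (paths with spaces) or a bare word.
_TOKEN = re.compile(r'"[^"]*"|\S+')


def parse_msdt_args(cmd: str) -> Dict[str, str]:
    """Map the '-name value' pairs of an msdt.exe command line to {name: value}.

    A switch followed by another switch (or by nothing) maps to ''. Switch
    names are lower-cased; values keep their case and lose surrounding quotes.
    """
    tokens = [t.strip('"') for t in _TOKEN.findall(cmd)]
    args: Dict[str, str] = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            args[tok[1:].lower()] = tokens[i + 1] if has_value else ""
            i += 2 if has_value else 1
        else:
            i += 1
    return args


def who_dropped(path: str, dropped=DROPPED) -> Optional[Tuple[int, str]]:
    """(PID, image) of the process that wrote `path`, per the Dropped files table."""
    for pid, image, dropped_path in dropped:
        if dropped_path.lower() == path.lower():
            return (pid, image)
    return None


def triage_msdt(proc: Proc, dropped=DROPPED) -> Dict[str, object]:
    """Summarise one msdt.exe invocation and test the editor's rule."""
    args = parse_msdt_args(proc.cmd)
    package = args.get("path", "")
    answer_file = args.get("af", "")
    writer = who_dropped(answer_file, dropped) if answer_file else None
    package_is_builtin = package.lower().startswith(BUILTIN_PACKAGE_ROOT)
    return {
        "entry_point": args.get("ep"),
        "package": package,
        "package_is_builtin": package_is_builtin,
        "answer_file": answer_file,
        "answer_file_written_by": writer,
        # Editor's rule for IE's "Diagnose connection problems" path.
        "looks_like_ie_network_diagnostics": (
            proc.parent.lower() == "iexplore.exe"
            and args.get("ep") == "NetworkDiagnosticsWeb"
            and package_is_builtin
            and writer is not None
            and writer[1].lower() == "iexplore.exe"
        ),
    }


if __name__ == "__main__":
    for p in PROCESSES:
        if p.image.lower() == "msdt.exe":
            for key, value in triage_msdt(p).items():
                print(f"{key}: {value}")
```

The same parser is the place to hang the opposite check when reviewing other reports: an msdt.exe whose -path points outside C:\Windows\diagnostics, whose answer file nobody in the Dropped files table wrote, or whose parent is not a browser fails the rule and deserves a closer look at what the package contains.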
Total events: 13 756
Read events: 13 577
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 2
Suspicious files: 17
Text files: 41
Unknown types: 7

Dropped files (PID, process, type; path; MD5; SHA256)

600  iexplore.exe  der
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
  MD5: B8BDA0B382A7D056A4241B388338B778
  SHA256: 7BAA967F6686CCE471826B20FFA5CB7FEB4BF3C5C0BF43F51F08E84EB5850DD2
600  iexplore.exe  binary
  C:\Users\admin\AppData\Local\Temp\NDF44B2.tmp
  MD5: 18620FC1A9092A413946EAAC9B4A3A99
  SHA256: 23F75A7CB2B5EB58A59827CC8497A6CE7DC629D71D56D19EE09D56E4138CF8A9
600  iexplore.exe  binary
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
  MD5: 45634FAC95929BFEE781DCB6F45022CF
  SHA256: 75C748FF68602B7060A47B259260D3A10ED4E0A18429EBF362B7290C7256198E
600  iexplore.exe  binary
  C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
  MD5: A84B34D826ED3F5FC7AC6D9DB3463D5C
  SHA256: 6365090113AAA2D3F10D7BB8DE526CA763A7203A740F53943DAB66FF29EA64DD
600  iexplore.exe  image
  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[1].ico
  MD5: DA597791BE3B6E732F0BC8B20E38EE62
  SHA256: 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3708  msdt.exe  text
  C:\Users\admin\AppData\Local\Temp\SDIAG_33b7ab01-ff4c-42a5-a0ac-978af107e6c0\NetworkDiagnosticsTroubleshoot.ps1
  MD5: 1D192CE36953DBB7DC7EE0D04C57AD8D
  SHA256: 935A231924AE5D4A017B0C99D4A5F3904EF280CEA4B3F727D365283E26E8A756
3708  msdt.exe  text
  C:\Users\admin\AppData\Local\Temp\SDIAG_33b7ab01-ff4c-42a5-a0ac-978af107e6c0\UtilityFirewall.ps1
  MD5: B004AFC224E9216115EC3B0BF5D43BA2
  SHA256: 31B97632CA31D1BB21917A07757B2FF415DBB6A4E7DD7B533ECC52431ACF65B5
3708  msdt.exe  text
  C:\Users\admin\AppData\Local\Temp\SDIAG_33b7ab01-ff4c-42a5-a0ac-978af107e6c0\UtilitySetConstants.ps1
  MD5: 0C75AE5E75C3E181D13768909C8240BA
  SHA256: DE5C231C645D3AE1E13694284997721509F5DE64EE5C96C966CDFDA9E294DB3F
3708  msdt.exe  xml
  C:\Users\admin\AppData\Local\Temp\SDIAG_33b7ab01-ff4c-42a5-a0ac-978af107e6c0\DiagPackage.diagpkg
  MD5: C9FB87FA3460FAE6D5D599236CFD77E2
  SHA256: CDE728C08A4E50A02FCFF35C90EE2B3B33AB24C8B858F180B6A67BFA94DEF35F
3708  msdt.exe  text
  C:\Users\admin\AppData\Local\Temp\SDIAG_33b7ab01-ff4c-42a5-a0ac-978af107e6c0\HTInteractiveRes.ps1
  MD5: C25ED2111C6EE9299E6D9BF51012F2F5
  SHA256: 8E326EE0475208D4C943D885035058FAD7146BBA02B66305F7C9F31F6A57E81B
Network (PCAP, network streams and HTTP content are available in the full report)
HTTP(S) requests: 9
TCP/UDP connections: 43
DNS requests: 15
Threats: 0

HTTP requests (PID | process | method | HTTP code | IP | URL | CN | type | size | reputation)

1244 | iexplore.exe | GET | 200 | 23.48.23.12:80 | http://crl.entrust.net/g2ca.crl | US | der | 1.66 Kb | whitelisted
600 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted
600 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
1244 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEALYmhVz87O42hRbWDiYKQc%3D | US | der | 1.47 Kb | whitelisted
600 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
1244 | iexplore.exe | GET | 200 | 96.16.142.215:80 | http://ocsp.entrust.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTMbSIc9rRVLC%2BHkV9a%2FvDh7s6DzAQUgqJwdN28Uz%2FPe9T3zX%2BnYMYKTL8CEHCOyacXVQWafbNmMlD3UTM%3D | US | der | 1.55 Kb | whitelisted
600 | iexplore.exe | GET | 200 | 23.216.77.80:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0239d82df03436c5 | US | compressed | 4.70 Kb | whitelisted
600 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | der | 471 b | whitelisted
600 | iexplore.exe | GET | 200 | 23.216.77.80:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ed2734d1445fd5da | US | compressed | 4.70 Kb | whitelisted

Connections (PID | process | IP | domain | ASN | CN | reputation)

600 | iexplore.exe | 152.199.19.161:443 | r20swj13mr.microsoft.com | EDGECAST | US | whitelisted
1244 | iexplore.exe | 199.30.234.131:443 | link.zixcentral.com | ASN-CUST | US | suspicious
600 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
720 | svchost.exe | 199.30.234.131:443 | link.zixcentral.com | ASN-CUST | US | suspicious
600 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
600 | iexplore.exe | 23.216.77.80:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | suspicious
1244 | iexplore.exe | 23.48.23.12:80 | crl.entrust.net | Akamai International B.V. | DE | suspicious
1244 | iexplore.exe | 96.16.142.215:80 | ocsp.entrust.net | AKAMAI-AS | DE | unknown
1244 | iexplore.exe | 104.18.11.207:443 | maxcdn.bootstrapcdn.com | CLOUDFLARENET | - | suspicious
600 | iexplore.exe | 184.29.201.244:443 | go.microsoft.com | AKAMAI-AS | NL | suspicious

DNS requests (domain | IP | reputation)

link.zixcentral.com | 199.30.234.131 | shared
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
ctldl.windowsupdate.com | 23.216.77.80, 23.216.77.69 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
ocsp.entrust.net | 96.16.142.215 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
crl.entrust.net | 23.48.23.12, 23.48.23.39 | whitelisted
maxcdn.bootstrapcdn.com | 104.18.11.207, 104.18.10.207 | whitelisted

Threats (PID | process | class | message)

720 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure (2 alerts)
1244 | iexplore.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure (6 alerts)

All eight alerts are the same Emerging Threats informational signature, raised for PID 1244 (the Internet Explorer content process) and PID 720 (svchost.exe), the two processes that connected to link.zixcentral.com:443; 1244 also connected to maxcdn.bootstrapcdn.com:443, and the report does not say which peer each alert concerns. The HTTP table holds only certificate-validation traffic (CRL, OCSP and the disallowed-certificate CTL download) and no request to the wrapper host or to the inner URL, so the landing page itself was not captured in this run, and the only MALICIOUS-class indicator is the msdt.exe file drop discussed under Process information.
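The join behind that observation, as an added example written for this report (not ANY.RUN code): it groups the Threats rows by PID, lists the port-443 peers each alerted PID reached according to the Connections table, and lists the contacted domains for which the HTTP table holds no request. The rows are copied from the report's tables; the OCSP URLs are reduced to their hosts because only the host matters for the join. The report does not say which peer each alert belongs to, so the result narrows each alert down to candidate peers rather than naming one.

```python
"""Join the Threats, Connections and HTTP tables of this report by PID.

Added example written for this report; it is not ANY.RUN code. The rows
below are copied from the report's tables (OCSP URLs reduced to their host).
The sandbox does not say which peer each "ET INFO TLS Handshake Failure"
alert belongs to, so the join only narrows an alert's PID down to the TLS
(port 443) peers that PID contacted.
"""
from collections import Counter, defaultdict
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Threats table: (PID, process, message).
THREATS: List[Tuple[int, str, str]] = (
    [(720, "svchost.exe", "ET INFO TLS Handshake Failure")] * 2
    + [(1244, "iexplore.exe", "ET INFO TLS Handshake Failure")] * 6
)

# Connections table: (PID, process, ip:port, domain).
CONNECTIONS: List[Tuple[int, str, str, str]] = [
    (600, "iexplore.exe", "152.199.19.161:443", "r20swj13mr.microsoft.com"),
    (1244, "iexplore.exe", "199.30.234.131:443", "link.zixcentral.com"),
    (600, "iexplore.exe", "93.184.220.29:80", "ocsp.digicert.com"),
    (720, "svchost.exe", "199.30.234.131:443", "link.zixcentral.com"),
    (600, "iexplore.exe", "204.79.197.200:443", "www.bing.com"),
    (600, "iexplore.exe", "23.216.77.80:80", "ctldl.windowsupdate.com"),
    (1244, "iexplore.exe", "23.48.23.12:80", "crl.entrust.net"),
    (1244, "iexplore.exe", "96.16.142.215:80", "ocsp.entrust.net"),
    (1244, "iexplore.exe", "104.18.11.207:443", "maxcdn.bootstrapcdn.com"),
    (600, "iexplore.exe", "184.29.201.244:443", "go.microsoft.com"),
]

# HTTP requests table reduced to (PID, URL); OCSP request paths dropped.
HTTP_REQUESTS: List[Tuple[int, str]] = [
    (1244, "http://crl.entrust.net/g2ca.crl"),
    (600, "http://ocsp.digicert.com/"),
    (600, "http://ocsp.digicert.com/"),
    (1244, "http://ocsp.digicert.com/"),
    (600, "http://ocsp.digicert.com/"),
    (1244, "http://ocsp.entrust.net/"),
    (600, "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?0239d82df03436c5"),
    (600, "http://ocsp.digicert.com/"),
    (600, "http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ed2734d1445fd5da"),
]


def port_of(endpoint: str) -> int:
    """Port number of an 'ip:port' endpoint string."""
    return int(endpoint.rsplit(":", 1)[1])


def alerts_by_pid(threats=THREATS) -> Dict[int, Counter]:
    """{pid: Counter({message: count})} over the Threats rows."""
    out: Dict[int, Counter] = defaultdict(Counter)
    for pid, _, msg in threats:
        out[pid][msg] += 1
    return dict(out)


def tls_peers_by_pid(connections=CONNECTIONS) -> Dict[int, List[str]]:
    """Domains each PID reached on port 443, sorted."""
    peers: Dict[int, set] = defaultdict(set)
    for pid, _, endpoint, domain in connections:
        if port_of(endpoint) == 443:
            peers[pid].add(domain)
    return {pid: sorted(d) for pid, d in peers.items()}


def correlate(threats=THREATS, connections=CONNECTIONS) -> Dict[int, Dict[str, object]]:
    """For every alerted PID: its alert counts and the TLS peers they could concern."""
    peers = tls_peers_by_pid(connections)
    return {
        pid: {"alerts": dict(counter), "tls_peers": peers.get(pid, [])}
        for pid, counter in alerts_by_pid(threats).items()
    }


def hosts_without_http(connections=CONNECTIONS, http_requests=HTTP_REQUESTS) -> List[str]:
    """Contacted domains for which the report lists no HTTP request."""
    requested = {urlparse(url).hostname for _, url in http_requests}
    return sorted({domain for _, _, _, domain in connections} - requested)


if __name__ == "__main__":
    for pid, info in sorted(correlate().items()):
        print(pid, info)
    print("no HTTP request recorded:", hosts_without_http())
```

For PID 720 the only port-443 peer is link.zixcentral.com, so both of its handshake failures concern the wrapper host; for PID 1244 the candidates are link.zixcentral.com and maxcdn.bootstrapcdn.com. Hosts reached only over 443 naturally have no plaintext request in the HTTP table, so the second function says what the report contains, not what the guest sent.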