analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://forfishpescados.com.br%20DETECTION

Full analysis: https://app.any.run/tasks/2b07ac25-816b-40b3-b5f0-bb073d809419
Verdict: Malicious activity
Analysis date: June 16, 2021, 21:04:07
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

41C296F5F0A6E1CF26A9BC4019E856E3

SHA1:

09CE7D2C871EA8026D25B3965725A0EB392A2E31

SHA256:

15DAFB1E2A570FEB11D6E9A755D8B558284E478F5E50A48371390EAEAA58F54E

SSDEEP:

3:N1KYPKjZSf:CYPJf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • msdt.exe (PID: 3752)
      • msdt.exe (PID: 3876)

  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3028)

    • Executable content was dropped or overwritten

      • msdt.exe (PID: 3752)
      • msdt.exe (PID: 3876)

    • Drops a file with too old compile date

      • msdt.exe (PID: 3752)
      • msdt.exe (PID: 3876)

    • Executed via COM

      • sdiagnhost.exe (PID: 1376)
      • sdiagnhost.exe (PID: 2236)
      • sdiagnhost.exe (PID: 3420)
      • sdiagnhost.exe (PID: 3276)

    • Uses IPCONFIG.EXE to discover IP address

      • sdiagnhost.exe (PID: 1376)
      • sdiagnhost.exe (PID: 3420)

  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 3912)
      • iexplore.exe (PID: 3028)
      • msdt.exe (PID: 3752)
      • sdiagnhost.exe (PID: 1376)
      • ipconfig.exe (PID: 2988)
      • ROUTE.EXE (PID: 1324)
      • sdiagnhost.exe (PID: 2236)
      • msdt.exe (PID: 3876)
      • ipconfig.exe (PID: 3192)
      • sdiagnhost.exe (PID: 3420)
      • ROUTE.EXE (PID: 3348)
      • sdiagnhost.exe (PID: 3276)
      • control.exe (PID: 2992)
      • rundll32.exe (PID: 2320)

    • Checks supported languages

      • iexplore.exe (PID: 3028)
      • iexplore.exe (PID: 3912)
      • msdt.exe (PID: 3752)
      • ipconfig.exe (PID: 2988)
      • sdiagnhost.exe (PID: 1376)
      • ROUTE.EXE (PID: 1324)
      • sdiagnhost.exe (PID: 2236)
      • msdt.exe (PID: 3876)
      • makecab.exe (PID: 3436)
      • sdiagnhost.exe (PID: 3420)
      • ipconfig.exe (PID: 3192)
      • sdiagnhost.exe (PID: 3276)
      • makecab.exe (PID: 3524)
      • ROUTE.EXE (PID: 3348)
      • control.exe (PID: 2992)
      • rundll32.exe (PID: 2320)

    • Application launched itself

      • iexplore.exe (PID: 3912)

    • Changes internet zones settings

      • iexplore.exe (PID: 3912)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3912)
      • msdt.exe (PID: 3752)
      • msdt.exe (PID: 3876)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3912)
      • msdt.exe (PID: 3752)
      • sdiagnhost.exe (PID: 1376)
      • sdiagnhost.exe (PID: 2236)
      • sdiagnhost.exe (PID: 3420)
      • msdt.exe (PID: 3876)
      • sdiagnhost.exe (PID: 3276)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3028)

    • Manual execution by user

      • rundll32.exe (PID: 2320)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
16
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe no specs msdt.exe sdiagnhost.exe no specs ipconfig.exe no specs route.exe no specs makecab.exe no specs sdiagnhost.exe no specs msdt.exe sdiagnhost.exe no specs ipconfig.exe no specs route.exe no specs makecab.exe no specs sdiagnhost.exe no specs control.exe no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3912"C:\Program Files\Internet Explorer\iexplore.exe" "http://forfishpescados.com.br%20DETECTION"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
3028"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3912 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3752 -modal 327996 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDFA619.tmp -ep NetworkDiagnosticsWebC:\Windows\system32\msdt.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Diagnostics Troubleshooting Wizard
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msdt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
1376C:\Windows\System32\sdiagnhost.exe -EmbeddingC:\Windows\System32\sdiagnhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Scripted Diagnostics Native Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sdiagnhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\ole32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
2988"C:\Windows\system32\ipconfig.exe" /allC:\Windows\system32\ipconfig.exesdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ipconfig.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dnsapi.dll
c:\windows\system32\ws2_32.dll
1324"C:\Windows\system32\ROUTE.EXE" printC:\Windows\system32\ROUTE.EXEsdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Route Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\route.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winnsi.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
3436"C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddfC:\Windows\system32\makecab.exesdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft� Cabinet Maker
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\makecab.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\version.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2236C:\Windows\System32\sdiagnhost.exe -EmbeddingC:\Windows\System32\sdiagnhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Scripted Diagnostics Native Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sdiagnhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
3876 -modal 327996 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDFFFF2.tmp -ep NetworkDiagnosticsWebC:\Windows\system32\msdt.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Diagnostics Troubleshooting Wizard
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msdt.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3420C:\Windows\System32\sdiagnhost.exe -EmbeddingC:\Windows\System32\sdiagnhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Scripted Diagnostics Native Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\sdiagnhost.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ntdll.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ole32.dll
c:\windows\system32\gdi32.dll
Total events
19 706
Read events
19 512
Write events
0
Delete events
0

Modification events

No data
Executable files
8
Suspicious files
47
Text files
91
Unknown types
8

Dropped files

PID
Process
Filename
Type
3912iexplore.exeC:\Users\admin\AppData\Local\Temp\NDFA619.tmpbinary
MD5:ADD87BAC769F70BD944D3861BF251CCB
SHA256:27DF2FC95B9A950ADB1AEC7231A68E285E6853FF0B22E5F5BD49579D3ED7EF8D
3912iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:488DACCB827E28A2EB7C5098B0E4AD98
SHA256:270E0A8246CBD35CE44D58F85BDB840EA64BE8F5D89D66A92C762C9F7A88127F
3912iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:4A752A1BB47E194AB324C47A73C84F0A
SHA256:55F0DEE37CC14ED23A47C58DC627FAB7583B5D64D79FBE253D14AAE8FB247CD7
3752msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_06004d1b-a384-4ed1-be84-90c542a8f0e8\StartDPSService.ps1text
MD5:A660422059D953C6D681B53A6977100E
SHA256:D19677234127C38A52AEC23686775A8EB3F4E3A406F4A11804D97602D6C31813
3752msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_06004d1b-a384-4ed1-be84-90c542a8f0e8\UtilityFunctions.ps1text
MD5:2F7C3DB0C268CF1CF506FE6E8AECB8A0
SHA256:886A625F71E0C35E5722423ED3AA0F5BFF8D120356578AB81A64DE2AB73D47F3
3912iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:F7DCB24540769805E5BB30D193944DCE
SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
3752msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_06004d1b-a384-4ed1-be84-90c542a8f0e8\NetworkDiagnosticsTroubleshoot.ps1text
MD5:1D192CE36953DBB7DC7EE0D04C57AD8D
SHA256:935A231924AE5D4A017B0C99D4A5F3904EF280CEA4B3F727D365283E26E8A756
3912iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\favicon[2].icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3752msdt.exeC:\Users\admin\AppData\Local\Temp\SDIAG_06004d1b-a384-4ed1-be84-90c542a8f0e8\UtilityFirewall.ps1text
MD5:B004AFC224E9216115EC3B0BF5D43BA2
SHA256:31B97632CA31D1BB21917A07757B2FF415DBB6A4E7DD7B533ECC52431ACF65B5
3912iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:B1A2FEB2F1E0D46701F5D38BBF818F64
SHA256:E63C3154A4F0272AF56C68AEDB80FA0FAD7A407A844CD2A498E797C7B6A47E36
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
8
DNS requests
9
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3912
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
3912
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
3912
iexplore.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?4df2f36229149746
US
compressed
4.70 Kb
whitelisted
3912
iexplore.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3e97ab501b0f05ea
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3912
iexplore.exe
93.184.221.240:80
ctldl.windowsupdate.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3912
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3912
iexplore.exe
152.199.19.161:443
r20swj13mr.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3912
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://forfishpescados.com.br%20DETECTION