analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://cld.pt/dl/download/e30c7587-c1e1-4911-ab27-d6d061fa9074/Fact.Endesa-Ref-27-06-2022.zip

Full analysis: https://app.any.run/tasks/1d837ab5-7129-4c1b-afc3-6c590387ab85
Verdict: Malicious activity
Analysis date: June 27, 2022, 09:24:43
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

7E9C0CE027C9E23556215CFA5AD6130C

SHA1:

D5314E9BA943284F1380215841505A8589BD3B3F

SHA256:

27C3E1317ED09BC3D10601AA2E6C01540E953F007C38B232EEA8B220AF86ECC0

SSDEEP:

3:N8U9VRK/a4z8dS36a/CVIpjEGtO2WWUXC5U:2U3RKCE8dT6CVINEGO7

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • msiexec.exe (PID: 1980)

  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 4020)

    • Reads the computer name

      • WinRAR.exe (PID: 3696)
      • msiexec.exe (PID: 1980)
      • MsiExec.exe (PID: 3436)

    • Checks supported languages

      • WinRAR.exe (PID: 3696)
      • msiexec.exe (PID: 1980)
      • MsiExec.exe (PID: 3436)

    • Reads Windows owner or organization settings

      • msiexec.exe (PID: 2392)
      • msiexec.exe (PID: 1980)

    • Reads the Windows organization settings

      • msiexec.exe (PID: 2392)
      • msiexec.exe (PID: 1980)

    • Drops a file with a compile date too recent

      • msiexec.exe (PID: 1980)

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 1980)

  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 2504)
      • iexplore.exe (PID: 4020)
      • msiexec.exe (PID: 2392)

    • Reads the computer name

      • iexplore.exe (PID: 2504)
      • iexplore.exe (PID: 4020)
      • msiexec.exe (PID: 2392)

    • Changes internet zones settings

      • iexplore.exe (PID: 2504)

    • Application launched itself

      • iexplore.exe (PID: 2504)
      • msiexec.exe (PID: 1980)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 4020)
      • iexplore.exe (PID: 2504)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 4020)

    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 2504)

    • Reads the date of Windows installation

      • iexplore.exe (PID: 2504)

    • Manual execution by user

      • msiexec.exe (PID: 2392)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe no specs iexplore.exe winrar.exe no specs msiexec.exe no specs msiexec.exe msiexec.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2504"C:\Program Files\Internet Explorer\iexplore.exe" "https://cld.pt/dl/download/e30c7587-c1e1-4911-ab27-d6d061fa9074/Fact.Endesa-Ref-27-06-2022.zip"C:\Program Files\Internet Explorer\iexplore.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
4020"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2504 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3696"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\Fact.Endesa-Ref-27-06-2022.zip"C:\Program Files\WinRAR\WinRAR.exeiexplore.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
2392"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Desktop\Fact.Endesa-Ref-27-06-2022.MSI" C:\Windows\System32\msiexec.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
1980C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3436C:\Windows\system32\MsiExec.exe -Embedding D0BB0E29A0DE568EFC20917DE809CFF1C:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Total events
9 757
Read events
9 641
Write events
0
Delete events
0

Modification events

No data
Executable files
3
Suspicious files
13
Text files
1
Unknown types
7

Dropped files

PID
Process
Filename
Type
3696WinRAR.exeC:\Users\admin\Desktop\Fact.Endesa-Ref-27-06-2022.MSI
MD5:
SHA256:
1980msiexec.exeC:\Windows\Installer\fd151.msi
MD5:
SHA256:
4020iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:F44A34ED92AD7211E39CA121176C5EA7
SHA256:56A04A653F80FB9722FED1B6D20CB0100B1056A935AB18293704F82ECDA42D29
4020iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\Fact.Endesa-Ref-27-06-2022.zip.lb9o67y.partialcompressed
MD5:5625ED8FAE76FED9717BBF04C467C959
SHA256:4236E1FF4666929880EFE6ACA0FFF52EA7D06F8FE64EFD4DE25BA8BCB2397AAB
2504iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFF4CE4F4A959AA75E.TMPgmc
MD5:001E76A963E991723A60B0A85B4C44E0
SHA256:5B8F647953810EDA00281B1121C4C53C3B70497EAFAD96A63D7ABAFCACA4A1B3
4020iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\35DDEDF268117918D1D277A171D8DF7B_DA58D95BD38CF7D8DB4249810F70B0D9binary
MD5:F5C09E1C8D285A15FFDDC3278669843C
SHA256:C0DB6FD33928F71395569EABD5DFC2F2C19856304A1308F3911D59FB047D823B
4020iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\35DDEDF268117918D1D277A171D8DF7B_DA58D95BD38CF7D8DB4249810F70B0D9der
MD5:1A6BD090F22E97B6B7E999D60B0331D9
SHA256:58E39946EF6F384D1E3E98812BDB18FFBBDBB65D228FA6B347C5B5DE9CB2DE68
2504iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\Fact.Endesa-Ref-27-06-2022.zipcompressed
MD5:5625ED8FAE76FED9717BBF04C467C959
SHA256:4236E1FF4666929880EFE6ACA0FFF52EA7D06F8FE64EFD4DE25BA8BCB2397AAB
4020iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5ABder
MD5:6D676CF8CC0E0E8C814461805E761CCA
SHA256:EFDFEA3D85CEA32051FDE431C7C5CAD519C0FD4803ECB466BD6282ADA744381F
4020iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5ABbinary
MD5:1032EB2283D1B6EB20C193ECF5699505
SHA256:E292FC56E3609D17064DD32F6C30F4D3D50592F84306F47BE207154620174374
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
7
DNS requests
6
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4020
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEATh56TcXPLzbcArQrhdFZ8%3D
US
der
471 b
whitelisted
4020
iexplore.exe
GET
200
13.107.4.50:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f443ad68667e6b58
US
compressed
4.70 Kb
whitelisted
4020
iexplore.exe
GET
200
13.107.4.50:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?684e7b3ad5972330
US
compressed
4.70 Kb
whitelisted
4020
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTPJvUY%2Bsl%2Bj4yzQuAcL2oQno5fCgQUUWj%2FkK8CB3U8zNllZGKiErhZcjsCEA5q8Sc%2FJmSklHRWiYBeK%2FY%3D
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4020
iexplore.exe
213.13.26.152:443
cld.pt
Servicos De Comunicacoes E Multimedia S.A.
PT
suspicious
4020
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
4020
iexplore.exe
13.107.4.50:80
ctldl.windowsupdate.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
cld.pt
  • 213.13.26.152
  • 213.13.26.154
  • 213.13.26.153
whitelisted
ctldl.windowsupdate.com
  • 13.107.4.50
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 131.253.33.200
  • 13.107.22.200
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET INFO Public Cloud Domain in DNS Lookup (cld .pt)
Potentially Bad Traffic
ET INFO Public Cloud Domain in DNS Lookup (cld .pt)
4020
iexplore.exe
Potentially Bad Traffic
ET INFO Observed Public Cloud Domain (cld .pt in TLS SNI)
4020
iexplore.exe
Potentially Bad Traffic
ET INFO Observed Public Cloud Domain (cld .pt in TLS SNI)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://cld.pt/dl/download/e30c7587-c1e1-4911-ab27-d6d061fa9074/Fact.Endesa-Ref-27-06-2022.zip