URL: http://work.a-poster.info

Full analysis: https://app.any.run/tasks/eadec54c-1ffe-4b9a-95d9-3e052bd82436
Verdict: Malicious activity
Analysis date: August 12, 2022, 18:02:10
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 4E101EA8D4159202EAAB42F8E7D0174E
SHA1: 1F8FEEFDD09E444D6F8B456BFB07535CCD709DB2
SHA256: 704A4E343F83BAD37A56B960F97089F3D278371BE84B3AA5BC4BB315B6112271
SSDEEP: 3:N1KJKeLRj3Kn:CEeLRj3K

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • msdt.exe (PID: 4080)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2056)
    • Drops a file with a compile date too recent

      • msdt.exe (PID: 4080)
    • Executable content was dropped or overwritten

      • msdt.exe (PID: 4080)
    • Executed via COM

      • sdiagnhost.exe (PID: 420)
      • sdiagnhost.exe (PID: 984)
  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 2056)
      • iexplore.exe (PID: 2944)
      • msdt.exe (PID: 4080)
      • sdiagnhost.exe (PID: 420)
      • ipconfig.exe (PID: 3516)
      • ROUTE.EXE (PID: 3732)
      • sdiagnhost.exe (PID: 984)
    • Checks supported languages

      • iexplore.exe (PID: 2944)
      • iexplore.exe (PID: 2056)
      • msdt.exe (PID: 4080)
      • sdiagnhost.exe (PID: 420)
      • ROUTE.EXE (PID: 3732)
      • ipconfig.exe (PID: 3516)
      • makecab.exe (PID: 736)
      • sdiagnhost.exe (PID: 984)
    • Application launched itself

      • iexplore.exe (PID: 2944)
    • Changes internet zones settings

      • iexplore.exe (PID: 2944)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 2944)
      • iexplore.exe (PID: 2056)
      • msdt.exe (PID: 4080)
      • sdiagnhost.exe (PID: 420)
      • sdiagnhost.exe (PID: 984)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2056)
      • iexplore.exe (PID: 2944)
      • msdt.exe (PID: 4080)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2056)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 2944)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2944)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 44
Monitored processes: 8
Malicious processes: 1
Suspicious processes: 1

Behavior graph

start
  • iexplore.exe
  • iexplore.exe
  • msdt.exe
  • sdiagnhost.exe (no specs)
  • ipconfig.exe (no specs)
  • route.exe (no specs)
  • makecab.exe (no specs)
  • sdiagnhost.exe (no specs)

Process information

PID: 2944
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://work.a-poster.info"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2056
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2944 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 4080
CMD: -modal 131368 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDF6389.tmp -ep NetworkDiagnosticsWeb
Path: C:\Windows\system32\msdt.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Diagnostics Troubleshooting Wizard
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 420
CMD: C:\Windows\System32\sdiagnhost.exe -Embedding
Path: C:\Windows\System32\sdiagnhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Scripted Diagnostics Native Host
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3516
CMD: "C:\Windows\system32\ipconfig.exe" /all
Path: C:\Windows\system32\ipconfig.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: IP Configuration Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3732
CMD: "C:\Windows\system32\ROUTE.EXE" print
Path: C:\Windows\system32\ROUTE.EXE
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Route Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 736
CMD: "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
Path: C:\Windows\system32\makecab.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Cabinet Maker
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 984
CMD: C:\Windows\System32\sdiagnhost.exe -Embedding
Path: C:\Windows\System32\sdiagnhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Scripted Diagnostics Native Host
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 15 099
Read events: 14 919
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 4
Suspicious files: 29
Text files: 81
Unknown types: 6

Dropped files

PID | Process | Filename | Type
2056 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\YKGW8KRW.txt | text
  MD5: 0AA1EC3983C814EEBC5FC6D36A478CF2
  SHA256: 23EAB7D1459B424CC6FDA3F9AE3B759B2A42D245DE34F3DC02435058132A7E9A
2944 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary
  MD5: AF2881814AE642F1F20A4831416CAA87
  SHA256: E7BA89152B556813C927CC0EEF602DA4C857672851235B05D6EDE7258FDAB3BC
2944 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | binary
  MD5: A116D9B77272349AB117FC4842633194
  SHA256: 9848E64E388488EF8654409D0D9307E9B5B39926D59792751D4F7A6F060AFC73
2056 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\8TJML2W1.txt | text
  MD5: 14F57E1CB3E1D105992AC8B4DE59E4D0
  SHA256: F3E22DA039EC3C5D69C892D42BB6A8C2F02D09AE5404DE3F56E60629B34186AE
2056 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\2IQKDF1V.txt | text
  MD5: 4970A6C220765C8D9E4E4FB8307C291D
  SHA256: 37A9E07378BF34FBD3986C4C63A409A4675B0BEB541C01175819579C5095A978
2944 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: F4DF08DCDDC9284F78E35D50BA3D023A
  SHA256: CF3168CA4F7EA8AD1B05287B1B9A47B5DDB46A66118FE2B03F51496A9FF93859
2056 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\3ITMC9UC.txt | text
  MD5: 48E990C45ECEDBD676348230610D0E4E
  SHA256: BBBBBB3B3E30534BBA622B989B669E665307F38B130E1BB07BB3DEB64F532472
2056 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\D501PGDG.txt | text
  MD5: 93E955707084F39426FE7FEDAF9BCE10
  SHA256: B14DB19B9377931348934B91528C8F408C01A19EB292DD07BBAB95CFF94C1F57
2944 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[1].ico | image
  MD5: DA597791BE3B6E732F0BC8B20E38EE62
  SHA256: 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
2944 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\urlblockindex[1].bin | binary
  MD5: FA518E3DFAE8CA3A0E495460FD60C791
  SHA256: 775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 40
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2944 | iexplore.exe | GET | | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | | | whitelisted
2944 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
2944 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertGlobalRootG2.crl | US | der | 926 b | whitelisted
2944 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
2944 | iexplore.exe | GET | 200 | 8.248.119.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ec9037d63de0d4ca | US | compressed | 4.70 Kb | whitelisted
2056 | iexplore.exe | GET | 403 | 37.1.217.172:80 | http://work.a-poster.info/ | DE | html | 963 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2944 | iexplore.exe | 13.107.21.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
2944 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
2056 | iexplore.exe | 37.1.217.172:80 | work.a-poster.info | Leaseweb Deutschland GmbH | DE | malicious
2056 | iexplore.exe | 13.107.5.80:443 | api.bing.com | Microsoft Corporation | US | whitelisted
2056 | iexplore.exe | 37.1.217.172:2500 | work.a-poster.info | Leaseweb Deutschland GmbH | DE | malicious
2944 | iexplore.exe | 8.248.119.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious
2944 | iexplore.exe | 152.199.19.161:443 | r20swj13mr.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2944 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
708 | svchost.exe | 37.1.217.172:2500 | work.a-poster.info | Leaseweb Deutschland GmbH | DE | malicious
2944 | iexplore.exe | 204.79.197.203:443 | www.msn.com | Microsoft Corporation | US | whitelisted

DNS requests

Domain | IP | Reputation
work.a-poster.info | 37.1.217.172 | malicious
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
ctldl.windowsupdate.com | 8.248.119.254, 8.248.131.254, 67.27.157.254, 8.253.204.121, 67.27.159.254 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
ieonline.microsoft.com | 204.79.197.200 | whitelisted
go.microsoft.com | 96.16.143.41 | whitelisted
www.msn.com | 204.79.197.203 | whitelisted

Threats

No threats detected
No debug info