URL: https://pza.sanbi.org
Full analysis: https://app.any.run/tasks/d1dd977c-b59d-46f0-b069-42d7f0652698
Verdict: Malicious activity
Analysis date: August 12, 2022, 15:12:17
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MD5: D2B1B651A619066DF0F6765A8006061C
SHA1: E643AF33847F49CC0943317906BA5AE4EA8621EF
SHA256: 7B4647225A211A3CF00423C77C2CAEAC29E1BD2D23CCBF0084311134FCDBC437
SSDEEP: 3:N8bEikMLKXCn:2nn
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3152 | "C:\Program Files\Internet Explorer\iexplore.exe" "https://pza.sanbi.org" | C:\Program Files\Internet Explorer\iexplore.exe | | Explorer.EXE | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
2884 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3152 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: LOW; Description: Internet Explorer; Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
3712 | -modal 131368 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDFF044.tmp -ep NetworkDiagnosticsWeb | C:\Windows\system32\msdt.exe | | iexplore.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Diagnostics Troubleshooting Wizard; Exit code: 4294967295; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
2244 | C:\Windows\System32\sdiagnhost.exe -Embedding | C:\Windows\System32\sdiagnhost.exe | — | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Scripted Diagnostics Native Host; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255)
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
3152 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\NDFF044.tmp | binary | D07E00DFC28FBECF2B7003CFD1BE2864 | D7B4DC9F4F77C75C3615BB7ACA9F3BE06ABB7E91211AD84A9BAEA6DB8C184B3D
2884 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\96DD3FB36E520A44B4555F9239BEA849_8D3DB60EE876B77A3F8E091C01496D06 | binary | E8126F32B0A264B8BAACD3C85DBA4D34 | DD233EA18ACF9635179CFC6612E84BD1BB1E65C7CE203929846143921D512787
3152 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | CDA7C739F2081B22FAD77DABFF207C0F | FA34EF1F43DFD42563472E13B933A52621FF7A1B2483FA94AE94AEC63ADAADCA
2884 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\69C6F6EC64E114822DF688DC12CDD86C | binary | A6EADCF2E17F508CA7357EE547F9D9CA | C1A034CAB0A3A567D85C709966826CCB6E6FF4CD5796D8A1F3522F872F14B2DA
3152 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary | E99B552C10A4C66C6948A7083EB45580 | 5096C673AD1CFA03B196A0E91CF1B9C4998ABD331BB7363BD397E95F73E57DA2
3152 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der | EE87BB11E233C12009CC11725035DBDC | D82930A5B051B3C3F1639C24E83BDDF41D5AA66E467A0944D1AC3D59AE6330C5
2884 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\96DD3FB36E520A44B4555F9239BEA849_8D3DB60EE876B77A3F8E091C01496D06 | der | 5C5C01EFB9BDB1331C1692318FD286D5 | 35D926BF68B19594D738FEF37721A71D72664CAC52F9653821CD2D6F6E6A80EE
2884 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\69C6F6EC64E114822DF688DC12CDD86C | der | 2B747E5CE2A2683F775CCC6D2AFFAE32 | 2B0CC895C8EA6988CC2B96BF351FFF1CDF72527AE8265D958FC6F4901F66E9BC
3152 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | image | DA597791BE3B6E732F0BC8B20E38EE62 | 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3152 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[1].ico | image | DA597791BE3B6E732F0BC8B20E38EE62 | 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2884 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertGlobalRootCA.crl | US | der | 631 b | whitelisted |
3152 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted |
2884 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSY%2BQAyqcBl6zxPqFEOTI24pxAWAwQUpbTW6zbE52um38RkCwEqIAS4ZiMCEAzhlJWyL%2FYNNsFFwbyyqIM%3D | US | der | 727 b | whitelisted |
3152 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | der | 471 b | whitelisted |
2884 | iexplore.exe | GET | 200 | 8.249.61.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?7cb162f88bb97b9e | US | compressed | 4.70 Kb | whitelisted |
3152 | iexplore.exe | GET | 200 | 8.249.61.254:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?1583a2bb1261b62d | US | compressed | 4.70 Kb | whitelisted |
2884 | iexplore.exe | GET | 200 | 142.250.185.99:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQDyjRAUcVc1IArKByftf8KS | US | der | 472 b | whitelisted |
2884 | iexplore.exe | GET | 200 | 142.250.185.99:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted |
2884 | iexplore.exe | GET | 200 | 142.250.185.99:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted |
2884 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTubeiRal9hlMRbT70r8I4mClph2gQUEsmImy%2FJRHp9EvHfQANCmJLHJNYCEAcCGA93OBA6vvC7OQ5PEok%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3152 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2884 | iexplore.exe | 8.249.61.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious |
2884 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3152 | iexplore.exe | 13.107.22.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2884 | iexplore.exe | 41.203.16.131:443 | pza.sanbi.org | HETZNER | ZA | suspicious |
3152 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3152 | iexplore.exe | 8.249.61.254:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | suspicious |
3152 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
732 | svchost.exe | 41.203.16.131:443 | pza.sanbi.org | HETZNER | ZA | suspicious |
3152 | iexplore.exe | 204.79.197.200:443 | ieonline.microsoft.com | Microsoft Corporation | US | whitelisted |
Domain | IP | Reputation
---|---|---
pza.sanbi.org | | suspicious
api.bing.com | | whitelisted
www.bing.com | | whitelisted
ctldl.windowsupdate.com | | whitelisted
ocsp.digicert.com | | whitelisted
crl3.digicert.com | | whitelisted
iecvlist.microsoft.com | | whitelisted
r20swj13mr.microsoft.com | | whitelisted
ieonline.microsoft.com | | whitelisted
go.microsoft.com | | whitelisted
PID | Process | Class | Message |
---|---|---|---|
732 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
732 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
732 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
732 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
732 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
732 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |
732 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure |