URL: https://www.zdsrb.com/
Full analysis: https://app.any.run/tasks/591f76d6-c6c3-4022-8df2-a4f9197dcc68
Verdict: Malicious activity
Analysis date: May 20, 2022, 17:48:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 489C98C6B70E5FC2C9B82A6F2142F5A2
SHA1: 0AE4F8F3567D0FE679F914627AEA56091C33344B
SHA256: 994B74142D180813F5F62A8DC7CAADCC1983FCDBE966D98A498AA9669E57721B
SSDEEP: 3:N8DSLpSZ3n:2OLI3n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    No malicious indicators.
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 3300)
  • INFO
    • Reads the computer name
      • iexplore.exe (PID: 2932)
      • iexplore.exe (PID: 3300)
    • Checks supported languages
      • iexplore.exe (PID: 2932)
      • iexplore.exe (PID: 3300)
    • Changes internet zones settings
      • iexplore.exe (PID: 2932)
    • Application launched itself
      • iexplore.exe (PID: 2932)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 2932)
      • iexplore.exe (PID: 3300)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3300)
    • Checks Windows Trust Settings
      • iexplore.exe (PID: 2932)
      • iexplore.exe (PID: 3300)
    • Creates files in the user directory
      • iexplore.exe (PID: 3300)
    • Changes settings of System certificates
      • iexplore.exe (PID: 2932)
    • Adds / modifies Windows certificates
      • iexplore.exe (PID: 2932)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph: start -> iexplore.exe -> iexplore.exe

Process information

PID: 2932
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "https://www.zdsrb.com/"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
PID: 3300
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2932 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
Total events: 15 031
Read events: 14 908
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 13
Text files: 90
Unknown types: 9

Dropped files

PID | Process | Filename | Type
2932 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | der
  MD5: AC8FE9D561E9E7288AECF13F03AEA3D1
  SHA256: CECD911136F3CCBE6F4869CBCBD9FD15B3FA91CD2FD49B9655FA3BCF8E932C05
3300 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751 | binary
  MD5: E41522DB4AEED49E77FC2016DC6E0955
  SHA256: E7CC899038F1CED4382684F8366F682C13776FDE944B1575B504DE96E28CAD4F
3300 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61 | binary
  MD5: A7C3F28D31FCD76CA89AE9A98842061D
  SHA256: 5B6076BECDEB4F98FC3325E3D2E8274FEAFBFC6D0CD3769FD486590239C1DAC5
2932 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: 04CEE294FE91677179465353FB62196E
  SHA256: 67D60D9D5BE2626E4F67CCE1E6617316B9404939E67D4C00F06E14BCBBCA5836
3300 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | der
  MD5: 41FBBFEF77C9E15DF36E1CB541503D98
  SHA256: 1C596FD0B7231E43E672CB027BE6117200830DD98929F060C3A97F8EFC4EAE17
3300 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0F66AE770D6A04BBC5B544A67AD2CAC1 | binary
  MD5: C6BB43F2A78911C17F0F041E5B9D2BA2
  SHA256: 36DA58CEBEDEE503E463DEFD576FD706BE0A5AB5D5E52E1E9FCFD57F83A10D9B
3300 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27 | binary
  MD5: D43023367C72259428997D8EE08BD776
  SHA256: 8D2137C9A4ADD3E985AB74EF346DC6E8ED91FDC1329029B2ABED30F6DD79A0D8
3300 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar2D6C.tmp | cat
  MD5: E721613517543768F0DE47A6EEEE3475
  SHA256: 3163B82D1289693122EF99ED6C3C1911F68AA2A7296907CEBF84C897141CED4E
2932 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[1].ico | image
  MD5: DA597791BE3B6E732F0BC8B20E38EE62
  SHA256: 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
2932 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63 | binary
  MD5: 0F70AF49CC204CAAD7B0E5058F79EE77
  SHA256: DECD8F6F0D14746B29031C4F491EFAEE6F4BA1119FD8A37B850CAAF90FF82DD3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 33
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2932 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
3300 | iexplore.exe | GET | 200 | 8.252.108.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?32d69f427658f80a | US | compressed | 60.0 Kb | whitelisted
3300 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEAo3h2ReX7SMIk79G%2B0UDDw%3D | US | der | 1.47 Kb | whitelisted
3300 | iexplore.exe | GET | 200 | 8.252.108.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?9535bc8dec02140c | US | compressed | 60.0 Kb | whitelisted
3300 | iexplore.exe | GET | 200 | 96.16.145.230:80 | http://x2.c.lencr.org/ | US | der | 299 b | whitelisted
3300 | iexplore.exe | GET | 200 | 96.16.145.230:80 | http://x1.c.lencr.org/ | US | der | 717 b | whitelisted
2932 | iexplore.exe | GET | 200 | 8.252.108.126:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5d5316d772b7bea3 | US | compressed | 4.70 Kb | whitelisted
2932 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
3300 | iexplore.exe | GET | 200 | 184.24.77.79:80 | http://e1.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBTvkAFw3ViPKmUeIVEf3NC7b1ErqwQUWvPtK%2Fw2wjd5uVIw6lRvz1XLLqwCEgRVZhZzztJBLpfAIUNLp4MyAw%3D%3D | US | der | 345 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2932 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
3300 | iexplore.exe | 104.21.95.157:443 | www.zdsrb.com | Cloudflare Inc | US | suspicious
3300 | iexplore.exe | 172.67.145.231:443 | www.zdsrb.com | | US | suspicious
2932 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2932 | iexplore.exe | 172.67.145.231:443 | www.zdsrb.com | | US | suspicious
3300 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2932 | iexplore.exe | 8.252.108.126:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | unknown
3300 | iexplore.exe | 184.24.77.79:80 | e1.o.lencr.org | Time Warner Cable Internet LLC | US | suspicious
3300 | iexplore.exe | 8.252.108.126:80 | ctldl.windowsupdate.com | Level 3 Communications, Inc. | US | unknown
2932 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted

DNS requests

Domain | IP | Reputation
www.zdsrb.com | 172.67.145.231, 104.21.95.157 | unknown
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
ctldl.windowsupdate.com | 8.252.108.126, 8.252.188.254, 8.250.163.254, 8.252.177.254, 8.252.41.254 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
www.dszrb.com | 188.114.97.10, 188.114.96.10 | malicious
x1.c.lencr.org | 96.16.145.230 | whitelisted
x2.c.lencr.org | 96.16.145.230 | whitelisted
e1.o.lencr.org | 184.24.77.79, 184.24.77.48, 184.24.77.62, 184.24.77.56, 184.24.77.53 | whitelisted
s.8o.cm | 188.114.97.10, 188.114.96.10 | malicious

Threats: no threats detected
Debug info: none