analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://ocsp.comodoca.com

Full analysis: https://app.any.run/tasks/c7ceeb7f-0d0c-4637-9ffa-e4902160bc1c
Verdict: Malicious activity
Analysis date: May 20, 2022, 17:37:24
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

8C0D8EC1DE24F5D278840EB0BE24D2E6

SHA1:

6554EFE5DE01EA9EDA2728CE929F7A46438FB08E

SHA256:

A0C433D3AB74AB9230B21FF200DDA1DBF7A5EDEEA3DC24DC22B3BE3679DE3568

SSDEEP:

3:N8PSCLGKIn:2aCLKn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops executable file immediately after starts

      • msdt.exe (PID: 3332)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 1204)
      • iexplore.exe (PID: 952)
    • Executable content was dropped or overwritten

      • msdt.exe (PID: 3332)
    • Executed via COM

      • sdiagnhost.exe (PID: 372)
    • Drops a file with a compile date too recent

      • msdt.exe (PID: 3332)
    • Uses IPCONFIG.EXE to discover IP address

      • sdiagnhost.exe (PID: 372)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 1204)
      • iexplore.exe (PID: 952)
      • msdt.exe (PID: 3332)
      • ipconfig.exe (PID: 752)
      • ROUTE.EXE (PID: 3644)
      • sdiagnhost.exe (PID: 372)
      • makecab.exe (PID: 3780)
      • control.exe (PID: 4008)
      • rundll32.exe (PID: 2592)
    • Reads the computer name

      • iexplore.exe (PID: 952)
      • iexplore.exe (PID: 1204)
      • msdt.exe (PID: 3332)
      • ROUTE.EXE (PID: 3644)
      • sdiagnhost.exe (PID: 372)
      • ipconfig.exe (PID: 752)
      • control.exe (PID: 4008)
      • rundll32.exe (PID: 2592)
    • Changes internet zones settings

      • iexplore.exe (PID: 952)
    • Application launched itself

      • iexplore.exe (PID: 952)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 952)
      • msdt.exe (PID: 3332)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1204)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 952)
      • msdt.exe (PID: 3332)
      • sdiagnhost.exe (PID: 372)
    • Changes settings of System certificates

      • iexplore.exe (PID: 952)
    • Creates files in the user directory

      • iexplore.exe (PID: 952)
    • Manual execution by user

      • rundll32.exe (PID: 2592)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 952)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 952)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
9
Malicious processes
0
Suspicious processes
1

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe msdt.exe sdiagnhost.exe no specs ipconfig.exe no specs route.exe no specs makecab.exe no specs control.exe no specs rundll32.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
952"C:\Program Files\Internet Explorer\iexplore.exe" "https://ocsp.comodoca.com"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1204"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:952 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3332 -modal 131384 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDF73F5.tmp -ep NetworkDiagnosticsWebC:\Windows\system32\msdt.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Diagnostics Troubleshooting Wizard
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
372C:\Windows\System32\sdiagnhost.exe -EmbeddingC:\Windows\System32\sdiagnhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Scripted Diagnostics Native Host
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
752"C:\Windows\system32\ipconfig.exe" /allC:\Windows\system32\ipconfig.exesdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
IP Configuration Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3644"C:\Windows\system32\ROUTE.EXE" printC:\Windows\system32\ROUTE.EXEsdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
TCP/IP Route Command
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3780"C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddfC:\Windows\system32\makecab.exesdiagnhost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® Cabinet Maker
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
4008"C:\Windows\System32\control.exe" /name Microsoft.Troubleshooting /page "resultPage?keywords=+;NetworkDiagnostics"C:\Windows\System32\control.exemsdt.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Control Panel
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2592"C:\Windows\System32\rundll32.exe" werconcpl.dll, LaunchErcApp -queuereportingC:\Windows\System32\rundll32.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
13 731
Read events
13 320
Write events
0
Delete events
0

Modification events

No data
Executable files
2
Suspicious files
42
Text files
45
Unknown types
6

Dropped files

PID
Process
Filename
Type
952iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776binary
MD5:B35EB45260B37DEC4B2D74E29624F731
SHA256:4887A3BE29054A90EAC45AE925FE4045BFC7A06D3F56BB54C0535560E4721E18
952iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:755F7747EC2E2210D3281A20BC8707B8
SHA256:5267337D6C6756D701B2005488F2C3F433EC6D30D130C9E526D30ADD5B0A9ED8
952iexplore.exeC:\Users\admin\AppData\Local\Temp\NDF73F5.tmpbinary
MD5:AB3A5CE8D0340D5A6B334616A6C0E99E
SHA256:E225D48EA30D2C3423ADCA40A6E7397761C8825914C44335460955ED64568960
952iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776der
MD5:FA526918A211E850A6078FB1D00B2045
SHA256:396B94C667643AFA59D155EF4D812DA6F4D67DD50CEC97194E1CA3A1B3ECE3FE
952iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:F7DCB24540769805E5BB30D193944DCE
SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
952iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:AC8FE9D561E9E7288AECF13F03AEA3D1
SHA256:CECD911136F3CCBE6F4869CBCBD9FD15B3FA91CD2FD49B9655FA3BCF8E932C05
952iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:91AEA7BF3E5EDE9D4DD04F7214789DB2
SHA256:16CE5D3B95CF0D32B016F2543C436BBCF861EB8AEB8CE2ED130AD3B35C3A3587
952iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
952iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\favicon[2].icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
952iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\urlblockindex[1].binbinary
MD5:FA518E3DFAE8CA3A0E495460FD60C791
SHA256:775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
43
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
952
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
952
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
952
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA177el9ggmWelJjG4vdGL0%3D
US
der
471 b
whitelisted
952
iexplore.exe
GET
200
23.216.77.69:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?5f835ff804f18e6a
US
compressed
4.70 Kb
whitelisted
952
iexplore.exe
GET
200
67.27.233.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?403681cf10338ed3
US
compressed
4.70 Kb
whitelisted
952
iexplore.exe
GET
200
67.27.233.126:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f2852c8b8397ced7
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1204
iexplore.exe
172.64.155.188:443
ocsp.comodoca.com
US
suspicious
952
iexplore.exe
8.241.9.254:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious
952
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
952
iexplore.exe
13.107.21.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
1204
iexplore.exe
104.18.32.68:443
ocsp.comodoca.com
Cloudflare Inc
US
suspicious
952
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
952
iexplore.exe
67.27.233.126:80
ctldl.windowsupdate.com
Level 3 Communications, Inc.
US
suspicious
952
iexplore.exe
23.216.77.69:80
ctldl.windowsupdate.com
NTT DOCOMO, INC.
US
suspicious
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
952
iexplore.exe
131.253.33.203:443
www.msn.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
ocsp.comodoca.com
  • 172.64.155.188
  • 104.18.32.68
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
ctldl.windowsupdate.com
  • 8.241.9.254
  • 67.27.233.126
  • 8.248.117.254
  • 8.248.131.254
  • 8.253.204.249
  • 23.216.77.69
  • 23.216.77.80
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted
go.microsoft.com
  • 96.16.143.41
  • 104.90.179.99
whitelisted
www.msn.com
  • 131.253.33.203
whitelisted

Threats

PID
Process
Class
Message
1204
iexplore.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
1204
iexplore.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
1204
iexplore.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
1204
iexplore.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
824
svchost.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
824
svchost.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
1204
iexplore.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
1204
iexplore.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
1204
iexplore.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
1204
iexplore.exe
Potentially Bad Traffic
ET INFO TLS Handshake Failure
No debug info