URL: http://url2407.cuellarayala.com

Full analysis: https://app.any.run/tasks/c092293c-981e-4089-86d3-664dd545de78
Verdict: Malicious activity
Analysis date: June 27, 2022, 10:53:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 150696751B66509F5EF0ADF4C1D36416
SHA1: 7D00398E42870999FE9403966B1BB2FE56C18C58
SHA256: F5F63C574498F10E0F6D69E4159B0D2A42BE3AEE03BC63418A3CFF6A78F7053C
SSDEEP: 3:N1KL/GHsJEU1TKI:CTGHsJE6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may have been influenced by user actions during the session and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Drops an executable file immediately after start
      • msdt.exe (PID: 2852)
  • SUSPICIOUS
    • Reads Microsoft Outlook installation path
      • iexplore.exe (PID: 924)
    • Executable content was dropped or overwritten
      • msdt.exe (PID: 2852)
    • Executed via COM
      • sdiagnhost.exe (PID: 3452)
    • Drops a file with a compile date too recent
      • msdt.exe (PID: 2852)
    • Uses IPCONFIG.EXE to discover IP address
      • sdiagnhost.exe (PID: 3452)
  • INFO
    • Checks supported languages
      • iexplore.exe (PID: 2088)
      • iexplore.exe (PID: 924)
      • msdt.exe (PID: 2852)
      • sdiagnhost.exe (PID: 3452)
      • ipconfig.exe (PID: 2568)
      • makecab.exe (PID: 1804)
      • ROUTE.EXE (PID: 1248)
    • Reads the computer name
      • iexplore.exe (PID: 924)
      • iexplore.exe (PID: 2088)
      • msdt.exe (PID: 2852)
      • sdiagnhost.exe (PID: 3452)
      • ipconfig.exe (PID: 2568)
      • ROUTE.EXE (PID: 1248)
    • Application launched itself
      • iexplore.exe (PID: 2088)
    • Changes internet zones settings
      • iexplore.exe (PID: 2088)
    • Reads Internet Explorer settings
      • iexplore.exe (PID: 924)
    • Checks Windows Trust Settings
      • msdt.exe (PID: 2852)
      • sdiagnhost.exe (PID: 3452)
      • iexplore.exe (PID: 2088)
    • Reads settings of System Certificates
      • msdt.exe (PID: 2852)
      • iexplore.exe (PID: 2088)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 43
Monitored processes: 7
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Process nodes: iexplore.exe, iexplore.exe (no specs), msdt.exe, sdiagnhost.exe (no specs), ipconfig.exe (no specs), route.exe (no specs), makecab.exe (no specs)

Process information

PID: 2088
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://url2407.cuellarayala.com"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 924
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2088 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin; Company: Microsoft Corporation; Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2852
CMD: -modal 131374 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDFA0CB.tmp -ep NetworkDiagnosticsWeb
Path: C:\Windows\system32\msdt.exe
Parent process: iexplore.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM
Description: Diagnostics Troubleshooting Wizard
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3452
CMD: C:\Windows\System32\sdiagnhost.exe -Embedding
Path: C:\Windows\System32\sdiagnhost.exe
Parent process: svchost.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM
Description: Scripted Diagnostics Native Host
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2568
CMD: "C:\Windows\system32\ipconfig.exe" /all
Path: C:\Windows\system32\ipconfig.exe
Parent process: sdiagnhost.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM
Description: IP Configuration Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1248
CMD: "C:\Windows\system32\ROUTE.EXE" print
Path: C:\Windows\system32\ROUTE.EXE
Parent process: sdiagnhost.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM
Description: TCP/IP Route Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1804
CMD: "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
Path: C:\Windows\system32\makecab.exe
Parent process: sdiagnhost.exe
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM
Description: Microsoft® Cabinet Maker
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 10 969
Read events: 10 793
Write events: 0
Delete events: 0
Modification events: no data

Executable files: 2
Suspicious files: 40
Text files: 36
Unknown types: 5

Dropped files

PID 2088, iexplore.exe: C:\Users\admin\AppData\Local\Temp\NDFA0CB.tmp (binary)
  MD5: 425C57BDFBD74EF31990B7E51419E9F0
  SHA256: 7CB4C03C1CBF21A86B9834476E771C1C3FEA062B30348E367C5AD157C5021E00

PID 2852, msdt.exe: C:\Users\admin\AppData\Local\Temp\SDIAG_6a47ac34-c0aa-4398-98f2-fe31651ccd08\InteractiveRes.ps1 (text)
  MD5: 25B8543DBF571F040118423BC3C7A75E
  SHA256: D78E6291D6F27AC6FEBDCF0A4D5A34521E7F033AF8875E026DF21BA7513AB64A

PID 2852, msdt.exe: C:\Users\admin\AppData\Local\Temp\SDIAG_6a47ac34-c0aa-4398-98f2-fe31651ccd08\result\EE1F9AD1-885C-4058-9DEE-B040B3385E6A.Diagnose.0.etl (etl)
  MD5: 61653D3605DC39995907745492931094
  SHA256: 9302484E1E5ABEC3151ACE55A38A12C4B3D0F2FC8412053F0CDA4E814C70555B

PID 3452, sdiagnhost.exe: C:\Users\admin\AppData\Local\Temp\tmpAC06.tmp\route.print.txt (text)
  MD5: 74BFCE2A5F05B874D42D161A4C0C7067
  SHA256: 3C53C162AACD792C4940E8922B8A62FEE8FC514AFA11178E8B08FAECF82848DE

PID 2852, msdt.exe: C:\Users\admin\AppData\Local\Temp\SDIAG_6a47ac34-c0aa-4398-98f2-fe31651ccd08\result\results.xsl (xml)
  MD5: 310E1DA2344BA6CA96666FB639840EA9
  SHA256: 67401342192BABC27E62D4C1E0940409CC3F2BD28F77399E71D245EAE8D3F63C

PID 2852, msdt.exe: C:\Users\admin\AppData\Local\Temp\SDIAG_6a47ac34-c0aa-4398-98f2-fe31651ccd08\UtilityFirewall.ps1 (text)
  MD5: B004AFC224E9216115EC3B0BF5D43BA2
  SHA256: 31B97632CA31D1BB21917A07757B2FF415DBB6A4E7DD7B533ECC52431ACF65B5

PID 2852, msdt.exe: C:\Users\admin\AppData\Local\Temp\SDIAG_6a47ac34-c0aa-4398-98f2-fe31651ccd08\HTInteractiveRes.ps1 (text)
  MD5: C25ED2111C6EE9299E6D9BF51012F2F5
  SHA256: 8E326EE0475208D4C943D885035058FAD7146BBA02B66305F7C9F31F6A57E81B

PID 2852, msdt.exe: C:\Users\admin\AppData\Local\Temp\SDIAG_6a47ac34-c0aa-4398-98f2-fe31651ccd08\StartDPSService.ps1 (text)
  MD5: A660422059D953C6D681B53A6977100E
  SHA256: D19677234127C38A52AEC23686775A8EB3F4E3A406F4A11804D97602D6C31813

PID 3452, sdiagnhost.exe: C:\Users\admin\AppData\Local\Temp\EE1F9AD1-885C-4058-9DEE-B040B3385E6A.Diagnose.0.etl (etl)
  MD5: 61653D3605DC39995907745492931094
  SHA256: 9302484E1E5ABEC3151ACE55A38A12C4B3D0F2FC8412053F0CDA4E814C70555B

PID 3452, sdiagnhost.exe: C:\Users\admin\AppData\Local\Temp\tmpAC06.tmp\ipconfig.all.txt (text)
  MD5: 829DDB4CB30A415C756D32BE189EB91E
  SHA256: 36DC91B5FA8905C645EE315752EA62E7183F2A42F2FCBF5016B02F187A40D2A1
Download the PCAP and analyze network streams, HTTP content and more in the full report.
HTTP(S) requests: 3
TCP/UDP connections: 11
DNS requests: 14
Threats: 0

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|-----|---------|--------|-----------|----|-----|----|------|------|------------|
| 2088 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
| 2088 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.78 Kb | whitelisted |
| 2088 | iexplore.exe | GET | 200 | 23.216.77.80:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ad6a947468c49ea5 | US | compressed | 4.70 Kb | whitelisted |

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|-----|---------|----|--------|-----|----|------------|
| 2088 | iexplore.exe | 23.216.77.80:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious |
| 2088 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
| 2088 | iexplore.exe | 13.107.22.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
| 2088 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
| 2088 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
| 2088 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |

DNS requests

| Domain | IP | Reputation |
|--------|----|------------|
| url2407.cuellarayala.com | (no answer recorded) | suspicious |
| api.bing.com | 13.107.5.80 | whitelisted |
| www.bing.com | 131.253.33.200, 13.107.22.200 | whitelisted |
| ctldl.windowsupdate.com | 23.216.77.80, 23.216.77.69 | whitelisted |
| ocsp.digicert.com | 93.184.220.29 | whitelisted |
| iecvlist.microsoft.com | 152.199.19.161 | whitelisted |
| r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted |
| crl3.digicert.com | 93.184.220.29 | whitelisted |

Threats: no threats detected
Debug info: none