URL: | http://url2407.cuellarayala.com |
Full analysis: | https://app.any.run/tasks/c092293c-981e-4089-86d3-664dd545de78 |
Verdict: | Malicious activity |
Analysis date: | June 27, 2022, 10:53:11 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MD5: | 150696751B66509F5EF0ADF4C1D36416 |
SHA1: | 7D00398E42870999FE9403966B1BB2FE56C18C58 |
SHA256: | F5F63C574498F10E0F6D69E4159B0D2A42BE3AEE03BC63418A3CFF6A78F7053C |
SSDEEP: | 3:N1KL/GHsJEU1TKI:CTGHsJE6 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2088 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://url2407.cuellarayala.com" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
924 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2088 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
2852 | -modal 131374 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDFA0CB.tmp -ep NetworkDiagnosticsWeb | C:\Windows\system32\msdt.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Diagnostics Troubleshooting Wizard Exit code: 2 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3452 | C:\Windows\System32\sdiagnhost.exe -Embedding | C:\Windows\System32\sdiagnhost.exe | — | svchost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Scripted Diagnostics Native Host Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2568 | "C:\Windows\system32\ipconfig.exe" /all | C:\Windows\system32\ipconfig.exe | — | sdiagnhost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: IP Configuration Utility Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1248 | "C:\Windows\system32\ROUTE.EXE" print | C:\Windows\system32\ROUTE.EXE | — | sdiagnhost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: TCP/IP Route Command Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
1804 | "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf | C:\Windows\system32\makecab.exe | — | sdiagnhost.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft® Cabinet Maker Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
PID | Process | Filename | Type | |
---|---|---|---|---|
2088 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\NDFA0CB.tmp | binary | |
MD5:425C57BDFBD74EF31990B7E51419E9F0 | SHA256:7CB4C03C1CBF21A86B9834476E771C1C3FEA062B30348E367C5AD157C5021E00 | |||
2852 | msdt.exe | C:\Users\admin\AppData\Local\Temp\SDIAG_6a47ac34-c0aa-4398-98f2-fe31651ccd08\InteractiveRes.ps1 | text | |
MD5:25B8543DBF571F040118423BC3C7A75E | SHA256:D78E6291D6F27AC6FEBDCF0A4D5A34521E7F033AF8875E026DF21BA7513AB64A | |||
2852 | msdt.exe | C:\Users\admin\AppData\Local\Temp\SDIAG_6a47ac34-c0aa-4398-98f2-fe31651ccd08\result\EE1F9AD1-885C-4058-9DEE-B040B3385E6A.Diagnose.0.etl | etl | |
MD5:61653D3605DC39995907745492931094 | SHA256:9302484E1E5ABEC3151ACE55A38A12C4B3D0F2FC8412053F0CDA4E814C70555B | |||
3452 | sdiagnhost.exe | C:\Users\admin\AppData\Local\Temp\tmpAC06.tmp\route.print.txt | text | |
MD5:74BFCE2A5F05B874D42D161A4C0C7067 | SHA256:3C53C162AACD792C4940E8922B8A62FEE8FC514AFA11178E8B08FAECF82848DE | |||
2852 | msdt.exe | C:\Users\admin\AppData\Local\Temp\SDIAG_6a47ac34-c0aa-4398-98f2-fe31651ccd08\result\results.xsl | xml | |
MD5:310E1DA2344BA6CA96666FB639840EA9 | SHA256:67401342192BABC27E62D4C1E0940409CC3F2BD28F77399E71D245EAE8D3F63C | |||
2852 | msdt.exe | C:\Users\admin\AppData\Local\Temp\SDIAG_6a47ac34-c0aa-4398-98f2-fe31651ccd08\UtilityFirewall.ps1 | text | |
MD5:B004AFC224E9216115EC3B0BF5D43BA2 | SHA256:31B97632CA31D1BB21917A07757B2FF415DBB6A4E7DD7B533ECC52431ACF65B5 | |||
2852 | msdt.exe | C:\Users\admin\AppData\Local\Temp\SDIAG_6a47ac34-c0aa-4398-98f2-fe31651ccd08\HTInteractiveRes.ps1 | text | |
MD5:C25ED2111C6EE9299E6D9BF51012F2F5 | SHA256:8E326EE0475208D4C943D885035058FAD7146BBA02B66305F7C9F31F6A57E81B | |||
2852 | msdt.exe | C:\Users\admin\AppData\Local\Temp\SDIAG_6a47ac34-c0aa-4398-98f2-fe31651ccd08\StartDPSService.ps1 | text | |
MD5:A660422059D953C6D681B53A6977100E | SHA256:D19677234127C38A52AEC23686775A8EB3F4E3A406F4A11804D97602D6C31813 | |||
3452 | sdiagnhost.exe | C:\Users\admin\AppData\Local\Temp\EE1F9AD1-885C-4058-9DEE-B040B3385E6A.Diagnose.0.etl | etl | |
MD5:61653D3605DC39995907745492931094 | SHA256:9302484E1E5ABEC3151ACE55A38A12C4B3D0F2FC8412053F0CDA4E814C70555B | |||
3452 | sdiagnhost.exe | C:\Users\admin\AppData\Local\Temp\tmpAC06.tmp\ipconfig.all.txt | text | |
MD5:829DDB4CB30A415C756D32BE189EB91E | SHA256:36DC91B5FA8905C645EE315752EA62E7183F2A42F2FCBF5016B02F187A40D2A1 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2088 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
2088 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.78 Kb | whitelisted |
2088 | iexplore.exe | GET | 200 | 23.216.77.80:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ad6a947468c49ea5 | US | compressed | 4.70 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2088 | iexplore.exe | 23.216.77.80:80 | ctldl.windowsupdate.com | NTT DOCOMO, INC. | US | suspicious |
— | — | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2088 | iexplore.exe | 13.107.22.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2088 | iexplore.exe | 131.253.33.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2088 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
2088 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
url2407.cuellarayala.com |
| suspicious |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
r20swj13mr.microsoft.com |
| whitelisted |
crl3.digicert.com |
| whitelisted |