File name: Audio305610.htm
Full analysis: https://app.any.run/tasks/e216113d-baec-4cef-86be-67e7a16c47e3
Verdict: Malicious activity
Analysis date: October 20, 2020, 06:23:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with no line terminators
MD5: EA376E2333DDBBE73029471BDCD11214
SHA1: 77CB653E9297343368454A1664A1B80EE03947BC
SHA256: FBE8F26034C13B9C3318106FB05596757A8E3D2D473C8055C20A4B0FD286CA7A
SSDEEP: 3:nmNjJMzVJu+1vK3VYfCZVxLGe2b0tJHbT9GVVBUMaB/WU80b:GMRJVSOfCrxyfI7HW3lv0b

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as-is for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executed via COM

      • sdiagnhost.exe (PID: 1764)
      • sdiagnhost.exe (PID: 2848)
      • helppane.exe (PID: 2484)
    • Uses IPCONFIG.EXE to discover IP address

      • sdiagnhost.exe (PID: 1764)
    • Executable content was dropped or overwritten

      • msdt.exe (PID: 3424)
    • Reads internet explorer settings

      • helppane.exe (PID: 2484)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 1772)
      • iexplore.exe (PID: 896)
    • Changes internet zones settings

      • iexplore.exe (PID: 896)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 896)
      • iexplore.exe (PID: 2824)
    • Reads internet explorer settings

      • iexplore.exe (PID: 1772)
      • iexplore.exe (PID: 3380)
      • iexplore.exe (PID: 2824)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 896)
    • Manual execution by user

      • rundll32.exe (PID: 2080)
    • Changes settings of System certificates

      • iexplore.exe (PID: 896)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 896)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 51
Monitored processes: 13
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Processes shown in the graph (interactive details are in the full report): iexplore.exe, iexplore.exe (no specs), iexplore.exe (no specs), iexplore.exe (no specs), msdt.exe, sdiagnhost.exe (no specs), ipconfig.exe (no specs), route.exe (no specs), makecab.exe (no specs), sdiagnhost.exe (no specs), control.exe (no specs), rundll32.exe (no specs), helppane.exe (no specs)

Process information

PID: 896
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\Audio305610.htm
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 1772
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:896 CREDAT:144385 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2824
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:896 CREDAT:333057 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3380
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:896 CREDAT:144390 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3424
CMD: -modal 262596 -skip TRUE -path C:\Windows\diagnostics\system\networking -af C:\Users\admin\AppData\Local\Temp\NDF667F.tmp -ep NetworkDiagnosticsWeb
Path: C:\Windows\system32\msdt.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Diagnostics Troubleshooting Wizard
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1764
CMD: C:\Windows\System32\sdiagnhost.exe -Embedding
Path: C:\Windows\System32\sdiagnhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Scripted Diagnostics Native Host
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2240
CMD: "C:\Windows\system32\ipconfig.exe" /all
Path: C:\Windows\system32\ipconfig.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: IP Configuration Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2760
CMD: "C:\Windows\system32\ROUTE.EXE" print
Path: C:\Windows\system32\ROUTE.EXE
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: TCP/IP Route Command
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3880
CMD: "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
Path: C:\Windows\system32\makecab.exe
Parent process: sdiagnhost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® Cabinet Maker
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2848
CMD: C:\Windows\System32\sdiagnhost.exe -Embedding
Path: C:\Windows\System32\sdiagnhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Scripted Diagnostics Native Host
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 244
Read events: 1 077
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 4
Suspicious files: 9
Text files: 50
Unknown types: 5

Dropped files

PID 896, iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
Type: not given; MD5: not given; SHA256: not given

PID 2824, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\httpErrorPagesScripts[1]
Type: not given; MD5: not given; SHA256: not given

PID 2824, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\errorPageStrings[2]
Type: text
MD5: E3E4A98353F119B80B323302F26B78FA
SHA256: 9466D620DC57835A2475F8F71E304F54AEE7160E134BA160BAAE0F19E5E71E66

PID 2824, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\errorPageStrings[1]
Type: text
MD5: E3E4A98353F119B80B323302F26B78FA
SHA256: 9466D620DC57835A2475F8F71E304F54AEE7160E134BA160BAAE0F19E5E71E66

PID 896, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\NDF667F.tmp
Type: binary
MD5: 2E48CE6D4B9B006FE368EBECB8EC1597
SHA256: 4B251CC833419434012E34969D86D29B80FBF17F3D0B1EB7020518EC28D4FCFB

PID 3424, msdt.exe
Filename: C:\Users\admin\AppData\Local\Temp\SDIAG_28358f53-3f56-4ba3-a26e-10edb8269893\DiagPackage.diagpkg
Type: xml
MD5: C9FB87FA3460FAE6D5D599236CFD77E2
SHA256: CDE728C08A4E50A02FCFF35C90EE2B3B33AB24C8B858F180B6A67BFA94DEF35F

PID 3424, msdt.exe
Filename: C:\Users\admin\AppData\Local\Temp\SDIAG_28358f53-3f56-4ba3-a26e-10edb8269893\NetworkDiagnosticsTroubleshoot.ps1
Type: text
MD5: 1D192CE36953DBB7DC7EE0D04C57AD8D
SHA256: 935A231924AE5D4A017B0C99D4A5F3904EF280CEA4B3F727D365283E26E8A756

PID 3424, msdt.exe
Filename: C:\Users\admin\AppData\Local\Temp\SDIAG_28358f53-3f56-4ba3-a26e-10edb8269893\StartDPSService.ps1
Type: text
MD5: A660422059D953C6D681B53A6977100E
SHA256: D19677234127C38A52AEC23686775A8EB3F4E3A406F4A11804D97602D6C31813

PID 2824, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\NewErrorPageTemplate[1]
Type: text
MD5: CDF81E591D9CBFB47A7F97A2BCDB70B9
SHA256: 204D95C6FB161368C795BB63E538FE0B11F9E406494BB5758B3B0D60C5F651BD

PID 2824, iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\httpErrorPagesScripts[2]
Type: text
MD5: 3F57B781CB3EF114DD0B665151571B7B
SHA256: 46E019FA34465F4ED096A9665D1827B54553931AD82E98BE01EDB1DDBC94D3AD
HTTP(S) requests: 3
TCP/UDP connections: 7
DNS requests: 16
Threats: 0

HTTP requests

PID 896, iexplore.exe | GET | HTTP 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | CN: US | type: der | size: 1.47 Kb | reputation: whitelisted

PID 896, iexplore.exe | GET | HTTP 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | CN: US | type: der | size: 1.47 Kb | reputation: whitelisted

PID 896, iexplore.exe | GET | HTTP 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | CN: US | type: image | size: 237 b | reputation: whitelisted

Connections

PID 896, iexplore.exe | 204.79.197.200:80 | www.bing.com | ASN: Microsoft Corporation | CN: US | reputation: whitelisted

PID 896, iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | ASN: MCI Communications Services, Inc. d/b/a Verizon Business | CN: US | reputation: whitelisted

PID 896, iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | ASN: MCI Communications Services, Inc. d/b/a Verizon Business | CN: US | reputation: whitelisted

DNS requests

buzzinga.gr | IP: not given | reputation: unknown
api.bing.com | IP: 13.107.5.80 | reputation: whitelisted
www.bing.com | IP: 204.79.197.200, 13.107.21.200 | reputation: whitelisted
iecvlist.microsoft.com | IP: 152.199.19.161 | reputation: whitelisted
r20swj13mr.microsoft.com | IP: 152.199.19.161 | reputation: whitelisted
ocsp.digicert.com | IP: 93.184.220.29 | reputation: whitelisted

Threats

No threats detected
No debug info