download:

waO-K

Full analysis: https://app.any.run/tasks/95e3ad72-1e14-4f04-acce-850fe83d0c2b
Verdict: No threats detected
Analysis date: January 29, 2020, 03:51:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/html
File info: HTML document, UTF-8 Unicode text, with very long lines
MD5:

C1BD4E53712750B5D5D1322B1F342DB0

SHA1:

EFE50D149E659C5D33700F3F29313A1C9B83AC3C

SHA256:

02F514A7693458FA26FFB772C9C3D47F95C034E6829145CB6E6142B84F41CC87

SSDEEP:

96:/DrjJcAQw/H1qSJYHoGYBaBx3URDisj+sLbHT:/3j+zw/0u/GYEBx3Uosxn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2856)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3260)
      • iexplore.exe (PID: 1544)
      • iexplore.exe (PID: 2928)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2856)
      • iexplore.exe (PID: 2928)

    • Application launched itself

      • iexplore.exe (PID: 2856)

    • Creates files in the user directory

      • iexplore.exe (PID: 3260)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 1544)
      • iexplore.exe (PID: 2856)
      • iexplore.exe (PID: 3260)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1544)
      • iexplore.exe (PID: 2856)
      • iexplore.exe (PID: 3260)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3260)
      • iexplore.exe (PID: 2856)
      • iexplore.exe (PID: 1544)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)

EXIF

HTML

ContentType: text/html; charset=UTF-8
Robots: noindex, nofollow
Title: -
viewport: user-scalable=false, initial-scale=1.0, maximum-scale=1.0
Keywords: -
Description: -
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
4
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
1544"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2856 CREDAT:144390 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
2856"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\waO-K.htmlC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
2928"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2856 CREDAT:398593 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3260"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2856 CREDAT:144385 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
12 727
Read events
1 619
Write events
7 430
Delete events
3 678

Modification events

(PID) Process:(3260) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3260) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3260) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2856) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
2374142270
(PID) Process:(2856) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30791255
(PID) Process:(2856) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(2856) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(2856) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(2856) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2856) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
Executable files
0
Suspicious files
56
Text files
14
Unknown types
30

Dropped files

PID
Process
Filename
Type
2856iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3260iexplore.exeC:\Users\admin\AppData\Local\Temp\CabE363.tmp
MD5:
SHA256:
3260iexplore.exeC:\Users\admin\AppData\Local\Temp\TarE364.tmp
MD5:
SHA256:
3260iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verE3F2.tmp
MD5:
SHA256:
1544iexplore.exeC:\Users\admin\AppData\Local\Temp\CabE603.tmp
MD5:
SHA256:
1544iexplore.exeC:\Users\admin\AppData\Local\Temp\TarE604.tmp
MD5:
SHA256:
2928iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DATsmt
MD5:
SHA256:
2928iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\errorPageStrings[1]text
MD5:
SHA256:
2856iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[1].icoimage
MD5:9FB559A691078558E77D6848202F6541
SHA256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
2928iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\ErrorPageTemplate[1]text
MD5:F4FE1CB77E758E1BA56B8A8EC20417C5
SHA256:8D018639281B33DA8EB3CE0B21D11E1D414E59024C3689F92BE8904EB5779B5F
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28
TCP/UDP connections
48
DNS requests
27
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3260
iexplore.exe
GET
200
93.184.220.29:80
http://status.rapidssl.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJiUKgT2m88fZ4nxc1Lu6M%2FjvkagQUDNtsgkkPSmcKuBTuesRIUojrVjgCEAiAsZt%2B%2FK%2BOrNkrE99%2FwHw%3D
US
der
471 b
shared
3260
iexplore.exe
GET
200
2.22.118.40:80
http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgQX7PBbtvJ5dIIRtavQ9MLpng%3D%3D
GB
der
527 b
whitelisted
3260
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
US
der
727 b
whitelisted
3260
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D
US
der
471 b
whitelisted
3260
iexplore.exe
GET
200
2.22.118.33:80
http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
GB
der
1.37 Kb
whitelisted
3260
iexplore.exe
GET
200
50.63.243.230:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
3260
iexplore.exe
GET
200
50.63.243.230:80
http://ocsp.godaddy.com//MEQwQjBAMD4wPDAJBgUrDgMCGgUABBTkIInKBAzXkF0Qh0pel3lfHJ9GPAQU0sSw0pHUTBFxs2HLPaH%2B3ahq1OMCAxvnFQ%3D%3D
US
der
1.66 Kb
whitelisted
3260
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D
US
der
471 b
whitelisted
3260
iexplore.exe
GET
200
2.22.118.40:80
http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgQX7PBbtvJ5dIIRtavQ9MLpng%3D%3D
GB
der
527 b
whitelisted
3260
iexplore.exe
GET
200
151.139.128.14:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
US
der
727 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
52.59.161.204:80
wrison-subustall.com
Amazon.com, Inc.
DE
suspicious
3260
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
1544
iexplore.exe
152.199.19.161:443
iecvlist.microsoft.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3260
iexplore.exe
172.217.18.104:443
www.googletagmanager.com
Google Inc.
US
suspicious
1544
iexplore.exe
172.217.18.104:443
www.googletagmanager.com
Google Inc.
US
suspicious
3260
iexplore.exe
94.130.38.41:443
eu.track.digitaladsystems.com
Hetzner Online GmbH
DE
unknown
3260
iexplore.exe
74.117.182.35:443
stats-d1272-serving.com
WZ Communications Inc.
US
unknown
3260
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
185.70.212.101:443
tracker.ero-advertising.com
Caveo Internet BV
NL
suspicious
94.130.38.41:443
eu.track.digitaladsystems.com
Hetzner Online GmbH
DE
unknown

DNS requests

Domain
IP
Reputation
www.googletagmanager.com
  • 172.217.18.104
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
wrison-subustall.com
  • 52.59.161.204
  • 52.59.185.192
shared
ocsp.pki.goog
  • 172.217.22.3
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
trafforsrv.com
  • 67.22.42.112
whitelisted
tracker.ero-advertising.com
  • 185.70.212.101
  • 185.70.212.100
suspicious
tsyndicate.com
  • 104.17.49.107
  • 104.17.51.107
  • 104.17.50.107
  • 104.17.48.107
  • 104.17.47.107
whitelisted

Threats

No threats detected
No debug info