analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

PO-July-82779.xls.htm

Full analysis: https://app.any.run/tasks/4c5fa3db-3e73-4814-ab26-a27ad7a6e0b5
Verdict: Malicious activity
Analysis date: July 18, 2019, 04:07:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
phishing
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with CRLF line terminators
MD5:

A1D158FE38220CF7C6612031CB3E737F

SHA1:

FA216503674DDC24139ABC7B406A7F3D640B9299

SHA256:

04F490CF71E9991C918BD0A3A15E5F9BFFF7DF87AD0EC0FFC87FB5246A80F07D

SSDEEP:

12:hnMEwhuX4w4vy4Wh96QclfVI9xuIcADq75b8Kc1Gb:hMhmMvy4Wvsq9VcAD+wKP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Creates files in the user directory

      • iexplore.exe (PID: 940)
      • iexplore.exe (PID: 3376)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 940)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3468)
      • iexplore.exe (PID: 940)

    • Application launched itself

      • iexplore.exe (PID: 3376)

    • Changes internet zones settings

      • iexplore.exe (PID: 3376)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.htm/html | HyperText Markup Language with DOCTYPE (80.6)
.html | HyperText Markup Language (19.3)

EXIF

HTML

Title: Untitled Document
Refresh: 1;url=http://gogianguyen.com/extension/reader/[email protected]
ContentType: text/html; charset=iso-8859-1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
36
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe no specs iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3376"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\PO-July-82779.xls.htmC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3468"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3376 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
940"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3376 CREDAT:137473C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
533
Read events
424
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
41
Unknown types
4

Dropped files

PID
Process
Filename
Type
3376iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF67B1906E25C903E0.TMP
MD5:
SHA256:
940iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:E6309CF6AE325752E1D1EADD1D37B15D
SHA256:E85BFEF5DF63A4683CB43AD60D8C1948FF4315051A6A51FDC26998EF9CA938F1
3468iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019071820190719\index.datdat
MD5:A4254B33A1FF62D0682B64F0F1993144
SHA256:D57E9CF3E4BB6D24A88C5551BBD90CA459D6E9374E5AAB26EF7902C3BDA0E52A
940iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IVNFW21D\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3376iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{A3277AC8-A911-11E9-B2FD-5254004A04AF}.datbinary
MD5:74A746790013D398331A306CDCD97E5E
SHA256:C0A50DEACD686EFA468DAE583EFE3D27E48AD496F52300A78C49E793CD216FAA
3376iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\favicon[1].ico
MD5:
SHA256:
3376iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
940iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:5A86EA60411D46D3C3A8DF0E24969D9D
SHA256:B5EDC2426FDB4636742659FA398BD8B40B70F090CB9C85B924570072F76E2D69
940iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\JSJOBE0U\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
940iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IVNFW21D\background_gradient[1]image
MD5:20F0110ED5E4E0D5384A496E4880139B
SHA256:1471693BE91E53C2640FE7BAEECBC624530B088444222D93F2815DFCE1865D5B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
21
DNS requests
4
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
940
iexplore.exe
GET
302
42.112.20.111:80
http://gogianguyen.com/extension/reader/[email protected]
VN
suspicious
940
iexplore.exe
GET
302
42.112.20.111:80
http://gogianguyen.com/extension/reader/?path=
VN
suspicious
940
iexplore.exe
GET
302
42.112.20.111:80
http://gogianguyen.com/extension/reader/[email protected]
VN
suspicious
940
iexplore.exe
GET
302
42.112.20.111:80
http://gogianguyen.com/extension/reader/[email protected]
VN
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3376
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
940
iexplore.exe
185.244.39.10:443
freshflands.co.za
unknown
185.244.39.10:443
freshflands.co.za
unknown
940
iexplore.exe
42.112.20.111:80
gogianguyen.com
The Corporation for Financing & Promoting Technology
VN
suspicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
gogianguyen.com
  • 42.112.20.111
suspicious
freshflands.co.za
  • 185.244.39.10
unknown

Threats

Found threats are available for the paid subscriptions
4 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
PO-July-82779.xls.htm