analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

index.html

Full analysis: https://app.any.run/tasks/785ef91c-4075-43ae-93a5-c7b2d8d55908
Verdict: Malicious activity
Analysis date: April 23, 2019, 19:39:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with very long lines
MD5:

E3BC091C0FEF28E5EB6CA0DD435226B0

SHA1:

FFF1C12D818FD67F1313A499720C8206A551D2AD

SHA256:

0795802F5CB8EB383710CEFB8896FBBE3DD0DCA5DA78DB6D619D36C2A62D4D1F

SSDEEP:

96:jioOKIZRGKv7/xSOZ1fzDW4BuUHmhJ14tuk8MownOCwnv3fXRQy:jiozWYaDU2W4BXHd6MZnOCwvvRQy

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Connects to CnC server

      • iexplore.exe (PID: 2760)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 2600)
      • iexplore.exe (PID: 2760)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2148)
      • iexplore.exe (PID: 2600)
      • iexplore.exe (PID: 2760)

    • Application launched itself

      • iexplore.exe (PID: 2148)

    • Changes internet zones settings

      • iexplore.exe (PID: 2148)

    • Creates files in the user directory

      • iexplore.exe (PID: 2148)
      • iexplore.exe (PID: 2760)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 992)
      • WINWORD.EXE (PID: 2072)
      • WINWORD.EXE (PID: 3612)
      • WINWORD.EXE (PID: 1836)

    • Reads Microsoft Office registry keys

      • WINWORD.EXE (PID: 1836)
      • WINWORD.EXE (PID: 3612)
      • WINWORD.EXE (PID: 2072)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
45
Monitored processes
7
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe no specs iexplore.exe flashutil32_26_0_0_131_activex.exe no specs winword.exe no specs winword.exe no specs winword.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2148"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\index.htmlC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2600"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2148 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2760"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2148 CREDAT:203009C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
992C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Exit code:
0
Version:
26,0,0,131
1836"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\membershipbag.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
3612"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\modelstandards.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
2072"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\oralbus.rtf"C:\Program Files\Microsoft Office\Office14\WINWORD.EXEexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Word
Exit code:
0
Version:
14.0.6024.1000
Total events
2 838
Read events
2 515
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
5
Text files
51
Unknown types
19

Dropped files

PID
Process
Filename
Type
2148iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
2148iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2760iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\X1GTP6VG\ww25_sharebutton_co[1].txt
MD5:
SHA256:
2148iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF852F7A31BB08A090.TMP
MD5:
SHA256:
2148iexplore.exeC:\Users\admin\AppData\Local\Temp\StructuredQuery.logtext
MD5:6A0F0DA33D6F4C567FB08DA87A53947E
SHA256:1D8FFAD870F3143905A677EBFE83E2B421E295EAE3947581040075962BD1A234
2760iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.datdat
MD5:51658702A95A7BE63DED18786271FEA9
SHA256:43D9AA6A75EECC430159E1B13911F209EE1C687CB673CE4881B4583F4A1E0C55
2600iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019042320190424\index.datdat
MD5:29CED880E64EE53237144D9A093CD587
SHA256:620647BDC3C407BBBDDD933434457E3137820C15F29C071DBF9497E50BAA9E82
2760iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:85DD64CBB3AB47F1AB99A6F4519ACFB6
SHA256:F511757EC4CCC366EF6AAB253D859E06E374BB4BA5E7ECA5AFA724FCF512AA87
2760iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\42AOVN5N\caf[1].jstext
MD5:82DF91BD1E1D71716FE9281C50ACC824
SHA256:1812F2064F9870032DE63D872EAB082D78923F339B35EAFABF57842959258275
2760iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:3C982033F3DB2BB51970BD11B856A510
SHA256:F97A1A5692CDC58DA25008EA982F78188C7208DF83A845C34FE86D09F33B92ED
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
33
TCP/UDP connections
23
DNS requests
8
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2760
iexplore.exe
GET
302
103.224.182.250:80
http://sharebutton.co/
AU
malicious
2760
iexplore.exe
GET
301
199.83.128.102:80
http://aerogarden.com/
US
unknown
2760
iexplore.exe
GET
302
103.224.182.250:80
http://sharebutton.co/
AU
malicious
2760
iexplore.exe
GET
200
199.59.242.151:80
http://ww25.sharebutton.co/
US
html
3.93 Kb
malicious
2760
iexplore.exe
GET
200
172.217.16.196:80
http://www.google.com/adsense/domains/caf.js
US
text
55.3 Kb
whitelisted
2760
iexplore.exe
GET
200
199.59.242.151:80
http://ww25.sharebutton.co/glp?r=&u=http%3A%2F%2Fww25.sharebutton.co%2F&rw=1280&rh=720&ww=788&wh=460&ie=8
US
text
8.28 Kb
malicious
2148
iexplore.exe
GET
404
199.59.242.151:80
http://ww25.sharebutton.co/favicon.ico
US
html
3.93 Kb
malicious
2760
iexplore.exe
GET
200
199.59.242.151:80
http://ww25.sharebutton.co/
US
html
3.93 Kb
malicious
2760
iexplore.exe
GET
200
199.59.242.151:80
http://ww25.sharebutton.co/px.gif?ch=2&rn=6.32911647115849
US
image
42 b
malicious
2760
iexplore.exe
GET
200
199.59.242.151:80
http://ww25.sharebutton.co/px.gif?ch=2&rn=3.2279405013886535
US
image
42 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2148
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2148
iexplore.exe
199.59.242.151:80
ww25.sharebutton.co
Bodis, LLC
US
malicious
2760
iexplore.exe
216.58.207.78:80
www.google-analytics.com
Google Inc.
US
whitelisted
2760
iexplore.exe
199.59.242.151:80
ww25.sharebutton.co
Bodis, LLC
US
malicious
2760
iexplore.exe
172.217.16.196:80
www.google.com
Google Inc.
US
whitelisted
2760
iexplore.exe
172.217.22.74:443
fonts.googleapis.com
Google Inc.
US
whitelisted
2760
iexplore.exe
103.224.182.250:80
sharebutton.co
Trellian Pty. Limited
AU
unknown
2760
iexplore.exe
172.217.18.163:443
fonts.gstatic.com
Google Inc.
US
whitelisted
199.83.128.102:443
aerogarden.com
Incapsula Inc
US
unknown
2760
iexplore.exe
199.83.128.102:443
aerogarden.com
Incapsula Inc
US
unknown

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
sharebutton.co
  • 103.224.182.250
malicious
ww25.sharebutton.co
  • 199.59.242.151
malicious
www.google.com
  • 172.217.16.196
whitelisted
fonts.googleapis.com
  • 172.217.22.74
whitelisted
www.google-analytics.com
  • 216.58.207.78
whitelisted
fonts.gstatic.com
  • 172.217.18.163
whitelisted
aerogarden.com
  • 199.83.128.102
  • 192.230.81.102
  • 45.60.121.110
  • 45.60.131.110
unknown

Threats

PID
Process
Class
Message
2760
iexplore.exe
A Network Trojan was detected
ET CNC Ransomware Tracker Reported CnC Server group 1
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
index.html