analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Payment Copy.html

Full analysis: https://app.any.run/tasks/e7e63da7-01cb-4e72-9453-aadbce7256e1
Verdict: Malicious activity
Analysis date: January 17, 2020, 15:51:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
phishing
phish-excel
opendir
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5:

30A3B6BD9C16FB19D18777A258DF9B44

SHA1:

16D5E11A48D812B4B29B007D4C268EDB4D87063B

SHA256:

159D7A1FFE592359A3092712F06BABAEB8AC54AE11EEA0C197036C26F99789CD

SSDEEP:

3:nmNjJMzVJu+0vKV4EJAhVLWEkB2LGGESAIAR7e5MJ7M+uB1zWRKlSyTP:GMRJiKrOhVLWEkBsREzIA45IIJ1zWKll

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Excel phishing page detected

      • iexplore.exe (PID: 2068)

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 788)
      • iexplore.exe (PID: 2068)

    • Creates files in the user directory

      • iexplore.exe (PID: 1296)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2068)
      • iexplore.exe (PID: 1296)

    • Changes internet zones settings

      • iexplore.exe (PID: 1296)

    • Application launched itself

      • iexplore.exe (PID: 1296)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
3
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe no specs iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
1296"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\Payment Copy.htmlC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
788"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1296 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2068"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1296 CREDAT:137473C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
540
Read events
453
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
1
Text files
17
Unknown types
7

Dropped files

PID
Process
Filename
Type
1296iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
MD5:
SHA256:
1296iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2068iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\26XM8XBN\excelz[1].txt
MD5:
SHA256:
1296iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFD49BF955ADF7D66C.TMP
MD5:
SHA256:
2068iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\26XM8XBN\bizmail[1].php
MD5:
SHA256:
2068iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\NNULWE6K\wait[1].php
MD5:
SHA256:
788iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012020011720200118\index.datdat
MD5:A774FA00E98A069DB0D3A15438BDDAF6
SHA256:BB7D01F77421F90285BF0B66C6C725A3DADC24F2A9FE14095B05707182D1DB4E
2068iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012020011720200118\index.datdat
MD5:BD74CFD38E0E46D3AF0F0C6AA23A92B7
SHA256:DA7482B8F226EA2F3BE61C5F4E070473D3F60C47C5775DFF9FEDE870033E2233
2068iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.datdat
MD5:A8B02DCAC0B09EE4584D2A449C476291
SHA256:74B01E6E9E5257A3BA8208367354EE711CF1EFDB03DDD2ADFF3B36C96DB9712C
2068iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\26XM8XBN\styles[1].csstext
MD5:BA31A650BF67E374ADA4C9DD08899DCF
SHA256:66F05ABCA65A210DCCFFFC1C7E444C7E01BFB6F12F9D8BF7A281EFB739DEA9D7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
13
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2068
iexplore.exe
GET
200
64.111.117.104:80
http://saleamp.saleampdev.com/lower/Excelz/excelz/remove.php
US
html
475 b
malicious
2068
iexplore.exe
GET
304
64.111.117.104:80
http://saleamp.saleampdev.com/lower/Excelz/excelz/css/wait.css
US
compressed
475 b
malicious
2068
iexplore.exe
GET
200
64.111.117.104:80
http://saleamp.saleampdev.com/lower/Excelz/excelz/index.php
US
text
131 b
malicious
2068
iexplore.exe
GET
304
64.111.117.104:80
http://saleamp.saleampdev.com/lower/Excelz/excelz/img/ex.png
US
malicious
2068
iexplore.exe
GET
304
64.111.117.104:80
http://saleamp.saleampdev.com/lower/Excelz/excelz/css/styles.css
US
compressed
607 b
malicious
1296
iexplore.exe
GET
200
64.111.117.104:80
http://saleamp.saleampdev.com/favicon.ico
US
malicious
2068
iexplore.exe
GET
304
64.111.117.104:80
http://saleamp.saleampdev.com/lower/Excelz/excelz/img/ex.png
US
malicious
2068
iexplore.exe
GET
200
64.111.117.104:80
http://saleamp.saleampdev.com/lower/Excelz/excelz/wait.php
US
html
415 b
malicious
2068
iexplore.exe
GET
304
64.111.117.104:80
http://saleamp.saleampdev.com/lower/Excelz/excelz/img/pdf.png
US
compressed
475 b
malicious
2068
iexplore.exe
GET
200
64.111.117.104:80
http://saleamp.saleampdev.com/lower/Excelz/excelz/bizmail.php?email=&.rand=13vqcr8bp0gud&lc=1033&id=64855&mkt=en-us&cbcxt=mai&snsc=1
US
html
607 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2068
iexplore.exe
216.58.207.74:443
fonts.googleapis.com
Google Inc.
US
whitelisted
1296
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2068
iexplore.exe
172.217.18.99:443
fonts.gstatic.com
Google Inc.
US
whitelisted
1296
iexplore.exe
200.168.237.76:443
www.firb.br
Telefonica Data S.A.
BR
unknown
2068
iexplore.exe
64.111.117.104:80
saleamp.saleampdev.com
New Dream Network, LLC
US
malicious
1296
iexplore.exe
64.111.117.104:80
saleamp.saleampdev.com
New Dream Network, LLC
US
malicious

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
saleamp.saleampdev.com
  • 64.111.117.104
malicious
fonts.googleapis.com
  • 216.58.207.74
whitelisted
fonts.gstatic.com
  • 172.217.18.99
whitelisted
www.firb.br
  • 200.168.237.76
unknown

Threats

PID
Process
Class
Message
2068
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] Possible Successful Generic Phish
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
Payment Copy.html