URL: http://transamericaannuities.com.login.login.aspx.profile.web.ssocontroller.cmd.ssoresume.idpxuhs3.resumesaml20.idp.sso.pingspentityft.sharpiescharitychallenge.com.au/transed/lifeinsurance/step2.php

Full analysis: https://app.any.run/tasks/8fedaa45-fa05-41fd-8ddc-d1c2b54076bc
Verdict: Malicious activity
Analysis date: January 22, 2019, 18:25:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: phishing
Indicators:
MD5: C04532F45A8B9B642AA72C4E6D5C34D3
SHA1: 12BE1CE5573DEE64CC59EBC9209CB1DEB17DE40F
SHA256: 192C023FCDC77FD3A74FAE96CFC1187A3EFB9C8C5D4E7BE3CDE1DC7B944ADC82
SSDEEP: 6:CKXOGQrM/8fLVXKxlKN204AMfzvGLGKILqKBLAKXUibV:/fQfL6l649zNLWKXzx

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS: no malicious indicators.
  • SUSPICIOUS: no suspicious indicators.
  • INFO
    • Changes internet zones settings
      • iexplore.exe (PID: 3028)
    • Reads internet explorer settings
      • iexplore.exe (PID: 3604)
    • Application launched itself
      • iexplore.exe (PID: 3028)
    • Creates files in the user directory
      • iexplore.exe (PID: 3028)
      • iexplore.exe (PID: 3604)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 3604)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 3604)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 32
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start → iexplore.exe (PID 3028) → iexplore.exe (PID 3604)

Process information

PID 3028
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://transamericaannuities.com.login.login.aspx.profile.web.ssocontroller.cmd.ssoresume.idpxuhs3.resumesaml20.idp.sso.pingspentityft.sharpiescharitychallenge.com.au/transed/lifeinsurance/step2.php
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3604
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3028 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 435
Read events: 373
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 0
Text files: 16
Unknown types: 2

Dropped files

PID 3028, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
  Type: (not listed)
  MD5: (not listed)
  SHA256: (not listed)

PID 3028, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Type: (not listed)
  MD5: (not listed)
  SHA256: (not listed)

PID 3604, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\jquery.payment[1].js
  Type: text
  MD5: B1EB4D2AC3B3C54098052F2ECB0DBC17
  SHA256: 60499C4335239D51FA6EF40BD909BA8E62A2A468B16B74F0FD9FADAC1EEE4BBF

PID 3028, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019012220190123\index.dat
  Type: dat
  MD5: BD9DB61FD5FC0EFA89938DFC287B04BC
  SHA256: A4C2F0474EED16DCD0BEEDF8EC0377EB3F12129EC46E95E04875B336BCAB135E

PID 3604, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\t1[1].png
  Type: image
  MD5: ED9430FB42911308D6FCC66353F6E9C7
  SHA256: FD79F9D0D5BEBC9EA818DBE55EB7B18D4F7044C4B6F630A6903CCF4E3A8092F3

PID 3604, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\t2[1].png
  Type: image
  MD5: 93980FCB4F017F689F1955F8561632EE
  SHA256: 7C8CEC44B72E594EFA89DC1F8BADE07643F46EC81A5D688D1884258A143723A9

PID 3604, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\step2[1].htm
  Type: html
  MD5: 7E675C88E98312411B642D9E718E1FEA
  SHA256: 298AA0FD9C0D8F4FEF23F6974801CF1CB6BCC82DF48C905DC8E84F5761154EB9

PID 3604, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\tt[1].png
  Type: image
  MD5: 6369E0E9B44D528B7ABE85479CF07521
  SHA256: F54A74C2D792410E476DE16FF77D406AB3B5F399B6CA9DC336A630D32BC53BA6

PID 3604, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\cancl[1].png
  Type: image
  MD5: F93A12F36EC768C14336120D77965357
  SHA256: 32E0140BA7AEB62A0CE002E429ED49712B3E33514A16F115EA1449BA2E0611A1

PID 3604, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\t11[1].png
  Type: image
  MD5: DA8518406FCE3C5770B758689A741C95
  SHA256: C123CE34D7C55C7C999ABBC19B7FBEEF424F5F6F3B08FB62BE458C6CF576AA90
HTTP(S) requests: 11
TCP/UDP connections: 13
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3604 | iexplore.exe | GET | 200 | 27.121.66.52:80 | http://transamericaannuities.com.login.login.aspx.profile.web.ssocontroller.cmd.ssoresume.idpxuhs3.resumesaml20.idp.sso.pingspentityft.sharpiescharitychallenge.com.au/transed/lifeinsurance/images/t1.png | AU | image | 15.5 Kb | suspicious
3604 | iexplore.exe | GET | 200 | 27.121.66.52:80 | http://transamericaannuities.com.login.login.aspx.profile.web.ssocontroller.cmd.ssoresume.idpxuhs3.resumesaml20.idp.sso.pingspentityft.sharpiescharitychallenge.com.au/transed/lifeinsurance/images/t9.png | AU | image | 5.98 Kb | suspicious
3604 | iexplore.exe | GET | 200 | 27.121.66.52:80 | http://transamericaannuities.com.login.login.aspx.profile.web.ssocontroller.cmd.ssoresume.idpxuhs3.resumesaml20.idp.sso.pingspentityft.sharpiescharitychallenge.com.au/transed/lifeinsurance/images/t11.png | AU | image | 1.08 Kb | suspicious
3604 | iexplore.exe | GET | 200 | 27.121.66.52:80 | http://transamericaannuities.com.login.login.aspx.profile.web.ssocontroller.cmd.ssoresume.idpxuhs3.resumesaml20.idp.sso.pingspentityft.sharpiescharitychallenge.com.au/transed/lifeinsurance/images/t2.png | AU | image | 3.23 Kb | suspicious
3604 | iexplore.exe | GET | 200 | 27.121.66.52:80 | http://transamericaannuities.com.login.login.aspx.profile.web.ssocontroller.cmd.ssoresume.idpxuhs3.resumesaml20.idp.sso.pingspentityft.sharpiescharitychallenge.com.au/transed/lifeinsurance/images/cancl.png | AU | image | 866 b | suspicious
3604 | iexplore.exe | GET | 200 | 27.121.66.52:80 | http://transamericaannuities.com.login.login.aspx.profile.web.ssocontroller.cmd.ssoresume.idpxuhs3.resumesaml20.idp.sso.pingspentityft.sharpiescharitychallenge.com.au/transed/lifeinsurance/step2.php | AU | html | 4.32 Kb | suspicious
3604 | iexplore.exe | GET | 200 | 27.121.66.52:80 | http://transamericaannuities.com.login.login.aspx.profile.web.ssocontroller.cmd.ssoresume.idpxuhs3.resumesaml20.idp.sso.pingspentityft.sharpiescharitychallenge.com.au/transed/lifeinsurance/images/continu.png | AU | image | 920 b | suspicious
3604 | iexplore.exe | GET | 200 | 27.121.66.52:80 | http://transamericaannuities.com.login.login.aspx.profile.web.ssocontroller.cmd.ssoresume.idpxuhs3.resumesaml20.idp.sso.pingspentityft.sharpiescharitychallenge.com.au/transed/lifeinsurance/images/tt.png | AU | image | 2.55 Kb | suspicious
3028 | iexplore.exe | GET | 200 | 27.121.66.52:80 | http://transamericaannuities.com.login.login.aspx.profile.web.ssocontroller.cmd.ssoresume.idpxuhs3.resumesaml20.idp.sso.pingspentityft.sharpiescharitychallenge.com.au/transed/lifeinsurance/images/favicon.ico | AU | image | 1.12 Kb | suspicious
3028 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3604 | iexplore.exe | 104.19.199.151:443 | cdnjs.cloudflare.com | Cloudflare Inc | US | shared
3028 | iexplore.exe | 27.121.66.52:80 | transamericaannuities.com.login.login.aspx.profile.web.ssocontroller.cmd.ssoresume.idpxuhs3.resumesaml20.idp.sso.pingspentityft.sharpiescharitychallenge.com.au | NetRegistry Pty Ltd. | AU | suspicious
3028 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3604 | iexplore.exe | 27.121.66.52:80 | transamericaannuities.com.login.login.aspx.profile.web.ssocontroller.cmd.ssoresume.idpxuhs3.resumesaml20.idp.sso.pingspentityft.sharpiescharitychallenge.com.au | NetRegistry Pty Ltd. | AU | suspicious

DNS requests

Domain | IP | Reputation
transamericaannuities.com.login.login.aspx.profile.web.ssocontroller.cmd.ssoresume.idpxuhs3.resumesaml20.idp.sso.pingspentityft.sharpiescharitychallenge.com.au | 27.121.66.52 | suspicious
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
cdnjs.cloudflare.com | 104.19.199.151, 104.19.195.151, 104.19.197.151, 104.19.198.151, 104.19.196.151 | whitelisted
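The only hostname flagged suspicious above is a long chain of decoy labels (a fake "transamericaannuities.com", then "login", "sso", "saml", "idp" and similar) stacked in front of the domain the operator actually controls, sharpiescharitychallenge.com.au. The script below is an added example, not part of the ANY.RUN report: it splits that hostname into its registrable domain and the decoy prefix, and reports the embedded fake domain and authentication-flavoured tokens. The public-suffix subset, the DECOY_TOKENS list and the depth threshold are assumptions made for this example.

```python
"""
Added example, not part of the ANY.RUN report: take the long hostname this
sandbox run resolved and separate the registrable domain the attacker actually
controls from the decoy labels stacked in front of it. The public-suffix
subset and the DECOY_TOKENS list below are assumptions made for this example.
"""
from urllib.parse import urlsplit

# Assumed: a hand-picked subset of the Public Suffix List, enough for the
# hostnames in this report. Production code should load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "au", "com.au", "net.au", "org.au", "uk", "co.uk"}

# Assumed: authentication-flavoured words that phishing kits embed in
# subdomains so the left edge of the URL resembles a real SSO login.
DECOY_TOKENS = ("login", "sso", "saml", "idp", "aspx", "profile", "web", "cmd", "resume")

# The URL from this report.
REPORT_URL = (
    "http://transamericaannuities.com.login.login.aspx.profile.web.ssocontroller"
    ".cmd.ssoresume.idpxuhs3.resumesaml20.idp.sso.pingspentityft"
    ".sharpiescharitychallenge.com.au/transed/lifeinsurance/step2.php"
)


def registrable_domain(hostname: str) -> str:
    """Return the longest public suffix plus one label (the eTLD+1)."""
    labels = hostname.lower().rstrip(".").split(".")
    suffix_start = None
    # Suffixes are right-anchored, so extend leftwards until the first miss.
    for i in range(len(labels) - 1, -1, -1):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            suffix_start = i
        else:
            break
    if suffix_start is None or suffix_start == 0:
        return hostname.lower()  # unknown suffix, or the host is itself a suffix
    return ".".join(labels[suffix_start - 1:])


def analyze_hostname(hostname: str) -> dict:
    """Describe where the trust boundary really sits in a label-stuffed hostname."""
    hostname = hostname.lower()
    etld1 = registrable_domain(hostname)
    prefix = hostname[: len(hostname) - len(etld1)].rstrip(".")
    decoy_labels = prefix.split(".") if prefix else []
    # A fake domain at the left edge ends at the first label that is a public
    # suffix, e.g. "transamericaannuities" followed by "com".
    spoofed = []
    for label in decoy_labels:
        spoofed.append(label)
        if label in PUBLIC_SUFFIXES:
            break
    else:
        spoofed = []  # loop ran to the end without finding a suffix label
    tokens = sorted({t for t in DECOY_TOKENS for label in decoy_labels if t in label})
    return {
        "registrable_domain": etld1,
        "subdomain_depth": len(decoy_labels),
        "spoofed_domain": ".".join(spoofed),
        "decoy_tokens": tokens,
        # Assumed threshold: more than three subdomain labels is unusual for a login page.
        "stuffed": bool(spoofed) or len(decoy_labels) > 3,
    }


def analyze_url(url: str) -> dict:
    """Parse the URL and analyse its hostname."""
    host = urlsplit(url).hostname or ""
    return {"hostname": host, **analyze_hostname(host)}


if __name__ == "__main__":
    for key, value in analyze_url(REPORT_URL).items():
        print(f"{key}: {value}")
```

The point the output makes is that every label left of sharpiescharitychallenge.com.au is under the attacker's control and carries no trust; a blocklist or reputation lookup should be keyed on the registrable domain, not on the brand name that appears first.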

Threats

PID | Process | Class | Message
3604 | iexplore.exe | A Network Trojan was detected | ET INFO Suspicious HTML Decimal Obfuscated Title - Possible Phishing Landing Apr 19 2017
3604 | iexplore.exe | A Network Trojan was detected | ET CURRENT_EVENTS Chalbhai Phishing Landing Oct 23 2017
3604 | iexplore.exe | A Network Trojan was detected | ET CURRENT_EVENTS Generic Financial Phish Landing 2017-12-21
3604 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Possible Chalbhai (Multibrand) Phishing Landing 2018-05-10
3604 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Generic Chalbhai Phishing Landing 2018-08-30
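The first alert in the list names the technique the landing page used: the HTML <title> is written as decimal character references (&#84;&#114;... instead of plain text) so that naive string matching for the impersonated brand fails on the raw HTML. The script below is an added example, not from the report and not the Emerging Threats rule itself: an offline check that decodes a <title> and flags it when most of it was built from &#NNN; references. The HTML samples are constructed for this example (they are not the step2.php page the sandbox fetched), and the thresholds and BRAND_WORDS list are assumptions.

```python
"""
Added example, not from the report or from Emerging Threats: an offline check
for the technique named by the "ET INFO Suspicious HTML Decimal Obfuscated
Title" alert, a <title> written as decimal character references so that naive
brand-name matching on the raw HTML fails. The HTML samples are constructed
for this example and the thresholds and BRAND_WORDS are assumptions, not the
Suricata rule's logic.
"""
import html
import re

TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)
DECIMAL_REF_RE = re.compile(r"&#(\d{1,7});")

# Assumed watch-list of words whose presence in a decoded title raises concern.
BRAND_WORDS = ("transamerica", "login", "sign in", "account")

# Constructed sample: a fully obfuscated title that decodes to "Transamerica Login".
OBFUSCATED_SAMPLE = (
    "<html><head><title>&#84;&#114;&#97;&#110;&#115;&#97;&#109;&#101;&#114;"
    "&#105;&#99;&#97;&#32;&#76;&#111;&#103;&#105;&#110;</title></head>"
    "<body><form method=\"post\" action=\"step3.php\"></form></body></html>"
)
# Constructed sample: an ordinary page whose title uses a single entity for a dash.
CLEAN_SAMPLE = "<html><head><title>Sharpies Charity Challenge &#45; Home</title></head></html>"


def encode_decimal(text: str) -> str:
    """Encode every character as a decimal reference, the way such kits obfuscate titles."""
    return "".join(f"&#{ord(ch)};" for ch in text)


def inspect_title(document: str, min_refs: int = 8, min_ratio: float = 0.5) -> dict:
    """Decode the <title> and flag it when most of it was built from &#NNN; references."""
    match = TITLE_RE.search(document)
    if not match:
        return {"found": False, "suspicious": False}
    raw = match.group(1)
    refs = DECIMAL_REF_RE.findall(raw)
    decoded = html.unescape(raw).strip()
    # Ratio of references to visible characters: 1.0 means every character was encoded.
    ratio = len(refs) / max(len(decoded), 1)
    return {
        "found": True,
        "decoded": decoded,
        "decimal_refs": len(refs),
        "obfuscation_ratio": round(ratio, 2),
        "brand_hits": [w for w in BRAND_WORDS if w in decoded.lower()],
        "suspicious": len(refs) >= min_refs and ratio >= min_ratio,
    }


if __name__ == "__main__":
    for name, doc in (("obfuscated", OBFUSCATED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, inspect_title(doc))
```

Decoding before matching is the whole point: the brand words only become visible in the decoded title, and a single entity in an otherwise plain title (the clean sample) stays below the threshold, which keeps the check from firing on ordinary pages that escape a dash or an ampersand.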
No debug info