download: /window.hta

Full analysis: https://app.any.run/tasks/79e247b3-5ea9-4672-9107-b166527389cd
Verdict: Malicious activity
Analysis date: June 04, 2024, 09:53:48
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
cve-2017-0199
exploit
Indicators:
MIME: text/html
File info: HTML document, Unicode text, UTF-8 text, with CRLF line terminators
MD5: 4D4BFC553118C8A52D3AE50EC794F9A4
SHA1: 815539B8BCE2F71C611574A1203979AD3BD38A66
SHA256: 2079D557BD97B6F3A34770A0B8488E1BC534FF6AC60038A4ED72CEA9D7E4FECC
SSDEEP: 24:hPBCChyPzaFXp7QBJxAjWZmwB9+DomcXB7cCYMCQPIzAMf:tThCzG+fV70omcXB7cCPCUEXf

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • EXPLOIT has been detected (SURICATA)
      • mshta.exe (PID: 2624)
  • SUSPICIOUS
    • Reads the Internet Settings
      • mshta.exe (PID: 2624)
    • Connects to the server without a host name
      • mshta.exe (PID: 2624)
  • INFO
    • Application launched itself
      • iexplore.exe (PID: 4036)
      • iexplore.exe (PID: 3976)
    • Checks supported languages
      • wmpnscfg.exe (PID: 1056)
    • Reads the computer name
      • wmpnscfg.exe (PID: 1056)
    • Manual execution by a user
      • explorer.exe (PID: 1864)
      • wmpnscfg.exe (PID: 1056)
    • Checks proxy server information
      • mshta.exe (PID: 2624)
    • Reads Internet Explorer settings
      • mshta.exe (PID: 2624)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)

EXIF

HTML

Viewport: width=device-width, initial-scale=1.0
Title: Safe Page
No data.
All screenshots are available in the full report
Total processes: 42
Monitored processes: 6
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes in the graph: start → iexplore.exe, iexplore.exe, iexplore.exe, wmpnscfg.exe (no specs), explorer.exe (no specs), mshta.exe (#EXPLOIT)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1056
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\program files\windows media player\wmpnscfg.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
PID: 1116
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3976 CREDAT:333057 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (Images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll
PID: 1864
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\windows\explorer.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\user32.dll
PID: 2624
CMD: C:\Windows\System32\mshta.exe -Embedding
Path: C:\Windows\System32\mshta.exe
Indicators: EXPLOIT
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft (R) HTML Application host
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (Images):
  • c:\windows\system32\mshta.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll
  • c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
PID: 3976
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\window.hta.html
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (Images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll
PID: 4036
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3976 CREDAT:144385 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (Images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll
Total events: 27 686
Read events: 27 335
Write events: 223
Delete events: 128

Modification events

(PID) Process | Operation | Key | Name | Value
(3976) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPDaysSinceLastAutoMigration | 1
(3976) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchLowDateTime | 496896928
(3976) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing | NTPLastLaunchHighDateTime | 31110757
(3976) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateLowDateTime | 797370678
(3976) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager | NextCheckForUpdateHighDateTime | 31110757
(3976) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | (empty)
(3976) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
(3976) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
(3976) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | CompatibilityFlags | 0
(3976) iexplore.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
Executable files: 0
Suspicious files: 13
Text files: 33
Unknown types: 3

Dropped files

PID | Process | Filename | Type
3976 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[2].ico | image
  MD5: DA597791BE3B6E732F0BC8B20E38EE62
  SHA256: 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3976 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A | der
  MD5: E4A6497C402DCDF41B5F7D0827824059
  SHA256: 98FC52BEA0AC5A888ED498FE0CC68A85945C1579AC8F692BD6C059FECA2342C5
3976 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[1].ico | image
  MD5: DA597791BE3B6E732F0BC8B20E38EE62
  SHA256: 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
1116 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\qsml[1].htm | xml
  MD5: 900F2072B471E83F265F26EE4BBB510C
  SHA256: 3F17B138DB474C7D22C1E7B681C0FA0D2D035BA1462218C76EEC8A12171730BE
3976 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118A | binary
  MD5: C0EE139D946BF8543AC7EB41E535E7E7
  SHA256: 736AEC954D31E3CE2F57AE39BFA76D606865694E655D6A5902D40A6C8B103BF5
1116 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\FJ45OG75.txt | text
  MD5: 009F6BCA96F1CC8CF8D584E20E228D5E
  SHA256: 0026CC930933E158EB75B6E65517212A56615B6F075C76AA8E9BED9496B13A35
1116 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177 | binary
  MD5: 75536E703B8F6A73D695B8BFB4E9513C
  SHA256: 10F39556B1E3B69D2BE0C8504DE3770E2E30F32A14D77EE8C15FDBDF08244BB4
1116 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\HE7YJY9H.txt | text
  MD5: A17085A3A345CCAA42FDFC8879DCE08F
  SHA256: DFDC8BB82EB59E69BE1356FE4430F18F95FECC0E25097B907ADA397B97D805D8
1116 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\2M0MU7VJ.txt | text
  MD5: BA82D2DF163167B8EC90B079CF31F7B3
  SHA256: 68A8FBAE6E68A2600ABD4FDD5F1771C739EB2A7CCDF899A7898670AB070C7AE3
1116 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\BPPX2Z9Z.txt | text
  MD5: 3EEB72215D505A6AE50CD000D6A4965A
  SHA256: 99BD3A9F26D47C24A1D277496BCA0DC15DE7C53C107EEAAEBC226392C50E6825
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 10
TCP/UDP connections: 26
DNS requests: 18
Threats: 12

HTTP requests

Columns: PID, Process, Method, HTTP Code, IP, URL, CN, Type, Size, Reputation
3976 | iexplore.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8644b833ad892dd7 | unknown | unknown
3976 | iexplore.exe | GET | 304 | 199.232.214.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?c21588876f974d24 | unknown | unknown
1116 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAxq6XzO1ZmDhpCgCp6lMhQ%3D | unknown | unknown
3976 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | unknown
3976 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D | unknown | unknown
1116 | iexplore.exe | GET | 200 | 103.54.153.116:80 | http://103.54.153.116/window.hta | unknown | unknown
1088 | svchost.exe | GET | 304 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f33259cc05673396 | unknown | unknown
2624 | mshta.exe | GET | 200 | 103.54.153.116:80 | http://103.54.153.116/window.hta | unknown | unknown
3976 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | unknown
3976 | iexplore.exe | GET | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | unknown

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
(none) | (none) | 224.0.0.252:5355 | unknown
4 | System | 192.168.100.255:138 | whitelisted
4 | System | 192.168.100.255:137 | whitelisted
1088 | svchost.exe | 224.0.0.252:5355 | unknown
3976 | iexplore.exe | 2.19.120.21:443 | www.bing.com | Akamai International B.V. | DE | unknown
3976 | iexplore.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown
3976 | iexplore.exe | 199.232.214.172:80 | ctldl.windowsupdate.com | FASTLY | US | unknown
3976 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted
1116 | iexplore.exe | 13.107.5.80:443 | api.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
1116 | iexplore.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted

DNS requests

Domain | IP | Reputation
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 2.19.120.21, 2.19.120.29 | whitelisted
ctldl.windowsupdate.com | 199.232.214.172, 199.232.210.172 | whitelisted
ocsp.digicert.com | 192.229.221.95 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
ieonline.microsoft.com | 204.79.197.200 | whitelisted
go.microsoft.com | 184.28.89.167 | whitelisted
www.msn.com | 204.79.197.203 | whitelisted

Threats

PID | Process | Class | Message
1116 | iexplore.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download
1116 | iexplore.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host HTA Request
1116 | iexplore.exe | Attempted User Privilege Gain | ET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential CVE-2017-0199
1116 | iexplore.exe | A Network Trojan was detected | SUSPICIOUS [ANY.RUN] VBS is used to run Shell
1116 | iexplore.exe | A Network Trojan was detected | LOADER [ANY.RUN] Gen.Powershell.Downloader Script Payload
2624 | mshta.exe | Potentially Bad Traffic | ET POLICY Possible HTA Application Download
2624 | mshta.exe | Attempted User Privilege Gain | ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
2624 | mshta.exe | Potentially Bad Traffic | ET INFO Dotted Quad Host HTA Request
2624 | mshta.exe | Attempted User Privilege Gain | ET WEB_CLIENT HTA File containing Wscript.Shell Call - Potential CVE-2017-0199
2624 | mshta.exe | A Network Trojan was detected | ET EXPLOIT MSXMLHTTP Download of HTA (Observed in CVE-2017-0199)
No debug info