URL:

http://130.117.190.139/updates/kdbma64/arm64/diffs/ext643b.kdc.hta

Full analysis: https://app.any.run/tasks/7fe4dcc8-b759-4d6f-970f-504e5c3ff412
Verdict: Malicious activity
Analysis date: April 23, 2024, 05:19:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
cve-2017-0199
exploit
Indicators:
MD5:

0430630803FD23A98FDF9A85F94A16A2

SHA1:

2C0B5805803940297944D0A5791809F7A40EA516

SHA256:

27C8549C3A0EC3ECD1D38FFB51BEE8FFE3F51C2CA1F2C82ADF149410B034999D

SSDEEP:

3:N1KuV0ZhkLEANINRAdDDQALhEn:CuC8LgtA2n

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads the Internet Settings

      • mshta.exe (PID: 3604)

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 3416)

    • Checks proxy server information

      • mshta.exe (PID: 3604)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 3604)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
39
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe mshta.exe

Process information

PID
CMD
Path
Indicators
Parent process
3416"C:\Program Files\Internet Explorer\iexplore.exe" "http://130.117.190.139/updates/kdbma64/arm64/diffs/ext643b.kdc.hta"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3604C:\Windows\System32\mshta.exe -EmbeddingC:\Windows\System32\mshta.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft (R) HTML Application host
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\windows\system32\mshta.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
c:\windows\system32\api-ms-win-downlevel-version-l1-1-0.dll
4032"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3416 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
Total events
12 268
Read events
12 079
Write events
135
Delete events
54

Modification events

(PID) Process:(3416) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
1
(PID) Process:(3416) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchLowDateTime
Value:
(PID) Process:(3416) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
31102269
(PID) Process:(3416) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(3416) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
31102269
(PID) Process:(3416) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(3416) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(3416) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(3416) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3416) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
Executable files
0
Suspicious files
9
Text files
5
Unknown types
3

Dropped files

PID
Process
Filename
Type
4032iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\ext643b.kdc[1].htabinary
MD5:F7E7EB63323310A31D9CA3BDF9CBC402
SHA256:84F9FBEB1FAA77CCC61CC61AAC17F97B0703839EBD58E1A68CA056542FA1A9D6
3416iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF8587B83481E0FDE7.TMPgmc
MD5:52BACA72EAC1450A6636D32722A5C041
SHA256:7BF7760255290CE7A001BC890D319369E057E34BE033BD6B3BF042D1348A1C94
3416iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\urlblockindex[1].binbinary
MD5:FA518E3DFAE8CA3A0E495460FD60C791
SHA256:775853600060162C4B4E5F883F9FD5A278E61C471B3EE1826396B6D129499AA7
3604mshta.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\ext643b.kdc[1].htabinary
MD5:F7E7EB63323310A31D9CA3BDF9CBC402
SHA256:84F9FBEB1FAA77CCC61CC61AAC17F97B0703839EBD58E1A68CA056542FA1A9D6
3416iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\favicon[1].icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3416iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF754718F59DDF68D9.TMPgmc
MD5:22D9CEF9E5A9A049730DCE9A01C63572
SHA256:F61EA13FDA8170541B08743D426C7BA2E1F3C15E1279DA9C4573083B92D5CF33
3416iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3416iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{17975A3B-0131-11EF-AE0A-12A9866C77DE}.datbinary
MD5:B6001F5B0EBA33ABBD79AAC012BE868E
SHA256:22B6664411E20DA93DEA19EA31F92F053C9EA376008B44F3741FC0F7AC746F97
3416iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver526D.tmpxml
MD5:CBD0581678FA40F0EDCBC7C59E0CAD10
SHA256:159BD4343F344A08F6AF3B716B6FA679859C1BD1D7030D26FF5EF0255B86E1D9
3416iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776binary
MD5:5B55E9A55D598B8ACF7139C18E36C406
SHA256:6F10BA4185E5E165D23B0B781274F46AC4105B089F729292DB192A123A070A68
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
16
DNS requests
11
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
4032
iexplore.exe
GET
200
130.117.190.139:80
http://130.117.190.139/updates/kdbma64/arm64/diffs/ext643b.kdc.hta
unknown
unknown
3416
iexplore.exe
GET
304
95.101.54.121:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?3ed6d2b4a8fbdc40
unknown
unknown
3416
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAzlnDD9eoNTLi0BRrMy%2BWU%3D
unknown
unknown
3604
mshta.exe
GET
200
130.117.190.139:80
http://130.117.190.139/updates/kdbma64/arm64/diffs/ext643b.kdc.hta
unknown
unknown
3416
iexplore.exe
GET
304
95.101.54.121:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ccd3f16cad753a85
unknown
unknown
3416
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown
4032
iexplore.exe
130.117.190.139:80
COGENT-174
DE
unknown
3416
iexplore.exe
104.126.37.145:443
www.bing.com
Akamai International B.V.
DE
unknown
3416
iexplore.exe
95.101.54.121:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
3416
iexplore.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
3604
mshta.exe
130.117.190.139:80
COGENT-174
DE
unknown
3416
iexplore.exe
152.199.19.161:443
r20swj13mr.microsoft.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 104.126.37.145
  • 104.126.37.155
  • 104.126.37.154
  • 104.126.37.144
  • 104.126.37.153
  • 104.126.37.139
  • 104.126.37.162
  • 104.126.37.161
  • 104.126.37.160
whitelisted
ctldl.windowsupdate.com
  • 95.101.54.121
  • 95.101.54.195
  • 95.101.54.129
  • 95.101.54.200
  • 95.101.54.120
  • 95.101.54.128
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted

Threats

PID
Process
Class
Message
4032
iexplore.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host HTA Request
4032
iexplore.exe
Potentially Bad Traffic
ET POLICY Possible HTA Application Download
3604
mshta.exe
Potentially Bad Traffic
ET POLICY Possible HTA Application Download
3604
mshta.exe
Potentially Bad Traffic
ET INFO Dotted Quad Host HTA Request
3604
mshta.exe
Attempted User Privilege Gain
ET EXPLOIT SUSPICIOUS Possible CVE-2017-0199 IE7/NoCookie/Referer HTA dl
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://130.117.190.139/updates/kdbma64/arm64/diffs/ext643b.kdc.hta