analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://trigunaintisolusi.com/lgcf-W8HakXX2m7CMqZ_OJnhWXwK-CHP/InvoiceCodeChanges/scan/EN_en/Past-Due-Invoices

Full analysis: https://app.any.run/tasks/d1da7332-92c4-4c51-9925-0a0792397be1
Verdict: Malicious activity
Analysis date: December 18, 2018, 11:53:09
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MD5:

DD4ACD3B96466267488D4067B11F5369

SHA1:

E3C50F805700E47B05B4DF29C33448FF584FDE4B

SHA256:

56D1D0F859DF0D6D86F0137696776E3C6E4037D69A3C1CAE0473509A5764562C

SSDEEP:

3:N1KKXMCiSQLGGDXU5vsbbH3nWAjoRWGELKuKWIoHW:CKXDi3GmXUkDnWAjpHKnIW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3212)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3212)
    • Changes internet zones settings

      • iexplore.exe (PID: 2944)
    • Application launched itself

      • iexplore.exe (PID: 2944)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
31
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2944"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3212"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2944 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
365
Read events
320
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
0
Text files
18
Unknown types
3

Dropped files

PID
Process
Filename
Type
2944iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2944iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3212iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\style[1].csstext
MD5:4D86CB14973930AD14AA8D3FDDF6F8BC
SHA256:6D893D2E3E7F12E1EB413118E28B0AC2ED4AD43CD7761B972F6DD9CB85730A4C
3212iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\main[1].jstext
MD5:EC38AEC4A3AC30FA978A0B2D06D25B5F
SHA256:DBA0CE130C66A62E10D1BD6DB8E4DADCE9E4080970806BC18FBAFD260B563DB2
3212iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\main.min[1].jstext
MD5:339AFF387FD204D0D6C018F0846A447E
SHA256:B7589ED96AA13BAC0CB666DC1E38D46E9F95929195F69CBECC0D950F76F327BE
3212iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\css[1].txttext
MD5:FE131365FE44CD7405BDCF22A9288343
SHA256:BFF53226D344068B23C9761E349F6CFA78282C3231A1EFDB91B78DE4412264C2
3212iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\owl.theme[1].csstext
MD5:FFBA95672003952A6095617CF00F2788
SHA256:796654D6A972D8F8B2697370C77BE6D881B1F3A3E1A33A25BBA8267F103BA248
3212iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\Meter-gas-orifice-1[1].jpgimage
MD5:D888373D29BB56ACFC525ADC3CD79995
SHA256:54FC4ACD4868A190C7E67060E829D6A308734ED023F78B1DAFCEAC988210FC0A
2944iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[3].pngimage
MD5:9FB559A691078558E77D6848202F6541
SHA256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
3212iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\wp-emoji-release.min[1].jstext
MD5:15D0C302DC74FD87BD9CFEAB513E13E4
SHA256:D2458B9FD9089FDCB9DE317093E004EF3A65597DC68B9ADFDEB15A7C9968D0D5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
13
DNS requests
5
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3212
iexplore.exe
GET
301
103.233.102.18:80
http://trigunaintisolusi.com/lgcf-W8HakXX2m7CMqZ_OJnhWXwK-CHP/InvoiceCodeChanges/scan/EN_en/Past-Due-Invoices
ID
malicious
3212
iexplore.exe
GET
200
103.233.102.18:80
http://www.trigunaintisolusi.com/wp-content/themes/bizworx/style.css?ver=5.0.1
ID
text
38.6 Kb
malicious
3212
iexplore.exe
GET
200
103.233.102.18:80
http://www.trigunaintisolusi.com/wp-content/plugins/bizworx-tools/js/main.js?ver=20180228
ID
text
1.61 Kb
malicious
3212
iexplore.exe
GET
404
103.233.102.18:80
http://www.trigunaintisolusi.com/lgcf-W8HakXX2m7CMqZ_OJnhWXwK-CHP/InvoiceCodeChanges/scan/EN_en/Past-Due-Invoices
ID
html
15.9 Kb
malicious
3212
iexplore.exe
GET
200
103.233.102.18:80
http://www.trigunaintisolusi.com/wp-content/themes/bizworx/js/main.min.js?ver=20180213
ID
text
2.86 Kb
malicious
3212
iexplore.exe
GET
200
103.233.102.18:80
http://www.trigunaintisolusi.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.1
ID
text
1.65 Kb
malicious
3212
iexplore.exe
GET
200
103.233.102.18:80
http://www.trigunaintisolusi.com/wp-content/themes/bizworx/css/owl.carousel.css?ver=5.0.1
ID
text
1.44 Kb
malicious
3212
iexplore.exe
GET
200
103.233.102.18:80
http://www.trigunaintisolusi.com/wp-includes/js/jquery/jquery.js?ver=1.12.4
ID
text
94.9 Kb
malicious
3212
iexplore.exe
GET
200
103.233.102.18:80
http://www.trigunaintisolusi.com/wp-content/themes/bizworx/fonts/font-awesome.min.css?ver=5.0.1
ID
text
30.2 Kb
malicious
3212
iexplore.exe
GET
200
103.233.102.18:80
http://www.trigunaintisolusi.com/wp-content/themes/bizworx/css/bootstrap/bootstrap.min.css?ver=1
ID
text
16.2 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2944
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3212
iexplore.exe
103.233.102.18:80
trigunaintisolusi.com
PT MITRA VISIONER PRATAMA
ID
malicious
3212
iexplore.exe
172.217.168.42:443
fonts.googleapis.com
Google Inc.
US
whitelisted
3212
iexplore.exe
103.233.102.18:443
trigunaintisolusi.com
PT MITRA VISIONER PRATAMA
ID
malicious
3212
iexplore.exe
172.217.168.35:443
fonts.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
trigunaintisolusi.com
  • 103.233.102.18
malicious
www.trigunaintisolusi.com
  • 103.233.102.18
malicious
fonts.googleapis.com
  • 172.217.168.42
whitelisted
fonts.gstatic.com
  • 172.217.168.35
whitelisted

Threats

PID
Process
Class
Message
3212
iexplore.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious request with 'invoice' in http uri
3212
iexplore.exe
A Network Trojan was detected
SC TROJAN_DOWNLOADER Suspicious request with 'invoice' in http uri
No debug info