
index.html

Full analysis: https://app.any.run/tasks/ab478b50-c493-47c7-9526-401dde016a56
Verdict: Malicious activity
Analysis date: February 21, 2020, 18:35:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/html
File info: HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
MD5: C50AA3E723AE7778BBE713A1E1C3D9D8
SHA1: 52A6D9FB3F811FCCDC17686F9229B187C4B3DFBF
SHA256: 583DF0F2A1FC08CE8D190F38E6DBBC859C5376FDF8AF81D6F3B8F45783AB8B77
SSDEEP: 384:W+vrQXieV/CwscWC8FjxL+eq+6n8tqJt41VYP2h1d/qvFFvUbGdp8no0RQa4B+lK:WXiAuhryHHt43G8XXFBHE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2952)
      • iexplore.exe (PID: 2340)
    • Application launched itself

      • iexplore.exe (PID: 2952)
      • iexplore.exe (PID: 3112)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2816)
      • iexplore.exe (PID: 3112)
      • iexplore.exe (PID: 2340)
    • Changes internet zones settings

      • iexplore.exe (PID: 2952)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2816)
      • iexplore.exe (PID: 2340)
      • iexplore.exe (PID: 2952)
      • iexplore.exe (PID: 3112)
    • Creates files in the user directory

      • iexplore.exe (PID: 2816)
      • iexplore.exe (PID: 2952)
      • iexplore.exe (PID: 2340)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2816)
      • iexplore.exe (PID: 3112)
      • iexplore.exe (PID: 2952)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2816)
      • iexplore.exe (PID: 2952)
      • iexplore.exe (PID: 3112)
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)

EXIF

HTML

viewport: width=device-width, initial-scale=1
HTTPEquivXUACompatible: IE=edge
Title: LOUIS VUITTON Outlets
Description: LOUIS VUITTON Outlets
No data.
Screenshots: available in the full report
Total processes: 41
Monitored processes: 4
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Nodes: start, iexplore.exe, iexplore.exe, iexplore.exe, iexplore.exe

Process information

PID: 2952
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\index.html
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID: 3112
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2952 CREDAT:144385 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID: 2816
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2952 CREDAT:144390 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll

PID: 2340
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2952 CREDAT:398593 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
Modules (images):
  • c:\program files\internet explorer\iexplore.exe
  • c:\systemroot\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\iertutil.dll
Total events: 16 815
Read events: 1 580
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 58
Text files: 228
Unknown types: 29

Dropped files

PID | Process | Filename | Type

2816 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\bootstrap.min[1].css | text
  MD5: 736A02DCFE63B1518EAFCE38458AA860
  SHA256: E9A910706B5173F97B91A7735AC329E16F08C8F4001F73405843ECDA080D70F2
2816 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\stylesheet[1].css | text
  MD5: 14A00B5CAB9E2AF183A3CBF54BA7C4DD
  SHA256: 46F1A3CE31A57167937E119EEFA91BE3666CDFDF34547F557A9593D4F7A69537
2816 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\owl.carousel[1].css | text
  MD5: 77D4A6743002B35EF36AF74D6AADF1A1
  SHA256: ABFE00030C88CC24133BA14D537C987275F00D92A6971D683590E787E12FE924
3112 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\bootstrap.min[1].css | text
  MD5: 736A02DCFE63B1518EAFCE38458AA860
  SHA256: E9A910706B5173F97B91A7735AC329E16F08C8F4001F73405843ECDA080D70F2
2816 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\font-awesome.min[1].css | text
  MD5: B3A7BE0EBC63F653346DCFAABADF94F0
  SHA256: 8EA3141CBB9DFF3217A9586B2F0E60952E9491ACF11F7370285F346B22DAA4D0
3112 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\css[1].css | text
  MD5: AF295E1236B929C0829E01C8961DCF52
  SHA256: 99AA57BD15A22388367A98420E33298BB795FA9FAE4D384C6BEFC88EF76FD88F
2816 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\m40780-1-200x200[1].jpg | image
  MD5: C02F19F268A4B249E7274DA0C80E7942
  SHA256: 4735385FCB38B2A0B56281B2806EBD114B977779A6E4E4C4F3BA4F64C294531C
3112 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6Z2BCOUL\11124f-2280x760[1].jpg | image
  MD5: 141B6321AA44C2B97684DE1847BAE775
  SHA256: CED904F935404BF0B5C929BF6172F6F79AEB421DB6E92BA0634E1E97A1BEC9C3
2816 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\n41358-1-200x200[1].jpg | image
  MD5: AC4962D9823294563F5E3EA646073446
  SHA256: 225CD9564F987C57B07C706A763AF39A188A5451F03195F79A4C4F50CAA7554C
2816 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\m41066-1-200x200[1].jpg |
  MD5:
  SHA256:
HTTP(S) requests: 249
TCP/UDP connections: 154
DNS requests: 35
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

3112 | iexplore.exe | GET | 200 | 216.58.208.42:80 | http://fonts.googleapis.com/css?family=Open+Sans:400,400i,300,700 | US | text | 284 b | whitelisted
2816 | iexplore.exe | GET | 200 | 104.24.106.14:80 | http://www.aaabagsonsale.top/catalog/view/javascript/font-awesome/css/font-awesome.min.css | US | text | 5.79 Kb | suspicious
2816 | iexplore.exe | GET | 200 | 104.24.106.14:80 | http://www.aaabagsonsale.top/catalog/view/theme/default/stylesheet/stylesheet.css | US | text | 3.42 Kb | suspicious
2816 | iexplore.exe | GET | 200 | 104.24.106.14:80 | http://www.aaabagsonsale.top/image/cache/catalog/1/112/9-200x200.jpg | US | image | 8.51 Kb | suspicious
2816 | iexplore.exe | GET | 200 | 104.24.106.14:80 | http://www.aaabagsonsale.top/image/cache/catalog/2019-11-08_19-32-19-76565-2280x760-2280x760.jpg | US | image | 345 Kb | suspicious
2816 | iexplore.exe | GET | 200 | 104.24.106.14:80 | http://www.aaabagsonsale.top/image/cache/catalog/lv/m40780-1-200x200.jpg | US | image | 9.98 Kb | suspicious
2816 | iexplore.exe | GET | 200 | 104.24.106.14:80 | http://www.aaabagsonsale.top/image/cache/catalog/lv/652n41605-1-200x200.jpg | US | image | 11.7 Kb | suspicious
3112 | iexplore.exe | GET | 200 | 104.24.106.14:80 | http://www.aaabagsonsale.top/image/cache/catalog/11124f-2280x760.jpg | US | image | 616 Kb | suspicious
2816 | iexplore.exe | GET | 200 | 104.24.106.14:80 | http://www.aaabagsonsale.top/catalog/view/javascript/bootstrap/css/bootstrap.min.css | US | text | 20.2 Kb | suspicious
2816 | iexplore.exe | GET | 200 | 104.24.106.14:80 | http://www.aaabagsonsale.top/image/cache/catalog/lv/n41358-1-200x200.jpg | US | image | 10.8 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

3112 | iexplore.exe | 220.242.182.12:443 | js.users.51.la | | CN | suspicious
3112 | iexplore.exe | 104.24.106.14:80 | www.aaabagsonsale.top | Cloudflare Inc | US | shared
2816 | iexplore.exe | 220.242.182.12:443 | js.users.51.la | | CN | suspicious
3112 | iexplore.exe | 216.58.208.42:80 | fonts.googleapis.com | Google Inc. | US | whitelisted
2816 | iexplore.exe | 104.24.106.14:80 | www.aaabagsonsale.top | Cloudflare Inc | US | shared
2952 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2816 | iexplore.exe | 172.217.16.163:80 | fonts.gstatic.com | Google Inc. | US | whitelisted
2816 | iexplore.exe | 216.58.208.42:80 | fonts.googleapis.com | Google Inc. | US | whitelisted
2816 | iexplore.exe | 104.24.107.14:80 | www.aaabagsonsale.top | Cloudflare Inc | US | unknown
3112 | iexplore.exe | 104.24.107.14:80 | www.aaabagsonsale.top | Cloudflare Inc | US | unknown

DNS requests

Domain | Reputation | IPs

www.aaabagsonsale.top | suspicious
  • 104.24.106.14
  • 104.24.107.14
fonts.googleapis.com | whitelisted
  • 216.58.208.42
js.users.51.la | whitelisted
  • 220.242.182.12
  • 220.242.139.165
  • 220.242.140.187
  • 163.171.128.16
www.bing.com | whitelisted
  • 13.107.21.200
  • 204.79.197.200
api.bing.com | whitelisted
  • 13.107.5.80
fonts.gstatic.com | whitelisted
  • 172.217.16.163
ocsp.globalsign.com | whitelisted
  • 151.101.2.133
  • 151.101.66.133
  • 151.101.130.133
  • 151.101.194.133
ocsp2.globalsign.com | whitelisted
  • 151.101.2.133
  • 151.101.66.133
  • 151.101.130.133
  • 151.101.194.133
iecvlist.microsoft.com | whitelisted
  • 152.199.19.161
ocsp.digicert.com | whitelisted
  • 93.184.220.29

Threats

PID | Process | Class | Message

| | Potentially Bad Traffic | ET DNS Query to a *.top domain - Likely Hostile
2816 | iexplore.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
2340 | iexplore.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
2340 | iexplore.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
2340 | iexplore.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
2340 | iexplore.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
2340 | iexplore.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
2340 | iexplore.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
2340 | iexplore.exe | Potentially Bad Traffic | ET INFO HTTP Request to a *.top domain
No debug info