analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Payment#2068.html

Full analysis: https://app.any.run/tasks/22292ab6-6deb-4fad-b21f-01bd42dbd90a
Verdict: Malicious activity
Analysis date: October 04, 2022, 19:43:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5:

2AC213AB3A81BF7456EAACB4AA7103E9

SHA1:

DCB398DD20F0C8CD65C1048D3842C131C5827224

SHA256:

6125393E8592C331FA726B6C0BCB23813303D5A4C9A74135255D3F15144A567C

SSDEEP:

24576:sPP2Drpn14IsIBq5fHoky6DNzrn/RmDbvSnKVDwFX:bl9A5ffzz0DbKH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 2484)
    • Checks supported languages

      • WinRAR.exe (PID: 2212)
      • WinRAR.exe (PID: 1164)
      • WinRAR.exe (PID: 4064)
      • WinRAR.exe (PID: 1376)
      • WinRAR.exe (PID: 1748)
    • Reads the computer name

      • WinRAR.exe (PID: 2212)
      • WinRAR.exe (PID: 1376)
      • WinRAR.exe (PID: 1748)
      • WinRAR.exe (PID: 4064)
      • WinRAR.exe (PID: 1164)
    • Executed via COM

      • DllHost.exe (PID: 2864)
  • INFO

    • Checks supported languages

      • iexplore.exe (PID: 2236)
      • iexplore.exe (PID: 1160)
      • iexplore.exe (PID: 2484)
      • explorer.exe (PID: 3792)
      • DllHost.exe (PID: 2864)
    • Reads the computer name

      • iexplore.exe (PID: 1160)
      • iexplore.exe (PID: 2484)
      • iexplore.exe (PID: 2236)
      • explorer.exe (PID: 3792)
      • DllHost.exe (PID: 2864)
    • Application launched itself

      • iexplore.exe (PID: 2484)
      • iexplore.exe (PID: 1160)
    • Changes internet zones settings

      • iexplore.exe (PID: 1160)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2484)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 1160)
      • iexplore.exe (PID: 2484)
    • Changes settings of System certificates

      • iexplore.exe (PID: 1160)
    • Manual execution by user

      • explorer.exe (PID: 3792)
      • WinRAR.exe (PID: 2212)
      • WinRAR.exe (PID: 1748)
      • WinRAR.exe (PID: 1164)
      • WinRAR.exe (PID: 4064)
      • WinRAR.exe (PID: 1376)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 1160)
      • iexplore.exe (PID: 2484)
    • Creates files in the user directory

      • iexplore.exe (PID: 1160)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 1160)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
51
Monitored processes
10
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe iexplore.exe no specs explorer.exe no specs winrar.exe no specs winrar.exe no specs winrar.exe no specs winrar.exe no specs winrar.exe no specs PhotoViewer.dll no specs

Process information

PID
CMD
Path
Indicators
Parent process
1160"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\admin\AppData\Local\Temp\Payment#2068.html"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2484"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1160 CREDAT:144385 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2236"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1160 CREDAT:333057 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3792"C:\Windows\explorer.exe" C:\Windows\explorer.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2212"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -- Downloads.rar C:\Users\admin\Links\Downloads.lnkC:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
1748"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -- Downloads.rar C:\Users\admin\DownloadsC:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
1376"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads.rar"C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
1164"C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -- Downloads.rar C:\Users\admin\Links\Downloads.lnkC:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
4064"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads.rar" C:\Program Files\WinRAR\WinRAR.exeExplorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
2864C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}C:\Windows\system32\DllHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
15 105
Read events
14 845
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
13
Text files
16
Unknown types
4

Dropped files

PID
Process
Filename
Type
1160iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776der
MD5:AFC3E2584B32E1E7C23C33E9534089A5
SHA256:61597F5F937DA250A5ED7B4B82867BEBC546A5A35C0029982A003B1E9CBD2E7E
1160iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Y9BSEY9D.txttext
MD5:A0638C2491A7F1B6286BE3887E02F2E4
SHA256:8B1494A4861DF289A7F5182ECB1E2970A62A3F1DEE5C9507CA520324A3F2A619
1160iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8Fder
MD5:706D6538FD37693AD6E2784B2EA35218
SHA256:3BE2AF083FFD1E6BF9762687183226AA01EC65B391AFDFAE8ECDAFC247F5C77E
1160iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776binary
MD5:D39DB824E460B95B892136F777A42F0F
SHA256:D110B37599EA2DCB6567FD1BF5526ADA1F69F44BB77891ADD8B8AE075DB041EE
2212WinRAR.exeC:\Users\admin\Links\Downloads.rarcompressed
MD5:C4ABC4E1B905843E8AE4D12F3FA737D5
SHA256:D17ED58A212FE98638AB5715EABE3707F7CFDCBC0D4F1FFFA6EC7E3D4206A2FA
1160iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\82CB34DD3343FE727DF8890D352E0D8Fbinary
MD5:2146735789906133A1F83403E9A4A0AB
SHA256:A29CACA5991E5B80F378A56216D5CBCC1B8C1B1B94C5770A806C3AF2234CB192
2484iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:1817776FAD6D1DA89697557E3E537527
SHA256:55D564F6FE4386C5CE54AC3556B8866160611DD42D9837FF1ACB0141978B370C
1160iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\GDYAITI7.txttext
MD5:CD3A15866C5792D07EBFCF9C1DEFAB44
SHA256:EE29C33A804B7B4F56D504A164B5A706224F12309B322FB227856A5E1DD00865
2484iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157compressed
MD5:F7DCB24540769805E5BB30D193944DCE
SHA256:6B88C6AC55BBD6FEA0EBE5A760D1AD2CFCE251C59D0151A1400701CB927E36EA
1160iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\K7GY3VAD.txttext
MD5:8EECA7963EE6E6FF83905200D24780EC
SHA256:3F097743DF54307C2740D837BDD4ECB315D8AB3A0F75B3CD7E2D06C36A1D0E86
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
26
DNS requests
14
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1160
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D
US
der
471 b
whitelisted
1160
iexplore.exe
GET
200
93.184.220.29:80
http://crl3.digicert.com/Omniroot2025.crl
US
der
7.78 Kb
whitelisted
1160
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
444
svchost.exe
GET
200
13.107.4.50:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9fb93d2205d0bb6e
US
compressed
4.70 Kb
whitelisted
2484
iexplore.exe
GET
200
13.107.4.50:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?8cc4d465f42daea0
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1160
iexplore.exe
23.216.77.80:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
suspicious
1160
iexplore.exe
13.107.21.200:443
www.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1160
iexplore.exe
152.199.19.161:443
r20swj13mr.microsoft.com
EDGECAST
US
whitelisted
1160
iexplore.exe
204.79.197.200:443
www.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1160
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
EDGECAST
GB
whitelisted
1160
iexplore.exe
23.216.77.69:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
suspicious
2484
iexplore.exe
152.199.19.161:443
r20swj13mr.microsoft.com
EDGECAST
US
whitelisted
1160
iexplore.exe
204.79.197.203:443
www.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
444
svchost.exe
13.107.4.50:80
ctldl.windowsupdate.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
1160
iexplore.exe
20.25.53.147:443
query.prod.cms.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
unknown

DNS requests

Domain
IP
Reputation
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
ctldl.windowsupdate.com
  • 23.216.77.80
  • 23.216.77.69
  • 13.107.4.50
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted
crl3.digicert.com
  • 93.184.220.29
whitelisted
ieonline.microsoft.com
  • 204.79.197.200
whitelisted
go.microsoft.com
  • 96.16.143.41
whitelisted
www.msn.com
  • 204.79.197.203
whitelisted

Threats

No threats detected
No debug info