File name: Payment#2068.html
Full analysis: https://app.any.run/tasks/d9e40b6e-3207-453f-8348-e3881836e972
Verdict: Malicious activity
Analysis date: October 04, 2022, 20:09:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5: 2AC213AB3A81BF7456EAACB4AA7103E9
SHA1: DCB398DD20F0C8CD65C1048D3842C131C5827224
SHA256: 6125393E8592C331FA726B6C0BCB23813303D5A4C9A74135255D3F15144A567C
SSDEEP: 24576:sPP2Drpn14IsIBq5fHoky6DNzrn/RmDbvSnKVDwFX:bl9A5ffzz0DbKH

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3764)
    • Checks supported languages

      • WinRAR.exe (PID: 3804)
      • WinRAR.exe (PID: 1260)
      • OUTLOOK.EXE (PID: 3216)
      • WinRAR.exe (PID: 1040)
      • notepad++.exe (PID: 3228)
      • vlc.exe (PID: 4084)
    • Reads the computer name

      • WinRAR.exe (PID: 3804)
      • WinRAR.exe (PID: 1260)
      • WinRAR.exe (PID: 1040)
      • OUTLOOK.EXE (PID: 3216)
      • vlc.exe (PID: 4084)
    • Executed via COM

      • OUTLOOK.EXE (PID: 3216)
      • DllHost.exe (PID: 1704)
    • Searches for installed software

      • OUTLOOK.EXE (PID: 3216)
    • Creates files in the user directory

      • OUTLOOK.EXE (PID: 3216)
      • vlc.exe (PID: 4084)
  • INFO

    • Reads the computer name

      • iexplore.exe (PID: 3452)
      • iexplore.exe (PID: 3764)
      • iexplore.exe (PID: 452)
      • explorer.exe (PID: 2436)
      • DllHost.exe (PID: 1704)
      • explorer.exe (PID: 3008)
    • Checks supported languages

      • iexplore.exe (PID: 3452)
      • iexplore.exe (PID: 3764)
      • iexplore.exe (PID: 452)
      • explorer.exe (PID: 2436)
      • DllHost.exe (PID: 1704)
      • explorer.exe (PID: 3008)
    • Changes internet zones settings

      • iexplore.exe (PID: 3452)
    • Application launched itself

      • iexplore.exe (PID: 3452)
      • iexplore.exe (PID: 3764)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3764)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3452)
      • iexplore.exe (PID: 3764)
    • Manual execution by user

      • explorer.exe (PID: 2436)
      • WinRAR.exe (PID: 3804)
      • WinRAR.exe (PID: 1260)
      • explorer.exe (PID: 3008)
      • vlc.exe (PID: 4084)
      • notepad++.exe (PID: 3228)
    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3452)
      • iexplore.exe (PID: 3764)
    • Creates files in the user directory

      • iexplore.exe (PID: 3452)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3452)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3452)
    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 1260)
      • OUTLOOK.EXE (PID: 3216)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)
No data.
All screenshots are available in the full report
Total processes: 61
Monitored processes: 12
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown in the graph: start, iexplore.exe, iexplore.exe, iexplore.exe (no specs), explorer.exe (no specs), winrar.exe (no specs), winrar.exe (no specs), outlook.exe (no specs), winrar.exe (no specs), PhotoViewer.dll (no specs), explorer.exe (no specs), notepad++.exe, vlc.exe

Process information

PID: 3452
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\admin\Desktop\Payment#2068.html"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3764
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3452 CREDAT:144385 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 452
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3452 CREDAT:333057 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2436
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3804
CMD: "C:\Program Files\WinRAR\WinRAR.exe" a -ep1 -scul -r0 -iext -- Downloads.rar C:\Users\admin\Links\Downloads.lnk
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 1260
CMD: "C:\Program Files\WinRAR\WinRAR.exe" a -ieml. -ep1 -scul -r0 -iext -- . C:\Users\admin\Links\Downloads.lnk
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 3216
CMD: C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE -Embedding
Path: C:\PROGRA~1\MICROS~1\Office14\OUTLOOK.EXE
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Exit code: 0
Version: 14.0.6025.1000

PID: 1040
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Outlook\PVOVPR6F\Downloads.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0

PID: 1704
CMD: C:\Windows\system32\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: COM Surrogate
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3008
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Exit code: 1
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 23 728
Read events: 22 913
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 0
Suspicious files: 16
Text files: 25
Unknown types: 9

Dropped files

PID | Process | Filename | Type
3452 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
MD5:0589FDFB0535775EE7F9873C703F7FBD
SHA256:C4266F4C7A9C1A56815A29E02A40F35DC04D46B279E4993B748569201283D103
3452 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | der
MD5:B8BDA0B382A7D056A4241B388338B778
SHA256:7BAA967F6686CCE471826B20FFA5CB7FEB4BF3C5C0BF43F51F08E84EB5850DD2
3452 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | der
MD5:AFC3E2584B32E1E7C23C33E9534089A5
SHA256:61597F5F937DA250A5ED7B4B82867BEBC546A5A35C0029982A003B1E9CBD2E7E
3452 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\8RRAOHZP.txt | text
MD5:E9D33A357B19B00AE8038AE1AE62116A
SHA256:527207086EB4D0294C02906B6125BA3C87AE1436293B31D954193E0E16AE5A20
3452 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\5JRJ4QFI.txt | text
MD5:8E1D5BEB7E30112ED5D36C439A03F572
SHA256:F61298A4FADEEBE1F842FB6C69C9668E882261BEDB40FCD2F3A8EC6F6BF98390
3452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[2].ico | image
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3452 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776 | binary
MD5:5C0E6DE5966DFC5351E40B52E8EE8068
SHA256:172688AB4F9F6FF52EFFF241B32B61EB17EAD462D4DE054820DC504E5F6EB2F4
3452 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\3UIP8N4F.txt | text
MD5:84702BBC9F5A5BF91B2F29FFF06FFC3A
SHA256:397E7292D2898734097F757532E35E9E37CFC2D49B2669C2566B6343D991BD2E
3452 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | binary
MD5:2848C3D50DE571EEC4E97A3B0C903E4D
SHA256:BB08D14C1ACCB1413E014947E748AD5D07904706A836830E8010D94B1EC3CCBB
3804 | WinRAR.exe | C:\Users\admin\Links\Downloads.rar | compressed
MD5:C4ABC4E1B905843E8AE4D12F3FA737D5
SHA256:D17ED58A212FE98638AB5715EABE3707F7CFDCBC0D4F1FFFA6EC7E3D4206A2FA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 6
TCP/UDP connections: 22
DNS requests: 13
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3452 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted
3452 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
3452 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted
3452 | iexplore.exe | GET | 200 | 23.216.77.69:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?bf6eac7388a3a672 | US | compressed | 4.70 Kb | whitelisted
3452 | iexplore.exe | GET | 200 | 23.216.77.69:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?472ad9bca4dc9a86 | US | compressed | 4.70 Kb | whitelisted
3452 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3452 | iexplore.exe | 152.199.19.161:443 | r20swj13mr.microsoft.com | EDGECAST | US | whitelisted
3452 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
3452 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3764 | iexplore.exe | 152.199.19.161:443 | r20swj13mr.microsoft.com | EDGECAST | US | whitelisted
3452 | iexplore.exe | 131.253.33.203:443 | www.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3452 | iexplore.exe | 23.216.77.69:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | suspicious
3452 | iexplore.exe | 96.16.143.41:443 | go.microsoft.com | AKAMAI-AS | DE | whitelisted
3452 | iexplore.exe | 20.25.53.147:443 | query.prod.cms.msn.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown

DNS requests

Domain | IP | Reputation
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
ctldl.windowsupdate.com | 23.216.77.69, 23.216.77.80 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
dns.msftncsi.com | 131.107.255.255 | shared
ieonline.microsoft.com | 204.79.197.200 | whitelisted
go.microsoft.com | 96.16.143.41 | whitelisted
www.msn.com | 131.253.33.203 | whitelisted

Threats

No threats detected
Process | Message
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\plugins\Config\nppPluginList.dll
notepad++.exe | VerifyLibrary: certificate revocation checking is disabled
notepad++.exe | ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe | VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe