URL: http://home.btconnect.com/tomanjerry/refresh.htm
Full analysis: https://app.any.run/tasks/62fd1cf7-fd83-4ca0-bd23-1b58159de179
Verdict: Malicious activity
Analysis date: December 14, 2018, 13:52:34
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir, phishing, phish-microsoft, phish-outlook
Indicators:
MD5: BD61F0E14DB83CEF1BC6D2BB3373F07B
SHA1: 04B35DD5C0B4B5888AD12726B68DA8BA9830E966
SHA256: 66DD3D20BF558CD4D560E8762D07517046AF5566DCF9D456AB20CB72EACF520C
SSDEEP: 3:N1KWKpT0tlEcMmXAQNRI:CWKTAlEUAQNRI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS: no malicious indicators.
  • SUSPICIOUS: no suspicious indicators.
  • INFO
    • Reads internet explorer settings: iexplore.exe (PID: 3092)
    • Creates files in the user directory: iexplore.exe (PID: 2948), iexplore.exe (PID: 3092)
    • Reads Internet Cache Settings: iexplore.exe (PID: 3092)
    • Changes internet zones settings: iexplore.exe (PID: 2948)
    • Reads settings of System Certificates: iexplore.exe (PID: 2948)
    • Changes settings of System certificates: iexplore.exe (PID: 2948)
    • Adds / modifies Windows certificates: iexplore.exe (PID: 2948)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 33
Monitored processes: 2
Malicious processes: 0
Suspicious processes: 0

Behavior graph: start → iexplore.exe → iexplore.exe

Process information

PID: 2948
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3092
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2948 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 462
Read events: 379
Write events: 0
Delete events: 0

Modification events: no data

Executable files: 0
Suspicious files: 7
Text files: 35
Unknown types: 4

Dropped files

PID | Process | Filename
2948 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico
2948 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
3092 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab72DF.tmp
3092 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab72E0.tmp
3092 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar72E1.tmp
3092 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar72E2.tmp
3092 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab72F2.tmp
3092 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar72F3.tmp
3092 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab7304.tmp
3092 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar7305.tmp
HTTP(S) requests: 11
TCP/UDP connections: 32
DNS requests: 15
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3092 | iexplore.exe | GET | 200 | 209.235.144.28:80 | http://home.btconnect.com/tomanjerry/refresh.htm | US | html | 225 b | unknown
3092 | iexplore.exe | GET | 200 | 13.107.4.50:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.2 Kb | whitelisted
2948 | iexplore.exe | GET | - | 139.59.60.216:80 | http://www.icnsi.org/CookieAuth.dll?GetPic?formdir=1&image=favicon.ico | IN | - | - | suspicious
3092 | iexplore.exe | GET | - | 139.59.60.216:80 | http://www.icnsi.org/CookieAuth.dll?GetPic?formdir=1&image=lgnexlogo.gif | IN | - | - | suspicious
3092 | iexplore.exe | GET | 200 | 139.59.60.216:80 | http://www.icnsi.org/wp-content/plugins/coo/OWAnewform.html | IN | html | 9.57 Kb | suspicious
3092 | iexplore.exe | GET | 301 | 13.107.6.156:80 | http://www.office.com/ | US | - | - | whitelisted
3092 | iexplore.exe | GET | 200 | 2.16.186.81:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | unknown | compressed | 55.2 Kb | whitelisted
2948 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
3092 | iexplore.exe | POST | 302 | 193.106.122.90:80 | http://www.maskinbladet.dk/cgi-bin/sendmig.cgi | DK | html | 206 b | suspicious
3092 | iexplore.exe | GET | 200 | 13.107.4.50:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/8CF427FD790C3AD166068DE81E57EFBB932272D4.crt | US | der | 1.06 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2948 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3092 | iexplore.exe | 162.130.196.190:443 | owa.marriott.com | Marriot Corporation | US | unknown
2948 | iexplore.exe | 209.235.144.28:80 | home.btconnect.com | InternetNamesForBusiness.com | US | unknown
3092 | iexplore.exe | 139.59.60.216:80 | www.icnsi.org | Digital Ocean, Inc. | IN | suspicious
3092 | iexplore.exe | 209.235.144.28:80 | home.btconnect.com | InternetNamesForBusiness.com | US | unknown
3092 | iexplore.exe | 13.107.4.50:80 | www.download.windowsupdate.com | Microsoft Corporation | US | whitelisted
2948 | iexplore.exe | 139.59.60.216:80 | www.icnsi.org | Digital Ocean, Inc. | IN | suspicious
3092 | iexplore.exe | 2.16.186.81:80 | www.download.windowsupdate.com | Akamai International B.V. | - | whitelisted
3092 | iexplore.exe | 2.16.186.34:443 | statics-uhf-neu.akamaized.net | Akamai International B.V. | - | whitelisted
3092 | iexplore.exe | 13.107.6.156:80 | www.office.com | Microsoft Corporation | US | whitelisted

DNS requests

Domain | IP | Reputation
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
home.btconnect.com | 209.235.144.28 | unknown
www.icnsi.org | 139.59.60.216 | suspicious
owa.marriott.com | 162.130.196.190 | unknown
www.download.windowsupdate.com | 2.16.186.81, 2.16.186.56, 13.107.4.50 | whitelisted
www.maskinbladet.dk | 193.106.122.90 | suspicious
www.office.com | 13.107.6.156 | whitelisted
statics-uhf-neu.akamaized.net | 2.16.186.34, 2.16.186.26 | whitelisted
weuofficehome.msocdn.com | 23.38.49.65 | whitelisted
c.s-microsoft.com | 2.18.233.62 | whitelisted

Threats

PID | Process | Class | Message
3092 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Possible OWA Mail Phishing Landing - Title over non SSL
3092 | iexplore.exe | A Network Trojan was detected | ET CURRENT_EVENTS Possible Successful Generic Phish Jan 14 2016
No debug info