Malware analysis http://mail.75rogrscust-etrs.com/ROGERS/index.php/files/files/files/files/files/files/files/files/files/files/files/doc Malicious activity

Add for printing

URL:	http://mail.75rogrscust-etrs.com/ROGERS/index.php/files/files/files/files/files/files/files/files/files/files/files/doc
Full analysis:	https://app.any.run/tasks/183b3045-9ef9-44c1-98ca-78b2ca35bdfe
Verdict:	Malicious activity
Analysis date:	April 23, 2019, 15:47:42
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	adware
Indicators:
MD5:	D83AC9CB207678F7FF89B90A585382BC
SHA1:	AF26AB08C0116205B7579B362DAD7ED14472D417
SHA256:	79786377BDDC5D67730BA752B969D7FB9AEDF4A88A95BDF26768C6AC58730210
SSDEEP:	3:N1KTLKCXm4QLRaiKMkHYImffffffffffX:CR2OikHYL

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
No malicious indicators.
SUSPICIOUS
No suspicious indicators.
INFO
- Application launched itself
  - iexplore.exe (PID: 2928)
- Reads internet explorer settings
  - iexplore.exe (PID: 3188)
- Creates files in the user directory
  - iexplore.exe (PID: 3188)
- Changes internet zones settings
  - iexplore.exe (PID: 2928)
- Reads Internet Cache Settings
  - iexplore.exe (PID: 3188)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Parent process
2928	"C:\Program Files\Internet Explorer\iexplore.exe" -nohome	C:\Program Files\Internet Explorer\iexplore.exe	explorer.exe
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)
3188	"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2928 CREDAT:71937	C:\Program Files\Internet Explorer\iexplore.exe	iexplore.exe
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255)

Add for printing

Total events

370

Read events

310

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
2928	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico		—
		MD5:—	SHA256:—
2928	iexplore.exe	C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico		—
		MD5:—	SHA256:—
3188	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XECVHYW6\fwdssp_com[1].txt		—
		MD5:—	SHA256:—
3188	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FEBMDMAD\fwdssp_com[1].txt		—
		MD5:—	SHA256:—
3188	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat		dat
		MD5:085D93A5E3187CB779C3AF6733744E6B	SHA256:7B7DBCD5C71BD20DAA9FB03C244EC218F28F1ABAE70F2D4CA0D54057B439D726
3188	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YSRBWKB0\suspendedpage[1].htm		html
		MD5:CDE938937ED62ECAEF91572879F25F7F	SHA256:81C3BF0E0990030F5AF502C896EA05ED1C21AC83F3173C5E633B86DD50C1D7F7
3188	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\6FTAYW3C\min[1].js		text
		MD5:5563332AD6AF63C9C94CEF15761BE544	SHA256:4EFEC11A42893D4DF0249174CBE5AFAE24A5734F5DED35C5E84C56BF9F473EC2
3188	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat		dat
		MD5:A016F27CC121B2155D57F23D49226711	SHA256:6DE53E35F3D8EB8C10C05F69C597B345C1D7634620A399E63774DDB3745ADC34
3188	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XECVHYW6\fwdssp_com[1].htm		html
		MD5:A8826B74E9F7EE016A7F2907E93DA51B	SHA256:CC87D520096E02854A5416C39B292FD269FE830292E7B3726689180612B6E777
3188	iexplore.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FEBMDMAD\fwdssp_com[1].htm		html
		MD5:6B311F54E785126D1F8AC9ED49F7B1BC	SHA256:677676F31DC606064A3DEEDFDDF8522A8D26B238D24544D0BDAA333BD2FA2B57

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3188	iexplore.exe	GET	200	208.91.196.46:80	http://fwdssp.com/?domain=75rogrscust-etrs.com&dn=75rogrscust-etrs.com&fp=HjIr6cRwn8WcwfKxlHFsQFYaVovYm4t%2BhzDMPG91zKA61axHmiEbPKxVm%2Fj9SorBQhQYEed7iPEO06MxKZeJcLd4fLjRQmBK5s9gNTPkH%2B6IHM830mCIohyStCM1n%2FXSrx1G0jGPn9JPZnBUjOrxadPZcZo2F2xmkP%2FtIDoqH5zs1lvAu0gkApISv8XbKun6&prvtof=FrBzFD9aBKp2iFUs7fCzSRdWqcNpMv%2BtteVekZ%2FwEQ2b1lHwcLExQFiIOlAE%2FJb4rWtR2ro3wUaSB%2BuBAIzxx1CbCBMuAUNochrJYwOVIMI%3D&poru=f8HWIZZWAFCIe2aZDpYqAgtai2sKfiYsiEsbuPWU6pnrM3KfNJ9AvwV%2FWM1c0aHQqcxSKsyz8JoqM6%2Fr8GV2bWj2Od1PRwBYtwqj8%2FNHLBY%3D&	VG	html	6.93 Kb	whitelisted
3188	iexplore.exe	GET	200	2.16.186.106:80	http://i1.cdn-image.com/__media__/js/min.js?v2.2	unknown	text	2.97 Kb	whitelisted
3188	iexplore.exe	GET	302	162.144.12.143:80	http://mail.75rogrscust-etrs.com/ROGERS/index.php/files/files/files/files/files/files/files/files/files/files/files/doc	US	html	317 b	malicious
3188	iexplore.exe	GET	200	2.16.186.64:80	http://i4.cdn-image.com/__media__/fonts/ubuntu-b/ubuntu-b.eot?	unknown	eot	110 Kb	whitelisted
3188	iexplore.exe	GET	200	208.91.196.46:80	http://fwdssp.com/px.js?ch=1	VG	text	346 b	whitelisted
3188	iexplore.exe	GET	200	2.16.186.64:80	http://i3.cdn-image.com/__media__/pics/12471/logo.png	unknown	image	3.86 Kb	whitelisted
3188	iexplore.exe	GET	200	162.144.12.143:80	http://mail.75rogrscust-etrs.com/cgi-sys/suspendedpage.cgi	US	html	437 b	malicious
3188	iexplore.exe	GET	200	208.91.196.46:80	http://fwdssp.com/?dn=referer_detect&pid=5POL4F2O4	VG	html	1.81 Kb	whitelisted
3188	iexplore.exe	GET	200	2.16.186.64:80	http://i4.cdn-image.com/__media__/pics/12471/libg.png	unknown	image	1.07 Kb	whitelisted
3188	iexplore.exe	GET	200	208.91.196.46:80	http://fwdssp.com/px.js?ch=2	VG	text	346 b	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2928	iexplore.exe	204.79.197.200:80	www.bing.com	Microsoft Corporation	US	whitelisted
—	—	208.91.196.4:80	searchdiscovered.com	Confluence Networks Inc	VG	malicious
3188	iexplore.exe	2.16.186.64:80	i1.cdn-image.com	Akamai International B.V.	—	whitelisted
3188	iexplore.exe	2.16.186.106:80	i1.cdn-image.com	Akamai International B.V.	—	whitelisted
3188	iexplore.exe	162.144.12.143:80	mail.75rogrscust-etrs.com	Unified Layer	US	malicious
2928	iexplore.exe	162.144.12.143:80	mail.75rogrscust-etrs.com	Unified Layer	US	malicious
3188	iexplore.exe	208.91.196.4:80	searchdiscovered.com	Confluence Networks Inc	VG	malicious
3188	iexplore.exe	208.91.196.46:80	fwdssp.com	Confluence Networks Inc	VG	malicious

DNS requests

Domain	IP	Reputation
www.bing.com	204.79.197.200 13.107.21.200	whitelisted
mail.75rogrscust-etrs.com	162.144.12.143	malicious
fwdssp.com	208.91.196.46	whitelisted
i1.cdn-image.com	2.16.186.106 2.16.186.64	whitelisted
i4.cdn-image.com	2.16.186.64 2.16.186.106	whitelisted
searchdiscovered.com	208.91.196.4	malicious
i3.cdn-image.com	2.16.186.64 2.16.186.106	whitelisted
freeresultsguide.com	208.91.196.4	whitelisted

Threats

PID	Process	Class	Message
3188	iexplore.exe	Misc activity	ADWARE [PTsecurity] InstantAccess

Add for printing

No debug info

General Info

http://mail.75rogrscust-etrs.com/ROGERS/index.php/files/files/files/files/files/files/files/files/files/files/files/doc

D83AC9CB207678F7FF89B90A585382BC

AF26AB08C0116205B7579B362DAD7ED14472D417

79786377BDDC5D67730BA752B969D7FB9AEDF4A88A95BDF26768C6AC58730210

3:N1KTLKCXm4QLRaiKMkHYImffffffffffX:CR2OikHYL

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

SUSPICIOUS

INFO

Application launched itself

Reads internet explorer settings

Creates files in the user directory

Changes internet zones settings

Reads Internet Cache Settings

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings