Field | Value
---|---|
Download | income-tax
Full analysis | https://app.any.run/tasks/a56f195e-2fa8-4245-874d-8336688d1e27
Verdict | Malicious activity
Analysis date | April 23, 2019, 23:08:59
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MIME | text/html
File info | HTML document, ASCII text
File type | .html, HyperText Markup Language (100)
MD5 | 42390C101ACB4BE47A20A1CAB1FC172E
SHA1 | D6640109FF56B85D229245428218263572EBC71A
SHA256 | 8749A08CEEE3EE33BD2BDBAECA256BCB83076896FD4B62B84465D641FC6D5606
SSDEEP | 6:hxuJL/sGeqhJVCNJbS0wTv9s43HEpOgrv7ZlmKF/jn0APnwxjWAEd0Gb:hYeZqhCa1bO43kpPrR/9wxjWAEdjb
Refresh (meta) | 0; url=http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/33554432&REALMOID=06-26a97681-2e5a-105d-9505-84cb2b4afb5e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-VBsyLaEZXwIUFhq8C3N4UGC2G2ZbCouqrx0srbXXaEq8VpjzECfDP+xPlNszQNRnOgP9/authenticate.php

PID | CMD | Path | Indicators | Parent process | Integrity level | Exit code
---|---|---|---|---|---|---|
3332 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Desktop\income-tax.html | C:\Program Files\Internet Explorer\iexplore.exe | — | explorer.exe | MEDIUM | —
2520 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3332 CREDAT:79873 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | MEDIUM | 0
2840 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3332 CREDAT:137473 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe | LOW | —

All three processes: user admin, company Microsoft Corporation, description Internet Explorer, version 8.00.7600.16385 (win7_rtm.090713-1255).

PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---|
3332 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | — | — | —
3332 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | — | —
2840 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BZC56FQ3\authenticate[1].php | — | — | —
3332 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFD5D7E9E4DBB01E54.TMP | — | — | —
3332 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{D097D1A2-661C-11E9-A370-5254004A04AF}.dat | binary | DF0B94AA3A5F48B69E3A3CC1B3864995 | 3CDBB833D95A1DE7062F34B118D4450B3457DCD5A33DCA24A5A82B14C9F6FE04
2840 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UD7UN2Y4\ie8-theme.min[1].css | text | 9E8C09271619BBA8D3A7AB0254945CAE | 5916320CEF1D6443200BB12DFD4FBF7CD58252A4FAA68A17DD4D672CAED490F5
2840 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UD7UN2Y4\theme.min[1].css | text | 13DFAE749617A354E1428F529A65B492 | E3536EF9CB8BCFF43B17377A72B2657DB0D020529137688B1FDF4B2EC7A2C105
2840 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BZC56FQ3\authenticate[1].htm | html | BAF72C1ED9BAD0EB9BA18B10ED31C29D | 5EF3C998FE2BBF14498C5D10D5BE4D92EB261328A00D3F4BE2720BC6D3A5FC40
2840 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OWBG76ZJ\timeout[1].css | text | F4DDBD91CF58609F73D833E1124B1F31 | 447A4A6C6D785D6FC009367D1FD835B3245114E3162A5DAFE288EA54FFD7E0C7
2840 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BZC56FQ3\common[1].css | text | 58812FF96C6D5C2109D366BE32695E64 | 93C11C985807FA11DEE8E93DABECE88C3B74C1E945FA8911C032E75DDD2A6F2D

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2840 | iexplore.exe | GET | 200 | 157.230.127.140:80 | http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/33554432&REALMOID=06-26a97681-2e5a-105d-9505-84cb2b4afb5e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-VBsyLaEZXwIUFhq8C3N4UGC2G2ZbCouqrx0srbXXaEq8VpjzECfDP+xPlNszQNRnOgP9/details_files/common.css | US | text | 920 b | malicious |
2840 | iexplore.exe | GET | 200 | 157.230.127.140:80 | http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/33554432&REALMOID=06-26a97681-2e5a-105d-9505-84cb2b4afb5e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-VBsyLaEZXwIUFhq8C3N4UGC2G2ZbCouqrx0srbXXaEq8VpjzECfDP+xPlNszQNRnOgP9/details_files/apps.css | US | text | 1.12 Kb | malicious |
2840 | iexplore.exe | GET | 200 | 157.230.127.140:80 | http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/33554432&REALMOID=06-26a97681-2e5a-105d-9505-84cb2b4afb5e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-VBsyLaEZXwIUFhq8C3N4UGC2G2ZbCouqrx0srbXXaEq8VpjzECfDP+xPlNszQNRnOgP9/details_files/theme.min.css | US | text | 34.2 Kb | malicious |
2840 | iexplore.exe | GET | 404 | 157.230.127.140:80 | http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/wet-boew/fonts/glyphicons-halflings-regular.eot? | US | html | 361 b | malicious |
2840 | iexplore.exe | GET | 200 | 157.230.127.140:80 | http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/33554432&REALMOID=06-26a97681-2e5a-105d-9505-84cb2b4afb5e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-VBsyLaEZXwIUFhq8C3N4UGC2G2ZbCouqrx0srbXXaEq8VpjzECfDP+xPlNszQNRnOgP9/details_files/jquery.min.js | US | text | 28.8 Kb | malicious |
2840 | iexplore.exe | GET | 404 | 157.230.127.140:80 | http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/33554432&REALMOID=06-26a97681-2e5a-105d-9505-84cb2b4afb5e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-VBsyLaEZXwIUFhq8C3N4UGC2G2ZbCouqrx0srbXXaEq8VpjzECfDP+xPlNszQNRnOgP9/fonts/fontawesome-webfont.eot? | US | html | 538 b | malicious |
2840 | iexplore.exe | GET | 200 | 185.225.208.133:80 | http://waust.at/d.js | unknown | text | 6.99 Kb | malicious |
2840 | iexplore.exe | GET | 200 | 157.230.127.140:80 | http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/33554432&REALMOID=06-26a97681-2e5a-105d-9505-84cb2b4afb5e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-VBsyLaEZXwIUFhq8C3N4UGC2G2ZbCouqrx0srbXXaEq8VpjzECfDP+xPlNszQNRnOgP9/details_files/ie8-theme.min.css | US | text | 33.6 Kb | malicious |
2840 | iexplore.exe | GET | 200 | 157.230.127.140:80 | http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/33554432&REALMOID=06-26a97681-2e5a-105d-9505-84cb2b4afb5e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-VBsyLaEZXwIUFhq8C3N4UGC2G2ZbCouqrx0srbXXaEq8VpjzECfDP+xPlNszQNRnOgP9/details_files/timeout.css | US | text | 241 b | malicious |
2840 | iexplore.exe | GET | 200 | 157.230.127.140:80 | http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/33554432&REALMOID=06-26a97681-2e5a-105d-9505-84cb2b4afb5e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-VBsyLaEZXwIUFhq8C3N4UGC2G2ZbCouqrx0srbXXaEq8VpjzECfDP+xPlNszQNRnOgP9/authenticate.php | US | html | 2.93 Kb | malicious

PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2840 | iexplore.exe | 185.225.208.133:80 | waust.at | — | — | suspicious |
2840 | iexplore.exe | 67.202.94.86:80 | whos.amung.us | Steadfast | US | suspicious |
3332 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2840 | iexplore.exe | 157.230.127.140:80 | grillitrestaurant.com | Joao Carlos de Almeida Silveira trading as Bitcanal | US | suspicious |
3332 | iexplore.exe | 157.230.127.140:80 | grillitrestaurant.com | Joao Carlos de Almeida Silveira trading as Bitcanal | US | suspicious |
2840 | iexplore.exe | 172.217.23.170:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
2840 | iexplore.exe | 23.8.3.89:443 | www.canada.ca | Akamai International B.V. | NL | whitelisted |
2840 | iexplore.exe | 2.18.232.23:443 | assets.adobedtm.com | Akamai International B.V. | — | whitelisted |
2840 | iexplore.exe | 216.58.210.10:443 | ajax.googleapis.com | Google Inc. | US | whitelisted |
2840 | iexplore.exe | 216.58.206.3:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |

Domain | IP | Reputation
---|---|---|
www.bing.com | — | whitelisted
grillitrestaurant.com | — | malicious
waust.at | — | malicious
whos.amung.us | — | whitelisted
www.canada.ca | — | suspicious
assets.adobedtm.com | — | whitelisted
ajax.googleapis.com | — | whitelisted
fonts.googleapis.com | — | whitelisted
fonts.gstatic.com | — | whitelisted

PID | Process | Class | Message |
---|---|---|---|
2840 | iexplore.exe | A Network Trojan was detected | ET POLICY Suspicious CVV Parameter in HTTP POST - Possible Phishing |
2840 | iexplore.exe | Generic Protocol Command Decode | SURICATA STREAM excessive retransmissions |