Sample: income-tax

Full analysis: https://app.any.run/tasks/a56f195e-2fa8-4245-874d-8336688d1e27
Verdict: Malicious activity
Analysis date: April 23, 2019, 23:08:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir, phishing
MIME: text/html
File info: HTML document, ASCII text
MD5: 42390C101ACB4BE47A20A1CAB1FC172E
SHA1: D6640109FF56B85D229245428218263572EBC71A
SHA256: 8749A08CEEE3EE33BD2BDBAECA256BCB83076896FD4B62B84465D641FC6D5606
SSDEEP: 6:hxuJL/sGeqhJVCNJbS0wTv9s43HEpOgrv7ZlmKF/jn0APnwxjWAEd0Gb:hYeZqhCa1bO43kpPrR/9wxjWAEdjb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS: No malicious indicators.
  • SUSPICIOUS: No suspicious indicators.
  • INFO
    • Changes internet zones settings: iexplore.exe (PID: 3332)
    • Reads internet explorer settings: iexplore.exe (PID: 2520), iexplore.exe (PID: 2840)
    • Creates files in the user directory: iexplore.exe (PID: 2840), iexplore.exe (PID: 3332)
    • Application launched itself: iexplore.exe (PID: 3332)
    • Reads Internet Cache Settings: iexplore.exe (PID: 2840)
    • Reads settings of System Certificates: iexplore.exe (PID: 2840), iexplore.exe (PID: 3332)
    • Changes settings of System certificates: iexplore.exe (PID: 3332)
    • Adds / modifies Windows certificates: iexplore.exe (PID: 3332)
No Malware configuration.

TRiD
.html | HyperText Markup Language (100)

EXIF (HTML)
Refresh: 0; url=http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/33554432&REALMOID=06-26a97681-2e5a-105d-9505-84cb2b4afb5e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-VBsyLaEZXwIUFhq8C3N4UGC2G2ZbCouqrx0srbXXaEq8VpjzECfDP+xPlNszQNRnOgP9/authenticate.php
No data.
Total processes: 38
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start → iexplore.exe → iexplore.exe (no specs), iexplore.exe

Process information

PID: 3332
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Desktop\income-tax.html
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2520
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3332 CREDAT:79873
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2840
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3332 CREDAT:137473
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 715
Read events: 612
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 1
Text files: 72
Unknown types: 12

Dropped files

PID: 3332, Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:

PID: 3332, Process: iexplore.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:

PID: 2840, Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BZC56FQ3\authenticate[1].php
MD5:
SHA256:

PID: 3332, Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFD5D7E9E4DBB01E54.TMP
MD5:
SHA256:

PID: 3332, Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{D097D1A2-661C-11E9-A370-5254004A04AF}.dat
Type: binary
MD5: DF0B94AA3A5F48B69E3A3CC1B3864995
SHA256: 3CDBB833D95A1DE7062F34B118D4450B3457DCD5A33DCA24A5A82B14C9F6FE04

PID: 2840, Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UD7UN2Y4\ie8-theme.min[1].css
Type: text
MD5: 9E8C09271619BBA8D3A7AB0254945CAE
SHA256: 5916320CEF1D6443200BB12DFD4FBF7CD58252A4FAA68A17DD4D672CAED490F5

PID: 2840, Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\UD7UN2Y4\theme.min[1].css
Type: text
MD5: 13DFAE749617A354E1428F529A65B492
SHA256: E3536EF9CB8BCFF43B17377A72B2657DB0D020529137688B1FDF4B2EC7A2C105

PID: 2840, Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BZC56FQ3\authenticate[1].htm
Type: html
MD5: BAF72C1ED9BAD0EB9BA18B10ED31C29D
SHA256: 5EF3C998FE2BBF14498C5D10D5BE4D92EB261328A00D3F4BE2720BC6D3A5FC40

PID: 2840, Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OWBG76ZJ\timeout[1].css
Type: text
MD5: F4DDBD91CF58609F73D833E1124B1F31
SHA256: 447A4A6C6D785D6FC009367D1FD835B3245114E3162A5DAFE288EA54FFD7E0C7

PID: 2840, Process: iexplore.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BZC56FQ3\common[1].css
Type: text
MD5: 58812FF96C6D5C2109D366BE32695E64
SHA256: 93C11C985807FA11DEE8E93DABECE88C3B74C1E945FA8911C032E75DDD2A6F2D
HTTP(S) requests: 44
TCP/UDP connections: 42
DNS requests: 10
Threats: 0

HTTP requests

PID: 2840, Process: iexplore.exe, Method: GET, HTTP Code: 200, IP: 157.230.127.140:80
URL: http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/33554432&REALMOID=06-26a97681-2e5a-105d-9505-84cb2b4afb5e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-VBsyLaEZXwIUFhq8C3N4UGC2G2ZbCouqrx0srbXXaEq8VpjzECfDP+xPlNszQNRnOgP9/details_files/common.css
CN: US, Type: text, Size: 920 b, Reputation: malicious

PID: 2840, Process: iexplore.exe, Method: GET, HTTP Code: 200, IP: 157.230.127.140:80
URL: http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/33554432&REALMOID=06-26a97681-2e5a-105d-9505-84cb2b4afb5e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-VBsyLaEZXwIUFhq8C3N4UGC2G2ZbCouqrx0srbXXaEq8VpjzECfDP+xPlNszQNRnOgP9/details_files/apps.css
CN: US, Type: text, Size: 1.12 Kb, Reputation: malicious

PID: 2840, Process: iexplore.exe, Method: GET, HTTP Code: 200, IP: 157.230.127.140:80
URL: http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/33554432&REALMOID=06-26a97681-2e5a-105d-9505-84cb2b4afb5e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-VBsyLaEZXwIUFhq8C3N4UGC2G2ZbCouqrx0srbXXaEq8VpjzECfDP+xPlNszQNRnOgP9/details_files/theme.min.css
CN: US, Type: text, Size: 34.2 Kb, Reputation: malicious

PID: 2840, Process: iexplore.exe, Method: GET, HTTP Code: 404, IP: 157.230.127.140:80
URL: http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/wet-boew/fonts/glyphicons-halflings-regular.eot?
CN: US, Type: html, Size: 361 b, Reputation: malicious

PID: 2840, Process: iexplore.exe, Method: GET, HTTP Code: 200, IP: 157.230.127.140:80
URL: http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/33554432&REALMOID=06-26a97681-2e5a-105d-9505-84cb2b4afb5e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-VBsyLaEZXwIUFhq8C3N4UGC2G2ZbCouqrx0srbXXaEq8VpjzECfDP+xPlNszQNRnOgP9/details_files/jquery.min.js
CN: US, Type: text, Size: 28.8 Kb, Reputation: malicious

PID: 2840, Process: iexplore.exe, Method: GET, HTTP Code: 404, IP: 157.230.127.140:80
URL: http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/33554432&REALMOID=06-26a97681-2e5a-105d-9505-84cb2b4afb5e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-VBsyLaEZXwIUFhq8C3N4UGC2G2ZbCouqrx0srbXXaEq8VpjzECfDP+xPlNszQNRnOgP9/fonts/fontawesome-webfont.eot?
CN: US, Type: html, Size: 538 b, Reputation: malicious

PID: 2840, Process: iexplore.exe, Method: GET, HTTP Code: 200, IP: 185.225.208.133:80
URL: http://waust.at/d.js
CN: unknown, Type: text, Size: 6.99 Kb, Reputation: malicious

PID: 2840, Process: iexplore.exe, Method: GET, HTTP Code: 200, IP: 157.230.127.140:80
URL: http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/33554432&REALMOID=06-26a97681-2e5a-105d-9505-84cb2b4afb5e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-VBsyLaEZXwIUFhq8C3N4UGC2G2ZbCouqrx0srbXXaEq8VpjzECfDP+xPlNszQNRnOgP9/details_files/ie8-theme.min.css
CN: US, Type: text, Size: 33.6 Kb, Reputation: malicious

PID: 2840, Process: iexplore.exe, Method: GET, HTTP Code: 200, IP: 157.230.127.140:80
URL: http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/33554432&REALMOID=06-26a97681-2e5a-105d-9505-84cb2b4afb5e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-VBsyLaEZXwIUFhq8C3N4UGC2G2ZbCouqrx0srbXXaEq8VpjzECfDP+xPlNszQNRnOgP9/details_files/timeout.css
CN: US, Type: text, Size: 241 b, Reputation: malicious

PID: 2840, Process: iexplore.exe, Method: GET, HTTP Code: 200, IP: 157.230.127.140:80
URL: http://grillitrestaurant.com/.apps1.ams-sga.cra-arc.gc.ca/33554432&REALMOID=06-26a97681-2e5a-105d-9505-84cb2b4afb5e&GUID=&SMAUTHREASON=0&METHOD=GET&SMAGENTNAME=-SM-VBsyLaEZXwIUFhq8C3N4UGC2G2ZbCouqrx0srbXXaEq8VpjzECfDP+xPlNszQNRnOgP9/authenticate.php
CN: US, Type: html, Size: 2.93 Kb, Reputation: malicious

Connections

PID: 2840, Process: iexplore.exe, IP: 185.225.208.133:80, Domain: waust.at, Reputation: suspicious
PID: 2840, Process: iexplore.exe, IP: 67.202.94.86:80, Domain: whos.amung.us, ASN: Steadfast, CN: US, Reputation: suspicious
PID: 3332, Process: iexplore.exe, IP: 204.79.197.200:80, Domain: www.bing.com, ASN: Microsoft Corporation, CN: US, Reputation: whitelisted
PID: 2840, Process: iexplore.exe, IP: 157.230.127.140:80, Domain: grillitrestaurant.com, ASN: Joao Carlos de Almeida Silveira trading as Bitcanal, CN: US, Reputation: suspicious
PID: 3332, Process: iexplore.exe, IP: 157.230.127.140:80, Domain: grillitrestaurant.com, ASN: Joao Carlos de Almeida Silveira trading as Bitcanal, CN: US, Reputation: suspicious
PID: 2840, Process: iexplore.exe, IP: 172.217.23.170:443, Domain: fonts.googleapis.com, ASN: Google Inc., CN: US, Reputation: whitelisted
PID: 2840, Process: iexplore.exe, IP: 23.8.3.89:443, Domain: www.canada.ca, ASN: Akamai International B.V., CN: NL, Reputation: whitelisted
PID: 2840, Process: iexplore.exe, IP: 2.18.232.23:443, Domain: assets.adobedtm.com, ASN: Akamai International B.V., Reputation: whitelisted
PID: 2840, Process: iexplore.exe, IP: 216.58.210.10:443, Domain: ajax.googleapis.com, ASN: Google Inc., CN: US, Reputation: whitelisted
PID: 2840, Process: iexplore.exe, IP: 216.58.206.3:443, Domain: fonts.gstatic.com, ASN: Google Inc., CN: US, Reputation: whitelisted

DNS requests

www.bing.com: 204.79.197.200, 13.107.21.200 (whitelisted)
grillitrestaurant.com: 157.230.127.140 (malicious)
waust.at: 185.225.208.133 (malicious)
whos.amung.us: 67.202.94.86, 67.202.94.94, 67.202.94.93 (whitelisted)
www.canada.ca: 23.8.3.89 (suspicious)
assets.adobedtm.com: 2.18.232.23 (whitelisted)
ajax.googleapis.com: 216.58.210.10, 172.217.16.202, 172.217.18.106, 172.217.21.202, 216.58.205.234, 172.217.21.234, 172.217.22.10, 172.217.18.170, 172.217.23.138, 216.58.206.10, 216.58.207.42, 216.58.207.74, 172.217.16.170, 216.58.208.42, 172.217.16.138, 172.217.22.42 (whitelisted)
fonts.googleapis.com: 172.217.23.170 (whitelisted)
fonts.gstatic.com: 216.58.206.3 (whitelisted)

Threats

PID: 2840, Process: iexplore.exe, Class: A Network Trojan was detected
Message: ET POLICY Suspicious CVV Parameter in HTTP POST - Possible Phishing

PID: 2840, Process: iexplore.exe, Class: Generic Protocol Command Decode
Message: SURICATA STREAM excessive retransmissions
No debug info