download: | drop |
Full analysis: | https://app.any.run/tasks/4349e48a-c946-4668-b192-4b8db06c6f16 |
Verdict: | Malicious activity |
Analysis date: | October 09, 2019, 15:13:15 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/plain |
File info: | ASCII text, with no line terminators |
MD5: | EB25B905964EAEFBAD86914C3FE7C795 |
SHA1: | 04329B5BCDC844483C0B72E3497BCBE807CD8F56 |
SHA256: | 9A2E63769009BACF150A5110C2C996AA10DD36EEC0C40C94585FCA897F27CDAF |
SSDEEP: | 6:GpeffQcESSpuSj2QlWjucwIRF2Q+DRjG+L8aLUtpfQQKS2Gb:Gpef7SISiQlOYQ+DY0DLUttXb |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2804 | "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\drop | C:\Windows\system32\rundll32.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2516 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\drop | C:\Program Files\Internet Explorer\iexplore.exe | rundll32.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3232 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2516 CREDAT:79873 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3176 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2516 CREDAT:203009 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) |
(PID) Process: | (2804) rundll32.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
Operation: | write | Name: | C:\Windows\system32\NOTEPAD.EXE |
Value: Notepad | |||
(PID) Process: | (2804) rundll32.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
Operation: | write | Name: | C:\PROGRA~1\MICROS~1\Office14\OIS.EXE |
Value: Microsoft Office 2010 | |||
(PID) Process: | (2804) rundll32.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
Operation: | write | Name: | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Value: Microsoft Word | |||
(PID) Process: | (2804) rundll32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2804) rundll32.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (2804) rundll32.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\72\52C64B7E |
Operation: | write | Name: | LanguageList |
Value: en-US | |||
(PID) Process: | (2516) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
(PID) Process: | (2516) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
(PID) Process: | (2516) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
Operation: | write | Name: | AutoDetect |
Value: 1 | |||
(PID) Process: | (2516) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones |
Operation: | write | Name: | SecuritySafe |
Value: 1 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3232 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019092020190921\index.dat | — | |
MD5:— | SHA256:— | |||
2516 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2516 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2516 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF97C96BC295E87DBA.TMP | — | |
MD5:— | SHA256:— | |||
3176 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | |
MD5:DF29345E6AB1893AE7E46AA745657387 | SHA256:5371308D6D725EDD03DC73E23F94FF377030352673F62F1501EFF302B4411B69 | |||
3176 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | |
MD5:2C711BC62F371702CC54F616BAE9E09E | SHA256:F1764373E64D580D62C8515B5DA93F7CEBC285DBF3BF5C43B6E81E8D668157F6 | |||
3232 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019100920191010\index.dat | dat | |
MD5:0E856971124F6B0951FDAA69B66B459B | SHA256:3CA925873156441377C8DE148610F5D93522765206148AC252090BBCEFD58C1F | |||
2516 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{5CD2FD04-EAA7-11E9-837B-5254004A04AF}.dat | binary | |
MD5:EBA681D65E7E436CBD7D52B1EB249FC1 | SHA256:C1589A9BF4420AE613E19C4DE3B75ED74D5D06A0D7AAECDC702EA14DB2506287 | |||
3176 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\IW6XOOH8\text[1].png | image | |
MD5:915783A9B6004C68FCF891CCF94D118F | SHA256:D244E9C9D783B80316658C0D37B200BD5D9DE471601573B49B3CDE4D786C90AD | |||
3176 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019100920191010\index.dat | dat | |
MD5:8C83736AA9AEDF34CD344F72A87EEB21 | SHA256:F02CF2815C8B1AFF307B93908720BB375429259FBE78AED25F96AF7E204C6C90 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
2516 | iexplore.exe | GET | 200 | 199.204.248.115:80 | http://trespetit.com/favicon.ico | US | — | — | malicious |
3176 | iexplore.exe | GET | — | 199.204.248.115:80 | http://trespetit.com/drop/page2.php | US | — | — | malicious |
2516 | iexplore.exe | GET | 200 | 199.204.248.115:80 | http://trespetit.com/favicon.ico | US | — | — | malicious |
3176 | iexplore.exe | GET | 200 | 199.204.248.115:80 | http://trespetit.com/drop/ | US | text | 248 b | malicious |
3176 | iexplore.exe | GET | 200 | 199.204.248.115:80 | http://trespetit.com/drop/images/sa.png | US | image | 5.09 Kb | malicious |
3176 | iexplore.exe | GET | 200 | 199.204.248.115:80 | http://trespetit.com/drop/images/text.PNG | US | image | 31.8 Kb | malicious |
3176 | iexplore.exe | GET | 200 | 199.204.248.115:80 | http://trespetit.com/drop/images/a.png | US | image | 35.0 Kb | malicious |
3176 | iexplore.exe | GET | 301 | 199.204.248.115:80 | http://trespetit.com/drop | US | html | 234 b | malicious |
3176 | iexplore.exe | GET | 200 | 199.204.248.115:80 | http://trespetit.com/drop/images/t.PNG | US | image | 4.06 Kb | malicious |
3176 | iexplore.exe | GET | 200 | 199.204.248.115:80 | http://trespetit.com/drop/page.php?rand=13OutboxLiteaspxn.4345453232&fid.4.345345923&fid=1&fav.1&rand.13OutboxLite.aspxn.4345453232&fid.345345923&fid.1&fav.1&email=&.rand=13OutboxLite.aspx?n=4345453232&fid=4 | US | html | 3.22 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2516 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3176 | iexplore.exe | 199.204.248.115:80 | trespetit.com | CONTINENTAL BROADBAND PENNSYLVANIA, INC. | US | malicious |
2516 | iexplore.exe | 199.204.248.115:80 | trespetit.com | CONTINENTAL BROADBAND PENNSYLVANIA, INC. | US | malicious |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
trespetit.com |
| malicious |
PID | Process | Class | Message |
---|---|---|---|
3176 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Adobe PDF Phishing Landing |