URL: http://si.12333.gov.cn/157570.jhtml

Full analysis: https://app.any.run/tasks/23ca12e0-9387-4b76-9408-443d654a59b5
Verdict: Malicious activity
Analysis date: December 07, 2023, 09:54:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 16EF1FD26DCB40AD917C10CF550AAD89
SHA1: 5D451D1F81B346EA8C6F2BF7C674916830DC06A1
SHA256: B2883CBC9590525C5383DA30A3F06644001E7C63E6BB8F9CB0AA62CFAE683220
SSDEEP: 3:N1KNMLfJHGEjSqJ:CebjrJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is for user acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS: No malicious indicators.
  • SUSPICIOUS: No suspicious indicators.
  • INFO
    • Checks supported languages: wmpnscfg.exe (PID: 3216)
    • Reads the computer name: wmpnscfg.exe (PID: 3216)
    • Manual execution by a user: wmpnscfg.exe (PID: 3216)
    • Application launched itself: iexplore.exe (PID: 1996)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 40
Monitored processes: 3
Malicious processes: 0
Suspicious processes: 0

Behavior graph

start -> iexplore.exe (PID 1996) -> iexplore.exe (PID 2632)
start -> wmpnscfg.exe (PID 3216, no specs)

Process information

PID 1996: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "http://si.12333.gov.cn/157570.jhtml"
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Exit code: 0
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\iertutil.dll

PID 2632: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1996 CREDAT:267521 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Exit code: 0
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)
  Modules (images):
    c:\program files\internet explorer\iexplore.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\iertutil.dll

PID 3216: wmpnscfg.exe
  CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
  Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Media Player Network Sharing Service Configuration Application
  Exit code: 0
  Version: 12.0.7600.16385 (win7_rtm.090713-1255)
  Modules (images):
    c:\program files\windows media player\wmpnscfg.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
Total events: 14 644
Read events: 14 572
Write events: 70
Delete events: 2

Modification events

(PID 1996) iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
    NTPDaysSinceLastAutoMigration = 0
(PID 1996) iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
    NTPLastLaunchHighDateTime = 30847387
(PID 1996) iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
    NextCheckForUpdateHighDateTime = 30847437
(PID 1996) iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
    CachePrefix = Cookie:
(PID 1996) iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
    CachePrefix = Visited:
(PID 1996) iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
    CompatibilityFlags = 0
(PID 1996) iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    ProxyBypass = 1
(PID 1996) iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    IntranetName = 1
(PID 1996) iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    UNCAsIntranet = 1
(PID 1996) iexplore.exe  write  HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
    AutoDetect = 0
Executable files: 0
Suspicious files: 13
Text files: 61
Unknown types: 0

Dropped files

PID 2632 iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\Netof.UIManager[1].js  (text)
    MD5: CB3CD052A06C8057EA832773757F35FB
    SHA256: 55A4F057B449360F2D503673E4E36052CE2BA75B0D50D79DBFB97AFC17147DA1
PID 2632 iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\157570[1].htm  (html)
    MD5: A1416992C66AC42433C3C87616EB3176
    SHA256: F0EFCBBEAD4091F89BD623C86FAD656BDB53ED26FEA98C97637A6795309B533B
PID 2632 iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\validform[1].css  (text)
    MD5: AF0D4E6535E3C9835F2628596CA5BAB1
    SHA256: EBBB5BF3EE4BE328E04C76FF613C15DEB34553395620AEFC53C83D0488CE47C7
PID 2632 iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\jquery-3.5.0.min[1].js  (text)
    MD5: 561ACB3E541133BBDD2C0C19F8EE35A1
    SHA256: 9FDE6DA568DB31801E29243A903BF24F342256B41E3C01E7D018FF7C566CE7FC
PID 2632 iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\Netof.Util[1].js  (text)
    MD5: CFDF82EF68C867EA6A900F53E7CF1DDA
    SHA256: FB3ADE13FD4B722627BACBB70F8EBD0265EB1AB8C5DF6F8DD55E256CED51963F
PID 2632 iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\aria[1].js  (text)
    MD5: 1CD587F38FA0FA7B7856090ABC92C84B
    SHA256: C6B249636F11AC46DF0E62C202B32CDDEAAAC9083DEAF3AFC48AD534F8F6C045
PID 2632 iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\base[1].css  (text)
    MD5: 7AA96F9C285C3CC4ADBDA6C229E598BD
    SHA256: 5284226F1B4C37BCF0C5EB0E4E753AED5EE799FCEF58538847A0EFB94E24AA08
PID 2632 iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\initiaLization[1].js  (text)
    MD5: 33EC78D2CD5E513F06637C65B8E81758
    SHA256: 35B1F38FE0EC85C5DA214823BB62AC9E8C615FBF4F94DC78D5152CD57ADF4C90
PID 2632 iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\wt[1].css  (text)
    MD5: 792B8698281255AA74CBF44962A7C0C7
    SHA256: 28D490525AA34EF697B25273506D25F55F6A5F305B970A2F6D74FB766EA1425C
PID 2632 iexplore.exe  C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\Netof[1].js  (text)
    MD5: F3B9F205AF10A60C298B80EF6EBAD4D9
    SHA256: 215A580A5A720F742DABBBF259C811EE658B7060277509E83F18902E2A64B5F4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 63
TCP/UDP connections: 31
DNS requests: 14
Threats: 1

HTTP requests

PID 2632 iexplore.exe  GET 200  124.127.91.118:80  http://si.12333.gov.cn/157570.jhtml
    CN: unknown  Type: html  Size: 11.4 Kb  Reputation: unknown
PID 2632 iexplore.exe  GET 200  124.127.91.118:80  http://si.12333.gov.cn/nethall/resource/sys/js/jquery-3.5.0.min.js
    CN: unknown  Type: text  Size: 87.3 Kb  Reputation: unknown
PID 2632 iexplore.exe  GET 200  124.127.91.118:80  http://si.12333.gov.cn/nethall/resource/sys/js/netof/Netof.UIManager.js?v=0.0.1
    CN: unknown  Type: text  Size: 2.35 Kb  Reputation: unknown
PID 2632 iexplore.exe  GET 200  124.127.91.118:80  http://si.12333.gov.cn/nethall/resource/sys/plugins/rdkey/AESUtil.js?v=0.0.1
    CN: unknown  Type: text  Size: 201 Kb  Reputation: unknown
PID 2632 iexplore.exe  GET 200  124.127.91.118:80  http://si.12333.gov.cn/nethall/resource/sys/js/netof/Netof.js?v=0.0.1
    CN: unknown  Type: text  Size: 16.5 Kb  Reputation: unknown
PID 2632 iexplore.exe  GET 200  122.189.171.111:80  http://gov.govwza.cn/dist/aria.js?appid=d082323bb8c99ca7979589f6b8e0d831
    CN: unknown  Type: text  Size: 116 Kb  Reputation: unknown
PID 2632 iexplore.exe  GET 200  124.127.91.118:80  http://si.12333.gov.cn/nethall/resource/sys/js/netof/Netof.Util.js?v=0.0.1
    CN: unknown  Type: text  Size: 8.82 Kb  Reputation: unknown
PID 2632 iexplore.exe  GET 200  124.127.91.118:80  http://si.12333.gov.cn/nethall/resource/sys/plugins/validform/css/validform.css?v=0.0.1
    CN: unknown  Type: text  Size: 2.07 Kb  Reputation: unknown
PID 2632 iexplore.exe  GET 200  124.127.91.118:80  http://si.12333.gov.cn/nethall/resource/sys/plugins/fancybox/new.fancybox.css?v=0.0.1
    CN: unknown  Type: text  Size: 5.42 Kb  Reputation: unknown
PID 2632 iexplore.exe  GET 200  124.127.91.118:80  http://si.12333.gov.cn/nethall/resource/ls/skin/base.css?v=0.0.1
    CN: unknown  Type: text  Size: 616 b  Reputation: unknown

Connections

PID 2632 iexplore.exe  124.127.91.118:80  si.12333.gov.cn  ASN: China Networks Inter-Exchange  CN: CN  Reputation: unknown
PID 1080 svchost.exe  224.0.0.252:5355  Reputation: unknown
PID 4 System  192.168.100.255:137  Reputation: whitelisted
PID 4 System  192.168.100.255:138  Reputation: whitelisted
PID 2588 svchost.exe  239.255.255.250:1900  Reputation: whitelisted
PID 2632 iexplore.exe  122.189.171.111:80  gov.govwza.cn  ASN: CHINA UNICOM China169 Backbone  CN: CN  Reputation: unknown
PID 1996 iexplore.exe  104.126.37.130:443  www.bing.com  ASN: Akamai International B.V.  CN: DE  Reputation: unknown
PID 1996 iexplore.exe  23.216.77.60:80  ctldl.windowsupdate.com  ASN: Akamai International B.V.  CN: DE  Reputation: unknown
PID 1996 iexplore.exe  23.216.77.67:80  ctldl.windowsupdate.com  ASN: Akamai International B.V.  CN: DE  Reputation: unknown
PID 1996 iexplore.exe  192.229.221.95:80  ocsp.digicert.com  ASN: EDGECAST  CN: US  Reputation: whitelisted

DNS requests

si.12333.gov.cn -> 124.127.91.118  (reputation: unknown)
gov.govwza.cn -> 122.189.171.111, 122.189.171.55, 118.212.235.109, 218.29.50.234, 1.62.64.108, 119.167.229.212, 42.7.60.104, 110.249.196.101, 36.248.54.85, 58.144.226.248, 42.56.81.104, 118.212.235.231, 211.93.212.232, 118.212.235.102, 42.231.136.215  (reputation: unknown)
api.bing.com -> 13.107.5.80  (reputation: whitelisted)
www.bing.com -> 104.126.37.130, 104.126.37.131, 104.126.37.145, 104.126.37.128, 104.126.37.153, 104.126.37.137, 104.126.37.152, 104.126.37.139, 104.126.37.146  (reputation: whitelisted)
ctldl.windowsupdate.com -> 23.216.77.60, 23.216.77.45, 23.216.77.67  (reputation: whitelisted)
ocsp.digicert.com -> 192.229.221.95  (reputation: whitelisted)
service.govwza.cn -> 120.53.134.123  (reputation: unknown)
ocsp.comodoca.com -> 104.18.38.233, 172.64.149.23  (reputation: whitelisted)
ocsp.trust-provider.cn -> 111.206.23.199, 112.50.95.96, 117.27.246.96, 119.36.90.164, 36.143.236.7, 36.248.38.100, 111.13.153.152, 111.48.138.18  (reputation: malicious)
iecvlist.microsoft.com -> 152.199.19.161  (reputation: whitelisted)

Threats

PID 2632 iexplore.exe
    Class: A Network Trojan was detected
    Message: SUSPICIOUS [ANY.RUN] VBS is used to run Shell
No debug info