URL:

http://si.12333.gov.cn/157570.jhtml

Full analysis: https://app.any.run/tasks/23ca12e0-9387-4b76-9408-443d654a59b5
Verdict: Malicious activity
Analysis date: December 07, 2023, 09:54:57
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

16EF1FD26DCB40AD917C10CF550AAD89

SHA1:

5D451D1F81B346EA8C6F2BF7C674916830DC06A1

SHA256:

B2883CBC9590525C5383DA30A3F06644001E7C63E6BB8F9CB0AA62CFAE683220

SSDEEP:

3:N1KNMLfJHGEjSqJ:CebjrJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Application launched itself

      • iexplore.exe (PID: 1996)

    • Checks supported languages

      • wmpnscfg.exe (PID: 3216)

    • Manual execution by a user

      • wmpnscfg.exe (PID: 3216)

    • Reads the computer name

      • wmpnscfg.exe (PID: 3216)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
3
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe wmpnscfg.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1996"C:\Program Files\Internet Explorer\iexplore.exe" "http://si.12333.gov.cn/157570.jhtml"C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
2632"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1996 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\api-ms-win-downlevel-advapi32-l1-1-0.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\iertutil.dll
3216"C:\Program Files\Windows Media Player\wmpnscfg.exe"C:\Program Files\Windows Media Player\wmpnscfg.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Media Player Network Sharing Service Configuration Application
Exit code:
0
Version:
12.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\windows media player\wmpnscfg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events
14 644
Read events
14 572
Write events
70
Delete events
2

Modification events

(PID) Process:(1996) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPDaysSinceLastAutoMigration
Value:
0
(PID) Process:(1996) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TabbedBrowsing
Operation:writeName:NTPLastLaunchHighDateTime
Value:
30847387
(PID) Process:(1996) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\UrlBlockManager
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
30847437
(PID) Process:(1996) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(1996) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(1996) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(1996) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(1996) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(1996) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(1996) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
0
Suspicious files
13
Text files
61
Unknown types
0

Dropped files

PID
Process
Filename
Type
2632iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\Netof.UIManager[1].jstext
MD5:CB3CD052A06C8057EA832773757F35FB
SHA256:55A4F057B449360F2D503673E4E36052CE2BA75B0D50D79DBFB97AFC17147DA1
2632iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\157570[1].htmhtml
MD5:A1416992C66AC42433C3C87616EB3176
SHA256:F0EFCBBEAD4091F89BD623C86FAD656BDB53ED26FEA98C97637A6795309B533B
2632iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\Netof.Util[1].jstext
MD5:CFDF82EF68C867EA6A900F53E7CF1DDA
SHA256:FB3ADE13FD4B722627BACBB70F8EBD0265EB1AB8C5DF6F8DD55E256CED51963F
2632iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\new.fancybox[1].csstext
MD5:78CDF17D2CEA93452092C9125F64A942
SHA256:511B3A56AA1BA2AB203D52285BE5F9ABE69D4A37B1A6DC7F0796E7EF507C2876
2632iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\Netof.tabs[1].jstext
MD5:57969689E26D038451F0C77127A7D338
SHA256:FEF39698667D315179791548C58E73A9577D1165812638EB645754B57298A25E
2632iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\base[1].csstext
MD5:7AA96F9C285C3CC4ADBDA6C229E598BD
SHA256:5284226F1B4C37BCF0C5EB0E4E753AED5EE799FCEF58538847A0EFB94E24AA08
2632iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\validform[1].csstext
MD5:AF0D4E6535E3C9835F2628596CA5BAB1
SHA256:EBBB5BF3EE4BE328E04C76FF613C15DEB34553395620AEFC53C83D0488CE47C7
2632iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\Netof[1].jstext
MD5:F3B9F205AF10A60C298B80EF6EBAD4D9
SHA256:215A580A5A720F742DABBBF259C811EE658B7060277509E83F18902E2A64B5F4
2632iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\alert[1].csstext
MD5:B02E4C989D8BA1E378A59058E8D7036B
SHA256:7FC39ACE6279785418663F57961166CEE838A9CE31BC2A8157A25024B819D06D
2632iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YTOWV792\Netof.fit[1].jstext
MD5:52791EC8F093C2C3C32B9E919AAC52CD
SHA256:A9BA348802AAE7613CAD06D868475D153095ED5A6185A656899373640BA94014
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
63
TCP/UDP connections
31
DNS requests
14
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2632
iexplore.exe
GET
200
124.127.91.118:80
http://si.12333.gov.cn/157570.jhtml
unknown
html
11.4 Kb
unknown
2632
iexplore.exe
GET
200
124.127.91.118:80
http://si.12333.gov.cn/nethall/resource/sys/js/jquery-3.5.0.min.js
unknown
text
87.3 Kb
unknown
2632
iexplore.exe
GET
200
124.127.91.118:80
http://si.12333.gov.cn/nethall/resource/sys/js/netof/Netof.js?v=0.0.1
unknown
text
16.5 Kb
unknown
2632
iexplore.exe
GET
200
124.127.91.118:80
http://si.12333.gov.cn/nethall/resource/sys/plugins/rdkey/AESUtil.js?v=0.0.1
unknown
text
201 Kb
unknown
2632
iexplore.exe
GET
200
124.127.91.118:80
http://si.12333.gov.cn/nethall/resource/sys/js/netof/Netof.UIManager.js?v=0.0.1
unknown
text
2.35 Kb
unknown
2632
iexplore.exe
GET
200
122.189.171.111:80
http://gov.govwza.cn/dist/aria.js?appid=d082323bb8c99ca7979589f6b8e0d831
unknown
text
116 Kb
unknown
2632
iexplore.exe
GET
200
124.127.91.118:80
http://si.12333.gov.cn/nethall/resource/sys/js/netof/Netof.Util.js?v=0.0.1
unknown
text
8.82 Kb
unknown
2632
iexplore.exe
GET
200
124.127.91.118:80
http://si.12333.gov.cn/nethall/resource/sys/plugins/validform/css/validform.css?v=0.0.1
unknown
text
2.07 Kb
unknown
2632
iexplore.exe
GET
200
124.127.91.118:80
http://si.12333.gov.cn/nethall/resource/sys/plugins/fancybox/new.fancybox.css?v=0.0.1
unknown
text
5.42 Kb
unknown
GET
200
124.127.91.118:80
http://si.12333.gov.cn/nethall/resource/ls/skin/wt.css?v=0.0.1
unknown
text
42.4 Kb
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2632
iexplore.exe
124.127.91.118:80
si.12333.gov.cn
China Networks Inter-Exchange
CN
unknown
1080
svchost.exe
224.0.0.252:5355
unknown
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
2588
svchost.exe
239.255.255.250:1900
whitelisted
2632
iexplore.exe
122.189.171.111:80
gov.govwza.cn
CHINA UNICOM China169 Backbone
CN
unknown
1996
iexplore.exe
104.126.37.130:443
www.bing.com
Akamai International B.V.
DE
unknown
1996
iexplore.exe
23.216.77.60:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1996
iexplore.exe
23.216.77.67:80
ctldl.windowsupdate.com
Akamai International B.V.
DE
unknown
1996
iexplore.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
si.12333.gov.cn
  • 124.127.91.118
unknown
gov.govwza.cn
  • 122.189.171.111
  • 122.189.171.55
  • 118.212.235.109
  • 218.29.50.234
  • 1.62.64.108
  • 119.167.229.212
  • 42.7.60.104
  • 110.249.196.101
  • 36.248.54.85
  • 58.144.226.248
  • 42.56.81.104
  • 118.212.235.231
  • 211.93.212.232
  • 118.212.235.102
  • 42.231.136.215
unknown
api.bing.com
  • 13.107.5.80
whitelisted
www.bing.com
  • 104.126.37.130
  • 104.126.37.131
  • 104.126.37.145
  • 104.126.37.128
  • 104.126.37.153
  • 104.126.37.137
  • 104.126.37.152
  • 104.126.37.139
  • 104.126.37.146
whitelisted
ctldl.windowsupdate.com
  • 23.216.77.60
  • 23.216.77.45
  • 23.216.77.67
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
service.govwza.cn
  • 120.53.134.123
unknown
ocsp.comodoca.com
  • 104.18.38.233
  • 172.64.149.23
whitelisted
ocsp.trust-provider.cn
  • 111.206.23.199
  • 112.50.95.96
  • 117.27.246.96
  • 119.36.90.164
  • 36.143.236.7
  • 36.248.38.100
  • 111.13.153.152
  • 111.48.138.18
malicious
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted

Threats

PID
Process
Class
Message
2632
iexplore.exe
A Network Trojan was detected
SUSPICIOUS [ANY.RUN] VBS is used to run Shell
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://si.12333.gov.cn/157570.jhtml