URL: | http://newshop.dutchhealthstore.com/Domain/db/dropbox/dropbox/index.php |
Full analysis: | https://app.any.run/tasks/070ba588-0c0d-471a-98f4-9b6f0c3fddc8 |
Verdict: | Malicious activity |
Analysis date: | January 18, 2019, 03:07:05 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 1D384EE6C0A945BACA2C52EAAF15A326 |
SHA1: | 148D9F4476659FBF7E77F511D1E6427C5F20767D |
SHA256: | B72810DD89783535DE729E47F88F9929AE118EC8FC7484AB085BDA5BD515B0A8 |
SSDEEP: | 3:N1KQ3WYhmGNN54KXuGTeEMLKBbQadXL6hHn:CQ3WGxhHeGvRBMsXLQHn |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2948 | "C:\Program Files\Internet Explorer\iexplore.exe" -nohome | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3092 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2948 CREDAT:71937 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3640 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" -Embedding | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | svchost.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2948 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2948 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
3092 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\index[1].php | — | |
MD5:— | SHA256:— | |||
2948 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2948 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[3].png | — | |
MD5:— | SHA256:— | |||
3092 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\index[1].php | — | |
MD5:— | SHA256:— | |||
3092 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\invoice%20CGR%20Kennington%20rd[1].doc | — | |
MD5:— | SHA256:— | |||
3640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRC852.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{C0C3525A-8494-4D0E-B7FC-8E8E734D8658} | — | |
MD5:— | SHA256:— | |||
3640 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\{F887BC05-AE21-47A7-B7EF-A532AAF28E3A} | — | |
MD5:— | SHA256:— |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3092 | iexplore.exe | GET | 200 | 84.22.102.75:80 | http://newshop.dutchhealthstore.com/Domain/db/dropbox/dropbox/dropbox_files/dropboxbkg.png | NL | image | 42.7 Kb | malicious |
3640 | WINWORD.EXE | HEAD | 200 | 84.22.102.75:80 | http://newshop.dutchhealthstore.com/Domain/db/dropbox/dropbox/invoice%20CGR%20Kennington%20rd.doc | NL | — | — | malicious |
3092 | iexplore.exe | GET | 200 | 84.22.102.75:80 | http://newshop.dutchhealthstore.com/Domain/db/dropbox/dropbox/index.php | NL | html | 4.96 Kb | malicious |
980 | svchost.exe | OPTIONS | 200 | 84.22.102.75:80 | http://newshop.dutchhealthstore.com/Domain/db/dropbox/dropbox/ | NL | html | 23.9 Kb | malicious |
3092 | iexplore.exe | GET | 200 | 84.22.102.75:80 | http://newshop.dutchhealthstore.com/Domain/db/dropbox/dropbox/dropbox_files/dropboxlogo.png | NL | image | 13.2 Kb | malicious |
2948 | iexplore.exe | GET | 200 | 84.22.102.75:80 | http://newshop.dutchhealthstore.com/Domain/db/dropbox/dropbox/dropbox_files/favicon.ico | NL | image | 1.19 Kb | malicious |
3092 | iexplore.exe | GET | 200 | 84.22.102.75:80 | http://newshop.dutchhealthstore.com/Domain/db/dropbox/dropbox/invoice%20CGR%20Kennington%20rd.doc | NL | document | 8.58 Kb | malicious |
980 | svchost.exe | OPTIONS | 301 | 84.22.102.75:80 | http://newshop.dutchhealthstore.com/Domain/db/dropbox/dropbox | NL | html | 270 b | malicious |
3092 | iexplore.exe | GET | 200 | 84.22.102.75:80 | http://newshop.dutchhealthstore.com/Domain/db/dropbox/dropbox/dropbox_files/jquery.min.js | NL | html | 32.8 Kb | malicious |
2948 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2948 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3640 | WINWORD.EXE | 84.22.102.75:80 | newshop.dutchhealthstore.com | Tilaa B.V. | NL | suspicious |
3092 | iexplore.exe | 84.22.102.75:80 | newshop.dutchhealthstore.com | Tilaa B.V. | NL | suspicious |
2948 | iexplore.exe | 84.22.102.75:80 | newshop.dutchhealthstore.com | Tilaa B.V. | NL | suspicious |
980 | svchost.exe | 84.22.102.75:443 | newshop.dutchhealthstore.com | Tilaa B.V. | NL | suspicious |
980 | svchost.exe | 84.22.102.75:80 | newshop.dutchhealthstore.com | Tilaa B.V. | NL | suspicious |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
newshop.dutchhealthstore.com |
| malicious |
dutchhealthstore.com |
| suspicious |
PID | Process | Class | Message |
---|---|---|---|
3092 | iexplore.exe | A Network Trojan was detected | ET INFO Suspicious Dropbox Page - Possible Phishing Landing |
3092 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Possible Dropbox Phishing Landing - Title over non SSL |
3092 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY Http Client Body contains passwd= in cleartext |
3092 | iexplore.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious request with 'invoice' in http uri |
3092 | iexplore.exe | Potential Corporate Privacy Violation | ET POLICY Http Client Body contains passwd= in cleartext |
3092 | iexplore.exe | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious request with 'invoice' in http uri |
3640 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious DOC loader of embedded OLE from external source |
3640 | WINWORD.EXE | A Network Trojan was detected | SC TROJAN_DOWNLOADER Suspicious request with 'invoice' in http uri |
980 | svchost.exe | A Network Trojan was detected | ET INFO Suspicious Dropbox Page - Possible Phishing Landing |
980 | svchost.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Possible Dropbox Phishing Landing - Title over non SSL |