URL: | http://oliva.co.id/iqpax/2719_882927/?name=%E5%8F%97%E4%BF%A1%E8%80%85%E5%90%8D%0A |
Full analysis: | https://app.any.run/tasks/1ce279e5-bdc8-41b5-b26a-db65b101eaa8 |
Verdict: | Malicious activity |
Threats: | Emotet is one of the most dangerous trojans ever created. Over the course of its lifetime, it was upgraded to become a very destructive malware. It targets mostly corporate victims but even private users get infected in mass spam email campaigns. |
Analysis date: | January 15, 2022, 00:33:13 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | EFF87C0B9CBC9A705EF32C10A2A72C91 |
SHA1: | BAED7BF217561941469F05F974C702C00BF8E7C4 |
SHA256: | C86BBB7D0DDF53E29EEF72F81B0275F21914CE788E8A0D93C3CADFC93C608917 |
SSDEEP: | 3:N1KRJMILC3KCUpwnuZn1edAXAS7kA8Vk:CjiTinIdAXAmkA8Vk |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
2200 | "C:\Program Files\Internet Explorer\iexplore.exe" "http://oliva.co.id/iqpax/2719_882927/?name=%E5%8F%97%E4%BF%A1%E8%80%85%E5%90%8D%0A" | C:\Program Files\Internet Explorer\iexplore.exe | Explorer.EXE | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
3108 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2200 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) Modules
| |||||||||||||||
2640 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | iexplore.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 Modules
| |||||||||||||||
1284 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | EXCEL.EXE | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Excel Version: 14.0.6024.1000 Modules
|
PID | Process | Filename | Type | |
---|---|---|---|---|
3108 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary | |
MD5:5C3BEFD2577E1203E96FFEE964F5A683 | SHA256:BB149737FA1A50827E216A4E2EF1A982E7CFA8525E547DCA4E0481661E4CCCB7 | |||
2200 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\82CB34DD3343FE727DF8890D352E0D8F | der | |
MD5:4CE3EBBC54BF47D856F19F1BDFD546BD | SHA256:03887A592E96C10969759D00F7E8E58A8323DE635FA9946B111CE1CF3ABC6D76 | |||
3108 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\2719_882927[1].htm | html | |
MD5:EDBA2A7DC6A428807494733FADAFDD7F | SHA256:939BFD4F386C80B5A2E6FB72489775BAD4AE3E3C7F9A9B5EDA9A334614F443DB | |||
3108 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary | |
MD5:4DAF4CFC34DC329D7573CB5E59601EC2 | SHA256:D3E3CF59411BD462B133542025548BFCA20B8515E3279DA3AA4B8C5170618CCC | |||
3108 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | binary | |
MD5:6DC9C9528F1611EBBB2AD36525FD6694 | SHA256:F7BE790A53E4C45BED2CE3BBFC7E1EE24B2A75FAB029207AEDC4A3CB1FD406F8 | |||
3108 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\oz_44[1].xlsm | document | |
MD5:E96624BDF1E84672D20C46AF2B3D63E5 | SHA256:B875B88289017D297BB55655B66A07651BCF017848B4C22A2F4980763D07EB38 | |||
3108 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | der | |
MD5:2663BED1F902BED00647B84FABBF8DEA | SHA256:7A3C6A8BE401F6DE91999C00919EA0F3BDCF80D06EB0E8A15D801F8F9A465DE9 | |||
3108 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_BA334993752447F604AFDE6BD0E2382A | der | |
MD5:C8AF701A9DEEC2CBF83854F72D47C1F8 | SHA256:62BCB6B120E6BD2B069CEC506A4E408B507089AB2C45D76DD89CD59A7A730998 | |||
3108 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\8VO4EV34.txt | text | |
MD5:EED7A2BCF04B02CA214AB5AE5335E4D2 | SHA256:DD78A637CABCD750121D8D0F2D6D0B70B185E638B69B46601BE65B546CC447D0 | |||
3108 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA | der | |
MD5:64E9B8BB98E2303717538CE259BEC57D | SHA256:76BD459EC8E467EFC3E3FB94CB21B9C77A2AA73C9D4C0F3FAF823677BE756331 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3108 | iexplore.exe | GET | 200 | 142.250.185.195:80 | http://ocsp.pki.goog/gtsr1/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBQwkcLWD4LqGJ7bE7B1XZsEbmfwUAQU5K8rJnEaK0gnhS9SZizv8IkTcT4CDQIDvFNZazTHGPUBUGY%3D | US | der | 724 b | whitelisted |
3108 | iexplore.exe | GET | 200 | 142.250.185.195:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | US | der | 1.41 Kb | whitelisted |
3108 | iexplore.exe | GET | 200 | 112.140.187.21:80 | http://oliva.co.id/iqpax/2719_882927/?i=1 | SG | document | 83.3 Kb | malicious |
2200 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/Omniroot2025.crl | US | der | 7.68 Kb | whitelisted |
3108 | iexplore.exe | GET | 200 | 112.140.187.21:80 | http://oliva.co.id/iqpax/2719_882927/?name=%E5%8F%97%E4%BF%A1%E8%80%85%E5%90%8D%0A | SG | html | 44.7 Kb | malicious |
3108 | iexplore.exe | GET | 200 | 142.250.185.195:80 | http://ocsp.pki.goog/gts1c3/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEQD0u1o6ejgsaAoAAAABJ949 | US | der | 472 b | whitelisted |
2200 | iexplore.exe | GET | 200 | 142.250.185.195:80 | http://ocsp.pki.goog/gts1c3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTHLnmK3f9hNLO67UdCuLvGwCQHYwQUinR%2Fr4XN7pXNPZzQ4kYU83E1HScCEG9FXshPqpwWCgAAAAEn3MY%3D | US | der | 471 b | whitelisted |
3108 | iexplore.exe | GET | 200 | 2.16.186.56:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?9088a5b52f6d8a4e | unknown | compressed | 4.70 Kb | whitelisted |
2200 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2200 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2200 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3108 | iexplore.exe | 142.250.185.195:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
3108 | iexplore.exe | 142.250.186.132:443 | www.google.com | Google Inc. | US | whitelisted |
3108 | iexplore.exe | 2.16.186.56:80 | ctldl.windowsupdate.com | Akamai International B.V. | — | whitelisted |
2200 | iexplore.exe | 142.250.184.227:443 | ssl.gstatic.com | Google Inc. | US | whitelisted |
2200 | iexplore.exe | 142.250.185.195:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
3108 | iexplore.exe | 112.140.187.21:80 | oliva.co.id | 10 Science Park Road | SG | malicious |
— | — | 13.107.21.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
2200 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
oliva.co.id |
| malicious |
ssl.gstatic.com |
| whitelisted |
www.google.com |
| whitelisted |
ctldl.windowsupdate.com |
| whitelisted |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp.pki.goog |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
crl3.digicert.com |
| whitelisted |
iecvlist.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3108 | iexplore.exe | A Network Trojan was detected | ET TROJAN Win32/Emotet HTML Template Response |