File name: Claim_Copy_3657_Sep_20.html
Full analysis: https://app.any.run/tasks/059fb0ee-c65c-4180-be67-12e5d92e466b
Verdict: Malicious activity
Analysis date: October 05, 2022, 07:05:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/html
File info: HTML document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
MD5: D7EA398ADA030C834B54E11387337F97
SHA1: 1F52A598EB7DEB5E82F1D09F50311A387C3F4A00
SHA256: C9E38DD0A37E5122F129463AD99188113715FAE3983DE9C10E2E1C139C3773FC
SSDEEP: 12288:zfs8YEtCns3tMEwYtgoCkcnj5Zk0bTcw1eLxvk35IWjXLWjH:DysduNnj9ww1ehk3yWj6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • The DLL Hijacking

      • rundll32.exe (PID: 3644)
      • rundll32.exe (PID: 3152)
      • rundll32.exe (PID: 3636)
      • rundll32.exe (PID: 3248)
    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 2140)
    • Loads dropped or rewritten executable

      • regsvr32.exe (PID: 2664)
    • Registers / Runs the DLL via REGSVR32.EXE

      • cmd.exe (PID: 592)
  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • WinRAR.exe (PID: 2236)
    • Reads Internet Settings

      • WinRAR.exe (PID: 2236)
    • Application launched itself

      • WinRAR.exe (PID: 2236)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2140)
    • Starts CMD.EXE for commands execution

      • WScript.exe (PID: 3932)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2784)
      • iexplore.exe (PID: 3624)
    • Modifies the phishing filter of IE

      • iexplore.exe (PID: 3624)
    • Manual execution by user

      • rundll32.exe (PID: 3644)
      • rundll32.exe (PID: 3636)
      • rundll32.exe (PID: 3152)
      • rundll32.exe (PID: 3248)
      • WScript.exe (PID: 3932)
      • explorer.exe (PID: 3552)
    • Process checks LSA protection

      • WinRAR.exe (PID: 2236)
      • WinRAR.exe (PID: 2140)
    • Checks supported languages

      • WinRAR.exe (PID: 2236)
      • WinRAR.exe (PID: 2140)
    • Reads the machine GUID from the registry

      • rundll32.exe (PID: 3636)
    • Reads the computer name

      • WinRAR.exe (PID: 2236)
      • WinRAR.exe (PID: 2140)
    • Creates files in the user directory

      • rundll32.exe (PID: 3636)
      • WinRAR.exe (PID: 2236)
      • WinRAR.exe (PID: 2140)
      • explorer.exe (PID: 3600)
    • Changes default file association

      • rundll32.exe (PID: 3636)
    • Creates a file in a temporary directory

      • WinRAR.exe (PID: 2236)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)
No data.
All screenshots are available in the full report
Total processes: 58
Monitored processes: 15
Malicious processes: 5
Suspicious processes: 1

Behavior graph

Process chain from start (processes marked "no specs" raised no indicators of their own):
  • iexplore.exe
  • iexplore.exe
  • iexplore.exe
  • iexplore.exe (no specs)
  • rundll32.exe (no specs)
  • rundll32.exe (no specs)
  • rundll32.exe (no specs)
  • rundll32.exe (no specs)
  • winrar.exe (no specs)
  • winrar.exe
  • explorer.exe (no specs)
  • wscript.exe (no specs)
  • cmd.exe (no specs)
  • regsvr32.exe (no specs)
  • explorer.exe (no specs)

Process information

PID: 3624
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\admin\AppData\Local\Temp\Claim_Copy_3657_Sep_20.html"
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3836
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3624 CREDAT:144385 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2784
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3624 CREDAT:6042626 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 696
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3624 CREDAT:398593 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3644
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Downloads\Claim_Copy_3657_Sep_20
Path: C:\Windows\system32\rundll32.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3248
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Downloads\Claim_Copy_3657_Sep_20
Path: C:\Windows\system32\rundll32.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3152
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Downloads\Claim_Copy_3657_Sep_20
Path: C:\Windows\system32\rundll32.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3636
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Downloads\Claim_Copy_3657_Sep_20
Path: C:\Windows\system32\rundll32.exe
Parent process: Explorer.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2236
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\Claim_Copy_3657_Sep_20"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: rundll32.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0

PID: 2140
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIb2236.40582\Claim_Copy_3657.iso
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Total events: 26 437
Read events: 26 020
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 13
Text files: 24
Unknown types: 26

Dropped files

PID | Process | Filename | Type

2784 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565 | der
  MD5: DBE650BA1D1EB0B65CB29924AB369F1B
  SHA256: 2DF229C762B997F438A51379186347842250A82FC3C1234FAFB0781C9276E636

3624 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | der
  MD5: B8BDA0B382A7D056A4241B388338B778
  SHA256: 7BAA967F6686CCE471826B20FFA5CB7FEB4BF3C5C0BF43F51F08E84EB5850DD2

2784 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_ADE4E4D3A3BCBCA5C39C54D362D88565 | binary
  MD5: 8DB198EDEA1F5AA3B2167C0A75587A06
  SHA256: 688EFF92CDA13562DFA91AD57B14C07D16CB1FF5C6382E0A2B6D2DADB37FB5EA

3836 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 | binary
  MD5: 9F8CD32D642331047C9D1EEFC1F817C8
  SHA256: A07E5BBCC6B149422398BEBF4D3B5749F83CDD621C67FDFADE8748715CDAC631

3624 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442 | binary
  MD5: 40E8356F15ADC3ACF1DADF4BD69EB834
  SHA256: F87ABC37D69F62C292A8F272AA2E3FB9D3046EA4816B0819D63DCE662EE22EDC

3836 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\Claim_Copy_3657_Sep_20[1] | compressed
  MD5: 9A5055816FFC1FAE19E65BD2056CB821
  SHA256: FE6C8ED26A1A209C19E31FAB9EF7E048FB01F1C846B19F0994AA1B158F1E15DB

3624 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\B6QGX7LP\favicon[1].ico | image
  MD5: DA597791BE3B6E732F0BC8B20E38EE62
  SHA256: 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07

3624 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\favicon[2].ico | image
  MD5: DA597791BE3B6E732F0BC8B20E38EE62
  SHA256: 5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07

2784 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\d[1] | woff
  MD5: 83E5380B9DC2077B664E383CF6FCF47E
  SHA256: 741A4BC7D04FC8385F9A1DB0CCC586A224F14233B08D764D37EA165163A247A0

3836 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\78RFYB7Z\d[4] | woff
  MD5: 83E5380B9DC2077B664E383CF6FCF47E
  SHA256: 741A4BC7D04FC8385F9A1DB0CCC586A224F14233B08D764D37EA165163A247A0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 69
DNS requests: 12
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2784 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAfy81yHqHeveu%2FpR5k1Jb0%3D | US | der | 471 b | whitelisted
3624 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D | US | der | 1.47 Kb | whitelisted
3836 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://crl3.digicert.com/DigiCertGlobalRootCA.crl | US | der | 631 b | whitelisted
2784 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e838b31f5e0052e3 | US | compressed | 4.70 Kb | whitelisted
2784 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?049eee27546cc246 | US | compressed | 4.70 Kb | whitelisted
3836 | iexplore.exe | GET | 200 | 209.197.3.8:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f0fa1b8d7dee6b5a | US | compressed | 4.70 Kb | whitelisted
3624 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D | US | der | 1.47 Kb | whitelisted
3624 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3836 | iexplore.exe | 184.24.77.156:443 | use.typekit.net | Akamai International B.V. | DE | suspicious
3836 | iexplore.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted
2784 | iexplore.exe | 184.24.77.156:443 | use.typekit.net | Akamai International B.V. | DE | suspicious
3836 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted
2784 | iexplore.exe | 209.197.3.8:80 | ctldl.windowsupdate.com | STACKPATH-CDN | US | whitelisted
3624 | iexplore.exe | 204.79.197.200:443 | www.bing.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
3836 | iexplore.exe | 184.24.77.144:443 | use.typekit.net | Akamai International B.V. | DE | suspicious
(PID not recorded) | (process not recorded) | 184.24.77.144:443 | use.typekit.net | Akamai International B.V. | DE | suspicious
2784 | iexplore.exe | 184.24.77.144:443 | use.typekit.net | Akamai International B.V. | DE | suspicious
2784 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | EDGECAST | GB | whitelisted

DNS requests

Domain | IP | Reputation
use.typekit.net | 184.24.77.156, 184.24.77.144 | whitelisted
ctldl.windowsupdate.com | 209.197.3.8 | whitelisted
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
crl3.digicert.com | 93.184.220.29 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
ieonline.microsoft.com | 204.79.197.200 | whitelisted
go.microsoft.com | 96.16.143.41 | whitelisted

Threats

No threats detected
No debug info