URL: | https://greenwattsrl.it/images/banner/index.php?web=am1vbGVzY0BldC5tZGUuZXMN |
Full analysis: | https://app.any.run/tasks/85129d79-89de-4d5c-8ebf-c5f92013897f |
Verdict: | Malicious activity |
Analysis date: | April 07, 2020, 11:04:55 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | 6166FA2CE96163186435A804244D3C4D |
SHA1: | 3EFB12E6F1A4785C814E89039FEE981DC30C81FA |
SHA256: | CA4C1298B2BF9854CC95AFC67F88412056D81790F46557EE50BA79EDE383E24C |
SSDEEP: | 3:N82Au2EDu/dHZ7E9qEPnm/Kr:22A/dH3Euir |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
3312 | "C:\Program Files\Internet Explorer\iexplore.exe" https://greenwattsrl.it/images/banner/index.php?web=am1vbGVzY0BldC5tZGUuZXMN | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
1520 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3312 CREDAT:267521 /prefetch:2 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 11.00.9600.16428 (winblue_gdr.131013-1700) | ||||
3104 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /dde | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Excel Version: 14.0.6024.1000 | ||||
1708 | "C:\Program Files\Microsoft Office\Office14\EXCEL.EXE" /Embedding | C:\Program Files\Microsoft Office\Office14\EXCEL.EXE | — | EXCEL.EXE |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Excel Exit code: 0 Version: 14.0.6024.1000 | ||||
3812 | "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding | C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE | svchost.exe | |
User: admin Company: Design Science, Inc. Integrity Level: MEDIUM Description: Microsoft Equation Editor Exit code: 0 Version: 00110900 | ||||
2764 | cmd /c ren %tmp%\yy y.js&CSCRIPt %tmp%\y.js C | C:\Windows\system32\cmd.exe | — | EQNEDT32.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2136 | CSCRIPt C:\Users\admin\AppData\Local\Temp\y.js C | C:\Windows\system32\cscript.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 | ||||
3048 | "C:\Windows\System32\cmd.exe" /c cscript C:\Users\admin\AppData\Local\Temp\xx.vbs | C:\Windows\System32\cmd.exe | — | cscript.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
2740 | cscript C:\Users\admin\AppData\Local\Temp\xx.vbs | C:\Windows\system32\cscript.exe | cmd.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Console Based Script Host Exit code: 0 Version: 5.8.7600.16385 |
PID | Process | Filename | Type | |
---|---|---|---|---|
1520 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Cab4AA9.tmp | — | |
MD5:— | SHA256:— | |||
1520 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\Tar4AAA.tmp | — | |
MD5:— | SHA256:— | |||
3312 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
1520 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\index[1].htm | html | |
MD5:5ADEF5FE964B219B28D841946DAF3640 | SHA256:FFC49310EFBC084C4EDDED471910252162855846284AAE049A15CD4512787A0C | |||
1520 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_CBB16B7A61CE4E298043181730D3CE9B | binary | |
MD5:742E58ACBA719386999DB1655111EC59 | SHA256:51BA6653E4C1232622F5561F16238378524FF537CE08E899BAE50B26E759DE0E | |||
1520 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_CBB16B7A61CE4E298043181730D3CE9B | der | |
MD5:C51B348C3C991D0DA7EB76E08CF0FB8C | SHA256:9FB2E802E0FEF995C2315DED53C09D258ABFC96D95FDBA4B34C5E33B9FF95091 | |||
1520 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\84F2D46C5E6F87198A3ACCAEC8B17577_4644C5FDCEC356D56D8CA29581BA1D2C | der | |
MD5:0C8FF484458F008B2C37EAC08B4F675A | SHA256:7BBF067DEB175D61938A7C7C6A2B70434404EE6E70491F6727DB970A42D2D72B | |||
1520 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\index[1].htm | html | |
MD5:A6E7303495E9039971F404E7C87EF091 | SHA256:7D8D89FD67F9944DA8C57D8071659F48FF0273FD50DAF7B68E3CB943DBB4699E | |||
1520 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\reset[1].css | text | |
MD5:3D5E5F2D7A747AE81366CA58B31455D6 | SHA256:C7650AC26C747B12A097CAD126E2FB041A80A8AAC8D81A37F96A9EB53B2CFB64 | |||
1520 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\index[1].htm | html | |
MD5:DF910E3270BA7EA3B0DFC892297AFF44 | SHA256:2952F85E9CBA09DEF469E0286927C69999E3FA5EFD79F3852CC7E818B0DC1E1A |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
1520 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCEBPqKHBb9OztDDZjCYBhQzY%3D | US | der | 471 b | whitelisted |
3312 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
1520 | iexplore.exe | GET | 200 | 109.70.240.130:80 | http://ocsp05.actalis.it/VA/AUTH-ROOT/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSw4x5v4bTlizjNRmTdkYSy7q0R9gQUUtiIOsifeGbtifN7OHCUyQICNtACEEXnjKX1%2B9NeCmwXM%2FgYu1Q%3D | IT | der | 2.00 Kb | whitelisted |
3312 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQCkAupBWwzmuHYkGcvamagV | US | der | 472 b | whitelisted |
1520 | iexplore.exe | GET | 200 | 109.70.240.114:80 | http://ocsp06.actalis.it/VA/AUTHDV-G2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT9ly8u8k8W1yOzGFazHUJjdGMxHAQU1UAI95YiThmz2uVhk7q6tz7ruc0CEH8kftU2EGzLRi0Oww3q63w%3D | IT | der | 3.39 Kb | whitelisted |
3312 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted |
1520 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D | US | der | 727 b | whitelisted |
1520 | iexplore.exe | GET | 200 | 151.139.128.14:80 | http://crl.usertrust.com/AddTrustExternalCARoot.crl | US | der | 673 b | whitelisted |
3312 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
3312 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
1520 | iexplore.exe | 109.70.240.114:80 | ocsp06.actalis.it | Aruba S.p.A. | IT | unknown |
3312 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
1520 | iexplore.exe | 31.11.34.38:443 | greenwattsrl.it | Aruba S.p.A. | IT | suspicious |
1520 | iexplore.exe | 198.187.29.41:443 | mitramiss.digital | Namecheap, Inc. | US | suspicious |
1520 | iexplore.exe | 151.139.128.14:80 | ocsp.usertrust.com | Highwinds Network Group, Inc. | US | suspicious |
1520 | iexplore.exe | 109.70.240.130:80 | ocsp05.actalis.it | Aruba S.p.A. | IT | suspicious |
3312 | iexplore.exe | 198.187.29.41:443 | mitramiss.digital | Namecheap, Inc. | US | suspicious |
3312 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted |
3312 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3312 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
Domain | IP | Reputation |
---|---|---|
greenwattsrl.it |
| suspicious |
api.bing.com |
| whitelisted |
www.bing.com |
| whitelisted |
ocsp05.actalis.it |
| whitelisted |
ocsp06.actalis.it |
| whitelisted |
www.greenwattsrl.it |
| suspicious |
mitramiss.digital |
| suspicious |
ocsp.usertrust.com |
| whitelisted |
ocsp.sectigo.com |
| whitelisted |
crl.usertrust.com |
| whitelisted |