File name: MnvVnV947tm.htm
Full analysis: https://app.any.run/tasks/9a74230a-2fef-4278-b39f-ec222c5e2c85
Verdict: Malicious activity
Analysis date: January 22, 2019, 18:13:22
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: phishing, phish-onedrive
Indicators:
MIME: text/html
File info: HTML document, ISO-8859 text, with CRLF line terminators
MD5: AC2F144CA49F6B641C9897AF6C896E88
SHA1: 6BFD972B47BA747E81AEB71C501CAA82EE064FCC
SHA256: D329AEBAB6CF9C5DDD66BA02EC0C723A071F9E0164AB430FB8B9D8072F6451AA
SSDEEP: 768:I8zA5s6knrdt8tsMNURpY9vvu1c1hMcyh:IV5Tkru0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2864)
      • iexplore.exe (PID: 3400)
      • iexplore.exe (PID: 3988)
    • Application launched itself

      • iexplore.exe (PID: 2952)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3400)
      • iexplore.exe (PID: 3988)
      • iexplore.exe (PID: 2864)
    • Changes internet zones settings

      • iexplore.exe (PID: 2952)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3988)
    • Creates files in the user directory

      • iexplore.exe (PID: 2952)
      • iexplore.exe (PID: 3988)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3208)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)

EXIF

HTML

ContentType: text/html; charset=windows-1252
ProgID: Word.Document
Generator: Microsoft Word 15
Originator: Microsoft Word 15
Author: Arthur & Barbara
Template: Normal
LastAuthor: HP
TotalEditTime: 1 minute
LastPrinted: 2019:01:09 13:05:00Z
CreateDate: 2019:01:22 16:16:00Z
ModifyDate: 2019:01:22 16:16:00Z
Pages: 1
Words: 62
Characters: 357
Lines: 2
Paragraphs: 1
CharactersWithSpaces: 418
RevisionNumber: 16
No data.
All screenshots are available in the full report
Total processes: 36
Monitored processes: 5
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Nodes shown in the interactive graph (details per process in the full report): start, iexplore.exe, iexplore.exe (no specs), iexplore.exe, iexplore.exe, flashutil32_26_0_0_131_activex.exe (no specs)

Process information

PID: 2952
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\MnvVnV947tm.htm
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3400
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2952 CREDAT:79873
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2864
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2952 CREDAT:203009
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3988
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2952 CREDAT:203010
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3208
CMD: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding
Path: C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe
Parent process: svchost.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version: 26,0,0,131
Total events: 748
Read events: 658
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 1
Text files: 57
Unknown types: 3

Dropped files

PID 2952 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
  Type: (not recorded)
  MD5: (not recorded)
  SHA256: (not recorded)

PID 2952 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Type: (not recorded)
  MD5: (not recorded)
  SHA256: (not recorded)

PID 2952 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF124E3CDB6F0C4F09.TMP
  Type: (not recorded)
  MD5: (not recorded)
  SHA256: (not recorded)

PID 3988 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\jsll-4[1].js
  Type: text
  MD5: 298E99053435A010D516B0F2DCC47254
  SHA256: AB707F6D49AD796E97599151075E837FFD982758231ED889CCAE95151557284D

PID 3988 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat
  Type: dat
  MD5: 89F961553B051D5E128C9F2E7FD4B278
  SHA256: A6C7C8CF21A4488D4B29695F59BCB8D6F86E51AFDBE6CFB302EA21D66B354BD2

PID 3988 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\Bootstrap[1].js
  Type: text
  MD5: A4D0DEFA64FD2FBAB19024D4CEB71A67
  SHA256: 99820C5D0E52F2B5D3DBA06A582FB0C0845C0F03192A9B5A65F43F7F6CEA88A1

PID 2952 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{76770E88-1E71-11E9-BAD8-5254004A04AF}.dat
  Type: binary
  MD5: 95DE3CD4AA208A5250D8C6197185A20E
  SHA256: 9F5A994B31BE6763B7ED835BC531C83F8DFAFD0A4B483FFEC33D7DE57D52A007

PID 3400 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019012220190123\index.dat
  Type: dat
  MD5: 7D41D7F5F0F70A59761224B870B3F5BA
  SHA256: 511CC2A714118054F71456425C4F1FC8F420AED50CC421420FA7FB1C836E71F0

PID 2864 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\httpErrorPagesScripts[1]
  Type: text
  MD5: E7CA76A3C9EE0564471671D500E3F0F3
  SHA256: 58268CA71A28973B756A48BBD7C9DC2F6B87B62AE343E582CE067C725275B63C

PID 3988 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\home[1].js
  Type: text
  MD5: 10CC5320EAF37ABD9C7D2D856364CC22
  SHA256: 669D4A1BD72957DF86E0B57281B4580C48B17B946DB75FFA02F16238BBAC7FC6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 42
TCP/UDP connections: 20
DNS requests: 8
Threats: 0

HTTP requests

Columns: PID | Process | Method | HTTP Code | IP | CN | Type | Size | Reputation, followed by the URL.

3988 | iexplore.exe | GET | 302 | 108.163.233.154:80 | US | (none) | (none) | malicious
  http://soberano.co.ke/.well-known/rfe@e/office365/page/

2864 | iexplore.exe | GET | (none) | 184.168.131.241:80 | US | (none) | (none) | shared
  http://go2l.ink/1viC

3988 | iexplore.exe | GET | 302 | 184.168.131.241:80 | US | (none) | (none) | shared
  http://go2l.ink/1viC

3988 | iexplore.exe | GET | 200 | 108.163.233.154:80 | US | html | 485 Kb | malicious
  http://soberano.co.ke/.well-known/rfe@e/office365/page/login.php?cmd=login_submit&id=60d1b319cdbbd3c0ddb2f74a41ddafe760d1b319cdbbd3c0ddb2f74a41ddafe7&session=60d1b319cdbbd3c0ddb2f74a41ddafe760d1b319cdbbd3c0ddb2f74a41ddafe7

3988 | iexplore.exe | GET | 200 | 108.163.233.154:80 | US | text | 125 Kb | malicious
  http://soberano.co.ke/.well-known/rfe@e/office365/page/signin_files/97-b6864d.css

3988 | iexplore.exe | GET | 200 | 108.163.233.154:80 | US | text | 51.3 Kb | malicious
  http://soberano.co.ke/.well-known/rfe@e/office365/page/signin_files/jsll-4.js

3988 | iexplore.exe | GET | 200 | 108.163.233.154:80 | US | text | 50.5 Kb | malicious
  http://soberano.co.ke/.well-known/rfe@e/office365/page/signin_files/Bootstrap.js

3988 | iexplore.exe | GET | 200 | 108.163.233.154:80 | US | text | 12.1 Kb | malicious
  http://soberano.co.ke/.well-known/rfe@e/office365/page/signin_files/ms.js

3988 | iexplore.exe | GET | 200 | 108.163.233.154:80 | US | text | 42.0 Kb | malicious
  http://soberano.co.ke/.well-known/rfe@e/office365/page/signin_files/home.js

3988 | iexplore.exe | GET | 200 | 108.163.233.154:80 | US | text | 209 Kb | malicious
  http://soberano.co.ke/.well-known/rfe@e/office365/page/signin_files/2523150420.js

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation

2952 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3988 | iexplore.exe | 184.168.131.241:80 | go2l.ink | GoDaddy.com, LLC | US | shared
2864 | iexplore.exe | 184.168.131.241:80 | go2l.ink | GoDaddy.com, LLC | US | shared
3988 | iexplore.exe | 108.163.233.154:80 | soberano.co.ke | SingleHop, Inc. | US | suspicious
3988 | iexplore.exe | 18.136.134.72:80 | nexus.ensighten.com | (none) | US | suspicious
3988 | iexplore.exe | 2.19.39.63:443 | assets.onestore.ms | Akamai International B.V. | (none) | whitelisted
3988 | iexplore.exe | 50.17.206.124:443 | 2523150420.log.optimizely.com | Amazon.com, Inc. | US | unknown

DNS requests

Columns: Domain | resolved IPs | Reputation

www.bing.com | 13.107.21.200, 204.79.197.200 | whitelisted
go2l.ink | 184.168.131.241 | shared
soberano.co.ke | 108.163.233.154 | malicious
cs.microsoft.com | (none recorded) | whitelisted
nexus.ensighten.com | 18.136.134.72, 13.228.86.212 | whitelisted
assets.onestore.ms | 2.19.39.63 | whitelisted
2523150420.log.optimizely.com | 50.17.206.124, 50.17.210.99, 50.19.125.36, 50.16.236.183, 50.19.237.90, 50.19.121.114, 23.23.91.53, 50.19.119.226 | whitelisted
c.microsoft.com | (none recorded) | whitelisted

Threats

Columns: PID | Process | Class | Message

3988 | iexplore.exe | A Network Trojan was detected | SC PHISHING PDF/Phishing - unknown malware
3988 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Google Drive Phishing Landing
3988 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Generic Multi-Email Phishing Landing 2018-08-30
3988 | iexplore.exe | A Network Trojan was detected | SC PHISHING PDF/Phishing - unknown malware
3988 | iexplore.exe | A Network Trojan was detected | ET INFO Possible Phish - Mirrored Website Comment Observed
3988 | iexplore.exe | A Network Trojan was detected | ET INFO Possible Phish - Mirrored Website Comment Observed
3988 | iexplore.exe | A Network Trojan was detected | ET INFO Possible Phish - Mirrored Website Comment Observed
No debug info