File name: | MnvVnV947tm.htm |
Full analysis: | https://app.any.run/tasks/9a74230a-2fef-4278-b39f-ec222c5e2c85 |
Verdict: | Malicious activity |
Analysis date: | January 22, 2019, 18:13:22 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | text/html |
File info: | HTML document, ISO-8859 text, with CRLF line terminators |
MD5: | AC2F144CA49F6B641C9897AF6C896E88 |
SHA1: | 6BFD972B47BA747E81AEB71C501CAA82EE064FCC |
SHA256: | D329AEBAB6CF9C5DDD66BA02EC0C723A071F9E0164AB430FB8B9D8072F6451AA |
SSDEEP: | 768:I8zA5s6knrdt8tsMNURpY9vvu1c1hMcyh:IV5Tkru0 |
.html | | | HyperText Markup Language (100) |
---|
ContentType: | text/html; charset=windows-1252 |
---|---|
ProgID: | Word.Document |
Generator: | Microsoft Word 15 |
Originator: | Microsoft Word 15 |
Author: | Arthur & Barbara |
Template: | Normal |
LastAuthor: | HP |
TotalEditTime: | 1 minute |
LastPrinted: | 2019:01:09 13:05:00Z |
CreateDate: | 2019:01:22 16:16:00Z |
ModifyDate: | 2019:01:22 16:16:00Z |
Pages: | 1 |
Words: | 62 |
Characters: | 357 |
Lines: | 2 |
Paragraphs: | 1 |
CharactersWithSpaces: | 418 |
RevisionNumber: | 16 |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2952 | "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\MnvVnV947tm.htm | C:\Program Files\Internet Explorer\iexplore.exe | explorer.exe | |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3400 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2952 CREDAT:79873 | C:\Program Files\Internet Explorer\iexplore.exe | — | iexplore.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
2864 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2952 CREDAT:203009 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3988 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2952 CREDAT:203010 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | |
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Version: 8.00.7600.16385 (win7_rtm.090713-1255) | ||||
3208 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe |
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0 Version: 26,0,0,131 |
PID | Process | Filename | Type | |
---|---|---|---|---|
2952 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
2952 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
2952 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DF124E3CDB6F0C4F09.TMP | — | |
MD5:— | SHA256:— | |||
3988 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\jsll-4[1].js | text | |
MD5:298E99053435A010D516B0F2DCC47254 | SHA256:AB707F6D49AD796E97599151075E837FFD982758231ED889CCAE95151557284D | |||
3988 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\index.dat | dat | |
MD5:89F961553B051D5E128C9F2E7FD4B278 | SHA256:A6C7C8CF21A4488D4B29695F59BCB8D6F86E51AFDBE6CFB302EA21D66B354BD2 | |||
3988 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\Bootstrap[1].js | text | |
MD5:A4D0DEFA64FD2FBAB19024D4CEB71A67 | SHA256:99820C5D0E52F2B5D3DBA06A582FB0C0845C0F03192A9B5A65F43F7F6CEA88A1 | |||
2952 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{76770E88-1E71-11E9-BAD8-5254004A04AF}.dat | binary | |
MD5:95DE3CD4AA208A5250D8C6197185A20E | SHA256:9F5A994B31BE6763B7ED835BC531C83F8DFAFD0A4B483FFEC33D7DE57D52A007 | |||
3400 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019012220190123\index.dat | dat | |
MD5:7D41D7F5F0F70A59761224B870B3F5BA | SHA256:511CC2A714118054F71456425C4F1FC8F420AED50CC421420FA7FB1C836E71F0 | |||
2864 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\httpErrorPagesScripts[1] | text | |
MD5:E7CA76A3C9EE0564471671D500E3F0F3 | SHA256:58268CA71A28973B756A48BBD7C9DC2F6B87B62AE343E582CE067C725275B63C | |||
3988 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\home[1].js | text | |
MD5:10CC5320EAF37ABD9C7D2D856364CC22 | SHA256:669D4A1BD72957DF86E0B57281B4580C48B17B946DB75FFA02F16238BBAC7FC6 |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3988 | iexplore.exe | GET | 302 | 108.163.233.154:80 | http://soberano.co.ke/.well-known/rfe@e/office365/page/ | US | — | — | malicious |
2864 | iexplore.exe | GET | — | 184.168.131.241:80 | http://go2l.ink/1viC | US | — | — | shared |
3988 | iexplore.exe | GET | 302 | 184.168.131.241:80 | http://go2l.ink/1viC | US | — | — | shared |
3988 | iexplore.exe | GET | 200 | 108.163.233.154:80 | http://soberano.co.ke/.well-known/rfe@e/office365/page/login.php?cmd=login_submit&id=60d1b319cdbbd3c0ddb2f74a41ddafe760d1b319cdbbd3c0ddb2f74a41ddafe7&session=60d1b319cdbbd3c0ddb2f74a41ddafe760d1b319cdbbd3c0ddb2f74a41ddafe7 | US | html | 485 Kb | malicious |
3988 | iexplore.exe | GET | 200 | 108.163.233.154:80 | http://soberano.co.ke/.well-known/rfe@e/office365/page/signin_files/97-b6864d.css | US | text | 125 Kb | malicious |
3988 | iexplore.exe | GET | 200 | 108.163.233.154:80 | http://soberano.co.ke/.well-known/rfe@e/office365/page/signin_files/jsll-4.js | US | text | 51.3 Kb | malicious |
3988 | iexplore.exe | GET | 200 | 108.163.233.154:80 | http://soberano.co.ke/.well-known/rfe@e/office365/page/signin_files/Bootstrap.js | US | text | 50.5 Kb | malicious |
3988 | iexplore.exe | GET | 200 | 108.163.233.154:80 | http://soberano.co.ke/.well-known/rfe@e/office365/page/signin_files/ms.js | US | text | 12.1 Kb | malicious |
3988 | iexplore.exe | GET | 200 | 108.163.233.154:80 | http://soberano.co.ke/.well-known/rfe@e/office365/page/signin_files/home.js | US | text | 42.0 Kb | malicious |
3988 | iexplore.exe | GET | 200 | 108.163.233.154:80 | http://soberano.co.ke/.well-known/rfe@e/office365/page/signin_files/2523150420.js | US | text | 209 Kb | malicious |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
2952 | iexplore.exe | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
3988 | iexplore.exe | 184.168.131.241:80 | go2l.ink | GoDaddy.com, LLC | US | shared |
2864 | iexplore.exe | 184.168.131.241:80 | go2l.ink | GoDaddy.com, LLC | US | shared |
3988 | iexplore.exe | 108.163.233.154:80 | soberano.co.ke | SingleHop, Inc. | US | suspicious |
3988 | iexplore.exe | 18.136.134.72:80 | nexus.ensighten.com | — | US | suspicious |
3988 | iexplore.exe | 2.19.39.63:443 | assets.onestore.ms | Akamai International B.V. | — | whitelisted |
3988 | iexplore.exe | 50.17.206.124:443 | 2523150420.log.optimizely.com | Amazon.com, Inc. | US | unknown |
Domain | IP | Reputation |
---|---|---|
www.bing.com |
| whitelisted |
go2l.ink |
| shared |
soberano.co.ke |
| malicious |
cs.microsoft.com |
| whitelisted |
nexus.ensighten.com |
| whitelisted |
assets.onestore.ms |
| whitelisted |
2523150420.log.optimizely.com |
| whitelisted |
c.microsoft.com |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3988 | iexplore.exe | A Network Trojan was detected | SC PHISHING PDF/Phishing - unknown malware |
3988 | iexplore.exe | A Network Trojan was detected | MALWARE [PTsecurity] Google Drive Phishing Landing |
3988 | iexplore.exe | Potentially Bad Traffic | ET CURRENT_EVENTS Generic Multi-Email Phishing Landing 2018-08-30 |
3988 | iexplore.exe | A Network Trojan was detected | SC PHISHING PDF/Phishing - unknown malware |
3988 | iexplore.exe | A Network Trojan was detected | ET INFO Possible Phish - Mirrored Website Comment Observed |
3988 | iexplore.exe | A Network Trojan was detected | ET INFO Possible Phish - Mirrored Website Comment Observed |
3988 | iexplore.exe | A Network Trojan was detected | ET INFO Possible Phish - Mirrored Website Comment Observed |