URL:

http://tyannmeans.info/excel_document_file/z

Full analysis: https://app.any.run/tasks/8cd8f0c6-5723-4518-8fe5-6df1e77bab1f
Verdict: Malicious activity
Analysis date: April 15, 2019, 08:48:38
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
phishing
Indicators:
MD5:

445FCA1CB822FC12CB916F3E96155E3F

SHA1:

0F469FC10E3AA574955EE85C2D53E68617637F6B

SHA256:

E36A88F3D313AE0D8A9B18F589234C9DB5410FA6998AA19E9630FC735422402D

SSDEEP:

3:N1KKciRiWLnK0nIuRnf:CK7BnzN

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 2684)

    • Application launched itself

      • iexplore.exe (PID: 2684)

    • Creates files in the user directory

      • iexplore.exe (PID: 2480)
      • iexplore.exe (PID: 2684)

    • Reads internet explorer settings

      • iexplore.exe (PID: 2480)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2480)
      • iexplore.exe (PID: 2684)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2684)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2684)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2684)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
2480"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2684 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2684"C:\Program Files\Internet Explorer\iexplore.exe" http://tyannmeans.info/excel_document_file/zC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
477
Read events
398
Write events
75
Delete events
4

Modification events

(PID) Process:(2684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(2684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(2684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(2684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(2684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(2684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{4C5C7F49-5F5B-11E9-A370-5254004A04AF}
Value:
0
(PID) Process:(2684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(2684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
1
(PID) Process:(2684) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E307040001000F000800300037004101
Executable files
0
Suspicious files
0
Text files
55
Unknown types
9

Dropped files

PID
Process
Filename
Type
2480iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CFGM1GYK\vwldmwnuwefvvxqof1rr7i46[1].php
MD5:
SHA256:
2684iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
2684iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2480iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XFKC6N24\byovw3qpj5426w0qrrh45nyj[1].php
MD5:
SHA256:
2480iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\A5TLOCH7\vwldmwnuwefvvxqof1rr7i46[1].htmhtml
MD5:
SHA256:
2684iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019041520190416\index.datdat
MD5:
SHA256:
2480iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:
SHA256:
2480iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\CFGM1GYK\d60da137-271e-492a-b2f8-98d8de6bcc2b[1].pngimage
MD5:
SHA256:
2480iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XFKC6N24\en-us[1].txt
MD5:
SHA256:
2480iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012019041520190416\index.datdat
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
18
TCP/UDP connections
35
DNS requests
17
Threats
7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2480
iexplore.exe
GET
34.245.92.45:80
http://tyannmeans.info/excel_document_file/z/enc/enc.php?email=&.rand=13vqcr8bp0gud&lc=1033&id=64855&mkt=en-us&cbcxt=mai&snsc=1
IE
malicious
GET
302
52.142.114.176:80
http://g.live.com/9uxp9en-us/ep_bro1
IE
whitelisted
2480
iexplore.exe
GET
301
34.245.92.45:80
http://tyannmeans.info/excel_document_file/z
IE
html
253 b
malicious
2480
iexplore.exe
GET
302
34.245.92.45:80
http://tyannmeans.info/excel_document_file/z/
IE
html
253 b
malicious
2480
iexplore.exe
GET
200
34.245.92.45:80
http://tyannmeans.info/excel_document_file/z/enc/ik/3.png
IE
image
13.7 Kb
malicious
2480
iexplore.exe
GET
200
34.245.92.45:80
http://tyannmeans.info/excel_document_file/z/ik/d60da137-271e-492a-b2f8-98d8de6bcc2b.png
IE
image
2.20 Kb
malicious
2480
iexplore.exe
POST
302
34.245.92.45:80
http://tyannmeans.info/excel_document_file/z/enc/zeus.php
IE
malicious
2480
iexplore.exe
GET
200
34.245.92.45:80
http://tyannmeans.info/excel_document_file/z/vwldmwnuwefvvxqof1rr7i46.php?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&email=&.rand=13InboxLight.aspx?n=1774256418&fid=4
IE
html
1.11 Kb
malicious
2480
iexplore.exe
GET
301
13.107.42.13:80
http://onedrive.live.com/ayrt/en-us/
US
html
154 b
shared
2480
iexplore.exe
GET
200
34.245.92.45:80
http://tyannmeans.info/excel_document_file/z/enc/byovw3qpj5426w0qrrh45nyj.php?rand=13InboxLightaspxn.1774256418&fid.4.1252899642&fid=1&fav.1&rand.13InboxLight.aspxn.1774256418&fid.1252899642&fid.1&fav.1&email=&.rand=13InboxLight.aspx?n=1774256418&fid=4
IE
html
6.14 Kb
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2684
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2480
iexplore.exe
34.245.92.45:80
tyannmeans.info
Amazon.com, Inc.
IE
malicious
2684
iexplore.exe
13.107.21.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2.23.106.83:443
www.microsoft.com
Akamai International B.V.
whitelisted
2480
iexplore.exe
104.111.247.75:443
windows.microsoft.com
Akamai International B.V.
NL
whitelisted
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
2480
iexplore.exe
2.23.106.83:80
www.microsoft.com
Akamai International B.V.
whitelisted
13.107.42.13:80
onedrive.live.com
Microsoft Corporation
US
malicious
2480
iexplore.exe
2.16.186.25:443
spoprod-a.akamaihd.net
Akamai International B.V.
whitelisted
52.142.114.176:80
g.live.com
Microsoft Corporation
IE
whitelisted

DNS requests

Domain
IP
Reputation
tyannmeans.info
  • 34.245.92.45
malicious
www.bing.com
  • 13.107.21.200
  • 204.79.197.200
whitelisted
onedrive.live.com
  • 13.107.42.13
shared
spoprod-a.akamaihd.net
  • 2.16.186.25
  • 2.16.186.40
whitelisted
p.sfx.ms
  • 104.109.78.2
whitelisted
g.live.com
  • 52.142.114.176
whitelisted
c.live.com
  • 52.142.114.2
whitelisted
www.microsoft.com
  • 2.23.106.83
whitelisted
windows.microsoft.com
  • 104.111.247.75
whitelisted
support.microsoft.com
  • 2.18.233.31
malicious

Threats

PID
Process
Class
Message
2480
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] Adobe PDF Phishing Landing
2480
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] Adobe PDF Phishing Landing
2480
iexplore.exe
A Network Trojan was detected
ET CURRENT_EVENTS Excel/Adobe Online Phishing Landing Nov 25 2015
2480
iexplore.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Possible Excel Online Phishing Landing - Title over non SSL
2480
iexplore.exe
A Network Trojan was detected
MALWARE [PTsecurity] Possible Successful Generic Phish
2480
iexplore.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
http://tyannmeans.info/excel_document_file/z