File name: secure.myacc.docs.biz

Full analysis: https://app.any.run/tasks/4d5268c8-2778-4763-a66b-90f9b8e782f8
Verdict: Malicious activity
Analysis date: February 18, 2019, 09:57:46
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir
Indicators:
MIME: text/html
File info: HTML document, ASCII text
MD5: A9BCCDDF683B534C157367ADC57363DA
SHA1: 33D1824D6E6913DEFFEA68F52B4044E8725765E4
SHA256: EF19A21B975DDCFB55AD431FE535A71067F0EE050A32F58A75F980603DE61835
SSDEEP: 24:Wlux2erLednxXGMWZyoft9el9xXGLxEEJ9xXGAagbVILKnc9xXGAaQbwLKnap5UP:qS2XGMWQolGXGLxEEBXGAa/LKnoXGAaY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts Internet Explorer

      • rundll32.exe (PID: 2960)
  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 3064)
    • Changes internet zones settings

      • iexplore.exe (PID: 408)
    • Creates files in the user directory

      • iexplore.exe (PID: 3064)
      • iexplore.exe (PID: 408)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 408)
      • iexplore.exe (PID: 3064)
    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 3064)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 408)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 408)
    • Changes settings of System certificates

      • iexplore.exe (PID: 408)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.htm/html | HyperText Markup Language with DOCTYPE (80.6)
.html | HyperText Markup Language (19.3)

EXIF

HTML

Title: Index of /secure.myacc.docs.biz
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 4
Malicious processes: 0
Suspicious processes: 0

Behavior graph (process tree)

start → rundll32.exe (no specs) → iexplore.exe (PID 408) → iexplore.exe (PID 3064); notepad.exe (no specs), launched from explorer.exe

Process information

PID 2960 (parent process: explorer.exe)
CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\secure.myacc.docs.biz
Path: C:\Windows\system32\rundll32.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows host process (Rundll32)
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 408 (parent process: rundll32.exe)
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
Path: C:\Program Files\Internet Explorer\iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3064 (parent process: iexplore.exe)
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:408 CREDAT:71937
Path: C:\Program Files\Internet Explorer\iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2716 (parent process: explorer.exe)
CMD: "C:\Windows\system32\notepad.exe"
Path: C:\Windows\system32\notepad.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 550
Read events: 458
Write events: 88
Delete events: 4

Modification events

(PID) Process: (408) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation: write
Name: CompatibilityFlags
Value: 0

(PID) Process: (408) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0

(PID) Process: (408) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 1

(PID) Process: (408) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation: write
Name: SecuritySafe
Value: 1

(PID) Process: (408) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation: write
Name: ProxyEnable
Value: 0

(PID) Process: (408) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation: write
Name: SavedLegacySettings
Value: 4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000

(PID) Process: (408) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation: write
Name: {B78D9461-3363-11E9-91D7-5254004A04AF}
Value: 0

(PID) Process: (408) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Type
Value: 4

(PID) Process: (408) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Count
Value: 3

(PID) Process: (408) iexplore.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation: write
Name: Time
Value: E30702000100120009003A0013009B03
Executable files: 0
Suspicious files: 0
Text files: 32
Unknown types: 4

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
408 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico | | |
408 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | | |
3064 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@bing[2].txt | | |
3064 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\search[1].txt | | |
408 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0UU90R59\favicon[1].ico | | |
3064 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\Passport[1].aspx | | |
3064 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\40e1b425[1].js | text | 8AA44A43984D65FFC6DF173E6E7B5AA7 | 6B7EDFBFCD5F21A9DB2A481D0FC00059DC4125A57B835F6987953F065B6B7BDB
408 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019021820190219\index.dat | dat | EF2DBAE08F82EEFA88777001AB3D9138 | EA2ADD1917D4BA1DC442073D4BC6F329A82987916CB80102088476AA17B5A835
3064 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\f8c6dd44[1].js | text | 0FD0568E7B5068E209AC15210AE56FF2 | B87A66DF064550755C00F605C7463007675490E64346A26DD60246D00E8A09DE
3064 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\hpc26[1].png | | |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 11
TCP/UDP connections: 18
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
408 | iexplore.exe | GET | 500 | 210.65.11.162:80 | http://cngda.tw/favicon.ico | TW | | | malicious
3064 | iexplore.exe | GET | 302 | 23.51.118.23:80 | http://go.microsoft.com/fwlink/?LinkId=57426&Ext=biz | NL | | | whitelisted
3064 | iexplore.exe | GET | 301 | 2.16.186.24:80 | http://shell.windows.com/fileassoc/fileassoc.asp?Ext=biz | unknown | | | whitelisted
3064 | iexplore.exe | GET | 200 | 210.65.11.162:80 | http://cngda.tw/secure.myacc.docs.biz/ | TW | html | 493 b | malicious
408 | iexplore.exe | GET | 500 | 210.65.11.162:80 | http://cngda.tw/favicon.ico | TW | | | malicious
3064 | iexplore.exe | GET | 200 | 210.65.11.162:80 | http://cngda.tw/secure.myacc.docs.biz/index.php.suspected | TW | text | 478 Kb | malicious
3064 | iexplore.exe | GET | 200 | 210.65.11.162:80 | http://cngda.tw/icons/back.gif | TW | image | 216 b | malicious
3064 | iexplore.exe | GET | 200 | 210.65.11.162:80 | http://cngda.tw/secure.myacc.docs.biz/web.config | TW | xml | 289 b | malicious
408 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
3064 | iexplore.exe | GET | 200 | 210.65.11.162:80 | http://cngda.tw/icons/unknown.gif | TW | image | 245 b | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
408 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
3064 | iexplore.exe | 2.16.186.24:80 | shell.windows.com | Akamai International B.V. | | whitelisted
408 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3064 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted
3064 | iexplore.exe | 23.51.118.23:80 | go.microsoft.com | Akamai Technologies, Inc. | NL | whitelisted
3064 | iexplore.exe | 210.65.11.162:80 | cngda.tw | Data Communication Business Group | TW | malicious
3064 | iexplore.exe | 157.55.134.142:443 | login.live.com | Microsoft Corporation | US | whitelisted
408 | iexplore.exe | 210.65.11.162:80 | cngda.tw | Data Communication Business Group | TW | malicious

DNS requests

Domain | IP | Reputation
go.microsoft.com | 23.51.118.23 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
shell.windows.com | 2.16.186.24, 2.16.186.27 | whitelisted
login.live.com | 157.55.134.142, 157.55.134.136, 157.55.135.134 | whitelisted
cngda.tw | 210.65.11.162 | malicious

Threats

No threats detected
No debug info