download:

index.html

Full analysis: https://app.any.run/tasks/aa047d14-ecfd-4bf8-a928-4be31d9d6c2e
Verdict: Malicious activity
Analysis date: June 16, 2019, 16:11:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/html
File info: HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
MD5:

2BF76B246C41EB9182E40EA8D56CF2FB

SHA1:

4CE9DF6DE46E042853B17111112337D569C48945

SHA256:

F72889FD3B83C59A604A466CE92FB131D13791960A118020D74D3CD69C3FF8C0

SSDEEP:

192:l7POv2BnjVDKBMJaFTCOrZisXKuMpag/dNvE1hmku5SsGpu2EWtt1c2I:lKynMOJakO1is6Lpag/d2cJSJpunWtte

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    No suspicious indicators.

  • INFO

    • Changes settings of System certificates

      • iexplore.exe (PID: 3044)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3372)
      • iexplore.exe (PID: 3044)

    • Changes internet zones settings

      • iexplore.exe (PID: 3372)

    • Application launched itself

      • iexplore.exe (PID: 3372)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3044)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3044)

    • Creates files in the user directory

      • iexplore.exe (PID: 3044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)

EXIF

HTML

Title: -
Keywords: Oakley 2019 Oakley 2018 Oakley 2016 Oakley 2017
Description: : - Oakley 2019 Oakley 2018 Oakley 2016 Oakley 2017
HTTPEquivXUACompatible: IE=edge,chrome=1
viewport: width=device-width,initial-scale=1.0
No data.
screenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
34
Monitored processes
2
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
3044"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3372 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
3372"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\index.htmlC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
389
Read events
305
Write events
80
Delete events
4

Modification events

(PID) Process:(3372) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(3372) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3372) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3372) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(3372) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3372) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(3372) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{657FF0AB-9051-11E9-A09E-5254004A04AF}
Value:
0
(PID) Process:(3372) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(3372) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
1
(PID) Process:(3372) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E30706000000100010000B001D00E302
Executable files
0
Suspicious files
0
Text files
39
Unknown types
2

Dropped files

PID
Process
Filename
Type
3372iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
3372iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
3044iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JGRR2OYX\common[1].csstext
MD5:
SHA256:
3044iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\main[1].jstext
MD5:
SHA256:
3044iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\stylesheet_list_attributes[1].csstext
MD5:
SHA256:
3044iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\main.min[1].csstext
MD5:
SHA256:
3044iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\css[1].txttext
MD5:
SHA256:
3372iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Feeds Cache\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3372iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].pngimage
MD5:9FB559A691078558E77D6848202F6541
SHA256:6D8A01DC7647BC218D003B58FE04049E24A9359900B7E0CEBAE76EDF85B8B914
3044iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\okhs0018[1].jpgimage
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
39
TCP/UDP connections
10
DNS requests
4
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3044
iexplore.exe
GET
51.15.157.189:80
http://www.rctufsd.cf/includes/templates/zz/images/iconset.svg
FR
suspicious
3044
iexplore.exe
GET
200
51.15.157.189:80
http://www.rctufsd.cf/includes/templates/zz/js/main.js
FR
text
58.1 Kb
suspicious
3044
iexplore.exe
GET
200
51.15.157.189:80
http://www.rctufsd.cf/includes/templates/zz/css/main.min.css
FR
text
24.7 Kb
suspicious
3044
iexplore.exe
GET
200
51.15.157.189:80
http://www.rctufsd.cf/includes/templates/zz/css/common.css
FR
text
2.52 Kb
suspicious
3044
iexplore.exe
GET
406
51.15.157.189:80
http://www.rctufsd.cf/includes/templates/zz/font/zippo-custom-icons.eot)%20format(%22embedded-opentype%22),%20url(../font/zippo-custom-icons.woff)%20format(%22woff%22),%20url(../font/zippo-custom-icons.ttf)%20format(%22truetype%22),%20url(../font/zippo-custom-icons.svg)%20format(%22svg%22
FR
compressed
2.52 Kb
suspicious
3044
iexplore.exe
GET
406
51.15.157.189:80
http://www.rctufsd.cf/includes/templates/zz/font/icomoon.eot)%20format(%22embedded-opentype%22),%20url(../font/icomoon.ttf)%20format(%22truetype%22),%20url(../font/icomoon.woff)%20format(%22woff%22),%20url(../font/icomoon.svg)%20format(%22svg%22
FR
compressed
24.7 Kb
suspicious
3044
iexplore.exe
GET
200
51.15.157.189:80
http://www.rctufsd.cf/includes/templates/zz/css/stylesheet_list_attributes.css
FR
text
803 b
suspicious
3044
iexplore.exe
GET
200
51.15.157.189:80
http://www.rctufsd.cf/images/oa_banner1.png
FR
image
722 Kb
suspicious
3044
iexplore.exe
GET
200
51.15.157.189:80
http://www.rctufsd.cf/images/mz.jpg
FR
image
18.7 Kb
suspicious
3044
iexplore.exe
GET
200
51.15.157.189:80
http://www.rctufsd.cf/images/newoakley/okhs0007.jpg
FR
image
40.7 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3044
iexplore.exe
51.15.157.189:80
www.rctufsd.cf
Online S.a.s.
FR
suspicious
3044
iexplore.exe
216.58.208.42:443
fonts.googleapis.com
Google Inc.
US
whitelisted
3044
iexplore.exe
172.217.16.163:443
fonts.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
fonts.googleapis.com
  • 216.58.208.42
whitelisted
www.rctufsd.cf
  • 51.15.157.189
suspicious
fonts.gstatic.com
  • 172.217.16.163
whitelisted

Threats

PID
Process
Class
Message
1056
svchost.exe
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .cf Domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
index.html