Analysis Report https://www.kilpatrick-executive.com/xfile1/

Overview

General Information

Sample URL: https://www.kilpatrick-executive.com/xfile1/
Analysis ID: 339279

Most interesting Screenshot:

Detection

HTMLPhisher
Score: 68
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Phishing site detected (based on shot template match)
Yara detected HtmlPhish_10
Yara detected HtmlPhish_7
Phishing site detected (based on various OCR indicators)
HTML body contains low number of good links
HTML title does not match URL

Classification

Phishing:

barindex
Phishing site detected (based on shot template match)
Source: https://www.kilpatrick-executive.com/xfile1/ Matcher: Template: office matched
Yara detected HtmlPhish_10
Source: Yara match File source: 927537.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\xfile1[1].htm, type: DROPPED
Yara detected HtmlPhish_7
Source: Yara match File source: 927537.pages.csv, type: HTML
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\xfile1[1].htm, type: DROPPED
Phishing site detected (based on various OCR indicators)
Source: Screenshots OCR Text: )- Adobe Document Cloud To read the document, please enter with the valid email credentials that this file was sent to. Sign in with Outlook Sign in with Office365 OO Sign in with Other Mail Select your email provider to view Document CopyRight 2020 Adobe.
HTML body contains low number of good links
Source: https://www.kilpatrick-executive.com/xfile1/ HTTP Parser: Number of links: 0
Source: https://www.kilpatrick-executive.com/xfile1/ HTTP Parser: Number of links: 0
HTML title does not match URL
Source: https://www.kilpatrick-executive.com/xfile1/ HTTP Parser: Title: Share Point Online does not match URL
Source: https://www.kilpatrick-executive.com/xfile1/ HTTP Parser: Title: Share Point Online does not match URL
Source: https://www.kilpatrick-executive.com/xfile1/ HTTP Parser: No <meta name="author".. found
Source: https://www.kilpatrick-executive.com/xfile1/ HTTP Parser: No <meta name="author".. found
Source: https://www.kilpatrick-executive.com/xfile1/ HTTP Parser: No <meta name="copyright".. found
Source: https://www.kilpatrick-executive.com/xfile1/ HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 91.213.11.127:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 91.213.11.127:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown DNS traffic detected: queries for: www.kilpatrick-executive.com
Source: hover[1].css.3.dr String found in binary or memory: http://ianlunn.co.uk/
Source: hover[1].css.3.dr String found in binary or memory: http://ianlunn.github.io/Hover/)
Source: popper.min[1].js.3.dr String found in binary or memory: http://opensource.org/licenses/MIT).
Source: xfile1[1].htm.3.dr String found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: xfile1[1].htm.3.dr String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Source: xfile1[1].htm.3.dr String found in binary or memory: https://code.jquery.com/jquery-3.1.1.min.js
Source: xfile1[1].htm.3.dr String found in binary or memory: https://code.jquery.com/jquery-3.2.1.slim.min.js
Source: xfile1[1].htm.3.dr String found in binary or memory: https://code.jquery.com/jquery-3.3.1.js
Source: free.min[1].css.3.dr String found in binary or memory: https://fontawesome.com
Source: free.min[1].css.3.dr String found in binary or memory: https://fontawesome.com/license/free
Source: xfile1[1].htm.3.dr String found in binary or memory: https://fonts.googleapis.com/css?family=Yellowtail&display=swap
Source: css[1].css.3.dr String found in binary or memory: https://fonts.gstatic.com/s/yellowtail/v11/OZpGg_pnoDtINPfRIlLohlvHxw.woff)
Source: bootstrap.min[1].css.3.dr, bootstrap.min[1].js.3.dr String found in binary or memory: https://getbootstrap.com)
Source: hover[1].css.3.dr String found in binary or memory: https://github.com/IanLunn/Hover
Source: bootstrap.min[1].css.3.dr, bootstrap.min[1].js.3.dr String found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.3.dr String found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: 585b051251[1].js.3.dr String found in binary or memory: https://ka-f.fontawesome.com
Source: 585b051251[1].js.3.dr String found in binary or memory: https://kit.fontawesome.com
Source: xfile1[1].htm.3.dr String found in binary or memory: https://kit.fontawesome.com/585b051251.js
Source: xfile1[1].htm.3.dr String found in binary or memory: https://login.microsoftonline.com/common/login
Source: xfile1[1].htm.3.dr String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css
Source: xfile1[1].htm.3.dr String found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
Source: imagestore.dat.3.dr String found in binary or memory: https://www.kilpatrick-executive.com/favicon.ico
Source: ~DF88F6808F3CD3FE9E.TMP.1.dr String found in binary or memory: https://www.kilpatrick-executive.com/xfile1/
Source: ~DF88F6808F3CD3FE9E.TMP.1.dr String found in binary or memory: https://www.kilpatrick-executive.com/xfile1/$Share
Source: {9EC321F3-561A-11EB-90E5-ECF4BB570DC9}.dat.1.dr String found in binary or memory: https://www.kilpatrick-executive.com/xfile1/Root
Source: ~DF88F6808F3CD3FE9E.TMP.1.dr String found in binary or memory: https://www.kilpatrick-executive.com/xfile1/z
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown HTTPS traffic detected: 91.213.11.127:443 -> 192.168.2.5:49717 version: TLS 1.2
Source: unknown HTTPS traffic detected: 91.213.11.127:443 -> 192.168.2.5:49716 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.5:49734 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: classification engine Classification label: mal68.phis.win@3/26@7/2
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9EC321F1-561A-11EB-90E5-ECF4BB570DC9}.dat Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF242C40FDCA1BED89.TMP Jump to behavior
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini Jump to behavior
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5220 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:5220 CREDAT:17410 /prefetch:2 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 339279 URL: https://www.kilpatrick-exec... Startdate: 13/01/2021 Architecture: WINDOWS Score: 68 15 favicon.ico 2->15 23 Phishing site detected (based on shot template match) 2->23 25 Yara detected HtmlPhish_10 2->25 27 Yara detected HtmlPhish_7 2->27 29 Phishing site detected (based on various OCR indicators) 2->29 7 iexplore.exe 1 51 2->7         started        signatures3 process4 process5 9 iexplore.exe 2 56 7->9         started        dnsIp6 17 kilpatrick-executive.com 91.213.11.127, 443, 49716, 49717 MAG-BROSS-ASRO Romania 9->17 19 cdnjs.cloudflare.com 104.16.19.94, 443, 49733, 49734 CLOUDFLARENETUS United States 9->19 21 5 other IPs or domains 9->21 13 C:\Users\user\AppData\Local\...\xfile1[1].htm, HTML 9->13 dropped file7
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
91.213.11.127
 unknown Romania
49468 MAG-BROSS-ASRO false
104.16.19.94
 unknown United States
13335 CLOUDFLARENETUS false

Contacted Domains

Name IP Active
cdnjs.cloudflare.com 104.16.19.94 true
kilpatrick-executive.com 91.213.11.127 true
ka-f.fontawesome.com unknown unknown
code.jquery.com unknown unknown
www.kilpatrick-executive.com unknown unknown
kit.fontawesome.com unknown unknown
maxcdn.bootstrapcdn.com unknown unknown
favicon.ico unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://www.kilpatrick-executive.com/xfile1/ true
    		unknown