Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

http://nellycoacht.nl/tj/Wp-images/?i=i&0=root@nowhere.com

URL

initial url

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\src[1].htm

HTML document, UTF-8 Unicode text, with CRLF line terminators

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\o79foe1v8q20hd8rcawv6gklro[1].htm

HTML document, ASCII text

downloaded

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{EA95E8DA-60DA-11EB-90EB-ECF4BBEA1588}.dat

Microsoft Word Document

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{EA95E8DC-60DA-11EB-90EB-ECF4BBEA1588}.dat

Microsoft Word Document

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{F1F168EC-60DA-11EB-90EB-ECF4BBEA1588}.dat

Microsoft Word Document

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\gee00pr\imagestore.dat

data

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\Technology-Bold[1].ttf

Tech

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\bg[1].jpg

JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1920x1200, frames 3

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\main[1].ico

gd-jpeg v1.0 (using IJG JPEG v62), quality = 90", progressive, precision 8, 400x400, frames 3

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\style2[1].css

ASCII text, with CRLF line terminators

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\wnb5nmuvvnokqnrkcr2amw74zt[1].htm

HTML document, ASCII text

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\1Ptxg8zYS_SKggPN4iEgvnHyvveLxVvaorCIPrc[1].woff

Web Open Font Format, TrueType, length 25804, version 1.1

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\script[1].js

ASCII text

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\style[1].css

ASCII text, with CRLF line terminators

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\bgr[1].jpg

JPEG image data, JFIF standard 1.01, aspect ratio, density 1x1, segment length 16, baseline, precision 8, 1920x1152, frames 3

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\css[1].css

ASCII text

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\background_styles[1].css

ASCII text

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\styles[1].css

ASCII text

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\w-logo-blue-white-bg[1].png

PNG image data, 80 x 80, 8-bit/color RGBA, non-interlaced

downloaded

C:\Users\user\AppData\Local\Temp\~DF1924440C3F6B17B5.TMP

data

dropped

C:\Users\user\AppData\Local\Temp\~DF40FCB4373B29A935.TMP

data

dropped

C:\Users\user\AppData\Local\Temp\~DF44BCD26DB75BAA81.TMP

data

dropped

There are 13 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Program Files\internet explorer\iexplore.exe

'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	4804
Target ID:	1
Parent PID:	800
Name:	iexplore.exe
Class:	iexplore
Path:	C:\Program Files\internet explorer\iexplore.exe
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Size:	823560
MD5:	6465CB92B25A7BC1DF8E01D8AC5E7596
Time:	21:04:52
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x7ff7d4190000
Modulesize:	831488
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary,	Process Injection

C:\Program Files (x86)\Internet Explorer\iexplore.exe

'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4804 CREDAT:17410 /prefetch:2

Details

Is windows:	true
Is dropped:	false
PID:	1852
Target ID:	2
Parent PID:	4804
Name:	iexplore.exe
Class:	iexplore
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4804 CREDAT:17410 /prefetch:2
Size:	822536
MD5:	071277CC2E3DF41EEEA8013E2AB58D5A
Time:	21:04:53
Date:	27/01/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1330000
Modulesize:	827392
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary,	Process Injection

URLs

Name

Malicious

http://nellycoacht.nl/tj/Wp-images/cache/styles.css

185.104.29.72

http://nellycoacht.nl/tj/Wp-images/?i=i&0=root@nowhere.com

185.104.29.72

http://nellycoacht.nl/tj/Wp-images/cache/style.css

185.104.29.72

http://nellycoacht.nl/tj/Wp-images/cache/Technology-Bold.ttf

185.104.29.72

http://www.nellycoacht.nl/wp-includes/images/w-logo-blue-white-bg.png

185.104.29.72

http://nellycoacht.nl/tj/Wp-images/o79foe1v8q20hd8rcawv6gklro.php?0=cm9vdEBub3doZXJlLmNvbQ==&.verify

unknown

http://nellycoacht.nl/tj/Wp-images/cache/style2.css

185.104.29.72

http://nellycoacht.nl/tj/Wp-images/cache/background_styles.css

185.104.29.72

http://nellycoacht.nl/tj/Wp-images/src.php?0=cm9vdEBub3doZXJlLmNvbQ==&a=0

185.104.29.72

http://nellycoacht.nl/

unknown

http://nellycoacht.nl/tj/Wp-images/serv/mode/bg.jpg

185.104.29.72

http://nellycoacht.nl/tj/Wp-images/cache/bgr.jpg

185.104.29.72

http://nellycoacht.nl/tj/Wp-images/wnb5nmuvvnokqnrkcr2amw74zt.php?0=cm9vdEBub3doZXJlLmNvbQ==&.verify

unknown

http://nellycoacht.nl/tj/Wp-images/cache/script.js

185.104.29.72

http://nellycoacht.nl/tj/Wp-images/serv/main.ico

185.104.29.72

http://nellycoacht.nl/favicon.ico

185.104.29.72

https://www.coroflot.com/vladimirnikolichttps://www.coroflot.com/vladimirnikolicTechnology

unknown

https://www.coroflot.com/vladimirnikolichttps://www.coroflot.com/vladimirnikolic

unknown

http:///favicon.ico

unknown

There are 9 hidden URLs, click here to show them.

Domains

Name

Malicious

www.nellycoacht.nl

185.104.29.72

Details

Name:	www.nellycoacht.nl
IP:	185.104.29.72
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking,	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer

nellycoacht.nl

185.104.29.72

Details

Name:	nellycoacht.nl
IP:	185.104.29.72
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Active:	true

Signature Hits	Behavior Group	Mitre Attack
Downloads files from webservers via HTTP	Networking,	Application Layer Protocol Non-Application Layer Protocol Ingress Tool Transfer
Performs DNS lookups	Networking,	Application Layer Protocol Non-Application Layer Protocol
Urls found in memory or binary data	Networking,

IPs

Domain

Country

Active

Malicious

185.104.29.72

unknown

Netherlands

unknown

Details

IP:	185.104.29.72
TargetID:	2
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Country:	Netherlands
Countrycode:	NLD
ASN number:	206281
ASN name:	AS-ZXCSNL
Private:	false

Registry

Path

Value

Malicious

C:\Program Files\internet explorer\iexplore.exe

{EA95E8DA-60DA-11EB-90EB-ECF4BBEA1588}

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

Blocked

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

LoadTimeArray

C:\Program Files\internet explorer\iexplore.exe

LoadTimeArray

C:\Program Files\internet explorer\iexplore.exe

DecayDateQueue

C:\Program Files\internet explorer\iexplore.exe

LastProcessed

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

Blocked

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

LoadTimeArray

C:\Program Files\internet explorer\iexplore.exe

Count

C:\Program Files\internet explorer\iexplore.exe

Time

C:\Program Files\internet explorer\iexplore.exe

LoadTimeArray

C:\Program Files\internet explorer\iexplore.exe

CVListPingLastYMD

C:\Program Files (x86)\Internet Explorer\iexplore.exe

@C:\Windows\System32\ieframe.dll,-912

C:\Program Files (x86)\Internet Explorer\iexplore.exe

@C:\Windows\System32\ieframe.dll,-903

There are 14 hidden registries, click here to show them.

Memdumps

Base Address

Regiontype

Protect

Malicious

7FF5871A0000

unkown

page readonly

1F6AFA6E000

heap default

page read and write

7FF587132000

unkown

page readonly

1F6AFB30000

unkown

page readonly

7FF5871F4000

unkown

page readonly

1F6B1690000

heap private

page read and write

9AAB7FF000

unkown

page read and write

7FF58719E000

unkown

page readonly

1F6AFA3B000

heap default

page read and write

7FF587291000

unkown

page readonly

1F6B1490000

unkown

page readonly

1F6AFF90000

unkown

page readonly

7FF587208000

unkown

page readonly

1F6B1460000

heap private

page read and write

1F6AF940000

unkown

page readonly

7FF5871CC000

unkown

page readonly

1F6AF9F0000

unkown

page readonly

1F6AFA10000

heap private

page read and write

9AAB29C000

unkown

page read and write

9AAB31E000

unkown

page read and write

7FF5871B7000

unkown

page readonly

7FF58721D000

unkown

page readonly

7FF58718A000

unkown

page readonly

7FF58713C000

unkown

page readonly

7FF587216000

unkown

page readonly

7FF587233000

unkown

page readonly

7FF5871EA000

unkown

page readonly

1F6AFA30000

heap default

page read and write

1F6AF9C0000

unkown

page read and write

1F6B14E0000

heap private

page read and write

1F6B1630000

heap private

page read and write

9AAB67D000

unkown

page read and write

7FF587219000

unkown

page readonly

1F6B13A0000

unkown

page readonly

9AAB77E000

unkown

page read and write

7FF5871A5000

unkown

page readonly

7FF587136000

unkown

page readonly

1F6B15DF000

heap private

page read and write

1F6AF9E0000

unkown

page readonly

7FF587292000

unkown

page readonly

1F6B1480000

unkown

page readonly

1F6AFA15000

heap private

page read and write

7FF5871E4000

unkown

page readonly

7FF58718C000

unkown

page readonly

1F6B14A0000

unkown

page readonly

7FF58728A000

unkown

page readonly

7FF5871D8000

unkown

page readonly

7FF586F95000

unkown

page readonly

7FF586E7A000

unkown

page readonly

9AAB6FC000

unkown

page read and write

1F6AFC00000

unkown

page readonly

1F6AF9A0000

unkown

page read and write

7FF586E7D000

unkown

page readonly

7FF58720E000

unkown

page readonly

7FF5871AB000

unkown

page readonly

7FF587284000

unkown

page readonly

7FF5871FE000

unkown

page readonly

9AAB39E000

unkown

page read and write

There are 48 hidden memdumps, click here to show them.

DOM / HTML

URL

Malicious

http://nellycoacht.nl/tj/Wp-images/o79foe1v8q20hd8rcawv6gklro.php?0=cm9vdEBub3doZXJlLmNvbQ==&.verify??guce_referrer=aHR0cHM6Ly9sb2dpbi55YWhvby5jb20v&guce_referrer_sig=AQAAABA99NmGR9iNQOyU5mI3ASjQfYjcPATD_A8modgjxpNXYNmo8n5zxdi8EZV7GFYPzoSc_RpMz0hYfdCk0OLmxnMB6tpfZnd5ENcxTcI3e56K0Vz3pSL6PoIoDveE6VV6vAiBzqdjcYAbAHdiaf7gx2w9XRGmCh4orbe2VcZO9aN_

Details

Filename:	414408.pages.html.dom
Url:	http://nellycoacht.nl/tj/Wp-images/o79foe1v8q20hd8rcawv6gklro.php?0=cm9vdEBub3doZXJlLmNvbQ==&.verify??guce_referrer=aHR0cHM6Ly9sb2dpbi55YWhvby5jb20v&guce_referrer_sig=AQAAABA99NmGR9iNQOyU5mI3ASjQfYjcPATD_A8modgjxpNXYNmo8n5zxdi8EZV7GFYPzoSc_RpMz0hYfdCk0OLmxnMB6tpfZnd5ENcxTcI3e56K0Vz3pSL6PoIoDveE6VV6vAiBzqdjcYAbAHdiaf7gx2w9XRGmCh4orbe2VcZO9aN_
Target ID:	2
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4804 CREDAT:17410 /prefetch:2

Signature Hits	Behavior Group	Mitre Attack
Yara detected HtmlPhish_10	Phishing,

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

Memdumps

DOM / HTML