Automated Malware Analysis IOC Report for

Files

File Path

Type

Category

Malicious

https://edulibsworg.ru/ertyhtbgrvfcdsetrbgv4refcd.php

URL

initial url

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\kujyhnbgfvdctyu[1].htm

HTML document, ASCII text, with CRLF line terminators

downloaded

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506

Microsoft Cabinet archive data, 58596 bytes, 1 file

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A

data

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

data

dropped

C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E0F5C59F9FA661F6F4C50B87FEF3A15A

data

dropped

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BD31662F-7E18-11EB-ADCF-ECF4BBB5915B}.dat

Microsoft Word Document

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{BD316631-7E18-11EB-ADCF-ECF4BBB5915B}.dat

Microsoft Word Document

dropped

C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{C450C440-7E18-11EB-ADCF-ECF4BBB5915B}.dat

Microsoft Word Document

dropped

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\css[1].css

ASCII text

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5JC0A1KN\weblogo[1].png

PNG image data, 300 x 300, 8-bit/color RGBA, non-interlaced

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\favicon[1].ico

MS Windows icon resource - 1 icon, 32x32, 32 bits/pixel

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\landing[1].css

ASCII text

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\popper.min[1].js

ASCII text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\bootstrap.min[1].js

ASCII text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\jquery-3.2.1.slim.min[1].js

ASCII text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\jquery.min[1].js

ASCII text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\bootstrap.min[1].css

ASCII text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\bootstrap.min[1].js

ASCII text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\free-v4-shims.min[1].css

ASCII text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\free.min[1].css

ASCII text, with very long lines

downloaded

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\urlblockindex[1].bin

data

downloaded

C:\Users\user\AppData\Local\Temp\CabB95F.tmp

Microsoft Cabinet archive data, 58596 bytes, 1 file

dropped

C:\Users\user\AppData\Local\Temp\CabB980.tmp

Microsoft Cabinet archive data, 58596 bytes, 1 file

dropped

C:\Users\user\AppData\Local\Temp\TarB960.tmp

data

dropped

C:\Users\user\AppData\Local\Temp\TarB981.tmp

data

dropped

C:\Users\user\AppData\Local\Temp\~DF49C379F6CC9907A6.TMP

data

dropped

C:\Users\user\AppData\Local\Temp\~DF560C05FD321D069A.TMP

data

dropped

C:\Users\user\AppData\Local\Temp\~DF61C7615D0C13BE7F.TMP

data

dropped

There are 20 hidden files, click here to show them.

Processes

Path

Cmdline

Malicious

C:\Program Files\Internet Explorer\iexplore.exe

'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding

Details

Is windows:	true
Is dropped:	false
PID:	268
Target ID:	0
Parent PID:	584
Name:	iexplore.exe
Class:	iexplore
Path:	C:\Program Files\Internet Explorer\iexplore.exe
Commandline:	'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Size:	814288
MD5:	4EB098135821348270F27157F7A84E65
Time:	17:10:29
Date:	05/03/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x13f690000
Modulesize:	819200
Wow64:	false

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

C:\Program Files (x86)\Internet Explorer\iexplore.exe

'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:268 CREDAT:275457 /prefetch:2

Details

Is windows:	true
Is dropped:	false
PID:	2180
Target ID:	1
Parent PID:	268
Name:	iexplore.exe
Class:	iexplore
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:268 CREDAT:275457 /prefetch:2
Size:	815304
MD5:	8A590F790A98F3D77399BE457E01386A
Time:	17:10:29
Date:	05/03/2021
Reason:	newprocess
Reputation:	low
Is admin:	true
Is elevated:	true
Modulebase:	0x1340000
Modulesize:	819200
Wow64:	true

Signature Hits	Behavior Group	Mitre Attack
Spawns processes	System Summary	Process Injection

URLs

Name

Malicious

https://abogadosparatodoswnet.ru/ytrgfrtyhnbgfvdc25feb/next.php

unknown

https://fontawesome.com

unknown

https://github.com/twbs/bootstrap/graphs/contributors)

unknown

https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js

unknown

https://getbootstrap.com)

unknown

https://code.jquery.com/jquery-3.2.1.slim.min.js

unknown

https://github.com/twbs/bootstrap/blob/master/LICENSE)

unknown

https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js

unknown

https://logo.clearbit.com/

unknown

http://opensource.org/licenses/MIT).

unknown

https://kit.fontawesome.com/585b051251.js

unknown

https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js

unknown

https://getbootstrap.com/)

unknown

https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css

unknown

https://objectstorage.us-ashburn-1.oraclecloud.com/n/idx0jpmo1evz/b/ythgrffrtyujnhtbgvrfcd/o/kujyhnb

unknown

https://objectstorage.us-ashburn-1.oraclecloud.com/n/idx0jpmo1evz/b/ythgrffrtyujnhtbgvrfcd/o/kujyhnbgfvdctyu.html

https://fontawesome.com/license/free

unknown

There are 7 hidden URLs, click here to show them.

Domains

Name

Malicious

stackpath.bootstrapcdn.com

104.18.10.207

cdnjs.cloudflare.com

104.16.18.94

maxcdn.bootstrapcdn.com

104.18.10.207

edulibsworg.ru

103.153.182.185

objectstorage.us-ashburn-1.oci.oraclecloud.com

134.70.24.1

ka-f.fontawesome.com

unknown

code.jquery.com

unknown

kit.fontawesome.com

unknown

objectstorage.us-ashburn-1.oraclecloud.com

unknown

favicon.ico

unknown

IPs

Domain

Country

Active

Malicious

104.18.10.207

stackpath.bootstrapcdn.com

United States

unknown

Details

IP:	104.18.10.207
TargetID:	1
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	stackpath.bootstrapcdn.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

103.153.182.185

edulibsworg.ru

unknown

Details

IP:	103.153.182.185
TargetID:	1
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
ASN number:	134687
ASN name:	TWIDC-AS-APTWIDCLimitedHK
Private:	false
Domain:	edulibsworg.ru

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

104.16.18.94

cdnjs.cloudflare.com

United States

unknown

Details

IP:	104.16.18.94
TargetID:	1
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Country:	United States
Countrycode:	USA
ASN number:	13335
ASN name:	CLOUDFLARENETUS
Private:	false
Domain:	cdnjs.cloudflare.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

134.70.24.1

objectstorage.us-ashburn-1.oci.oraclecloud.com

United States

unknown

Details

IP:	134.70.24.1
TargetID:	1
Current Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Country:	United States
Countrycode:	USA
ASN number:	31898
ASN name:	ORACLE-BMC-31898US
Private:	false
Domain:	objectstorage.us-ashburn-1.oci.oraclecloud.com

Signature Hits	Behavior Group	Mitre Attack
Uses secure TLS version for HTTPS connections	Compliance, Networking

Registry

Path

Value

Malicious

C:\Program Files\Internet Explorer\iexplore.exe

{BD31662F-7E18-11EB-ADCF-ECF4BBB5915B}

C:\Program Files\Internet Explorer\iexplore.exe

ChangeNotice

C:\Program Files\Internet Explorer\iexplore.exe

FaviconPath

C:\Program Files\Internet Explorer\iexplore.exe

@%SystemRoot%\system32\qagentrt.dll,-10

C:\Program Files\Internet Explorer\iexplore.exe

@%SystemRoot%\System32\fveui.dll,-843

C:\Program Files\Internet Explorer\iexplore.exe

@%SystemRoot%\System32\fveui.dll,-844

C:\Program Files\Internet Explorer\iexplore.exe

@%SystemRoot%\System32\wuaueng.dll,-400

C:\Program Files\Internet Explorer\iexplore.exe

NextCheckForUpdateLowDateTime

C:\Program Files\Internet Explorer\iexplore.exe

NextCheckForUpdateHighDateTime

C:\Program Files\Internet Explorer\iexplore.exe

SavedLegacySettings

C:\Program Files\Internet Explorer\iexplore.exe

Count

C:\Program Files\Internet Explorer\iexplore.exe

Time

C:\Program Files\Internet Explorer\iexplore.exe

LoadTimeArray

C:\Program Files\Internet Explorer\iexplore.exe

88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977

C:\Program Files\Internet Explorer\iexplore.exe

2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81

C:\Program Files\Internet Explorer\iexplore.exe

88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977

C:\Program Files\Internet Explorer\iexplore.exe

2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81

C:\Program Files\Internet Explorer\iexplore.exe

Count

C:\Program Files\Internet Explorer\iexplore.exe

Time

C:\Program Files\Internet Explorer\iexplore.exe

LoadTimeArray

C:\Program Files\Internet Explorer\iexplore.exe

DecayDateQueue

C:\Program Files\Internet Explorer\iexplore.exe

LastProcessed

C:\Program Files\Internet Explorer\iexplore.exe

NextCheckForUpdateLowDateTime

C:\Program Files\Internet Explorer\iexplore.exe

NextCheckForUpdateHighDateTime

C:\Program Files (x86)\Internet Explorer\iexplore.exe

@C:\Windows\System32\ieframe.dll,-912

C:\Program Files (x86)\Internet Explorer\iexplore.exe

@C:\Windows\System32\ieframe.dll,-904

C:\Program Files (x86)\Internet Explorer\iexplore.exe

SavedLegacySettings

C:\Program Files (x86)\Internet Explorer\iexplore.exe

Blob

C:\Program Files (x86)\Internet Explorer\iexplore.exe

Blob

C:\Program Files (x86)\Internet Explorer\iexplore.exe

Blob

C:\Program Files (x86)\Internet Explorer\iexplore.exe

Blob

C:\Program Files (x86)\Internet Explorer\iexplore.exe

Blob

C:\Program Files (x86)\Internet Explorer\iexplore.exe

Blob

C:\Program Files (x86)\Internet Explorer\iexplore.exe

Blob

C:\Program Files (x86)\Internet Explorer\iexplore.exe

Blob

C:\Program Files (x86)\Internet Explorer\iexplore.exe

Blob

C:\Program Files (x86)\Internet Explorer\iexplore.exe

Blob

There are 27 hidden registries, click here to show them.

DOM / HTML

URL

Malicious

https://objectstorage.us-ashburn-1.oraclecloud.com/n/idx0jpmo1evz/b/ythgrffrtyujnhtbgvrfcd/o/kujyhnbgfvdctyu.html

Details

Filename:	585948.pages.html.dom
Url:	https://objectstorage.us-ashburn-1.oraclecloud.com/n/idx0jpmo1evz/b/ythgrffrtyujnhtbgvrfcd/o/kujyhnbgfvdctyu.html
Target ID:	1
Path:	C:\Program Files (x86)\Internet Explorer\iexplore.exe
Commandline:	'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:268 CREDAT:275457 /prefetch:2

Signature Hits	Behavior Group	Mitre Attack
Yara detected HtmlPhish_10	Phishing

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

IOCReport

Files

Processes

URLs

Domains

IPs

Registry

DOM / HTML