Analysis Report NCA Approval Letter.html

Overview

General Information

Sample Name:	NCA Approval Letter.html
Analysis ID:	384811
MD5:	2afd53761ef2429d41a21b16067b27c0
SHA1:	608645dc128a0986dbf4b9779fa3c9dee89eff6e
SHA256:	6b432f5c38d2deb98fb938341cf8a9732555b4992c310a7edd010594fa723b13
Infos:
Most interesting Screenshot:

Detection

HTMLPhisher

Score:	56
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Phishing site detected (based on shot template match)

Yara detected HtmlPhish7

HTML body contains low number of good links

HTML title does not match URL

None HTTPS page querying sensitive user data (password, username or email)

Classification

Signatures

Phishing:

Phishing site detected (based on shot template match)

Source: file:///C:/Users/user/Desktop/NCA%20Approval%20Letter.html

Matcher: Template: outlook matched

Yara detected HtmlPhish7

Source: Yara match	File source: NCA Approval Letter.html, type: SAMPLE
Source: Yara match	File source: 960781.pages.csv, type: HTML

HTML body contains low number of good links

Source: file:///C:/Users/user/Desktop/NCA%20Approval%20Letter.html	HTTP Parser: Number of links: 0
Source: file:///C:/Users/user/Desktop/NCA%20Approval%20Letter.html	HTTP Parser: Number of links: 0

HTML title does not match URL

Source: file:///C:/Users/user/Desktop/NCA%20Approval%20Letter.html	HTTP Parser: Title: Box does not match URL
Source: file:///C:/Users/user/Desktop/NCA%20Approval%20Letter.html	HTTP Parser: Title: Box does not match URL

None HTTPS page querying sensitive user data (password, username or email)

Source: file:///C:/Users/user/Desktop/NCA%20Approval%20Letter.html	HTTP Parser: Has password / email / username input fields
Source: file:///C:/Users/user/Desktop/NCA%20Approval%20Letter.html	HTTP Parser: Has password / email / username input fields

Source: file:///C:/Users/user/Desktop/NCA%20Approval%20Letter.html	HTTP Parser: No <meta name="author".. found
Source: file:///C:/Users/user/Desktop/NCA%20Approval%20Letter.html	HTTP Parser: No <meta name="author".. found

Source: file:///C:/Users/user/Desktop/NCA%20Approval%20Letter.html	HTTP Parser: No <meta name="copyright".. found
Source: file:///C:/Users/user/Desktop/NCA%20Approval%20Letter.html	HTTP Parser: No <meta name="copyright".. found

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x66359dde,0x01d72d76</date><accdate>0x66359dde,0x01d72d76</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x66359dde,0x01d72d76</date><accdate>0x66359dde,0x01d72d76</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x663a6282,0x01d72d76</date><accdate>0x663a6282,0x01d72d76</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x663a6282,0x01d72d76</date><accdate>0x663a6282,0x01d72d76</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x663cc4bd,0x01d72d76</date><accdate>0x663cc4bd,0x01d72d76</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x663cc4bd,0x01d72d76</date><accdate>0x663cc4bd,0x01d72d76</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: NCA Approval Letter.html	String found in binary or memory: http://ajax.googleapis.com/ajax/libs/jquery/3.4.1/jquery.min.js
Source: NCA Approval Letter.html	String found in binary or memory: http://fonts.googleapis.com/css?family=Roboto:100
Source: msapplication.xml.1.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr	String found in binary or memory: http://www.youtube.com/
Source: css[1].css.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v27/KFOkCnqEu92Fr1MmgVxIIzQ.woff)
Source: css[1].css.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmEU9fBBc-.woff)
Source: css[1].css.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmSU5fBBc-.woff)
Source: css[1].css.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmWUlfBBc-.woff)
Source: css[1].css.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v27/KFOlCnqEu92Fr1MmYUtfBBc-.woff)
Source: css[1].css.2.dr	String found in binary or memory: https://fonts.gstatic.com/s/roboto/v27/KFOmCnqEu92Fr1Mu4mxM.woff)
Source: NCA Approval Letter.html	String found in binary or memory: https://islandweddingsofhawaii.com/bin/ds/

Source: classification engine

Classification label: mal56.phis.winHTML@3/23@0/1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{90D684E2-9969-11EB-90EB-ECF4BBEA1588}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DFD54D0D56F24D12CD.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6552 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6552 CREDAT:17410 /prefetch:2	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious

Private

IP
192.168.2.1

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
file:///C:/Users/user/Desktop/NCA%20Approval%20Letter.html	true		low

ID:	384811
Product:	CloudBasic
Start time:	21:26:22
Start date:	09.04.2021
Sample:	NCA Approval Letter.html
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	2afd53761ef2429d41a21b16067b27c0
SHA1:	608645dc128a0986dbf4b9779fa3c9dee89eff6e
SHA256:	6b432f5c38d2deb98fb938341cf8a9732555b4992c310a7edd010594fa723b13

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{90D684E2-9969-11EB-90EB-ECF4BBEA1588}.dat	Microsoft Word Document	4111EB66CF0E8D65EB6CA4CD91460198	37E53E46483F9ED02CE8A766519F5F8DD0075A4D	6163F996DC2CA0ED3422F87ED00268A08B8705A06550E945978409CEF2898F49
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{90D684E4-9969-11EB-90EB-ECF4BBEA1588}.dat	Microsoft Word Document	F76C830751B0019C0E22D4BFF69C183A	E7902A5E52224A29F44AF1A4A3B50FFE833722AA	4F4CF69975AB8C5E79C1F894AC275CE02D84142BD8840AA51D547274828C0D5F
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{90D684E5-9969-11EB-90EB-ECF4BBEA1588}.dat	Microsoft Word Document	4957A999DBC0C10DA9E5E59DFF150F4F	A6FABC3814FBABA723E5EC0BFA723FCFEEA834DF	8F46CA36714F87F11C171B68C6F824F2B71CFAD175FB84011C35AC9AC22D1791
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	94D83CB84E5E5345C37EB264458C1C56	CEB0C347145E3633867B9F08764A2E911E53A547	FC93E4DC179BCEB8E64FC586CF9B5351DB7AFC64CA1C1E626EA62BE951130F10
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	2EE5EB4FDC959E6BD35969188D0AAB20	01B09CDE07D48756B6AF8287432D1A7875498238	3A47FA04C6D35477078FDB0356CAC7445C0929FA9D9D71017CDB048ADDEF380F
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	D12BB716ADD36AC5B868831A7CB280CE	A313AD83A3D464B589D7A3D73BE8F8E279D64EBE	3F6403599A2D78165CEB43FC6A799769C2E2AB7738199E3642B5BCFECEBB4163
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	C939C90576104BD4F144CD796EDFE26C	CBEF433DB22A0A8ABC785F231A9DFC41E14D7ABB	F499ED953039A5E6737F25B0DB23CAA84AE2D6EF7A8EB9864DD4AD98D02F17AE
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	8F35828019AC14C4B56DB21E48D4F8EC	C7597C47AA5BA802C7922254CC5B45E21F60336A	B76A509976AFF4E30B05C60B2BA56BF236EF6AF452ED78DB389206FB4063B3E1
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	6B8E38320F8D466A719FAD67262070E1	8B1B81C41B8DD8020D0EB18D533F259EBDB4585E	4C8B9FC797F8A6CCC7088D9596E859FEA43A3FE4005BE3850CD960278EDB507A
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	ACA5C72D0DCF62FCCB218EE20EC09DCD	9400C61E835A38D9EC16F0DDEE7937B14F5C7CA0	952FB47AEE8863FBF1555F3A6B4FAB58A73805F0DC4D23EAF91138820832CC5C
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	04F42D5CCBF7B58A7B277FBC97978372	890186FC586AC5556A5E15965F8801314AB0D657	6997D2A430D33EEEF3BB5B5D0AA87CBFD17A695E7585D69AC3611FF671A3396A
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	37CFC681BA4129146B9053628963BE51	07EDAE7C0D92EECB88C60D687B1DEFDB351FF960	0DBFF7B7AFA666D1885C9C0BBF76592148DF06493CEEC087419F299F2F2054A0
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\KFOlCnqEu92Fr1MmEU9fBBc-[1].woff	Web Open Font Format, TrueType, length 20532, version 1.1	DA2721C68B4BC80DB8D4C404F76B118C	3A32E8B7EFBC9DFB52F024D657B8C8C0A80E5804	BD811625271ACCA47F7DAC48B460F13E08EE947B2A8E17E278C4D5CCB5D9323C
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\2WF3MMUU\KFOmCnqEu92Fr1Mu4mxM[1].woff	Web Open Font Format, TrueType, length 20332, version 1.1	DC3E086FC0C5ADDC09702E111D2ADB42	B1138B84FF19EAC5F43C4202297529D389BD09B7	EA50AC7FDDB61A5CE248A7F8B3A31A98FE16285E076B16E6DA6B4E10910724BB
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9026IKNJ\css[1].css	ASCII text	46B23D5DA766A6942E67152A54C8E8AF	FE14DD484957BE4959CD054111529A0CAB7B4328	8F3BA63CDC337593307BD2C831E8D69605E1C3890FC4A7E7D096450982EE9060
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\KFOkCnqEu92Fr1MmgVxIIzQ[1].woff	Web Open Font Format, TrueType, length 20424, version 1.1	04B7FD97F88B82DCCCE5EC446CCC29E6	9A3C1CE2EAB659A91AF7016570287428CC82C458	A38AD0B609E4D2039D18B0F9DC89E9060F2E2E05F2F42764A6A93354346A6C37
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\CS6IXJW6\KFOlCnqEu92Fr1MmSU5fBBc-[1].woff	Web Open Font Format, TrueType, length 20404, version 1.1	BF0F407102FAF3A0B521D3B545F547A5	CA357CD0DE5DD0242E8EFACFB8D24AB60FDC86AB	855A06974032BB69157D469ABA6F63440E8BE47C421F45C3F396F4E0B87B6DE8
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\KFOlCnqEu92Fr1MmWUlfBBc-[1].woff	Web Open Font Format, TrueType, length 20396, version 1.1	68D6DABFE54E245E7D5D5C16C3C4B1A9	7FDAB895EAEBECEDB3FB5473EAB94A1B292CEF19	A01A632E56731A854F35701AA8C3A6A19A113290D9032FF9048F8064C45383BD
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\KFOlCnqEu92Fr1MmYUtfBBc-[1].woff	Web Open Font Format, TrueType, length 20412, version 1.1	64BBA9C4E8156C152050C657E9D24BF1	90ECF87091FAABE7BC0FF54A43828FA4DD483278	D33864E01E5103EBE439732BB606E694C73B6851F24DA25D41901EB17CB5D98E
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\OR0WKIO1\jquery.min[1].js	ASCII text, with very long lines	220AFD743D9E9643852E31A135A9F3AE	88523924351BAC0B5D560FE0C5781E2556E7693D	0925E8AD7BD971391A8B1E98BE8E87A6971919EB5B60C196485941C3C1DF089A
C:\Users\user\AppData\Local\Temp\~DF7FB1374DB7F2A750.TMP	data	5475D1F2385E329DFC26CCA1400AF599	916315E738AC1BA062922F77EB7B38642DE8AC22	FABAD26B7C951933E2BAE0BCAB74044753D49B0639DF0CD27D453A5EB45033B0
C:\Users\user\AppData\Local\Temp\~DFD164B0FD8321DF14.TMP	data	AB889A32AB9ACD33E816C2422337C69A	1190C6B34DED2D295827C2A88310D10A8B90B59B	4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA
C:\Users\user\AppData\Local\Temp\~DFD54D0D56F24D12CD.TMP	data	70DFAE05CF68E68E2EBB1465580895A9	92772860E02632EF297FB81A9FABEF9ABED29FB2	B38F372AB5A18F67DA11B4CA3DD2CEF176F80A5AA97E24ECB1E6C84AA9211A74

Analysis Report NCA Approval Letter.html

Overview

General Information

Detection

Signatures

Classification

Signatures

Phishing:

Compliance:

Networking:

System Summary:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted URLs