Analysis Report https://ciscomessagingportal.gq/authen?error=1#owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fautodiscover.com%2fowa%2f

Overview

General Information

Sample URL:	https://ciscomessagingportal.gq/authen?error=1#owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fautodiscover.com%2fowa%2f
Analysis ID:	412848
Infos:
Most interesting Screenshot:

Detection

HTMLPhisher

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Yara detected HtmlPhish10

Classification

Signatures

AV Detection:

Antivirus / Scanner detection for submitted sample

Source: https://ciscomessagingportal.gq/authen?error=1#owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fautodiscover.com%2fowa%2f

SlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering

Antivirus detection for URL or domain

Source: https://ciscomessagingportal.gq/#owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fautodiscover.com%2fowa%2f

SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

Yara detected HtmlPhish10

Source: Yara match

File source: 093954.pages.csv, type: HTML

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 162.0.237.234:443 -> 192.168.2.5:49688 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.237.234:443 -> 192.168.2.5:49689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.237.234:443 -> 192.168.2.5:49690 version: TLS 1.2

Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xf4c5a426,0x01d747d0</date><accdate>0xf4c5a426,0x01d747d0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xf4c5a426,0x01d747d0</date><accdate>0xf4c5a426,0x01d747d0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xf4c8066f,0x01d747d0</date><accdate>0xf4c8066f,0x01d747d0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xf4c8066f,0x01d747d0</date><accdate>0xf4c8066f,0x01d747d0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xf4ca68d0,0x01d747d0</date><accdate>0xf4ca68d0,0x01d747d0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr	String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xf4ca68d0,0x01d747d0</date><accdate>0xf4ca68d0,0x01d747d0</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)

Source: unknown

DNS traffic detected: queries for: ciscomessagingportal.gq

Source: msapplication.xml.1.dr	String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr	String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr	String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr	String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr	String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr	String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.1.dr	String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr	String found in binary or memory: http://www.youtube.com/
Source: ~DFF7FAC163A929FC02.TMP.1.dr, {1E0C7D41-B3C4-11EB-90E5-ECF4BB570DC9}.dat.1.dr	String found in binary or memory: https://ciscomessagingportal.gq/#owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fautodiscover
Source: imagestore.dat.2.dr	String found in binary or memory: https://ciscomessagingportal.gq/images/favicon.ico
Source: imagestore.dat.2.dr	String found in binary or memory: https://ciscomessagingportal.gq/images/favicon.ico~

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49689
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49688
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49690
Source: unknown	Network traffic detected: HTTP traffic on port 49689 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49690 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49688 -> 443

Source: unknown	HTTPS traffic detected: 162.0.237.234:443 -> 192.168.2.5:49688 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.237.234:443 -> 192.168.2.5:49689 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.0.237.234:443 -> 192.168.2.5:49690 version: TLS 1.2

Source: classification engine

Classification label: mal64.phis.win@3/20@2/1

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1E0C7D3F-B3C4-11EB-90E5-ECF4BB570DC9}.dat

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File created: C:\Users\user\AppData\Local\Temp\~DF0DA9C130E8F06E70.TMP

Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: unknown	Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6088 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe	Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6088 CREDAT:17410 /prefetch:2	Jump to behavior

Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Confirm
Source: C:\Program Files\internet explorer\iexplore.exe	Automated click: Confirm

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
162.0.237.234	ciscomessagingportal.gq	Canada		22612	NAMECHEAP-NETUS	false

Contacted Domains

Name	IP	Active
ciscomessagingportal.gq	162.0.237.234	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://ciscomessagingportal.gq/#owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fautodiscover.com%2fowa%2f	true	SlashNext: Fake Login Page type: Phishing & Social Engineering	unknown

ID:	412848
Product:	CloudBasic
Start time:	01:20:01
Start date:	13.05.2021
Cookbook:	browseurl.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{1E0C7D3F-B3C4-11EB-90E5-ECF4BB570DC9}.dat	Microsoft Word Document	FBF4C309903ECA841BF6E3975D408A0A	AF70D28FCE6851BB84109D69C69F8E6E95D03E77	74F548A56041BAB810AA2D5BF969F15CFE00F5BA16EBF0B7122C69AABA07CD2C
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1E0C7D41-B3C4-11EB-90E5-ECF4BB570DC9}.dat	Microsoft Word Document	5069FA8E4FCB0A2085959DB8888B3584	AC9B9FBFF8A377C42F4A410FA6A29947C3A7E466	25232D4065B793923886ACDA5D4000B2F5725DC2C0071EF74B785649B23FD3B6
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\{1E0C7D42-B3C4-11EB-90E5-ECF4BB570DC9}.dat	Microsoft Word Document	66C0887139DD2EF9E312A5ADE209C783	158DD15F8A3DB50EBAAEA2EAFB89828BA9E56FA4	CAE7532B2CC5313EDEC9843440A0A6B997120FDEDEFEBD36EDF1E61FBF883E16
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-17529550060\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	587D9A2943FA45CA627EC4B2AB07F1CB	A4366D903EE1FAD7B63DEE6BD04053878613FFB0	ADEFB78CDCF89E92C9F75E1F0A02F2DA4DE909387E0F3E3F0F5F14EE6FEBD3C3
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-18270793970\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	D1DBD5AA48B1BDB3F3B7D41F2B6011A4	3A7F1E45B07D8B73FF4161442A5C5F8F71166200	CDC3D73FD14D2A44ED6EC90C2904015E841422CCA97F52856C99E2B0339D046D
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-21706820\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	7BBBCE30F856BC5BF2C47CFEB8C93E44	C558ECA02703839FE451359BF6C527078CD04674	5EA1AA65E627819CF814BA0DDF4ADA9677C49B03D2968B09BACDAA5767012572
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-4759708130\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	E2A8A3714081CC1FA5AC4076B249BC44	D4A7C6887965ED1E1C887E430D16848BF647395E	72F209C41181BC1A3FAE57080A9B8B839B89783787B488453742F349B064431C
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-6757900\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	22B53FFAFD648424527DF54A4733DC40	E2B3BDC59066E2A3AFD443CE1C27E9379889062B	1DA5A413C899E2B2B7A33A09F5FA3155CC9134750210ECFE3650D2CD8E482D67
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-8760897390\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	8A8E727C7A92F0A6534A66C7740A3DBD	71AB469C0E8886E182311D1C4EE1A6F268DDD1C8	1C5334A6AC6974CD5A8AF1A22B8509D17C427867DC593A5C149FCC13F960E00E
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20259167780\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	972A7DF2E5254161059D908B8C767454	98E92F1EE82FDD55CD4FB9D9FE371B0024F4BD40	980FE86A06AC575ED529732A17E4A8C27C27CEA3CE85C7A7653EF34B5371F953
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin20332743330\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	A9E8FBD36C868A722FC1ABDF71706002	5A2D7D4D18AA91FE3F966064B4CE7D87D89603BB	1E70562901C0715AE7FBE7D0477C8948FE612A3969A7E0622828E84079505DBC
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Tiles\pin8215062560\msapplication.xml	XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators	2145B6DFC991DAA987E9643D63F2453F	6B8BD80E39C5ABD56BC5118B718D21147C9F95BC	694E0A7F771DFB141F06F9A304E26EB19CD19AE63E0A58CE504F653F2F54B1B3
C:\Users\user\AppData\Local\Microsoft\Internet Explorer\imagestore\dikxvqf\imagestore.dat	data	481CDC9C0D6D078F8B2FE376E0F7B9AA	B83142869D12B9584DEE559B05C8D05D188D38B4	A60D7EF83F39AAF25772CDF7B353A1C96FB00B5D81DA04BF69CB1D4CDBFC3722
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\4PB7FJMT\2134651[1].png	PNG image data, 355 x 142, 8-bit/color RGBA, non-interlaced	9A2AE3B67B7001B6BB4BF3E1903B59F2	DB0A1994B15E971FCF943D731D5D1BDEE9AC7D52	FF2294F85AD59D6D537BA92D2C8054C8F824736F946714688C1F51A6A6577BD3
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\HXBTAIX6.htm	HTML document, ASCII text, with CRLF line terminators	C974D480C952F8B46D4A2E2B1735CD6A	535D38C41CD9D9FD0045EC577E58FBE0E203DB72	64D95DD0058B02B2BA12F890111F0970818C47C8C771FDBA38C098163ECA0C20
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\B87Z87FM\captcha[1].js	ASCII text, with very long lines, with no line terminators	61A1D827694190E20912D77413C59AC2	6CB409C67EEF9846CC2F412018CA58157AE81840	E1678E66939660787D297768B442CC31EE07265FCACB6384E3603CFAAED7C39F
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PEJLKQA8\favicon[1].ico	MS Windows icon resource - 3 icons, 32x32, 32 bits/pixel, 24x24, 32 bits/pixel	AC16FA7FC862073B02ACD1187FC6DEF4	F2B9A6255F6293000F30EEE272ABDD372A14E9D3	E35D94B76894D6ECA96FF5B1A12D94DFE73485EF3C52CB5B4395BE8FFAC1CB45
C:\Users\user\AppData\Local\Temp\~DF0DA9C130E8F06E70.TMP	data	FE05C607B87BB675B2C28943317098BC	36A14B9C05B16B7109B81A51E6C6BEF7C6E42CC1	4412AAC9608FFF860DEF2833D78DFB9204C7A1CEC3CF8BA1FCBCCE96C1C753D2
C:\Users\user\AppData\Local\Temp\~DFAC0AF7A12B20718B.TMP	data	AB889A32AB9ACD33E816C2422337C69A	1190C6B34DED2D295827C2A88310D10A8B90B59B	4D6EC54B8D244E63B0F04FBE2B97402A3DF722560AD12F218665BA440F4CEFDA
C:\Users\user\AppData\Local\Temp\~DFF7FAC163A929FC02.TMP	data	720575E0C9160FE34CBA0C36E8B74BAE	94375E7BF7371422692DAF36C3531841E970D6C2	C6954CDD8B1EC9280B602494B301DE83F8776AF9608950FEA9512FD4B3EECD32

Analysis Report https://ciscomessagingportal.gq/authen?error=1#owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2fautodiscover.com%2fowa%2f

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Phishing:

Compliance:

Networking:

System Summary:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs