Analysis Report http://www.verizon.com/econtact/ecrm/includes/html/vzfwdNew.html?app_nm=MSGCTR&env=PROD&destination=%68%74%74%70%73%3A%2F%2%20Fnandorinha.fr/folder/ac4e-6b7a-4f8c-bd00-1aeb26abea7e%2FVerizon&txid=B20200331_1488798683&lid=18207&tid=121811&vno=5&ltid=0

Overview

General Information

Sample URL: http://www.verizon.com/econtact/ecrm/includes/html/vzfwdNew.html?app_nm=MSGCTR&env=PROD&destination=%68%74%74%70%73%3A%2F%2%20Fnandorinha.fr/folder/ac4e-6b7a-4f8c-bd00-1aeb26abea7e%2FVerizon&txid=B20200331_1488798683&lid=18207&tid=121811&vno=5&ltid=0
Analysis ID: 413042

Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

No high impact signatures.

Classification

There are no high impact signatures.

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 192.30.31.89:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown HTTPS traffic detected: 192.30.31.89:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKContent-Encoding: gzipAccept-Ranges: bytesCache-Control: privatecdn-requestid: 55289725447155335712380488908409440349Content-Type: text/html; charset=UTF-8Date: Thu, 13 May 2021 04:52:53 GMTLast-Modified: Wed, 09 Dec 2020 17:16:50 GMTntCoent-Length: 12288Server: ApacheSet-Cookie: AkaSTrackingID=f29f62b627245ddda5eced1de6ea4cb3; path=/; domain=verizon.com; Secure; HttpOnlySet-Cookie: NSC_xxx22_fdpoubdu_mcw=ffffffff8f64858c45525d5f4f58455e445a4a4229a2;path=/;httponlyx-ec-fail: no-zip-codex-ec-geoHdr: country_code=CH,region_code=ZH,city=Zurich,dma=-1,msa=-1,lat=47.4300,long=8.5718,zip=8152,continent=EU,timezone=Content-Length: 2328Data Raw: 1f 8b 08 00 00 00 00 00 00 03 ed 5a 7d 6f da 48 1a ff 9b 95 f6 3b 4c 5d 29 40 21 36 b4 bd db bd 12 5a e5 48 7a 8d 2e 94 a8 b8 db 9e 56 55 64 ec 21 b8 35 b6 77 3c 40 e8 6e bf fb 3d cf cc f8 0d db 24 a4 6d 5a 75 83 10 36 33 cf fb cb 6f 66 0c 07 f7 8e 46 03 f3 7f 67 c7 64 c6 e7 1e 39 7b fd ef d3 93 01 d1 f6 0d e3 cd a3 81 61 1c 99 47 e4 85 39 3c 25 8f f5 4e 97 98 cc f2 23 97 bb 81 6f 79 86 71 fc 52 23 da 8c f3 f0 89 61 ac 56 2b 7d f5 48 0f d8 85 61 be 32 50 d4 63 c3 0b 82 88 ea 0e 77 b4 a7 3f ff 74 80 63 e2 4a 2d 07 af 73 ca 2d d0 c9 c3 7d fa c7 c2 5d f6 b5 41 e0 73 ea f3 7d 73 1d 52 8d d8 f2 5b 5f e3 f4 92 0b 81 3d 62 cf 2c 16 51 de 7f 6d 3e df ff 55 08 e5 2e f7 e8 d3 3d 7f 12 85 bd 03 43 7e 83 e1 c8 66 6e c8 09 07 49 4a c0 7b 6b 69 c9 51 8d 44 cc ee 6b ba 6e bc 8f 8c 15 9d f0 20 f0 3e b8 5c 5f 30 4f 7f 1f 69 4f 0f 0c 49 77 a5 1c 20 f8 f9 a7 da d2 62 64 78 f8 f6 fc cd e1 89 79 6e 9e 0c 8f cf 87 63 d2 27 8f 3a 9d 4e 4f 10 18 0f c8 61 b4 f6 ed 19 0b fc 60 11 79 6b 62 5b 9e 17 91 b3 97 67 c4 0a 43 12 51 b6 a4 8c 9c ba fe 07 8c af fd c1 f5 2f c8 18 06 3d ca c9 03 03 24 48 21 cb 8f d3 95 a3 8b 24 c5 a3 d3 85 6f 63 32 84 c4 c3 30 44 2e ca 1a 7f 2c 28 5b 37 c9 9f a8 1e a8 84 89 97 73 0f 63 0d 26 d5 6a ee 94 34 56 ae ef 04 2b fd ed f0 f4 05 0c bf 82 14 d0 88 37 71 f6 4f 62 18 10 7d 
87 92 69 c0 c8 c9 f1 2f ad 36 79 ee 32 3a 0d 2e db 64 00 5e cc 69 9b 8c 42 ca ac 36 19 5b 53 8b b9 c8 45 62 0d 7d 9f ae 48 5e 6c a3 29 d4 7e 22 d4 8b 28 d9 94 ff cf 36 7c fc a3 28 e3 10 5c 5b d2 b7 a3 c9 7b 6a f3 86 36 74 6d 16 44 c1 94 0b 9b 4d f3 4c 53 52 b3 5e 06 0b 6e 83 7d 10 ff fa e8 bf 75 31 af 44 ea 41 48 fd 86 76 36 1a 9b 5a 5b 56 6d a4 ca 16 42 e6 7e 0c 7c 1d 38 0d 8a 65 67 d9 1c 6e d8 dc f0 20 27 1c 53 62 60 76 e2 e4 a8 dc e8 98 b8 67 1a 69 11 11 ef 36 e1 6c 41 a5 4d 89 4e 9f 41 b1 af 23 6e 71 0a b5 eb 5f a0 65 71 d2 1a 22 43 24 79 61 56 e2 00 e8 82 6f 8c 7c a4 df 27 8f c9 de 5e 32 85 d2 16 11 0e 3f ec 74 48 93 64 a5 40 08 d3 10 a4 b2 a2 30 f0 23 6a 42 Data Ascii: Z}oH;L])@!6ZHz.VUd!5w<@n=$mZu63ofFgd9{aG9<%N#oyqR#aV+}Ha2Pcw?tcJ-s-}]As}sR[_=b,Qm>U.=C~fnIJ{kiQDkn >\_0OiOIw bdxync':NOa`ykb[
Source: global traffic HTTP traffic detected: GET /econtact/ecrm/includes/html/vzfwdNew.html?app_nm=MSGCTR&env=PROD&destination=%68%74%74%70%73%3A%2F%2%20Fnandorinha.fr/folder/ac4e-6b7a-4f8c-bd00-1aeb26abea7e%2FVerizon&txid=B20200331_1488798683&lid=18207&tid=121811&vno=5&ltid=0 HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko/20100101 Firefox/12.0Accept-Encoding: gzip, deflateHost: www.verizon.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /econtact/ecrm/includes/js/webtoolkit.url.js HTTP/1.1Accept: application/javascript, */*;q=0.8Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko/20100101 Firefox/12.0Accept-Encoding: gzip, deflateHost: www.verizon.comConnection: Keep-AliveCookie: NSC_xxx22_fdpoubdu_mcw=ffffffff8f64858c45525d5f4f58455e445a4a4229a2
Source: global traffic HTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko/20100101 Firefox/12.0Host: www.verizon.comConnection: Keep-AliveCookie: NSC_xxx22_fdpoubdu_mcw=ffffffff8f64858c45525d5f4f58455e445a4a4229a2
Source: global traffic HTTP traffic detected: GET /econtact/ecrm/includes/html/favicon.ico HTTP/1.1User-Agent: AutoItHost: www.verizon.com
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x571eaad6,0x01d747ff</date><accdate>0x571eaad6,0x01d747ff</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0x571eaad6,0x01d747ff</date><accdate>0x571eaad6,0x01d747ff</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x57236f9c,0x01d747ff</date><accdate>0x57236f9c,0x01d747ff</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0x57236f9c,0x01d747ff</date><accdate>0x57236f9c,0x01d747ff</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x5725d1e1,0x01d747ff</date><accdate>0x5725d1e1,0x01d747ff</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.1.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0x5725d1e1,0x01d747ff</date><accdate>0x5725d1e1,0x01d747ff</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: www.verizon.com
Source: msapplication.xml.1.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.1.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.1.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.1.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.1.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.1.dr String found in binary or memory: http://www.twitter.com/
Source: vzfwdNew[1].htm.2.dr String found in binary or memory: http://www.verizon.com
Source: {816E8D6D-B3F2-11EB-90E5-ECF4BB570DC9}.dat.1.dr, ~DF6D75612F67477265.TMP.1.dr String found in binary or memory: http://www.verizon.com/econtact/ecrm/includes/html/vzfwdNew.html?app_nm=MSGCTR&env=PROD&destination=
Source: imagestore.dat.2.dr String found in binary or memory: http://www.verizon.com/favicon.ico6
Source: webtoolkit.url[1].js.2.dr String found in binary or memory: http://www.webtoolkit.info/
Source: msapplication.xml6.1.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.1.dr String found in binary or memory: http://www.youtube.com/
Source: vzfwdNew[1].htm.2.dr String found in binary or memory: http://www98.verizon.com/econtact/ecrm/linktrack/LinkTrackingServlet.serv?
Source: vzfwdNew[1].htm.2.dr String found in binary or memory: https://dcrmsitaws.ebiz.verizon.com/ecrm/linktrack/LinkTrackingServlet.serv?
Source: vzfwdNew[1].htm.2.dr String found in binary or memory: https://www.verizon.com/econtact/ecrm/linktrack/LinkTrackingServlet.serv?
Source: vzfwdNew[1].htm.2.dr String found in binary or memory: https://www.verizon.com/econtact/survey/ecrm/linktrack/LinkTrackingServlet.serv?
Source: unknown Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49713
Source: classification engine Classification label: clean0.win@3/19@2/1
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{816E8D6B-B3F2-11EB-90E5-ECF4BB570DC9}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF208DEF91A3497C58.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:2924 CREDAT:17410 /prefetch:2
Source: Window Recorder Window detected: More than 3 window changes detected
Behavior Graph (rendered image not preserved) - ID: 413042; URL: http://www.verizon.com/econ...; Startdate: 13/05/2021; Architecture: WINDOWS; Score: 0
Graph nodes: iexplore.exe started a child iexplore.exe; contacted domains www.verizon.com and cs87.can.transactcdn.com (192.30.31.89, port 443, local ports 49710 and 49711; EDGECAST-IRUS, United States)

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
192.30.31.89 | cs87.can.transactcdn.com | United States | 14153 | EDGECAST-IRUS | false

Contacted Domains

Name | IP | Active
cs87.can.transactcdn.com | 192.30.31.89 | true
www.verizon.com | unknown | unknown

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://www.verizon.com/econtact/ecrm/includes/html/vzfwdNew.html?app_nm=MSGCTR&env=PROD&destination=%68%74%74%70%73%3A%2F%2%20Fnandorinha.fr/folder/ac4e-6b7a-4f8c-bd00-1aeb26abea7e%2FVerizon&txid=B20200331_1488798683&lid=18207&tid=121811&vno=5&ltid=0 | false | | high
http://www.verizon.com/econtact/ecrm/includes/html/favicon.ico | false | | high
http://www.verizon.com/econtact/ecrm/includes/js/webtoolkit.url.js | false | | high
http://www.verizon.com/favicon.ico | false | | high