Analysis Report https://protect-au.mimecast.com/s/8ti1C71ZgjCjGK56cWI7kq?domain=pr.ssm.echoworx.net

Overview

General Information

Sample URL: https://protect-au.mimecast.com/s/8ti1C71ZgjCjGK56cWI7kq?domain=pr.ssm.echoworx.net
Analysis ID: 433025

Detection

Score: 0
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

No high impact signatures.

Classification

There are no high impact signatures.

Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 124.47.150.19:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 124.47.150.19:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.17.15.199:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.17.15.199:443 -> 192.168.2.6:49721 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.17.15.199:443 -> 192.168.2.6:49726 version: TLS 1.2
Source: msapplication.xml0.2.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbd8897d1,0x01d75ec8</date><accdate>0xbd8897d1,0x01d75ec8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml0.2.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/><date>0xbd8897d1,0x01d75ec8</date><accdate>0xbd92213a,0x01d75ec8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml5.2.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbd92213a,0x01d75ec8</date><accdate>0xbd92213a,0x01d75ec8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml5.2.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.twitter.com/"/><date>0xbd92213a,0x01d75ec8</date><accdate>0xbd92213a,0x01d75ec8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Twitter.url"/></tile></msapplication></browserconfig> equals www.twitter.com (Twitter)
Source: msapplication.xml7.2.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbd92213a,0x01d75ec8</date><accdate>0xbd92213a,0x01d75ec8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: msapplication.xml7.2.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.youtube.com/"/><date>0xbd92213a,0x01d75ec8</date><accdate>0xbd92213a,0x01d75ec8</accdate></config><tile><wide310x150logo/><square310x310logo/><square70x70logo/><favorite src="C:\Users\user\Favorites\Youtube.url"/></tile></msapplication></browserconfig> equals www.youtube.com (Youtube)
Source: unknown DNS traffic detected: queries for: protect-au.mimecast.com
Source: msapplication.xml.2.dr String found in binary or memory: http://www.amazon.com/
Source: msapplication.xml1.2.dr String found in binary or memory: http://www.google.com/
Source: msapplication.xml2.2.dr String found in binary or memory: http://www.live.com/
Source: msapplication.xml3.2.dr String found in binary or memory: http://www.nytimes.com/
Source: msapplication.xml4.2.dr String found in binary or memory: http://www.reddit.com/
Source: msapplication.xml5.2.dr String found in binary or memory: http://www.twitter.com/
Source: msapplication.xml6.2.dr String found in binary or memory: http://www.wikipedia.com/
Source: msapplication.xml7.2.dr String found in binary or memory: http://www.youtube.com/
Source: brand[1].htm.3.dr String found in binary or memory: https://pr.ssm.echoworx.net//brand?act=download&entp=citi&locale=en_US&cat=Resource_Center&f=/emx/he
Source: ~DFAC8FE0F9274D997D.TMP.2.dr, {E431D7E0-CABB-11EB-90E5-ECF4BB2D2496}.dat.2.dr String found in binary or memory: https://pr.ssm.echoworx.net/brand?act=download&entp=citi&locale=en_US&cat=Resource_Center&f=emx/help
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: classification engine Classification label: clean0.win@3/18@3/2
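The network and memory-string entries above can be reduced to a short indicator list. The following Python is an added triage helper written for this page; it is not Joe Sandbox code and not part of the report. It assumes the line formats shown above, that the `domain=` query parameter of a Mimecast URL Protect link (protect-*.mimecast.com/s/...) names the host the link was rewritten from, and that URLs whose only source is an msapplication.xml*.dr file or a Favorites .url reference are Internet Explorer's default pinned-site tiles rather than sites the sample visited. The sample lines are a subset copied from this report; the meaning of the numeric counters after "clean0.win" is not stated on the page, so they are left unparsed.

```python
"""Triage helper for Joe Sandbox style behaviour lines (added example)."""
import re
from urllib.parse import urlparse, parse_qs

# Sample URL and a subset of the report lines above (constructed input for the example).
SAMPLE_URL = "https://protect-au.mimecast.com/s/8ti1C71ZgjCjGK56cWI7kq?domain=pr.ssm.echoworx.net"
REPORT_LINES = """\
Source: unknown HTTPS traffic detected: 124.47.150.19:443 -> 192.168.2.6:49715 version: TLS 1.2
Source: unknown HTTPS traffic detected: 3.17.15.199:443 -> 192.168.2.6:49720 version: TLS 1.2
Source: unknown DNS traffic detected: queries for: protect-au.mimecast.com
Source: msapplication.xml0.2.dr String found in binary or memory: <browserconfig><msapplication><config><site src="http://www.facebook.com/"/></config><tile><favorite src="C:\\Users\\user\\Favorites\\Facebook.url"/></tile></msapplication></browserconfig> equals www.facebook.com (Facebook)
Source: msapplication.xml.2.dr String found in binary or memory: http://www.amazon.com/
Source: brand[1].htm.3.dr String found in binary or memory: https://pr.ssm.echoworx.net//brand?act=download&entp=citi&locale=en_US&cat=Resource_Center&f=/emx/he
Source: ~DFAC8FE0F9274D997D.TMP.2.dr, {E431D7E0-CABB-11EB-90E5-ECF4BB2D2496}.dat.2.dr String found in binary or memory: https://pr.ssm.echoworx.net/brand?act=download&entp=citi&locale=en_US&cat=Resource_Center&f=emx/help
Source: classification engine Classification label: clean0.win@3/18@3/2
""".splitlines()

TLS_RE = re.compile(r"HTTPS traffic detected: (\S+):(\d+) -> (\S+):(\d+) version: (.+)$")
DNS_RE = re.compile(r"DNS traffic detected: queries for: (\S+)")
STR_RE = re.compile(r"^Source: (.+?) String found in binary or memory: (.+)$")
LABEL_RE = re.compile(r"Classification label: ([a-z]+)(\d+)\.(\w+)@(.+)$")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def mimecast_target(url):
    """Host the Mimecast URL Protect link was rewritten from (the `domain` query
    parameter), or None if this is not a *.mimecast.com rewrite. Lets an analyst
    see the real destination without following the redirect."""
    p = urlparse(url)
    if not p.hostname or not p.hostname.endswith(".mimecast.com"):
        return None
    return parse_qs(p.query).get("domain", [None])[0]


def parse_tls(lines):
    """(server_ip, server_port, client_port, tls_version) per HTTPS line."""
    out = []
    for ln in lines:
        m = TLS_RE.search(ln)
        if m:
            out.append((m.group(1), int(m.group(2)), int(m.group(4)), m.group(5)))
    return out


def parse_dns(lines):
    """Sorted, de-duplicated list of queried names."""
    names = set()
    for ln in lines:
        m = DNS_RE.search(ln)
        if m:
            names.add(m.group(1))
    return sorted(names)


def parse_memory_urls(lines):
    """Split 'String found in binary or memory' hits into URLs worth reporting and
    IE pinned-site/favorites noise (assumption: msapplication.xml*.dr sources or a
    Favorites .url reference are browser defaults, not visited sites)."""
    iocs, noise = [], []
    for ln in lines:
        m = STR_RE.match(ln)
        if not m:
            continue
        src, body = m.groups()
        urls = URL_RE.findall(body)
        is_noise = src.startswith("msapplication.xml") or "\\Favorites\\" in body
        (noise if is_noise else iocs).extend(urls)
    return iocs, noise


def parse_label(lines):
    """'clean0.win@3/18@3/2' -> (verdict, score, platform, raw trailing counters)."""
    for ln in lines:
        m = LABEL_RE.search(ln)
        if m:
            return m.group(1), int(m.group(2)), m.group(3), m.group(4)
    return None


def triage(lines, sample_url):
    """Summarise a report into the fields an analyst copies into a ticket."""
    tls = parse_tls(lines)
    iocs, noise = parse_memory_urls(lines)
    return {
        "rewritten_target": mimecast_target(sample_url),
        "contacted_ips": sorted({t[0] for t in tls}),
        "tls_versions": sorted({t[3] for t in tls}),
        "dns_queries": parse_dns(lines),
        "url_hosts": sorted({urlparse(u).hostname for u in iocs}),
        "ignored_favorites": sorted({urlparse(u).hostname for u in noise}),
        "label": parse_label(lines),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(REPORT_LINES, SAMPLE_URL), indent=2))
```

Running it on the lines above yields two contacted IPs, one DNS query, pr.ssm.echoworx.net as the only host actually referenced by the page content, and facebook/amazon filed under ignored favorites; the contacted IPs are the values to pivot on, since the report does not show which of them served the Mimecast redirect and which served echoworx.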
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E431D7DE-CABB-11EB-90E5-ECF4BB2D2496}.dat
Source: C:\Program Files\internet explorer\iexplore.exe File created: C:\Users\user\AppData\Local\Temp\~DF105B1BD805E1ACCB.TMP
Source: C:\Program Files\internet explorer\iexplore.exe File read: C:\Users\desktop.ini
Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:4984 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: agree
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: agree
Source: C:\Program Files\internet explorer\iexplore.exe Automated click: agree
Source: Window Recorder Window detected: More than 3 window changes detected