Loading ...

Play interactive tourEdit tour

Windows Analysis Report https://ranko23.web.app/miajarantarankaran.html#jdoe@mycity.be

Overview

General Information

Sample URL:https://ranko23.web.app/miajarantarankaran.html#jdoe@mycity.be
Analysis ID:483926
Infos:

Most interesting Screenshot:

Detection

HTMLPhisher
Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Yara detected HtmlPhish10
Antivirus detection for URL or domain
URL contains potential PII (phishing indication)
Invalid 'forgot password' link found
HTML body contains low number of good links
HTML title does not match URL

Classification

Process Tree

  • System is w10x64
  • iexplore.exe (PID: 6840 cmdline: 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding MD5: 6465CB92B25A7BC1DF8E01D8AC5E7596)
    • iexplore.exe (PID: 6900 cmdline: 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6840 CREDAT:17410 /prefetch:2 MD5: 071277CC2E3DF41EEEA8013E2AB58D5A)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

barindex
Antivirus / Scanner detection for submitted sampleShow sources
Source: https://ranko23.web.app/miajarantarankaran.html#jdoe@mycity.beSlashNext: detection malicious, Label: Fake Login Page type: Phishing & Social Engineering
Antivirus detection for URL or domainShow sources
Source: https://ranko23.web.app/miajarantarankaran.html#SlashNext: Label: Fake Login Page type: Phishing & Social Engineering

Phishing:

barindex
Yara detected HtmlPhish10Show sources
Source: Yara matchFile source: 405464.pages.csv, type: HTML
Source: Yara matchFile source: 405464.0.links.csv, type: HTML
Source: https://ranko23.web.app/miajarantarankaran.html#jdoe@mycity.beSample URL: PII: jdoe@mycity.be
Source: https://ranko23.web.app/miajarantarankaran.html#jdoe@mycity.beHTTP Parser: Invalid link: Forgot Password?
Source: https://ranko23.web.app/miajarantarankaran.html#jdoe@mycity.beHTTP Parser: Invalid link: Forgot Password?
Source: https://ranko23.web.app/miajarantarankaran.html#HTTP Parser: Invalid link: Forgot Password?
Source: https://ranko23.web.app/miajarantarankaran.html#HTTP Parser: Invalid link: Forgot Password?
Source: https://ranko23.web.app/miajarantarankaran.html#jdoe@mycity.beHTTP Parser: Number of links: 0
Source: https://ranko23.web.app/miajarantarankaran.html#jdoe@mycity.beHTTP Parser: Number of links: 0
Source: https://ranko23.web.app/miajarantarankaran.html#HTTP Parser: Number of links: 0
Source: https://ranko23.web.app/miajarantarankaran.html#HTTP Parser: Number of links: 0
Source: https://ranko23.web.app/miajarantarankaran.html#jdoe@mycity.beHTTP Parser: Title: Mail does not match URL
Source: https://ranko23.web.app/miajarantarankaran.html#jdoe@mycity.beHTTP Parser: Title: Mail does not match URL
Source: https://ranko23.web.app/miajarantarankaran.html#HTTP Parser: Title: Mail does not match URL
Source: https://ranko23.web.app/miajarantarankaran.html#HTTP Parser: Title: Mail does not match URL
Source: https://ranko23.web.app/miajarantarankaran.html#jdoe@mycity.beHTTP Parser: No <meta name="author".. found
Source: https://ranko23.web.app/miajarantarankaran.html#jdoe@mycity.beHTTP Parser: No <meta name="author".. found
Source: https://ranko23.web.app/miajarantarankaran.html#HTTP Parser: No <meta name="author".. found
Source: https://ranko23.web.app/miajarantarankaran.html#HTTP Parser: No <meta name="author".. found
Source: https://ranko23.web.app/miajarantarankaran.html#jdoe@mycity.beHTTP Parser: No <meta name="copyright".. found
Source: https://ranko23.web.app/miajarantarankaran.html#jdoe@mycity.beHTTP Parser: No <meta name="copyright".. found
Source: https://ranko23.web.app/miajarantarankaran.html#HTTP Parser: No <meta name="copyright".. found
Source: https://ranko23.web.app/miajarantarankaran.html#HTTP Parser: No <meta name="copyright".. found
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknownHTTPS traffic detected: 199.36.158.100:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknownHTTPS traffic detected: 199.36.158.100:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.4:49786 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.4:49788 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.4:49789 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknownHTTPS traffic detected: 199.36.158.100:443 -> 192.168.2.4:49794 version: TLS 1.2
Source: unknownDNS traffic detected: queries for: ranko23.web.app
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49788
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49787
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49786
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49785
Source: unknownNetwork traffic detected: HTTP traffic on port 49789 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49787 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49785 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49769 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49770 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49776 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49778 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49791 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49778
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49776
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49775
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49794
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49770
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49792
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49791
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49790
Source: unknownNetwork traffic detected: HTTP traffic on port 49786 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49788 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49794 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49775 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49769
Source: unknownNetwork traffic detected: HTTP traffic on port 49792 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 49790 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49789
Source: global trafficHTTP traffic detected: GET /miajarantarankaran.html HTTP/1.1Accept: text/html, application/xhtml+xml, image/jxr, */*Accept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ranko23.web.appConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /css/hover.css HTTP/1.1Accept: text/css, */*Referer: https://ranko23.web.app/miajarantarankaran.htmlAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ranko23.web.appConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /bootstrap/4.0.0/js/bootstrap.min.js HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: https://ranko23.web.app/miajarantarankaran.htmlAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoOrigin: https://ranko23.web.appAccept-Encoding: gzip, deflateHost: maxcdn.bootstrapcdn.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /bootstrap/4.0.0/css/bootstrap.min.css HTTP/1.1Accept: text/css, */*Referer: https://ranko23.web.app/miajarantarankaran.htmlAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: maxcdn.bootstrapcdn.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /images/1.png HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://ranko23.web.app/miajarantarankaran.htmlAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: ranko23.web.appConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /ajax/libs/popper.js/1.12.9/umd/popper.min.js HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: https://ranko23.web.app/miajarantarankaran.htmlAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoOrigin: https://ranko23.web.appAccept-Encoding: gzip, deflateHost: cdnjs.cloudflare.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /bootstrap/4.1.3/js/bootstrap.min.js HTTP/1.1Accept: application/javascript, */*;q=0.8Referer: https://ranko23.web.app/miajarantarankaran.htmlAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: stackpath.bootstrapcdn.comConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /s2/favicons?domain=mycity.be HTTP/1.1Accept: image/png, image/svg+xml, image/jxr, image/*;q=0.8, */*;q=0.5Referer: https://ranko23.web.app/miajarantarankaran.htmlAccept-Language: en-USUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoAccept-Encoding: gzip, deflateHost: www.google.comConnection: Keep-AliveCookie: CONSENT=YES+GB.en-GB+V9+BX; ANID=AHWqTUlSr3088pwoykfOo43D99cbT1sB7DrGAvl1SaoiUj9-jegdSaaNEmuC6sED
Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: ranko23.web.appConnection: Keep-Alive
Source: global trafficHTTP traffic detected: GET /favicon.ico HTTP/1.1User-Agent: AutoItHost: ranko23.web.app
Source: font-awesome.min[1].css.2.drString found in binary or memory: http://fontawesome.io
Source: font-awesome.min[1].css.2.drString found in binary or memory: http://fontawesome.io/license
Source: bootstrap.min[1].css0.2.drString found in binary or memory: http://getbootstrap.com)
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: http://jquery.org/license
Source: popper.min[1].js.2.drString found in binary or memory: http://opensource.org/licenses/MIT).
Source: 1[1].htm.2.drString found in binary or memory: https://ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=378607
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=449857
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=470258
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://bugs.chromium.org/p/chromium/issues/detail?id=589347
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://bugs.jquery.com/ticket/12359
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://bugs.jquery.com/ticket/13378
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=136851
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=137337
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://bugs.webkit.org/show_bug.cgi?id=29084
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=687787
Source: 1[1].htm.2.drString found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/popper.js/1.12.9/umd/popper.min.js
Source: 1[1].htm.2.drString found in binary or memory: https://code.jquery.com/jquery-3.1.1.min.js
Source: 1[1].htm.2.drString found in binary or memory: https://code.jquery.com/jquery-3.2.1.slim.min.js
Source: 1[1].htm.2.drString found in binary or memory: https://code.jquery.com/jquery-3.3.1.js
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://developer.mozilla.org/en-US/docs/CSS/display
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://drafts.csswg.org/cssom/#common-serializing-idioms
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://drafts.csswg.org/cssom/#resolved-values
Source: 1[1].htm.2.drString found in binary or memory: https://firebasestorage.googleapis.com/v0/b/dellcssfile.appspot.com/o/bootstrap.min.css?alt=media&to
Source: 1[1].htm.2.drString found in binary or memory: https://firebasestorage.googleapis.com/v0/b/dellcssfile.appspot.com/o/font-awesome.min.css?alt=media
Source: fa-regular-400[1].eot.2.dr, all[1].css.2.drString found in binary or memory: https://fontawesome.com
Source: all[1].css.2.drString found in binary or memory: https://fontawesome.com/license/free
Source: fa-regular-400[1].eot.2.dr, fa-solid-900[1].eot.2.drString found in binary or memory: https://fontawesome.comhttps://fontawesome.comFont
Source: 1[1].htm.2.drString found in binary or memory: https://fonts.googleapis.com/css?family=Archivo
Source: css[2].css.2.drString found in binary or memory: https://fonts.gstatic.com/s/archivonarrow/v12/tss0ApVBdCYD5Q7hcxTE1ArZ0bbwiXo.woff)
Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.drString found in binary or memory: https://getbootstrap.com)
Source: bootstrap.min[1].js0.2.drString found in binary or memory: https://getbootstrap.com/)
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://github.com/eslint/eslint/issues/3229
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://github.com/eslint/eslint/issues/6125
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://github.com/jquery/jquery/pull/557)
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://github.com/jquery/sizzle/pull/225
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://github.com/jrburke/requirejs/wiki/Updating-existing-libraries#wiki-anon
Source: bootstrap.min[1].js.2.dr, bootstrap.min[1].css.2.drString found in binary or memory: https://github.com/twbs/bootstrap/blob/master/LICENSE)
Source: bootstrap.min[1].js.2.drString found in binary or memory: https://github.com/twbs/bootstrap/graphs/contributors)
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://html.spec.whatwg.org/#strip-and-collapse-whitespace
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#category-listed
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#concept-fe-disabled
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://html.spec.whatwg.org/multipage/forms.html#concept-option-disabled
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://html.spec.whatwg.org/multipage/scripting.html#selector-disabled
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://html.spec.whatwg.org/multipage/scripting.html#selector-enabled
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://html.spec.whatwg.org/multipage/syntax.html#attributes-2
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://jquery.com/
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://jquery.org/license
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://jsperf.com/getall-vs-sizzle/2
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://jsperf.com/thor-indexof-vs-for/5
Source: 1[1].htm.2.drString found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/css/bootstrap.min.css
Source: 1[1].htm.2.drString found in binary or memory: https://maxcdn.bootstrapcdn.com/bootstrap/4.0.0/js/bootstrap.min.js
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://promisesaplus.com/#point-48
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://promisesaplus.com/#point-54
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://promisesaplus.com/#point-57
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://promisesaplus.com/#point-59
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://promisesaplus.com/#point-61
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://promisesaplus.com/#point-64
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://promisesaplus.com/#point-75
Source: {20DCD1A3-1631-11EC-90EB-ECF4BBEA1588}.dat.1.drString found in binary or memory: https://ranko23.wRoot
Source: {20DCD1A3-1631-11EC-90EB-ECF4BBEA1588}.dat.1.drString found in binary or memory: https://ranko23.web.ap
Source: {20DCD1A3-1631-11EC-90EB-ECF4BBEA1588}.dat.1.drString found in binary or memory: https://ranko23.web.app/miajarantarankaran.html
Source: {20DCD1A3-1631-11EC-90EB-ECF4BBEA1588}.dat.1.drString found in binary or memory: https://ranko23.web.app/miajarantarankaran.html#jdoe
Source: ~DF73A79B2C118C91ED.TMP.1.drString found in binary or memory: https://ranko23.web.app/miajarantarankaran.html#oe
Source: {20DCD1A3-1631-11EC-90EB-ECF4BBEA1588}.dat.1.drString found in binary or memory: https://ranko23.wp/miajarantarankaran.html#oe
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://sizzlejs.com/
Source: 1[1].htm.2.drString found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.1.3/js/bootstrap.min.js
Source: 1[1].htm.2.drString found in binary or memory: https://use.fontawesome.com/releases/v5.7.0/css/all.css
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/
Source: jquery-3.3.1[1].js.2.drString found in binary or memory: https://web.archive.org/web/20141116233347/http://fluidproject.org/blog/2008/01/09/getting-setting-a
Source: unknownHTTPS traffic detected: 199.36.158.100:443 -> 192.168.2.4:49770 version: TLS 1.2
Source: unknownHTTPS traffic detected: 199.36.158.100:443 -> 192.168.2.4:49769 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.4:49776 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.4:49775 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.4:49786 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.16.19.94:443 -> 192.168.2.4:49785 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.4:49787 version: TLS 1.2
Source: unknownHTTPS traffic detected: 104.18.10.207:443 -> 192.168.2.4:49788 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.4:49789 version: TLS 1.2
Source: unknownHTTPS traffic detected: 172.217.168.36:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknownHTTPS traffic detected: 199.36.158.100:443 -> 192.168.2.4:49794 version: TLS 1.2
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Temp\~DF4A5B42F49DAEA5B5.TMPJump to behavior
Source: classification engineClassification label: mal64.phis.win@3/25@8/4
Source: unknownProcess created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6840 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exeProcess created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:6840 CREDAT:17410 /prefetch:2
Source: C:\Program Files\internet explorer\iexplore.exeFile read: C:\Users\desktop.iniJump to behavior
Source: C:\Program Files\internet explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{20DCD1A1-1631-11EC-90EB-ECF4BBEA1588}.datJump to behavior
Source: Window RecorderWindow detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Internet Explorer\iexplore.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Mitre Att&ck Matrix

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Masquerading1OS Credential DumpingFile and Directory Discovery1Remote ServicesData from Local SystemExfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryApplication Window DiscoveryRemote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothNon-Application Layer Protocol2Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or InformationSecurity Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationApplication Layer Protocol3Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureScheduled TransferIngress Tool Transfer1SIM Card SwapCarrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.