# Analysis Report http://www.hacienda.gobierno.pr/publicaciones/boletin-informativo-de-rentas-internas-num-18-21-bi-ri-18-21

## Overview

### Detection

| Strategy | Score | Range | Reporting | Detection |
| --- | --- | --- | --- | --- |
| Threshold | 0 | 0 - 100 | Report FP / FN | |

### Confidence

| Strategy | Score | Range | Further Analysis Required? | Confidence |
| --- | --- | --- | --- | --- |
| Threshold | 4 | 0 - 5 | false | |

Sample HTTP requests are all non-existent; the sample will likely exhibit less behavior.

### Mitre Att&ck Matrix

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Valid Accounts | Windows Remote Management | Winlogon Helper DLL | Port Monitors | File System Logical Offsets | Credential Dumping | System Service Discovery | Application Deployment Software | Data from Local System | Data Compressed | Standard Non-Application Layer Protocol (5) |
| Replication Through Removable Media | Service Execution | Port Monitors | Accessibility Features | Binary Padding | Network Sniffing | Application Window Discovery | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Application Layer Protocol (5) |

### Signature Overview

#### Networking:

• Found strings which match to known social media urls
  Source: contactenos[1].htm.2.dr String found in binary or memory: equals www.twitter.com (Twitter)
  Source: contactenos[1].htm.2.dr String found in binary or memory:
• Performs DNS lookups
  Source: unknown DNS traffic detected: queries for: www.hacienda.gobierno.pr
• Posts data to webserver
  Source: unknown / global traffic HTTP traffic detected:

```http
HTTP/1.1 404 Not Found
Cache-Control: no-cache, must-revalidate, post-check=0, pre-check=0
Content-Type: text/html; charset=utf-8
Content-Language: es
Expires: Sun, 19 Nov 1978 05:00:00 GMT
Server: Microsoft-IIS/8.0
X-Powered-By: PHP/5.4.24
X-Drupal-Cache: MISS
X-Content-Type-Options: nosniff
X-Powered-By: ASP.NET
Date: Thu, 06 Dec 2018 23:43:59 GMT
Content-Length: 336
```

• Urls found in memory or binary data

#### System Summary:

• Classification label
  Source: classification engine Classification label: clean0.win@3/168@5/2
• Creates files inside the user directory
• Creates temporary files
• Spawns processes
  Source: unknown Process created: C:\Program Files\internet explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
  Source: unknown Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3824 CREDAT:17410 /prefetch:2
  Source: C:\Program Files\internet explorer\iexplore.exe Process created: C:\Program Files (x86)\Internet Explorer\iexplore.exe 'C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE' SCODEF:3824 CREDAT:17410 /prefetch:2
• Found graphical window changes (likely an installer)
  Source: Window Recorder Window detected: More than 3 window changes detected
• Uses new MSVCR Dlls
  Source: C:\Program Files (x86)\Internet Explorer\iexplore.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
No simulations

No Antivirus matches

| URL | Detection | Source |
| --- | --- | --- |
| http://www.hacienda.gobierno.pr/publicaciones/boletin-informativo-de-rentas-internas-num-18-21-bi-ri-18-21 | 0% | virustotal |
| http://www.gdb-pur.com/ | 0% | virustotal |
| http://www.gdb-pur.com/ | 0% | Avira URL Cloud (safe) |