http://view.trsretirementservices.com/?qs=c785cbfe47a3c69b08093da0311ebdb2bcb668c066159d16b519f9d6a92805038af2c46062797f76988c71afd63b9d3f39662ccff41e3ed1a5e8e01d89ee6b1902f9750d081545f16251cdb9daae68d7
This report was generated from a URL submitted to this webservice on November 29th 2018 05:38:40 (UTC), using the action script "Default browser analysis".
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.20 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior
- Contacts 3 domains and 8 hosts.
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed in this report.
-
Malicious Indicators 2
-
Network Related
-
Malicious artifacts seen in the context of a contacted host
- details
-
Found malicious artifacts related to "23.61.218.119": ...
File SHA256: 7eb7cbc2b31635cc99fe5cc2d33cee7f8cfb2192f6e75acb344244dae069ca5b (Date: 11/29/2018 03:27:07)
File SHA256: f0cf7b49a32b0963b404a40f1300fd391492b18409f24b4e04b316dae8ee5e7e (Date: 11/28/2018 23:30:16)
File SHA256: 87b145a841b366c5b50c98b9fcd7163fd62193ff6d43f70eb5592b78be5d2397 (Date: 11/28/2018 22:54:55)
File SHA256: 96af91ff1bd5f831eb71518fb40dd08c741126cab7a2da8d6f1a6ed91d9b3849 (Date: 11/28/2018 19:46:57)
File SHA256: 2a7bfaf00ea22607e1538dc0778454e5480e4e776b34c5df9bbe0b4d67cded1d (Date: 11/28/2018 19:34:17)
File SHA256: 2ff4d8abbe3268b698459846665170af3feab6a9c52302c216a2af3fa178ea22 (AV positives: 48/57 scanned on 10/21/2015 01:36:34)
Found malicious artifacts related to "93.184.220.29": ...
URL: http://93.184.220.29/CSC3-2004.crl (AV positives: 2/66 scanned on 11/28/2018 15:55:45)
URL: http://93.184.220.29/ss (AV positives: 1/67 scanned on 11/13/2018 21:12:46)
URL: http://93.184.220.29/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACEAtqs7A+san2xGCSaqjN/rM= (AV positives: 1/70 scanned on 11/13/2018 07:24:48)
URL: http://93.184.220.29/ (AV positives: 1/67 scanned on 11/06/2018 11:19:53)
URL: http://93.184.220.29/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh/sBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAilokbNS1yMg9cCtLurU0k= (AV positives: 1/70 scanned on 10/31/2018 09:22:57)
File SHA256: b66223aa986ad3326aed943324a57eb3a57b3fd0625129838bb7433490254020 (AV positives: 55/69 scanned on 11/29/2018 04:41:57)
File SHA256: 83c6c60274e925fff3c11b0a54b6e71fc0f68fb309d2cf1f234a5b1e37a436f3 (AV positives: 51/70 scanned on 11/29/2018 03:41:48)
File SHA256: ae46efb5973a18f6fb79325290d04418239b59be7d1d0a5b81ae419e59ada8c2 (AV positives: 7/70 scanned on 11/29/2018 03:40:10)
File SHA256: 498e3ec65c1864b0dd809d8c6370031a10e349abb502e39cc103be11cc23f3db (AV positives: 59/69 scanned on 11/29/2018 02:01:33)
File SHA256: b0b1058757fa0912d8d5856e5cb5d07ab3feda3f3edd60014554f480dcf6e371 (AV positives: 1/70 scanned on 11/29/2018 01:10:54)
File SHA256: 8b719efa3c90df3b6f33b28ca7a6b888bdebb62868f22eeb880ec8d834732135 (Date: 11/29/2018 04:48:54)
File SHA256: e31e1e295d600d56a49767bea197234519ef0cac204be1ec77a1fd828ee89cb0 (Date: 11/29/2018 04:46:34)
File SHA256: e343128e752420dd52b64984ed5db045aeced4e6914abcf2cfcc9a8bb910bb91 (Date: 11/29/2018 04:44:09)
File SHA256: ab8e1a111cfd2493e3deafc866d195aae19dec039002dca1ac062e326437fcbc (Date: 11/29/2018 04:42:47)
File SHA256: a067f2f2ea2fa63a5336b2cbe18ae228684f9a325d1e59a018aa999f099050f4 (Date: 11/29/2018 04:42:44)
Found malicious artifacts related to "104.18.24.243": ...
URL: http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIGkp0/v9GUvNUu1EP06Tu7+ChyAQUkZ47RGw9V5xCdyo010/RzEqXLNoCEyAAAih83BPAPtKSp0MAAAACKHw= (AV positives: 1/70 scanned on 11/14/2018 18:04:10)
URL: http://ocsp.msocsp.com/mfqwujbqme4wtdajbgurdgmcgguabbrpc1vzt9qvn7bzy3iidtbhla4mkqquwiif1tycsck3fd7/hijo5ox/+n0ce3saakcqozxebynrxe4aaaaaoko3d (AV positives: 1/67 scanned on 05/09/2018 08:30:59)
File SHA256: 7eb7cbc2b31635cc99fe5cc2d33cee7f8cfb2192f6e75acb344244dae069ca5b (Date: 11/29/2018 03:27:07)
File SHA256: 8816559346e6107ab9ae932a4dbaba9aa8673b47975a48638120834d7b829b1a (Date: 11/28/2018 13:00:08)
File SHA256: 3b7ff513c0ba409acc8f64ac59ceec9bd88a84b11817388cccb83a80fd7b3859 (Date: 11/25/2018 19:33:23)
File SHA256: b1a5f65d44bfc3b2b632e94bc9b8f82448babe70f79a04f54afdd70b83ead87a (Date: 11/25/2018 04:41:24)
File SHA256: 446911900204b9c8b2227fa924249863588f1dabc4a7bbeb5b71e9cd824cbf2c (Date: 11/25/2018 04:40:34)
File SHA256: 65960db23240f5e0c4b2ac1cf2979e6e90c6ee15e2f1455f6a4d90a9bee1038c (AV positives: 48/68 scanned on 11/20/2018 11:16:56)
File SHA256: 29a5cb7b0f1a062c273d40959210c14330718eccea253717c2cf9a62c0210619 (AV positives: 49/69 scanned on 11/20/2018 10:40:29)
File SHA256: 897c67dec9bbe7fca2936e1fc69f23f18c46c0bab2c2167b5790714c59fa44d8 (AV positives: 49/68 scanned on 11/20/2018 11:36:48)
File SHA256: 070f6f96c079abed6869d5d9498d531d4c65a1aef84de6ceba45780beb772d4e (AV positives: 48/68 scanned on 11/10/2018 10:22:21)
File SHA256: a9fb6ba7cd1a29cc33aa52614d45932eeee01b67fc2616c0447c5fd34b415fa5 (AV positives: 48/69 scanned on 11/08/2018 00:04:45)
Found malicious artifacts related to "152.199.19.160": ...
File SHA256: cbe20ed2681ce99739aebcd519a56315fdc60ac757a2427a2099488dff87f327 (Date: 11/28/2018 23:01:21)
File SHA256: 66e7e7cd7979d848596fb68be52d14fed50c6e3acae4ed96d24d23f53b2bb653 (Date: 11/28/2018 15:32:03)
File SHA256: d43a962da7bd4253988810188cce5163ab00aa2f14e1a75e16f435d6eac63ad4 (Date: 11/28/2018 04:29:39)
File SHA256: a42d0f470c8d6a8592fa1fa6134daeda8c8aaaf78763f41e34c2476e8ce766cf (Date: 11/28/2018 02:26:55)
File SHA256: 693439fe7dfa257f1647b52553e168b398a96802cafae233bffcdab5c1d1a9da (AV positives: 28/69 scanned on 11/27/2018 23:59:11)
File SHA256: 092490bb05cd4821295be014333e6d1afac757174754159bfb0b84a150e72f83 (Date: 11/27/2018 15:34:26)
File SHA256: 6ae3cabd889a02260cf2668d37300114e3245a40cac71f70378a77891a869186 (AV positives: 1/70 scanned on 11/24/2018 10:29:51)
File SHA256: 2dee0a04ca84d6b1013b85a378ae304bdc63e63134c8564339098d65cd96d178 (AV positives: 6/68 scanned on 11/24/2018 12:20:19)
File SHA256: c8e3b433a80bdfd3d9850bbd2a594f6d1a22e536dc18a421b6b0a11319ce2b60 (AV positives: 3/71 scanned on 11/23/2018 13:30:01)
File SHA256: 159f561782c75335342eb7c66809c6736117a2a37c6c17dc97ec6ef5b770595a (AV positives: 10/71 scanned on 11/23/2018 20:21:38) - source
- Network Traffic
- relevance
- 10/10
-
Multiple malicious artifacts seen in the context of different hosts
- details
-
(Identical to the artifact list under "Malicious artifacts seen in the context of a contacted host" above: the same four hosts 23.61.218.119, 93.184.220.29, 104.18.24.243 and 152.199.19.160 with the same file hashes and URLs.) - source
- Network Traffic
- relevance
- 10/10
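A caveat before treating the two "Malicious" indicators as evidence against the submitted page. The sandbox correlates by destination IP, and the URL artifacts it associates with 93.184.220.29 and 104.18.24.243 are certificate-status traffic: the long base64 path segments are the RFC 6960 OCSP GET form (a DER-encoded OCSPRequest placed in the URL), and CSC3-2004.crl is a CRL download. Any sample that triggered a revocation check against the same responder shows up as a "related" artifact, which is why hosts reached by the browser frame process (PID 2752) rather than the tab that rendered the page (PID 2264) carry these hits. The following Python script is added here as a worked example and is not part of the Hybrid Analysis report; it decodes the OCSP paths copied from the lists above into their CertID fields so such URLs can be triaged as routine PKI traffic, and returns None for anything that is not an OCSPRequest (the CRL URL, or the case-folded ocsp.msocsp.com copy as stored by the AV scanner, which no longer decodes). The `triage` labels are my own naming.

```python
import base64
from urllib.parse import unquote

# URLs copied from the "Malicious artifacts" lists in this report.
OCSP_URL = ("http://93.184.220.29/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/"
            "nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACEAtqs7A+san2xGCSaqjN/rM=")
MSOCSP_URL = ("http://ocsp.msocsp.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBSIGkp0/v9GUvNUu1EP"
              "06Tu7+ChyAQUkZ47RGw9V5xCdyo010/RzEqXLNoCEyAAAih83BPAPtKSp0MAAAACKHw=")
MSOCSP_FOLDED = ("http://ocsp.msocsp.com/mfqwujbqme4wtdajbgurdgmcgguabbrpc1vzt9qvn7bzy3iidtbhla4"
                 "mkqquwiif1tycsck3fd7/hijo5ox/+n0ce3saakcqozxebynrxe4aaaaaoko3d")
CRL_URL = "http://93.184.220.29/CSC3-2004.crl"

HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:pos + length], pos + length


def read_seq(buf, pos=0):
    """Like read_tlv, but insist on a SEQUENCE and return (value, next_pos)."""
    tag, val, nxt = read_tlv(buf, pos)
    if tag != 0x30:
        raise ValueError(f"expected SEQUENCE, got tag 0x{tag:02x}")
    return val, nxt


def decode_oid(raw):
    """Dotted-string form of a DER OBJECT IDENTIFIER value."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_ocsp_get_url(url):
    """Decode an RFC 6960 OCSP GET URL into its CertID fields.

    Returns a dict (hash algorithm, issuerNameHash, issuerKeyHash, serialNumber
    as hex) or None when the path does not hold a well-formed OCSPRequest."""
    try:
        path = unquote(url.split("/", 3)[3])                  # drop scheme and host
        der = base64.b64decode(path + "=" * (-len(path) % 4))  # re-pad if stripped
        body, _ = read_seq(der)                               # OCSPRequest
        tbs, _ = read_seq(body)                               # TBSRequest
        pos = 0
        while True:                        # skip optional [0] version / [1] requestorName
            tag, request_list, pos = read_tlv(tbs, pos)
            if tag == 0x30:
                break
            if tag not in (0xA0, 0xA1):
                raise ValueError("unexpected element in TBSRequest")
        request, _ = read_seq(request_list)                   # first Request
        cert_id, _ = read_seq(request)                        # CertID
        alg, p = read_seq(cert_id)                            # AlgorithmIdentifier
        t1, name_hash, p = read_tlv(cert_id, p)               # issuerNameHash OCTET STRING
        t2, key_hash, p = read_tlv(cert_id, p)                # issuerKeyHash OCTET STRING
        t3, serial, _ = read_tlv(cert_id, p)                  # serialNumber INTEGER
        if (t1, t2, t3) != (0x04, 0x04, 0x02):
            raise ValueError("CertID fields have the wrong tags")
        _, oid_raw, _ = read_tlv(alg)
        oid = decode_oid(oid_raw)
        return {"hash_alg": HASH_OIDS.get(oid, oid),
                "issuer_name_hash": name_hash.hex(),
                "issuer_key_hash": key_hash.hex(),
                "serial": serial.hex()}
    except (ValueError, IndexError):        # binascii.Error is a ValueError subclass
        return None


def triage(urls):
    """Label each URL: decodable OCSP request, or something to look at by hand."""
    return {u: ("ocsp-request" if parse_ocsp_get_url(u) else "inspect") for u in urls}


if __name__ == "__main__":
    for url, label in triage([OCSP_URL, MSOCSP_URL, MSOCSP_FOLDED, CRL_URL]).items():
        print(label, url)
        print("   ", parse_ocsp_get_url(url))
```

The issuer hashes identify the CA whose responder is being asked; comparing them against the issuer of the certificates you expect the guest to validate (here, Microsoft and code-signing CAs on a stock Windows 7 image) is the quickest way to confirm the traffic is the OS doing its own revocation checking.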
-
-
Suspicious Indicators 3
-
Network Related
-
Sends traffic on typical HTTP outbound port, but without HTTP header
- details
-
TCP traffic to 66.231.91.48 on port 80 is sent without HTTP header
TCP traffic to 2.21.97.64 on port 80 is sent without HTTP header
TCP traffic to 66.231.91.47 on port 80 is sent without HTTP header
TCP traffic to 23.61.218.119 on port 443 is sent without HTTP header
TCP traffic to 93.184.220.29 on port 80 is sent without HTTP header
TCP traffic to 104.18.24.243 on port 80 is sent without HTTP header
TCP traffic to 152.199.19.160 on port 80 is sent without HTTP header
TCP traffic to 2.21.97.41 on port 80 is sent without HTTP header - source
- Network Traffic
- relevance
- 5/10
-
Uses a User Agent typical for browsers, although no browser was ever launched
- details
- Found user agent(s): Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
- source
- Network Traffic
- relevance
- 10/10
-
-
Unusual Characteristics
-
Contacts Mail Related Domain Names
- details
- "image.trsretire-email.com" is probably a mail server
- source
- Network Traffic
- relevance
- 10/10
-
-
Informative 14
-
Anti-Reverse Engineering
-
Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details
- "iexplore.exe" is protecting 8192 bytes with PAGE_GUARD access rights
- source
- API Call
- relevance
- 10/10
-
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/69 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
-
General
-
Contacts domains
- details
-
"view.trsretirementservices.com"
"image.trsretire-email.com"
"click.trsretirementservices.com" - source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
-
"66.231.91.48:80"
"2.21.97.64:80"
"66.231.91.47:80"
"23.61.218.119:443"
"93.184.220.29:80"
"104.18.24.243:80"
"152.199.19.160:80"
"2.21.97.41:80" - source
- Network Traffic
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\IESQMMUTEX_0_208"
"\Sessions\1\BaseNamedObjects\Local\WininetStartupMutex"
"\Sessions\1\BaseNamedObjects\Local\WininetConnectionMutex"
"\Sessions\1\BaseNamedObjects\Local\WininetProxyRegistryMutex"
"\Sessions\1\BaseNamedObjects\Local\!BrowserEmulation!SharedMemory!Mutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\RasPbFile"
"\Sessions\1\BaseNamedObjects\ConnHashTable<2752>_HashTable_Mutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\RSS Eventing Connection Database Mutex 00000ac0"
"\Sessions\1\BaseNamedObjects\Local\Feed Eventing Shared Memory Mutex S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Local\Feed Arbitration Shared Memory Mutex [ User : S-1-5-21-4162757579-3804539371-4239455898-1000 ]"
"\Sessions\1\BaseNamedObjects\Local\Feeds Store Mutex S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Local\c:!users!%OSUSER%!appdata!local!microsoft!feeds cache!" - source
- Created Mutant
- relevance
- 3/10
-
Opened the service control manager
- details
-
"iexplore.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
"iexplore.exe" called "OpenSCManager" requesting access rights "0XE0000000L" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1035 Service Execution
-
Spawns new processes
- details
-
Spawned process "iexplore.exe" with commandline "-nohome"
Spawned process "iexplore.exe" with commandline "SCODEF:2752 CREDAT:79873" - source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
-
Spawned process "iexplore.exe" with commandline "-nohome"
Spawned process "iexplore.exe" with commandline "SCODEF:2752 CREDAT:79873" - source
- Monitored Target
- relevance
- 3/10
-
-
Installation/Persistance
-
Creates new processes
- details
- "iexplore.exe" is creating a new process (Name: "%PROGRAMFILES%\Internet Explorer\iexplore.exe", Handle: 756)
- source
- API Call
- relevance
- 8/10
-
Dropped files
- details
-
"RacMetaData.dat" has type "data"
"view_trsretirementservices_com_1_.htm" has type "HTML document ASCII text with very long lines with CRLF line terminators"
"known_providers_download_v1_1_.xml" has type "XML 1.0 document ASCII text with CRLF line terminators"
"~DFCED26ECCCABDA98F.TMP" has type "data"
"sql4F16.tmp" has type "data"
"7D3BD78A30B98D17C317EDD4FFE850A0" has type "data"
"94308059B57B3142E455B38A6EB92015" has type "data"
"desktop.ini" has type "empty"
"TarD5D1.tmp" has type "data"
"CabD5D0.tmp" has type "Microsoft Cabinet archive data 55153 bytes 1 file"
"CabF6F4.tmp" has type "Microsoft Cabinet archive data 55153 bytes 1 file"
"ad_header_connections3c_1_.jpg" has type "JPEG image data Exif standard: [TIFF image data little-endian direntries=12 height=149 bps=158 PhotometricIntepretation=RGB orientation=upper-left width=532] baseline precision 8 625x122 frames 3"
"6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" has type "data"
"search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico" has type "PNG image data 16 x 16 4-bit colormap non-interlaced"
"RecoveryStore._8E69F740-F421-11E8-924D-0A00272306F4_.dat" has type "Composite Document File V2 Document Cannot read section info"
"TarF728.tmp" has type "data"
"ad_footer_red2_1_.jpg" has type "JPEG image data Exif standard: [TIFF image data little-endian direntries=12 height=14 bps=158 PhotometricIntepretation=RGB orientation=upper-left width=532] baseline precision 8 625x14 frames 3"
"sql51CA.tmp" has type "data" - source
- Binary File
- relevance
- 3/10
-
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://view.trsretirementservices.com/?qs=c785cbfe47a3c69b08093da0311ebdb2bcb668c066159d16b519f9d6a92805038af2c46062797f76988c71afd63b9d3f39662ccff41e3ed1a5e8e01d89ee6b1902f9750d081545f16251cdb9daae68d7"
Pattern match: "http://view.trsretirementservices.com"
Heuristic match: "view.trsretirementservices.com"
Heuristic match: "image.trsretire-email.com"
Heuristic match: "click.trsretirementservices.com"
Pattern match: "https://ieonline.microsoft.com/ie/known_providers_download_v1.xml"
Pattern match: "https://ieonline.microsoft.com/#ieslice"
Pattern match: "http://go.microsoft.com/fwlink/?LinkId=121315"
Pattern match: "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}§ionHeight={ie:sectionHeight"
Pattern match: "http://www.bing.com/favicon.ico"
Pattern match: "http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC" - source
- File/Memory
- relevance
- 10/10
-
HTTP request contains Base64 encoded artifacts
- details
-
"s9qs[=]^mm4yzo}zk7snVw^uk{M]}gynuqu{"
"}Gw6my~^}N]z}uMu}N^}]wqx" - source
- Network Traffic
- relevance
- 7/10
- ATT&CK ID
- T1132 Data Encoding
-
-
Unusual Characteristics
-
Drops cabinet archive files
- details
-
"CabD5D0.tmp" has type "Microsoft Cabinet archive data 55153 bytes 1 file"
"CabF6F4.tmp" has type "Microsoft Cabinet archive data 55153 bytes 1 file" - source
- Binary File
- relevance
- 10/10
-
Installs hooks/patches the running process
- details
-
"iexplore.exe" wrote bytes "48123f75" to virtual address "0x754083C0" (part of module "SSPICLI.DLL")
"iexplore.exe" wrote bytes "e954a1d0f8" to virtual address "0x76BC3B7F" (part of module "USER32.DLL")
"iexplore.exe" wrote bytes "f8113f75" to virtual address "0x754083C4" (part of module "SSPICLI.DLL")
"iexplore.exe" wrote bytes "e9b34bbff8" to virtual address "0x76B9EC7C" (part of module "USER32.DLL")
"iexplore.exe" wrote bytes "b8b015a273ffe0" to virtual address "0x753F11F8" (part of module "SSPICLI.DLL")
"iexplore.exe" wrote bytes "48123f75" to virtual address "0x75408348" (part of module "SSPICLI.DLL")
"iexplore.exe" wrote bytes "e9c20acff8" to virtual address "0x76BDD274" (part of module "USER32.DLL")
"iexplore.exe" wrote bytes "f8113f75" to virtual address "0x7540834C" (part of module "SSPICLI.DLL")
"iexplore.exe" wrote bytes "e9efb94afb" to virtual address "0x7442388E" (part of module "COMCTL32.DLL")
"iexplore.exe" wrote bytes "68130000" to virtual address "0x77501680" (part of module "WS2_32.DLL")
"iexplore.exe" wrote bytes "e9e9f0cdf8" to virtual address "0x76BEE9ED" (part of module "USER32.DLL")
"iexplore.exe" wrote bytes "e99cf3cdf8" to virtual address "0x76BEE869" (part of module "USER32.DLL")
"iexplore.exe" wrote bytes "48123f75" to virtual address "0x754083DC" (part of module "SSPICLI.DLL")
"iexplore.exe" wrote bytes "e937f2cdf8" to virtual address "0x76BEE963" (part of module "USER32.DLL")
"iexplore.exe" wrote bytes "f8113f75" to virtual address "0x754083E0" (part of module "SSPICLI.DLL")
"iexplore.exe" wrote bytes "e9b943b1f8" to virtual address "0x76BB3B9B" (part of module "USER32.DLL")
"iexplore.exe" wrote bytes "e99ac3d8f9" to virtual address "0x75B42694" (part of module "COMDLG32.DLL")
"iexplore.exe" wrote bytes "48120000" to virtual address "0x753F139C" (part of module "SSPICLI.DLL")
"iexplore.exe" wrote bytes "48120000" to virtual address "0x753F12DC" (part of module "SSPICLI.DLL")
"iexplore.exe" wrote bytes "48123f75" to virtual address "0x75408364" (part of module "SSPICLI.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 Hooking
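Reading the hook list: every 5-byte write that starts with e9 is an x86 JMP rel32 whose destination is write address + 5 + rel32; the 7-byte write b8 b015a273 ffe0 is mov eax, 0x73A215B0 ; jmp eax; and the 4-byte writes are little-endian pointers (48123f75 is 0x753F1248, and f8113f75 is 0x753F11F8, the very address that received the mov/jmp stub, so the SSPICLI writes are table entries being redirected to a freshly written trampoline). Working the arithmetic shows that seven of the nine JMP hooks in USER32, COMCTL32 and COMDLG32 land inside one 1 MiB region around 0x6F8Cxxxx, well below every hooked module, which is the footprint of a single injected hooking DLL. The report names no module at that address, so by itself it cannot say whether that DLL is the sandbox's own user-mode monitor or something the page brought in; nothing else in this report (0/69 AV, dropped files that are all IE cache and recovery artifacts) points to the latter. The script below is added here as an example, not taken from the report, and decodes the twenty writes exactly as listed; the classification names are mine.

```python
import re
import struct
from collections import Counter

# The twenty write events from the "Installs hooks/patches the running process"
# indicator, copied verbatim from the report (iexplore.exe PID 2752, Win7 x86).
HOOK_LOG = '''
"iexplore.exe" wrote bytes "48123f75" to virtual address "0x754083C0" (part of module "SSPICLI.DLL")
"iexplore.exe" wrote bytes "e954a1d0f8" to virtual address "0x76BC3B7F" (part of module "USER32.DLL")
"iexplore.exe" wrote bytes "f8113f75" to virtual address "0x754083C4" (part of module "SSPICLI.DLL")
"iexplore.exe" wrote bytes "e9b34bbff8" to virtual address "0x76B9EC7C" (part of module "USER32.DLL")
"iexplore.exe" wrote bytes "b8b015a273ffe0" to virtual address "0x753F11F8" (part of module "SSPICLI.DLL")
"iexplore.exe" wrote bytes "48123f75" to virtual address "0x75408348" (part of module "SSPICLI.DLL")
"iexplore.exe" wrote bytes "e9c20acff8" to virtual address "0x76BDD274" (part of module "USER32.DLL")
"iexplore.exe" wrote bytes "f8113f75" to virtual address "0x7540834C" (part of module "SSPICLI.DLL")
"iexplore.exe" wrote bytes "e9efb94afb" to virtual address "0x7442388E" (part of module "COMCTL32.DLL")
"iexplore.exe" wrote bytes "68130000" to virtual address "0x77501680" (part of module "WS2_32.DLL")
"iexplore.exe" wrote bytes "e9e9f0cdf8" to virtual address "0x76BEE9ED" (part of module "USER32.DLL")
"iexplore.exe" wrote bytes "e99cf3cdf8" to virtual address "0x76BEE869" (part of module "USER32.DLL")
"iexplore.exe" wrote bytes "48123f75" to virtual address "0x754083DC" (part of module "SSPICLI.DLL")
"iexplore.exe" wrote bytes "e937f2cdf8" to virtual address "0x76BEE963" (part of module "USER32.DLL")
"iexplore.exe" wrote bytes "f8113f75" to virtual address "0x754083E0" (part of module "SSPICLI.DLL")
"iexplore.exe" wrote bytes "e9b943b1f8" to virtual address "0x76BB3B9B" (part of module "USER32.DLL")
"iexplore.exe" wrote bytes "e99ac3d8f9" to virtual address "0x75B42694" (part of module "COMDLG32.DLL")
"iexplore.exe" wrote bytes "48120000" to virtual address "0x753F139C" (part of module "SSPICLI.DLL")
"iexplore.exe" wrote bytes "48120000" to virtual address "0x753F12DC" (part of module "SSPICLI.DLL")
"iexplore.exe" wrote bytes "48123f75" to virtual address "0x75408364" (part of module "SSPICLI.DLL")
'''

LINE_RE = re.compile(
    r'wrote bytes "([0-9a-f]+)" to virtual address "0x([0-9A-Fa-f]+)" '
    r'\(part of module "([^"]+)"\)')


def decode_write(hexbytes, addr):
    """Classify one logged write by the bytes it placed at addr.

    E9 rel32         -> 5-byte inline JMP, target = addr + 5 + rel32 (mod 2^32)
    B8 imm32 / FF E0 -> mov eax, imm32 ; jmp eax, an absolute trampoline
    4 bytes          -> a little-endian pointer (function table / IAT entry)
    """
    b = bytes.fromhex(hexbytes)
    if len(b) == 5 and b[0] == 0xE9:
        rel = struct.unpack("<i", b[1:])[0]
        return "jmp_rel32", (addr + 5 + rel) & 0xFFFFFFFF
    if len(b) == 7 and b[0] == 0xB8 and b[5:] == b"\xff\xe0":
        return "mov_eax_jmp_eax", struct.unpack("<I", b[1:5])[0]
    if len(b) == 4:
        return "ptr32", struct.unpack("<I", b)[0]
    return "unknown", None


def parse_hooks(log):
    hooks = []
    for m in LINE_RE.finditer(log):
        hexbytes, addr, module = m.group(1), int(m.group(2), 16), m.group(3)
        kind, target = decode_write(hexbytes, addr)
        hooks.append({"module": module, "addr": addr, "kind": kind, "target": target})
    return hooks


def trampoline_regions(hooks, granularity=0x100000):
    """Count where the control-flow hooks land, per 1 MiB region.

    A tight cluster outside every hooked module is the footprint of one injected
    hooking DLL; the report does not say which module is mapped there."""
    regions = Counter()
    for h in hooks:
        if h["kind"] in ("jmp_rel32", "mov_eax_jmp_eax"):
            regions[h["target"] & ~(granularity - 1)] += 1
    return regions


def pointers_into_patched_code(hooks):
    """Pointer writes whose value is an address that itself received a code patch:
    table entries redirected to a trampoline written in the same session."""
    patched = {h["addr"] for h in hooks if h["kind"] != "ptr32"}
    return {h["target"] for h in hooks if h["kind"] == "ptr32" and h["target"] in patched}


if __name__ == "__main__":
    hooks = parse_hooks(HOOK_LOG)
    for h in hooks:
        tgt = f"0x{h['target']:08X}" if h["target"] is not None else "-"
        print(f"{h['module']:<13} 0x{h['addr']:08X} {h['kind']:<16} -> {tgt}")
    for region, n in sorted(trampoline_regions(hooks).items()):
        print(f"{n} hook(s) land in 0x{region:08X}-0x{region + 0xFFFFF:08X}")
    print("table entries pointing at patched code:",
          [f"0x{a:08X}" for a in sorted(pointers_into_patched_code(hooks))])
```

To settle whose DLL sits at 0x6F8Cxxxx you need the loaded-module list for PID 2752 (the full report or a memory dump), which this slim report does not include; the notifications at the end say as much.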
-
Session Details
No relevant data available.
Hybrid Analysis
Analysed 3 processes in total.
-
rundll32.exe
"%WINDIR%\System32\ieframe.dll",OpenURL C:\d5b70a4186dc09ab3c6c517826c0d4c3b65cd6e24f483ef3338f4bb0c86b2af2.url
(PID: 3672)
-
iexplore.exe
-nohome
(PID: 2752)
- iexplore.exe SCODEF:2752 CREDAT:79873 (PID: 2264)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
click.trsretirementservices.com | 66.231.91.47 | - | United States |
image.trsretire-email.com | 2.21.97.64 | - | European Union |
view.trsretirementservices.com | 66.231.91.48 | - | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Country |
---|---|---|---|
66.231.91.48 | 80/TCP | iexplore.exe PID: 2264 | United States |
2.21.97.64 | 80/TCP | iexplore.exe PID: 2264 | European Union |
66.231.91.47 | 80/TCP | iexplore.exe PID: 2264 | United States |
23.61.218.119 | 443/TCP | iexplore.exe PID: 2752 | United States |
93.184.220.29 | 80/TCP | iexplore.exe PID: 2752 | European Union |
104.18.24.243 | 80/TCP | iexplore.exe PID: 2752 | United States |
152.199.19.160 | 80/TCP | iexplore.exe PID: 2752 | United States |
2.21.97.41 | 80/TCP | svchost.exe PID: 1120; iexplore.exe PID: 2752 | European Union |
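Which of the eight contacted hosts belong to the submitted URL and which are the guest's own background traffic? Joining the two tables answers it: only the three trsretirementservices.com / trsretire-email.com names were resolved in this run, all three were fetched by the tab process (iexplore.exe PID 2264), and the five remaining hosts, including all four that carry "Malicious artifacts" indicators, were contacted with no logged DNS lookup by the frame process (PID 2752) or by svchost.exe. The script below is added as an example and is not part of the report; it transcribes the DNS Requests and Contacted Hosts tables from this page, makes that split explicit, and also reports unresolved hosts that share a /24 with a resolved one (2.21.97.41 does, with the image host), the kind of CDN adjacency worth knowing before calling traffic suspicious. The tag names are my own.

```python
import ipaddress

# DNS Requests table from this report: (name, answer).
DNS_REQUESTS = [
    ("click.trsretirementservices.com", "66.231.91.47"),
    ("image.trsretire-email.com", "2.21.97.64"),
    ("view.trsretirementservices.com", "66.231.91.48"),
]

# Contacted Hosts table from this report: (ip, port, processes that touched it).
CONTACTED_HOSTS = [
    ("66.231.91.48", 80, ["iexplore.exe:2264"]),
    ("2.21.97.64", 80, ["iexplore.exe:2264"]),
    ("66.231.91.47", 80, ["iexplore.exe:2264"]),
    ("23.61.218.119", 443, ["iexplore.exe:2752"]),
    ("93.184.220.29", 80, ["iexplore.exe:2752"]),
    ("104.18.24.243", 80, ["iexplore.exe:2752"]),
    ("152.199.19.160", 80, ["iexplore.exe:2752"]),
    ("2.21.97.41", 80, ["svchost.exe:1120", "iexplore.exe:2752"]),
]

# Hosts the "Malicious artifacts" indicators were raised on.
FLAGGED_HOSTS = {"23.61.218.119", "93.184.220.29", "104.18.24.243", "152.199.19.160"}


def resolved_ips(dns):
    return {ip for _, ip in dns}


def attribute_hosts(hosts, dns):
    """Tag every contacted IP.

    submitted-url : an answer to a DNS query made in this run
    background    : no DNS answer, and touched only by processes that never
                    contacted a resolved host (browser frame / OS traffic)
    unresolved    : no DNS answer, but the same process also fetched the URL
                    (a CDN reached by IP, or a lookup the sandbox did not log)
    """
    resolved = resolved_ips(dns)
    url_processes = {p for ip, _, procs in hosts if ip in resolved for p in procs}
    tags = {}
    for ip, _, procs in hosts:
        if ip in resolved:
            tags[ip] = "submitted-url"
        elif url_processes.isdisjoint(procs):
            tags[ip] = "background"
        else:
            tags[ip] = "unresolved"
    return tags


def nearby_resolved(hosts, dns):
    """Unresolved IPs that share a /24 with a resolved one -> that resolved IP."""
    resolved = resolved_ips(dns)
    out = {}
    for ip, _, _ in hosts:
        if ip in resolved:
            continue
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        for r in sorted(resolved):
            if ipaddress.ip_address(r) in net:
                out[ip] = r
    return out


def flagged_are_background(flagged, tags):
    """True when every host the sandbox flagged is outside the submitted URL's traffic."""
    return all(tags.get(ip) == "background" for ip in flagged)


if __name__ == "__main__":
    tags = attribute_hosts(CONTACTED_HOSTS, DNS_REQUESTS)
    for ip, _, procs in CONTACTED_HOSTS:
        flag = " [flagged]" if ip in FLAGGED_HOSTS else ""
        print(f"{ip:<15} {tags[ip]:<14} {', '.join(procs)}{flag}")
    print("same /24 as a resolved host:", nearby_resolved(CONTACTED_HOSTS, DNS_REQUESTS))
    print("all flagged hosts are background traffic:",
          flagged_are_background(FLAGGED_HOSTS, tags))
```

The split is only as good as the DNS log: the notifications at the end of this report say honeyclient data is missing, so a host tagged "background" here should be re-checked against the full report before it is written off.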
HTTP Traffic
Endpoint | Request | URL |
---|---|---|
66.231.91.48:80 (view.trsretirementservices.com) | GET | view.trsretirementservices.com/?qs=c785cbfe47a3c69b08093da0311ebdb2bcb668c066159d16b519f9d6a92805038af2c46062797f76988c71afd63b9d3f39662ccff41e3ed1a5e8e01d89ee6b1902f9750d081545f16251cdb9daae68d7 |
2.21.97.64:80 (image.trsretire-email.com) | GET | image.trsretire-email.com/lib/fe5d1570716c027d721c/m/1/ad_header_connections3c.jpg |
2.21.97.64:80 (image.trsretire-email.com) | GET | image.trsretire-email.com/lib/fe5d1570716c027d721c/m/1/ad_footer_red2.jpg |
66.231.91.47:80 (click.trsretirementservices.com) | GET | click.trsretirementservices.com/open.aspx?ffcb10-fe561379776702797217-fdba1573736d0d7e741174766d-fe7315707564007c7116-fe5117797c61077a7011-fe28107671650679731d73-ffcf14 |
66.231.91.48:80 (view.trsretirementservices.com) | GET | view.trsretirementservices.com/favicon.ico |

Captured request headers, in the same order (the report truncates some header blocks with "..."):

GET /?qs=c785cbfe47a3c69b08093da0311ebdb2bcb668c066159d16b519f9d6a92805038af2c46062797f76988c71afd63b9d3f39662ccff41e3ed1a5e8e01d89ee6b1902f9750d081545f16251cdb9daae68d7 HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gzip, deflate
Host: view.trsretirementservices.com
Connection: Keep-Alive

GET /lib/fe5d1570716c027d721c/m/1/ad_header_connections3c.jpg HTTP/1.1
Accept: */*
Referer: http://view.trsretirementservices.com/?qs=c785cbfe47a3c69b08093da0311ebdb2bcb668c066159d16b519f9d6a92805038af2c46062797f76988c71afd63b9d3f39662ccff41e3ed1a5e8e01d89ee6b1902f9750d081545f16251cdb9daae68d7
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Enc...

GET /lib/fe5d1570716c027d721c/m/1/ad_footer_red2.jpg HTTP/1.1
Accept: */*
Referer: http://view.trsretirementservices.com/?qs=c785cbfe47a3c69b08093da0311ebdb2bcb668c066159d16b519f9d6a92805038af2c46062797f76988c71afd63b9d3f39662ccff41e3ed1a5e8e01d89ee6b1902f9750d081545f16251cdb9daae68d7
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Accept-Encoding: gz...

GET /open.aspx?ffcb10-fe561379776702797217-fdba1573736d0d7e741174766d-fe7315707564007c7116-fe5117797c61077a7011-fe28107671650679731d73-ffcf14 HTTP/1.1
Accept: */*
Referer: http://view.trsretirementservices.com/?qs=c785cbfe47a3c69b08093da0311ebdb2bcb668c066159d16b519f9d6a92805038af2c46062797f76988c71afd63b9d3f39662ccff41e3ed1a5e8e01d89ee6b1902f9750d081545f16251cdb9daae68d7
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3....

GET /favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: view.trsretirementservices.com
Connection: Keep-Alive
Extracted Files
Displaying 25 extracted file(s). The remaining 9 file(s) are available in the full version and XML/JSON reports.
-
Informative Selection 2
-
-
CabF6F4.tmp
- Size
- 54KiB (55153 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 55153 bytes, 1 file
- Runtime Process
- iexplore.exe (PID: 2752)
- MD5
- c80707feaa56b9f5f9f299a70a89a675
- SHA1
- 2dd4aa8eb8e0ad265afa6fdef00fcc1625ca959c
- SHA256
- 8573c2b9348fd9364d6df901d44c5bd80e33278d4d4ad705d22c9757fa2b52b3
-
desktop.ini
- Size
- Unknown (0 bytes)
- Type
- empty
- Runtime Process
- iexplore.exe (PID: 2752)
-
-
Informative 23
-
-
6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04
- Size
- 471B (471 bytes)
- Type
- data
- Runtime Process
- iexplore.exe (PID: 2752)
- MD5
- 7603e11192665f0cf176aa48e7aa52cc
- SHA1
- 34f4c34a21440006d23481a558c52917242b4229
- SHA256
- de99d586f0d4c4baf1a089eb6b39d64e11f132a9f6b730bcef2be34699cb67a5
-
7D3BD78A30B98D17C317EDD4FFE850A0
- Size
- 159KiB (162347 bytes)
- Type
- data
- Runtime Process
- iexplore.exe (PID: 2752)
- MD5
- f2ea9ac87e699ab8b424d03d8412e41b
- SHA1
- a1680db6152c169d06fbce37b9734761d815c714
- SHA256
- ca5faec260412f1273fafaccdf6a000ad332d9b2ca07b0a46008db96aa07da4a
-
8FE2C641C99CFA6687FA8D31B7D528A1
- Size
- 268B (268 bytes)
- Type
- data
- Runtime Process
- iexplore.exe (PID: 2752)
- MD5
- 28dd62341d8ddd7c7a7b283eb2c28c17
- SHA1
- ee242f2dbe6e8d34d93062aaf27fc0b069a571e6
- SHA256
- 053938241cc23d98fb9107ded51bef4d7136cc8a9f0dca7a5f6bcc6ebfe3997a
-
94308059B57B3142E455B38A6EB92015
- Size
- 342B (342 bytes)
- Type
- data
- Runtime Process
- iexplore.exe (PID: 2752)
- MD5
- aa88a518776a3699d55e36329d30e61d
- SHA1
- dca37c33dfc216370eb2dbfc0da4047fa967685d
- SHA256
- 2a9f75b12ac317b188b69d9af065fb6884a27d3f28bf62b0f3af66df13c19a52
-
50D6B15D9F2DCE1EDBB0C098625FBE47_281AC807DE0FEF15F2CA9911FE760A9B
- Size
- 486B (486 bytes)
- Type
- data
- Runtime Process
- iexplore.exe (PID: 2752)
- MD5
- 59c14b5cfe6afc87e989d98078d7f4c1
- SHA1
- 88b0bb5aca091b2af4ab0b6fa6fe8e469b5f8295
- SHA256
- b7cd1046304327d6c2b5945e86b50c0e12fc1678c8ec73922eb36f8a8b0b3c8a
-
CabD5D0.tmp
- Size
- 54KiB (55153 bytes)
- Type
- data
- Description
- Microsoft Cabinet archive data, 55153 bytes, 1 file
- Runtime Process
- iexplore.exe (PID: 2752)
- MD5
- c80707feaa56b9f5f9f299a70a89a675
- SHA1
- 2dd4aa8eb8e0ad265afa6fdef00fcc1625ca959c
- SHA256
- 8573c2b9348fd9364d6df901d44c5bd80e33278d4d4ad705d22c9757fa2b52b3
-
KnoB814.tmp
- Size
- 88KiB (90518 bytes)
- Type
- text
- Description
- XML 1.0 document, ASCII text, with CRLF line terminators
- Runtime Process
- iexplore.exe (PID: 2752)
- MD5
- 002d5646771d31d1e7c57990cc020150
- SHA1
- a28ec731f9106c252f313cca349a68ef94ee3de9
- SHA256
- 1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f
-
TarD5D1.tmp
- Size
- 130KiB (133284 bytes)
- Type
- data
- Runtime Process
- iexplore.exe (PID: 2752)
- MD5
- cd81f6a51aec72583e68bf8219904438
- SHA1
- 724924a6c906d3953e7b92bd5cc12dae27c772e3
- SHA256
- 540cb7459d0fd892b5c540f293e04aa3a049e65c0fb17f3b2e6245b37530c1d0
-
TarF728.tmp
- Size
- 130KiB (133284 bytes)
- Type
- data
- Runtime Process
- iexplore.exe (PID: 2752)
- MD5
- cd81f6a51aec72583e68bf8219904438
- SHA1
- 724924a6c906d3953e7b92bd5cc12dae27c772e3
- SHA256
- 540cb7459d0fd892b5c540f293e04aa3a049e65c0fb17f3b2e6245b37530c1d0
-
~DFCDEBDF66189478A4.TMP
- Size
- 16KiB (16384 bytes)
- Type
- data
- Runtime Process
- iexplore.exe (PID: 2752)
- MD5
- f71f3c201cf7870f52dc302913a6abbd
- SHA1
- 9d9cfb5669f6714453f99bea1f655374e04e3e38
- SHA256
- 0b23e17fd2199d1269c73075d2340b77fb8bd835b1b69ee1d11cace5dccf6bc5
-
~DFCED26ECCCABDA98F.TMP
- Size
- 16KiB (16384 bytes)
- Type
- data
- Runtime Process
- iexplore.exe (PID: 2752)
- MD5
- 7ce540556b7ecd1294567abe35362ccb
- SHA1
- 9babd98697ea2116b7353b26be4232823ad4ab6f
- SHA256
- 07e6dd1f0b72c1b08ddb1cd44ec79e03e224e895409fce9a7fc4d234ec0a33e1
-
RacMetaData.dat
- Size
- 8B (8 bytes)
- Type
- data
- MD5
- 896dd6374259bc9338e1665164458347
- SHA1
- 19e89499b3c82ba0d87cf09cc3f03cdf1965a854
- SHA256
- 3465c2b485a4bf81275339119be1a79c7313fc900d2e29ff93cde1bdffc64404
-
view_trsretirementservices_com_1_.htm
- Size
- 6KiB (6165 bytes)
- Type
- html
- Description
- HTML document, ASCII text, with very long lines, with CRLF line terminators
- MD5
- a91eb40dadde14436e2e138d3872708b
- SHA1
- 4d80726b94735652287ade12103817d6d6c2340c
- SHA256
- 466a819a462e3cdc676d541a8471fbc4c4b48853703865b5d2ada55f624b5b3a
-
known_providers_download_v1_1_.xml
- Size
- 88KiB (90518 bytes)
- Type
- text
- Description
- XML 1.0 document, ASCII text, with CRLF line terminators
- MD5
- 002d5646771d31d1e7c57990cc020150
- SHA1
- a28ec731f9106c252f313cca349a68ef94ee3de9
- SHA256
- 1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f
-
sql4F16.tmp
- Size
- 20KiB (20480 bytes)
- Type
- data
- MD5
- 70e340524e7d7dfafa2cabd0ac06f783
- SHA1
- 15875aa2996d9eadf9300eeebb395e0fdc5911d8
- SHA256
- 9d4c203c05fd76dc5b4b84bc467a806d165eb37b639bdd3ad6a8caa08cde894b
-
ad_header_connections3c_1_.jpg
- Size
- 35KiB (35843 bytes)
- Type
- img image
- Description
- JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=12, height=149, bps=158, PhotometricIntepretation=RGB, orientation=upper-left, width=532], baseline, precision 8, 625x122, frames 3
- MD5
- 4bcbea6a5196f8c4bf5451dad3cff29f
- SHA1
- fffcefad4ea27e573e6bf997068cde7945028ddb
- SHA256
- afcc37a09ac6f7f85ea1bdf438b798b6b5bec6adc867601c923f8f6e8163fddb
-
search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico
- Size
- 237B (237 bytes)
- Type
- img image
- Description
- PNG image data, 16 x 16, 4-bit colormap, non-interlaced
- MD5
- 9fb559a691078558e77d6848202f6541
- SHA1
- ea13848d33c2c7f4f4baa39348aeb1dbfad3df31
- SHA256
- 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
-
RecoveryStore._8E69F740-F421-11E8-924D-0A00272306F4_.dat
- Size
- 4.5KiB (4608 bytes)
- Type
- text
- Description
- Composite Document File V2 Document, Cannot read section info
- MD5
- d91bcf2e6ad9a2f938933b4d91784407
- SHA1
- 995b6800cca2c3bca06f23be5772a5f07977a5c1
- SHA256
- 6f4457fb2c0f059661127164cdfba25f701949508837967318181d10a798828e
-
ad_footer_red2_1_.jpg
- Size
- 14KiB (13995 bytes)
- Type
- img image
- Description
- JPEG image data, Exif standard: [TIFF image data, little-endian, direntries=12, height=14, bps=158, PhotometricIntepretation=RGB, orientation=upper-left, width=532], baseline, precision 8, 625x14, frames 3
- MD5
- c848626545984bfa6da66b8e47f6371c
- SHA1
- 5c7eaee04a375bacc593145357dff23cdef94b3d
- SHA256
- 0692e80aed0bd99af9485c175523ce3e4b903adab736720526883cfaba002cd0
-
sql51CA.tmp
- Size
- 20KiB (20480 bytes)
- Type
- data
- MD5
- 70e340524e7d7dfafa2cabd0ac06f783
- SHA1
- 15875aa2996d9eadf9300eeebb395e0fdc5911d8
- SHA256
- 9d4c203c05fd76dc5b4b84bc467a806d165eb37b639bdd3ad6a8caa08cde894b
-
favicon_2_.ico
- Size
- 237B (237 bytes)
- Type
- img image
- Description
- PNG image data, 16 x 16, 4-bit colormap, non-interlaced
- MD5
- 9fb559a691078558e77d6848202f6541
- SHA1
- ea13848d33c2c7f4f4baa39348aeb1dbfad3df31
- SHA256
- 6d8a01dc7647bc218d003b58fe04049e24a9359900b7e0cebae76edf85b8b914
-
view_trsretirementservices_com_1_.txt
- Size
- 4KiB (4096 bytes)
- Type
- html
- Description
- HTML document, ASCII text, with very long lines, with CRLF line terminators
- MD5
- 3476d15dad83456b6d0dcf38aafaab17
- SHA1
- 60e464955d896d3822c6fcef60f5d27262073430
- SHA256
- 101f3ce1c84c669e4c00bee7c7e4f3b2f9fe519d7b23bf491f4bb5edbe5f2ccb
-
_8E69F741-F421-11E8-924D-0A00272306F4_.dat
- Size
- 8KiB (8192 bytes)
- Type
- text
- Description
- Composite Document File V2 Document, Cannot read section info
- MD5
- 22455f6eea929022c0bf066236716c9b
- SHA1
- 7a020b29d631c95cf92bf5c56b4c826e602a4cf0
- SHA256
- b041d2ec41f5a481ec590de407d8aef18c3ccd01dea6e8da37624e0dd1f9886a
-
Notifications
-
Runtime
- Not all created files are visible for iexplore.exe (PID: 2752)
- Not all file accesses are visible for iexplore.exe (PID: 2264)
- Not all file accesses are visible for iexplore.exe (PID: 2752)
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Some low-level data is hidden, as this is only a slim report
- This URL analysis has missing honeyclient data