Remittance.html
This report is generated from a file or URL submitted to this webservice on April 24th 2019 03:38:11 (UTC) and action script Default browser analysis
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Network Behavior
- Contacts 1 domain and 1 host.
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed in this slim report.
-
Suspicious Indicators 1
-
Network Related
-
Sends traffic on typical HTTP outbound port, but without HTTP header
- details
- TCP traffic to 184.31.53.59 on port 443 is sent without HTTP header
- source
- Network Traffic
- relevance
- 5/10
- note
- Port 443 carries TLS, so the absence of a cleartext HTTP request line is expected there and this indicator is weak on its own. What the report does not give is attribution: after whitenoise filtering the only DNS lookup retained is ocsp.pki.goog, and no TLS server name is listed for 184.31.53.59, so the destination of this connection cannot be identified from the report alone. The ClientHello SNI and the server certificate in the pcap are what would settle it.
-
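The check behind this indicator, and the context it lacks, as an added example that is not part of the sandbox's report or code: a first-packet classifier that treats a TLS ClientHello on 443 as expected, flags only payloads that are neither HTTP nor TLS on a web port, and pulls the server_name out of the ClientHello, which is exactly the attribution missing for 184.31.53.59 above. The port sets, the hostname example.test and the ClientHello produced by build_client_hello are constructed assumptions, not data from this report.

```python
import struct

# Assumed port policy: where the sandbox expects HTTP or TLS.
WEB_PORTS = {80, 443, 8080, 8443}
TLS_PORTS = {443, 8443}
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")


def classify_first_bytes(data):
    """Cheap first-packet classification: 'tls' for a TLS handshake record,
    'http' for a request line, 'other' for anything else."""
    if data[:1] == b"\x16" and data[1:2] == b"\x03":
        return "tls"
    if data.startswith(HTTP_METHODS) and b" HTTP/1." in data[:256]:
        return "http"
    return "other"


def extract_sni(data):
    """Return the server_name from one complete ClientHello record, or None
    if the record is not a ClientHello, is malformed, or carries no SNI."""
    try:
        if data[0] != 0x16 or data[1] != 0x03:
            return None
        rec_len = struct.unpack(">H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if len(hs) < 4 or hs[0] != 0x01:              # HandshakeType.client_hello
            return None
        pos = 4 + 2 + 32                              # header, legacy_version, random
        pos += 1 + hs[pos]                            # session_id
        pos += 2 + struct.unpack(">H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                            # compression_methods
        end = pos + 2 + struct.unpack(">H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0:                            # server_name extension
                body = hs[pos:pos + elen]             # ServerNameList
                if body[2] == 0:                      # NameType.host_name
                    nlen = struct.unpack(">H", body[3:5])[0]
                    return body[5:5 + nlen].decode("ascii")
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                          # truncated or malformed: treat as no SNI
    return None


def triage(port, data):
    """The sandbox's 'web port without HTTP header' check, with the context it
    lacks: a ClientHello on a TLS port is expected, and its SNI is reported."""
    kind = classify_first_bytes(data)
    if kind == "tls":
        sni = extract_sni(data)
        verdict = "expected" if port in TLS_PORTS else "unusual"
        return verdict, "tls client_hello sni=%s" % (sni or "<none>")
    if kind == "http":
        verdict = "expected" if port in WEB_PORTS - TLS_PORTS else "unusual"
        return verdict, "cleartext http request"
    if port in WEB_PORTS:
        return "suspicious", "non-HTTP, non-TLS payload on web port %d" % port
    return "info", "non-web port"


def build_client_hello(hostname, client_random=bytes(32)):
    """Constructed TLS 1.2 ClientHello with a server_name extension; sample
    input for the functions above, not a capture from the report."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack(">H", len(name)) + name           # host_name entry
    sni = struct.pack(">HH", 0, len(entry) + 2) + struct.pack(">H", len(entry)) + entry
    body = (b"\x03\x03" + client_random + b"\x00"                   # version, random, no session id
            + b"\x00\x02\xc0\x2f"                                    # one cipher suite
            + b"\x01\x00"                                            # null compression only
            + struct.pack(">H", len(sni)) + sni)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


if __name__ == "__main__":
    samples = [
        (443, build_client_hello("example.test")),                      # what 443 should look like
        (443, b"\x00\x01\x02\x03 not a protocol we know"),               # the report's indicator
        (80, b"GET /gsr2/x HTTP/1.1\r\nHost: ocsp.pki.goog\r\n\r\n"),   # like the OCSP requests below
    ]
    for port, payload in samples:
        print(port, *triage(port, payload))
```

Run against a pcap, feed each TCP stream's first client payload to triage(); the "suspicious" verdict is the one that corresponds to this indicator, and it only fires when the payload is neither HTTP nor TLS.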
-
Informative 14
-
External Systems
-
Detected Suricata Alert
- details
- Detected alert "SURICATA HTTP Host header invalid" (SID: 2221028, Rev: 1, Severity: 3) categorized as "Generic Protocol Command Decode"
- source
- Suricata Alerts
- relevance
- 10/10
- note
- The flow for this alert in the Suricata Alerts table below is local -> local:5357 (TCP). TCP 5357 is the Windows WSDAPI (Web Services on Devices) HTTP listener, so this is a decoder event on the guest's own local traffic, not on anything the sample sent out, and it says nothing about the sample.
-
-
General
-
Contacts domains
- details
- "ocsp.pki.goog"
- source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
- "184.31.53.59:443"
- source
- Network Traffic
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\IsoScope_a60_IESQMMUTEX_0_519"
"{5312EE61-79E3-4A24-BFE1-132B85B23C3A}"
"Local\ZonesCacheCounterMutex"
"{66D0969A-1E86-44CF-B4EC-3806DDDA3B5D}"
"IsoScope_a60_IESQMMUTEX_0_331"
"IsoScope_a60_IESQMMUTEX_0_519"
"IsoScope_a60_IESQMMUTEX_0_303"
"Local\URLBLOCK_HASHFILESWITCH_MUTEX"
"Local\!BrowserEmulation!SharedMemory!Mutex"
"Local\URLBLOCK_DOWNLOAD_MUTEX"
"Local\ZonesLockedCacheCounterMutex"
"Local\URLBLOCK_FILEMAPSWITCH_MUTEX_2656"
"IsoScope_a60_IE_EarlyTabStart_0x56c_Mutex"
"UpdatingNewTabPageData"
"Local\VERMGMTBlockListFileMutex"
"IsoScope_a60_ConnHashTable<2656>_HashTable_Mutex"
"\Sessions\1\BaseNamedObjects\Local\!BrowserEmulation!SharedMemory!Mutex"
"\Sessions\1\BaseNamedObjects\Local\VERMGMTBlockListFileMutex"
"\Sessions\1\BaseNamedObjects\Local\URLBLOCK_FILEMAPSWITCH_MUTEX_2656"
"\Sessions\1\BaseNamedObjects\Local\URLBLOCK_HASHFILESWITCH_MUTEX"
- source
- Created Mutant
- relevance
- 3/10
- note
- All of these names are typical of Internet Explorer's own startup (IsoScope_ isolation scopes, IESQMMUTEX, URLBLOCK and BrowserEmulation locks) and are created by iexplore.exe, the monitored browser, rather than being behaviour specific to the document under analysis.
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "urlblockindex_1_.bin" as clean (type is "data")
- source
- Binary File
- relevance
- 10/10
-
Opened the service control manager
- details
-
"iexplore.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
"iexplore.exe" called "OpenSCManager" requesting access rights 0xE0000000 (GENERIC_READ | GENERIC_WRITE | GENERIC_EXECUTE)
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1035 (Service Execution)
-
Scanning for window names
- details
-
"iexplore.exe" searching for class "ImmersiveWorkerWindowClass"
"iexplore.exe" searching for class "Shell_TrayWnd"
"iexplore.exe" searching for class "MS_AutodialMonitor"
"iexplore.exe" searching for class "MS_WebCheckMonitor"
- source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010 (Application Window Discovery)
-
Spawns new processes
- details
- Spawned process "iexplore.exe" with commandline "SCODEF:2656 CREDAT:275457 /prefetch:2"
- source
- Monitored Target
- relevance
- 3/10
-
Spawns new processes that are not known child processes
- details
- Spawned process "iexplore.exe" with commandline "SCODEF:2656 CREDAT:275457 /prefetch:2"
- source
- Monitored Target
- relevance
- 3/10
- note
- "SCODEF:<frame pid> CREDAT:<n>" is the command line with which the Internet Explorer frame process (PID 2656) starts its tab process (PID 2600, see the process tree under Hybrid Analysis below), so this child is the browser's normal tab process and not an unknown spawn.
-
-
Installation/Persistence
-
Creates new processes
- details
- "iexplore.exe" is creating a new process (Name: "%PROGRAMFILES%\Internet Explorer\iexplore.exe", Handle: 896)
- source
- API Call
- relevance
- 8/10
-
Dropped files
- details
-
"urlblockindex_1_.bin" has type "data"
"~DF61FC2F6940A0C0F1.TMP" has type "data"
"V9CWZYV8.txt" has type "ASCII text"
"6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04" has type "data"
"_C7864C2E-6631-11E9-ACF9-0A0027823012_.dat" has type "Composite Document File V2 Document Cannot read section info"
"suggestions_1_.en-US" has type "data"
"F5F320A94D4D2B4465D8F17E2BB2D351_23770A8477AD60C6BDADDAADD4D1101F" has type "data"
"50D6B15D9F2DCE1EDBB0C098625FBE47_281AC807DE0FEF15F2CA9911FE760A9B" has type "data"
"favicon_2_.ico" has type "PNG image data 16 x 16 4-bit colormap non-interlaced"
"search__0633EE93-D776-472f-A0FF-E1416B8B2E3A_.ico" has type "PNG image data 16 x 16 4-bit colormap non-interlaced"
"KPC7EN0N.txt" has type "ASCII text"
"dberr.txt" has type "ASCII text with CRLF line terminators"
"~DF854A3E6488FC9735.TMP" has type "data"
"RecoveryStore._88B090C0-D917-11E7-B67B-080027A49DD6_.dat" has type "Composite Document File V2 Document Cannot read section info"
"MJK9PN9V.txt" has type "ASCII text"
"RecoveryStore._BE9CA1BD-6631-11E9-ACF9-0A0027823012_.dat" has type "Composite Document File V2 Document Cannot read section info"
"6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F" has type "data"
"JavaDeployReg.log" has type "ASCII text with CRLF line terminators"
"search_1_.json" has type "ASCII text with no line terminators"
"~DFF5152B54E9B13D8B.TMP" has type "data"
- source
- Binary File
- relevance
- 3/10
-
Found a string that may be used as part of an injection method
- details
- "Shell_TrayWnd" (Taskbar window class may be used to inject into explorer with the SetWindowLong method)
- source
- File/Memory
- relevance
- 4/10
- ATT&CK ID
- T1055 (Process Injection)
- note
- The string sits in iexplore.exe's own memory and corresponds to the FindWindow lookup for "Shell_TrayWnd" listed under "Scanning for window names" above. Looking up the taskbar window is routine browser behaviour; no SetWindowLong call and no write into explorer.exe is recorded anywhere in this report, so this is a string match, not an observed injection.
-
-
Network Related
-
Found potential URL in binary/memory
- details
- Pattern match: "https://www.msn.com/spartan/ientpgbconfig?locale=en-us&market=us"
- source
- File/Memory
- relevance
- 10/10
- note
- This appears to be the URL from which Internet Explorer's new-tab page fetches its configuration, which fits the "UpdatingNewTabPageData" mutant and the dropped "suggestions_1_.en-US" file; it is the browser's own endpoint, not a URL carried by the sample.
-
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"iexplore.exe" wrote bytes "a035046f" to virtual address "0x760DB0CC" (part of module "IERTUTIL.DLL")
"iexplore.exe" wrote bytes "60cd076f" to virtual address "0x76561E14" (part of module "SHELL32.DLL")
"iexplore.exe" wrote bytes "a035046f" to virtual address "0x77401144" (part of module "LPK.DLL")
"iexplore.exe" wrote bytes "b033046f" to virtual address "0x763911BC" (part of module "GDI32.DLL")
"iexplore.exe" wrote bytes "a035046f" to virtual address "0x771B131C" (part of module "SHLWAPI.DLL")
"iexplore.exe" wrote bytes "b033046f" to virtual address "0x77971210" (part of module "IMM32.DLL")
"iexplore.exe" wrote bytes "a035046f" to virtual address "0x76111298" (part of module "MSCTF.DLL")
"iexplore.exe" wrote bytes "70cc076f" to virtual address "0x771B1310" (part of module "SHLWAPI.DLL")
"iexplore.exe" wrote bytes "3030046f" to virtual address "0x699DFE90" (part of module "IEFRAME.DLL")
"iexplore.exe" wrote bytes "b033046f" to virtual address "0x76111100" (part of module "MSCTF.DLL")
"iexplore.exe" wrote bytes "60cd076f" to virtual address "0x771B130C" (part of module "SHLWAPI.DLL")
"iexplore.exe" wrote bytes "60d2076f" to virtual address "0x699DFEC4" (part of module "IEFRAME.DLL")
"iexplore.exe" wrote bytes "3030046f" to virtual address "0x771B1380" (part of module "SHLWAPI.DLL")
"iexplore.exe" wrote bytes "b033046f" to virtual address "0x77BC14E0" (part of module "USER32.DLL")
"iexplore.exe" wrote bytes "c03a046f" to virtual address "0x699DFE80" (part of module "IEFRAME.DLL")
"iexplore.exe" wrote bytes "60cd076f" to virtual address "0x699DFEC0" (part of module "IEFRAME.DLL")
"iexplore.exe" wrote bytes "80322001703220010032200160322001503220014032200130322001000000002cc96676c021200100000000901720015023200100182001601f200120362001000000004036200100000000" to virtual address "0x01208000" (part of module "IEXPLORE.EXE")
"iexplore.exe" wrote bytes "b033046f" to virtual address "0x012070C0" (part of module "IEXPLORE.EXE")
"iexplore.exe" wrote bytes "b033046f" to virtual address "0x771B11B8" (part of module "SHLWAPI.DLL")
"iexplore.exe" wrote bytes "60d2076f" to virtual address "0x771B13B8" (part of module "SHLWAPI.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Hooking)
- note
- Every entry except the 76-byte write into IEXPLORE.EXE's own image is exactly 4 bytes, and read as little-endian 32-bit values they are all addresses in one narrow range, 0x6F043030 to 0x6F07D260 (for example "a035046f" is 0x6F0435A0). Pointer-sized writes at fixed offsets inside loaded modules, all pointing into one range, are the shape of import-table redirection inside the writer's own process, and the writer here is iexplore.exe itself. An externally injected hook would show another process as the writer, or code bytes such as an E9 jmp rather than pointers.
-
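To turn the list above into the two questions that matter (who writes, and are the bytes pointers or code), here is an added example that is not part of the sandbox's report or code. It parses the report's own entries, decodes each write, and classifies it as a single pointer, a table of pointers, or an inline x86 patch. The sample text is four lines copied from this report plus one constructed line for "evil.exe" that the report does not contain; it is there only to show what an actual inline patch by a foreign process would look like, and the regex, function names and opcode table are my assumptions.

```python
import re
import struct

# Matches the sandbox's "Installs hooks/patches the running process" entries.
ENTRY_RE = re.compile(
    r'"(?P<writer>[^"]+)" wrote bytes "(?P<hex>[0-9a-fA-F]+)" to virtual address '
    r'"(?P<addr>0x[0-9A-Fa-f]+)" \(part of module "(?P<module>[^"]+)"\)'
)

# First bytes that mark an inline x86 code patch rather than a data write.
INLINE_OPCODES = {0xE9: "jmp rel32", 0xE8: "call rel32", 0x68: "push imm32 (push/ret)",
                  0xCC: "int3", 0xEB: "jmp rel8"}


def classify_write(data):
    """Classify one write by its shape: a 4-byte pointer (import-table or
    vtable style), a block of 4-byte pointers, an inline x86 patch, or data."""
    if len(data) == 4:
        return "pointer", [struct.unpack("<I", data)[0]]
    if data and data[0] in INLINE_OPCODES:
        return "inline " + INLINE_OPCODES[data[0]], []
    if len(data) % 4 == 0 and len(data) > 4:
        return "pointer table", list(struct.unpack("<%dI" % (len(data) // 4), data))
    return "data", []


def parse_hook_entries(text):
    """Parse report lines into dicts with each write decoded and classified."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        data = bytes.fromhex(m["hex"])
        kind, pointers = classify_write(data)
        entries.append({
            "writer": m["writer"], "module": m["module"],
            "address": int(m["addr"], 16), "size": len(data),
            "kind": kind, "pointers": pointers,
        })
    return entries


def summarize(entries):
    """Who writes, into which modules, what shape, and where the single
    pointers point. All targets in one range suggests one hooking module;
    a foreign writer or an inline patch is the stronger signal."""
    pointers = [p for e in entries if e["kind"] == "pointer" for p in e["pointers"]]
    return {
        "writers": sorted({e["writer"] for e in entries}),
        "modules": sorted({e["module"] for e in entries}),
        "kinds": sorted({e["kind"] for e in entries}),
        "pointer_range": (min(pointers), max(pointers)) if pointers else None,
    }


# Four entries copied from this report, plus one CONSTRUCTED line (evil.exe)
# that the report does not contain, to show the contrast with an inline patch.
SAMPLE = '''
"iexplore.exe" wrote bytes "a035046f" to virtual address "0x760DB0CC" (part of module "IERTUTIL.DLL")
"iexplore.exe" wrote bytes "60cd076f" to virtual address "0x76561E14" (part of module "SHELL32.DLL")
"iexplore.exe" wrote bytes "60d2076f" to virtual address "0x699DFEC4" (part of module "IEFRAME.DLL")
"iexplore.exe" wrote bytes "80322001703220010032200160322001503220014032200130322001000000002cc96676c021200100000000901720015023200100182001601f200120362001000000004036200100000000" to virtual address "0x01208000" (part of module "IEXPLORE.EXE")
"evil.exe" wrote bytes "e9fb4f0100" to virtual address "0x77401144" (part of module "LPK.DLL")
'''

if __name__ == "__main__":
    entries = parse_hook_entries(SAMPLE)
    for e in entries:
        print(e["writer"], e["module"], hex(e["address"]), e["kind"],
              [hex(p) for p in e["pointers"]][:3])
    print(summarize(entries))
```

Paste the full list from the report into SAMPLE and the summary shows a single writer, pointer-shaped writes only, and one target range; the constructed evil.exe line is what would make the summary worth escalating.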
File Details
Remittance.html
- Filename
- Remittance.html
- Size
- 472KiB (482862 bytes)
- Type
- html
- Description
- HTML document, ASCII text, with very long lines, with CRLF line terminators
- Architecture
- WINDOWS
- SHA256
- 0aebb5a7e4438d3e56c671cb776f0e051077f9bfeaa541fa5392d7b1db1750e6
- MD5
- 5a7065fad10430e527d0278cde4d2fef
- SHA1
- 3ce21a7338da61fcc3029faea062489405e63179
- ssdeep
- 12288:jaPut2U/TgFlfkJkvG+CcmOtxyKP7ZiTP5Op6sRhlm8eyqoz:jaPut2U/TO5iKPE0k+m83N
Hybrid Analysis
Analysed 2 processes in total.
-
iexplore.exe
C:\0aebb5a7e4438d3e56c671cb776f0e051077f9bfeaa541fa5392d7b1db1750e6.html
(PID: 2656)
- iexplore.exe SCODEF:2656 CREDAT:275457 /prefetch:2 (PID: 2600)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
ocsp.pki.goog | 172.217.4.99 (TTL: 293) | - | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
184.31.53.59 | 443/TCP | iexplore.exe (PID: 2656) | United States |
HTTP Traffic
Endpoint | Request | URL |
---|---|---|
172.217.4.99:80 (ocsp.pki.goog) | GET | ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D |
172.217.4.99:80 (ocsp.pki.goog) | GET | ocsp.pki.goog/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEFw%2FXgr4f%2BOD9RE%2BUSNS7iY%3D |

Raw request 1:
GET /gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.pki.goog

Raw request 2:
GET /GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEFw%2FXgr4f%2BOD9RE%2BUSNS7iY%3D HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.pki.goog

Note: both requests are OCSP certificate-status checks issued by the Windows certificate-validation code (User-Agent Microsoft-CryptoAPI/6.1), not by the page being rendered, and OCSP is normally sent in cleartext on port 80. The path prefixes name the issuing CAs the responder serves, /gsr2/ (GlobalSign Root R2) and /GTSGIAG3/ (Google Internet Authority G3), so a certificate chain issued through Google Trust Services was validated during the run; the report does not say for which TLS connection.
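The two request paths above are OCSP-over-GET (RFC 6960 appendix A.1): the last path segment is the URL-encoded base64 of a DER-encoded OCSPRequest, and decoding it tells you exactly which certificate CryptoAPI asked about (hash algorithm, issuer name hash, issuer key hash and serial number), which is the lead for identifying the server certificate behind the otherwise unattributed port-443 connection. The decoder below is an added example, not the sandbox's code; its only input is the two paths copied from the table, and the helper names (_read_tlv, _children, parse_ocsp_get) are mine.

```python
import base64
import urllib.parse

# OID 1.3.14.3.2.26 is SHA-1, the CertID hash CryptoAPI on Windows 7 uses.
KNOWN_HASH_OIDS = {"1.3.14.3.2.26": "sha1", "2.16.840.1.101.3.4.2.1": "sha256"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the contents of a constructed DER value into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out


def _decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]
    n = 0
    for b in raw[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(str(a) for a in arcs)


def parse_ocsp_get(request_path):
    """Decode the OCSP GET form: the final path segment is URL-encoded base64
    of a DER OCSPRequest. Returns one dict per CertID in the request."""
    segment = request_path.rstrip("/").rsplit("/", 1)[-1]
    der = base64.b64decode(urllib.parse.unquote(segment), validate=True)
    tag, ocsp_request, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tbs_request = _children(ocsp_request)[0][1]      # tbsRequest (signature is optional)
    # TBSRequest may begin with [0] version and [1] requestorName; requestList
    # is the first universal SEQUENCE (tag 0x30).
    request_list = next(v for t, v in _children(tbs_request) if t == 0x30)
    results = []
    for _, request in _children(request_list):
        cert_id = _children(request)[0][1]           # reqCert CertID
        alg, name_hash, key_hash, serial = [v for _, v in _children(cert_id)][:4]
        oid = _decode_oid(_children(alg)[0][1])      # AlgorithmIdentifier.algorithm
        results.append({
            "hash_algorithm": KNOWN_HASH_OIDS.get(oid, oid),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": serial.hex(),
        })
    return results


# The two request paths recorded in this report, copied from the HTTP Traffic table.
REPORT_REQUESTS = [
    "/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjqTAc%2FHIGOD%2BaUx0%3D",
    "/GTSGIAG3/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT27bBjYjKBmjX2jXWgnQJKEapsrQQUd8K4UJpndnaxLcKG0IOgfqZ%2BuksCEFw%2FXgr4f%2BOD9RE%2BUSNS7iY%3D",
]

if __name__ == "__main__":
    for path in REPORT_REQUESTS:
        for cert_id in parse_ocsp_get(path):
            print(path.split("/")[1], cert_id)
```

The issuer key hash is the SHA-1 of the issuer's public key (the issuer's subject key identifier for CAs that follow the usual convention), so the pair (issuer_key_hash, serial) is enough to look the checked certificate up in a CT log or a certificate database and so name the host the browser talked to.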
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> local:5357 (TCP) | Generic Protocol Command Decode | SURICATA HTTP Host header invalid | 2221028 |
Extracted Files
Displaying 21 extracted file(s). The remaining 17 file(s) are available in the full version and XML/JSON reports.
Clean 1
-
urlblockindex_1_.bin
- Size
- 16B (16 bytes)
- Type
- data
- AV Scan Result
- 0/78
- MD5
- fa518e3dfae8ca3a0e495460fd60c791
- SHA1
- e4f30e49120657d37267c0162fd4a08934800c69
- SHA256
- 775853600060162c4b4e5f883f9fd5a278e61c471b3ee1826396b6d129499aa7
-
Informative Selection 1
-
en-US.2
- Size
- 18KiB (18176 bytes)
- Type
- data
- Runtime Process
- iexplore.exe (PID: 2656)
- MD5
- 5a34cb996293fde2cb7a4ac89587393a
- SHA1
- 3c96c993500690d1a77873cd62bc639b3a10653f
- SHA256
- c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
-
Informative 19
-
4WK6FPC7.txt
- Size
- 156B (156 bytes)
- Runtime Process
- iexplore.exe (PID: 2656)
- MD5
- 4dcd8b00a78b967e7ee04fc4de00c3cb
- SHA1
- e9be95790953d71d71a1b869be403f8ad93656ee
- SHA256
- a819fac414d60eb0930c188733dd1d34c686f54ce0c440170cd8242befb890ee
-
70I6SYQM.txt
- Size
- 437B (437 bytes)
- Runtime Process
- iexplore.exe (PID: 2656)
- MD5
- 480d9e58e0277b802a2d6c2bc446ba09
- SHA1
- c48003da20aba3b125896a85b27ef23e31f48a55
- SHA256
- 29fc1551bdd233c1c8b4c6641ef3b38fa67a59c2d7dd12da12af7870d1eca5a9
-
DT64K191.txt
- Size
- 282B (282 bytes)
- Runtime Process
- iexplore.exe (PID: 2656)
- MD5
- ae4b02ad3a126d0f37a4a043be64dc54
- SHA1
- 68e8ae5cb8e08258f6261b3e4d5f7dc5ff1f4d14
- SHA256
- c7c845d9e26b6cb606323a36c7eced3c509a8bcd36a4ccbdbdd644f8a32678dd
-
F5HHB8KD.txt
- Size
- 282B (282 bytes)
- Runtime Process
- iexplore.exe (PID: 2656)
- MD5
- ae4b02ad3a126d0f37a4a043be64dc54
- SHA1
- 68e8ae5cb8e08258f6261b3e4d5f7dc5ff1f4d14
- SHA256
- c7c845d9e26b6cb606323a36c7eced3c509a8bcd36a4ccbdbdd644f8a32678dd
-
KPC7EN0N.txt
- Size
- 78B (78 bytes)
- Type
- text
- Description
- ASCII text
- Runtime Process
- iexplore.exe (PID: 2656)
- MD5
- e556c156314d2db58e5d9f30ebabcdb2
- SHA1
- dd34a161e0ae1a80abf6abaff562af2e61057deb
- SHA256
- 2f59e706b79447d5f68e098410a1ea65a5a4abe3fbc7b5c3f1c33714df1ad159
-
MJK9PN9V.txt
- Size
- 199B (199 bytes)
- Type
- text
- Description
- ASCII text
- Runtime Process
- iexplore.exe (PID: 2656)
- MD5
- 16070dbcbf31b4d9836e21fc185505c2
- SHA1
- 2f0ad60cd667090384de95d00ad9b45e28edf273
- SHA256
- 99aea06f6bada4b215f339205ef4c79bba09e5a1b7921e80a6c2b9e54024dcfd
-
S7009OI1.txt
- Size
- 64B (64 bytes)
- Runtime Process
- iexplore.exe (PID: 2656)
- MD5
- 0b9b32b8448cef2086a03a95b3a851e8
- SHA1
- 98bdff5be1c38418742925dcc048e5414e9ee480
- SHA256
- 82ad8d5931734f6d0b4de92eaffb4f9aff65b6810122928654db1a7b10ea5f10
-
V9CWZYV8.txt
- Size
- 97B (97 bytes)
- Type
- text
- Description
- ASCII text
- Runtime Process
- iexplore.exe (PID: 2656)
- MD5
- 264a26829f20cca78b289c5ee5678f53
- SHA1
- 56c888b65b6235b33f585856011dd0d9f6236e40
- SHA256
- eb35ca442e9ffa3cb27afbf8e1241293ef1505bb5774a30c794f41a158bf0a45
-
ver276D.tmp
- Size
- 15KiB (15845 bytes)
- Runtime Process
- iexplore.exe (PID: 2656)
- MD5
- 095c72688de7d90e6526dc0d8878f3f6
- SHA1
- a1cae182fb7e86c74fb5467c0014b2a27472be37
- SHA256
- 8684403da59628039e9b4b0d245c5b7e1fac1242a087ded44eaf3b792e4a231e
-
ver279C.tmp
- Size
- 15KiB (15845 bytes)
- Runtime Process
- iexplore.exe (PID: 2600)
- MD5
- 095c72688de7d90e6526dc0d8878f3f6
- SHA1
- a1cae182fb7e86c74fb5467c0014b2a27472be37
- SHA256
- 8684403da59628039e9b4b0d245c5b7e1fac1242a087ded44eaf3b792e4a231e
-
50D6B15D9F2DCE1EDBB0C098625FBE47_281AC807DE0FEF15F2CA9911FE760A9B
- Size
- 486B (486 bytes)
- Runtime Process
- iexplore.exe (PID: 2656)
- MD5
- 9237bdb7b4bb8e76338af8fceb3f3146
- SHA1
- 173de934332786bbe8c9540453438783ba57ed15
- SHA256
- 7ea56f76bee7c0db75052e57200287f1eb43e11e9cb0623609be818f5e0b728c
-
6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04
- Size
- 434B (434 bytes)
- Runtime Process
- iexplore.exe (PID: 2656)
- MD5
- 63bf45baa317f393a04f0b2daca6be9e
- SHA1
- dc712cd65a8fbf1a3ad0ba1413e837ae2cc54551
- SHA256
- 3d821533fbc1bad8a71f2843c8a830cfab51a8a22d1721ae850c08cf10de8c62
-
6BADA8974A10C4BD62CC921D13E43B18_C9FB72B5AE80778A08024D8B0FDECC6F
- Size
- 442B (442 bytes)
- Runtime Process
- iexplore.exe (PID: 2656)
- MD5
- 1f78b2aa9e664e8d3c7b7dd7d7bb50e8
- SHA1
- 0fda357f4014d2755111f0b874ad33e3f3e08ef6
- SHA256
- acd2e42deaca62647c5fd5894fee6f978230756ea682245c01fdbd7ad6149108
-
6BADA8974A10C4BD62CC921D13E43B18_D9817BD5013875AD517DA73475345203
- Size
- 1.4KiB (1469 bytes)
- Runtime Process
- iexplore.exe (PID: 2656)
- MD5
- 14a2b94b72bdf661b78b7de2ddbbd2dd
- SHA1
- c70bd0bf07e570d35d95bfd6882977bdc95b3135
- SHA256
- e5e7db8d3603181fcfafbe11b457e1cf8789ac1d52039b3257529dbdf1b5fde8
-
CFE86DBBE02D859DC92F1E17E0574EE8_FDB452422670E72EDD3FB3D65568F821
- Size
- 468B (468 bytes)
- Runtime Process
- iexplore.exe (PID: 2600)
- MD5
- 5be872b3fe0bb6f31385f91f811e9586
- SHA1
- 1192231bcb9ee73e9f619d433cdb66dddd9ae7f7
- SHA256
- db0ad6191770bff9043482b68acf62a4e25d4390a03274cfbe413675dd8c9cf5
-
F5F320A94D4D2B4465D8F17E2BB2D351_23770A8477AD60C6BDADDAADD4D1101F
- Size
- 471B (471 bytes)
- Runtime Process
- iexplore.exe (PID: 2600)
- MD5
- 59a7cd310e574eb27eafb4ae12ce81a1
- SHA1
- 76c4eb1f9295d4b794de761b610b20db3c11419a
- SHA256
- d989a2de2899a58b8b3a0790c0770ccdb5ef97b6669882c5b1fdab78c9caa4b3
-
JavaDeployReg.log
- Size
- 38KiB (38952 bytes)
- Type
- text
- Description
- ASCII text, with CRLF line terminators
- Runtime Process
- iexplore.exe (PID: 2600)
- MD5
- 3ef13ea1bb587381de0c659e4d9a0226
- SHA1
- dc814703a5d6696bdaf44381fd9221cad5dcbc8e
- SHA256
- 8026c69b1cba72f80ec1cc3ebfa381afadad7e006e1d3e9120fe175a2189e306
-
~DF39B163A45BE9F7AB.TMP
- Size
- 16KiB (16384 bytes)
- Runtime Process
- iexplore.exe (PID: 2656)
- MD5
- ee87e7fbedc6507a840267514c08777b
- SHA1
- 7d037b4f3963bc6849dd060558c6083c23fd22b9
- SHA256
- d508dc0e9c6ca6b3cb4f12c65c3cd3309456d907e16f3d24312d589c4fb3f095
-
~DF61FC2F6940A0C0F1.TMP
- Size
- 16KiB (16384 bytes)
- Type
- data
- Runtime Process
- iexplore.exe (PID: 2656)
- MD5
- 0904f0de4ce1d12fd8443047b43d4ac6
- SHA1
- b6cf5302e4d55efa04b6484651b6bd1e19dd1f4f
- SHA256
- aaa1781f6ad2c0c581cc54848a0805b107205f8117135fae3a4c8f026e0e0cb2
-
Notifications
-
Runtime
- Network whitenoise filtering was applied
- Not all sources for indicator ID "binary-0" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Some low-level data is hidden, as this is only a slim report