URL: https://onedrive.live.com/download?cid=B6B0DC1F0D7C34C4&resid=B6B0DC1F0D7C34C4!116&authkey=AP47FoJJC14g_3Q

Full analysis: https://app.any.run/tasks/799f13a8-e67e-4b87-8321-71207b6f4427
Verdict: Malicious activity
Analysis date: March 14, 2019, 12:33:37
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 066372FAD5ACB347307FFC9CD8940CD2
SHA1: EC5D9FD290CEDB29CD86B42D0194B20CDF2BE18F
SHA256: 08593081966FFBED841516A450A2022767CE472D377A691675954F74A3934A3A
SSDEEP: 3:N8Ck3CTwKblKBhm6mHynVhm6mHtDEkOAp8a0FJ:2CkST/ZKXm6DLm6yDEkvp8Z
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • INV 20190314 DOC.exe (PID: 3256)
      • INV 20190314 DOC.exe (PID: 3936)
      • INV 20190314 DOC.exe (PID: 3600)
    • Loads the Task Scheduler COM API
      • rundll32.exe (PID: 3724)
  • SUSPICIOUS
    • Uses RUNDLL32.EXE to load library
      • msdt.exe (PID: 2276)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 3856)
      • msdt.exe (PID: 2276)
      • csc.exe (PID: 3084)
    • Starts CMD.EXE for commands execution
      • services.exe (PID: 3344)
  • INFO
    • Reads CPU info
      • firefox.exe (PID: 2628)
      • firefox.exe (PID: 2988)
      • firefox.exe (PID: 1324)
      • firefox.exe (PID: 3508)
      • firefox.exe (PID: 3920)
      • firefox.exe (PID: 3708)
      • firefox.exe (PID: 2144)
      • firefox.exe (PID: 3244)
    • Application launched itself
      • firefox.exe (PID: 2988)
      • chrome.exe (PID: 2984)
      • firefox.exe (PID: 3920)
    • Creates files in the user directory
      • firefox.exe (PID: 2988)
      • firefox.exe (PID: 3920)
    • Reads settings of System Certificates
      • chrome.exe (PID: 2984)
    • Dropped object may contain Bitcoin addresses
      • firefox.exe (PID: 3920)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 88
Monitored processes: 40
Malicious processes: 1
Suspicious processes: 0

Behavior graph: interactive process tree (nodes: firefox.exe, winrar.exe, pingsender.exe, inv 20190314 doc.exe, pcwrun.exe, msdt.exe, sdiagnhost.exe, csc.exe, cvtres.exe, rundll32.exe, chrome.exe, services.exe, cmd.exe); see the full report for details of each process.

Process information

PID: 2988
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" https://onedrive.live.com/download?cid=B6B0DC1F0D7C34C4&resid=B6B0DC1F0D7C34C4!116&authkey=AP47FoJJC14g_3Q
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 61.0.2

PID: 2628
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.0.225485574\371004064" -childID 1 -isForBrowser -prefsHandle 780 -prefsLen 8310 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 1476 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 61.0.2

PID: 1324
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.6.717442892\315336976" -childID 2 -isForBrowser -prefsHandle 2284 -prefsLen 11442 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 2412 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 61.0.2

PID: 3508
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2988.12.764734604\698285912" -childID 3 -isForBrowser -prefsHandle 2920 -prefsLen 12017 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2988 "\\.\pipe\gecko-crash-server-pipe.2988" 2940 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 61.0.2

PID: 3856
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Downloads\INV 20190314 DOC.ace"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: firefox.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2780
CMD: "C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/telemetry/c307bb24-d8bd-406a-995d-80b3b91856d9/main/Firefox/61.0.2/release/20180807170231?v=4 C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\saved-telemetry-pings\c307bb24-d8bd-406a-995d-80b3b91856d9
Path: C:\Program Files\Mozilla Firefox\pingsender.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Foundation
Integrity Level: MEDIUM
Exit code: 1
Version: 61.0.2

PID: 3600
CMD: "C:\Users\admin\Desktop\Extract\INV 20190314 DOC.exe"
Path: C:\Users\admin\Desktop\Extract\INV 20190314 DOC.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0

PID: 4040
CMD: C:\Windows\system32\pcwrun.exe "C:\Users\admin\Desktop\Extract\INV 20190314 DOC.exe"
Path: C:\Windows\system32\pcwrun.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Program Compatibility Troubleshooter Invoker
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2276
CMD: C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\admin\AppData\Local\Temp\PCW2CB9.xml /skip TRUE
Path: C:\Windows\System32\msdt.exe
Parent process: pcwrun.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Diagnostics Troubleshooting Wizard
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 3568
CMD: C:\Windows\System32\sdiagnhost.exe -Embedding
Path: C:\Windows\System32\sdiagnhost.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Scripted Diagnostics Native Host
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 837
Read events: 1 668
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 6
Suspicious files: 132
Text files: 131
Unknown types: 68

Dropped files

PID | Process | Filename | Type
2988 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | (not identified)
2988 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | (not identified)
2988 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | (not identified)
2988 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db-journal | (not identified)
2988 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | (not identified)
2988 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm | (not identified)
2988 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db | sqlite
  MD5: B72F4FA75FF6AA84E11086C48F8D58BC
  SHA256: 7DC734A947E45F8CA4EC76CE982E43D5D02DBC37B157A1D83554ED45DF68C446
2988 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.js | text
  MD5: 68660C0E2F7F62B6A97F083BB808E7E8
  SHA256: F97EEAFDB801696C27DA9FE9ECF90D93AB31642A924E4D6381F734414A8883C3
2988 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary
  MD5: 707C12070C52E55C2A996AC15E219B95
  SHA256: 6C5410C655C8EFC48D123ABE708C8940A4218072C0DAF85E03AB45DA6D2CE6B9
2988 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\google4\goog-downloadwhite-proto.metadata | (not identified)
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 7
TCP/UDP connections: 36
DNS requests: 79
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2988 | firefox.exe | POST | 200 | 172.217.22.99:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted
2988 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
3920 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
3920 | firefox.exe | GET | 200 | 2.16.186.50:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted
3920 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
2988 | firefox.exe | GET | 200 | 2.16.186.112:80 | http://detectportal.firefox.com/success.txt | unknown | text | 8 b | whitelisted
2988 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2988 | firefox.exe | 2.16.186.112:80 | detectportal.firefox.com | Akamai International B.V. | (not given) | whitelisted
2988 | firefox.exe | 13.107.42.12:443 | eijzza.sn.files.1drv.com | Microsoft Corporation | US | suspicious
2988 | firefox.exe | 216.58.206.10:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted
2988 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2988 | firefox.exe | 172.217.22.99:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
2988 | firefox.exe | 34.216.156.21:443 | tiles.services.mozilla.com | Amazon.com, Inc. | US | unknown
2988 | firefox.exe | 52.34.90.23:443 | shavar.services.mozilla.com | Amazon.com, Inc. | US | unknown
2988 | firefox.exe | 52.88.150.81:443 | search.services.mozilla.com | Amazon.com, Inc. | US | unknown
2988 | firefox.exe | 13.107.42.13:443 | onedrive.live.com | Microsoft Corporation | US | malicious
2984 | chrome.exe | 216.58.206.10:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
detectportal.firefox.com | 2.16.186.112, 2.16.186.50 | whitelisted
onedrive.live.com | 13.107.42.13 | shared
l-0004.l-msedge.net | 13.107.42.13 | whitelisted
a1089.dscd.akamai.net | 2.16.186.50, 2.16.186.112 | whitelisted
search.services.mozilla.com | 52.88.150.81, 34.213.175.109, 35.166.112.39 | whitelisted
search.r53-2.services.mozilla.com | 35.166.112.39, 34.213.175.109, 52.88.150.81 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
cs9.wac.phicdn.net | 93.184.220.29 | whitelisted
tiles.services.mozilla.com | 34.216.156.21, 35.165.22.140, 35.164.197.9, 34.218.217.119, 35.160.41.125, 35.164.130.113, 34.208.7.98, 34.214.20.242, 54.149.115.79 | whitelisted
tiles.r53-2.services.mozilla.com | 34.214.20.242, 34.208.7.98, 35.164.130.113, 35.160.41.125, 34.218.217.119, 35.164.197.9, 35.165.22.140, 34.216.156.21, 54.149.115.79 | whitelisted

Threats

No threats detected

Process | Message
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR originated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\copyout.cpp, line 1302
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144
csc.exe | *** HR propagated: -2147024774 *** Source File: d:\iso_whid\x86fre\base\isolation\com\enumidentityattribute.cpp, line 144