analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

hunt-showdown-download

Full analysis: https://app.any.run/tasks/2e99da61-21ed-4759-9185-d45bfd66d659
Verdict: Malicious activity
Analysis date: November 29, 2020, 11:47:27
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/html
File info: HTML document, UTF-8 Unicode text, with very long lines
MD5:

BBD86C491A1D7BEE111AD1BC89B2492E

SHA1:

DE716FBA7E9B90C4753B03ACB4B8A74862DB72AD

SHA256:

233DA82CE3F1A3E1FB282FB25C723633C3F4E5BA6A282852D6E874AF47B3C779

SSDEEP:

3072:l+IfMhvHFbOQIFl+28ljjn6V0voa7yAJ3nQJtQ5WVEHzvSJ:l+IfT+28eAJ3nQJtQ5WVwqJ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Loads dropped or rewritten executable

      • GRU7_SETUP.exe (PID: 1704)
      • SearchProtocolHost.exe (PID: 2364)
      • explorer.exe (PID: 292)
      • GRU7_SETUP.exe (PID: 2256)
      • SearchProtocolHost.exe (PID: 3924)

    • Application was dropped or rewritten from another process

      • GRU7_SETUP.exe (PID: 1704)
      • GRU7_SETUP.exe (PID: 2256)

  • SUSPICIOUS

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2076)

    • Uses RUNDLL32.EXE to load library

      • explorer.exe (PID: 292)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2248)
      • WinRAR.exe (PID: 3784)

    • Creates files in the user directory

      • explorer.exe (PID: 292)

    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 2248)
      • WinRAR.exe (PID: 3784)

  • INFO

    • Reads settings of System Certificates

      • chrome.exe (PID: 3552)

    • Manual execution by user

      • chrome.exe (PID: 2076)
      • GRU7_SETUP.exe (PID: 2256)
      • GRU7_SETUP.exe (PID: 1704)

    • Reads the hosts file

      • chrome.exe (PID: 3552)
      • chrome.exe (PID: 2076)

    • Application launched itself

      • chrome.exe (PID: 2076)

    • Changes settings of System certificates

      • chrome.exe (PID: 3552)

    • Creates files in the user directory

      • chrome.exe (PID: 2076)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.aiml | Artificial Intelligence Markup Language (82.8)
.html | HyperText Markup Language (17.1)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
104
Monitored processes
62
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start rundll32.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe searchprotocolhost.exe no specs gru7_setup.exe no specs gru7_setup.exe explorer.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs winrar.exe searchprotocolhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2312"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\AppData\Local\Temp\hunt-showdown-download.aimlC:\Windows\system32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2076"C:\Program Files\Google\Chrome\Application\chrome.exe" C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
2140"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6cc4a9d0,0x6cc4a9e0,0x6cc4a9ecC:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
1780"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=1628 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3032"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=996,50450932101038393,13457148727975518885,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=2689461807827169537 --mojo-platform-channel-handle=1008 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
75.0.3770.100
3552"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=996,50450932101038393,13457148727975518885,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=11596923807330149226 --mojo-platform-channel-handle=1604 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
75.0.3770.100
3116"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,50450932101038393,13457148727975518885,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8021236769121008510 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2252 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
1840"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,50450932101038393,13457148727975518885,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5871662669751068042 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2432 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
2880"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=996,50450932101038393,13457148727975518885,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=9412753938430022128 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2468 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
3456"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=996,50450932101038393,13457148727975518885,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=1526102729656666951 --mojo-platform-channel-handle=2832 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
75.0.3770.100
Total events
5 543
Read events
5 180
Write events
0
Delete events
0

Modification events

No data
Executable files
6
Suspicious files
189
Text files
333
Unknown types
19

Dropped files

PID
Process
Filename
Type
2076chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5FC38A68-81C.pma
MD5:
SHA256:
2076chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\3c9614ec-5917-4d3a-9e98-61678d0a73f7.tmp
MD5:
SHA256:
2076chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000048.dbtmp
MD5:
SHA256:
2076chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG.old
MD5:
SHA256:
2076chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Feature Engagement Tracker\AvailabilityDB\LOG.old~RF128f57.TMP
MD5:
SHA256:
2076chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.oldtext
MD5:C2DDBA63E4A2BD2E39A8B6C2C6384AAE
SHA256:6D5C1C78341C6F84911055D970ADDB0EC3499F8BF7FADE062122A22209CE67D9
2076chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.oldtext
MD5:67F45CAA18C889645F50CD6216C81E65
SHA256:33ED82CDDDFFD55A5059C147C6CD20F66C6712314F890A39576D3C10914D0029
2076chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\BudgetDatabase\LOG.old~RF128e1f.TMPtext
MD5:67F45CAA18C889645F50CD6216C81E65
SHA256:33ED82CDDDFFD55A5059C147C6CD20F66C6712314F890A39576D3C10914D0029
2076chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Last Tabsbinary
MD5:E815400F953EA8DB8A98D52737C9A50D
SHA256:E9F064927A191500B7365F51C9CD0763A6A8E68A8B866ACED39AA0E72C3EAD85
2076chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old~RF128dd1.TMPtext
MD5:C2DDBA63E4A2BD2E39A8B6C2C6384AAE
SHA256:6D5C1C78341C6F84911055D970ADDB0EC3499F8BF7FADE062122A22209CE67D9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
88
DNS requests
66
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3552
chrome.exe
GET
302
104.28.20.155:80
http://game01-com.ru/?load=Patch
US
shared
3552
chrome.exe
GET
302
104.27.130.174:80
http://game03-com.ru/?load=Setup-Game-Install
US
suspicious
3552
chrome.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRJ9L2KGL92BpjF3kAtaDtxauTmhgQUPdNQpdagre7zSmAKZdMh1Pj41g8CEAin4%2FbvIHa7uGRi8LVPooE%3D
US
der
471 b
whitelisted
3552
chrome.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfqhLjKLEJQZPin0KCzkdAQpVYowQUsT7DaQP4v0cB1JgmGggC72NkK8MCEAx5qUSwjBGVIJJhX%2BJrHYM%3D
US
der
471 b
whitelisted
3552
chrome.exe
GET
200
91.199.212.52:80
http://crt.comodoca.com/COMODORSADomainValidationSecureServerCA.crt
GB
der
1.51 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3552
chrome.exe
172.217.16.196:443
www.google.com
Google Inc.
US
whitelisted
3552
chrome.exe
172.217.16.174:443
ogs.google.com.ua
Google Inc.
US
whitelisted
3552
chrome.exe
172.217.21.195:443
fonts.gstatic.com
Google Inc.
US
whitelisted
3552
chrome.exe
172.217.18.173:443
accounts.google.com
Google Inc.
US
whitelisted
3552
chrome.exe
172.217.18.110:443
apis.google.com
Google Inc.
US
whitelisted
3552
chrome.exe
172.217.18.3:443
ssl.gstatic.com
Google Inc.
US
whitelisted
3552
chrome.exe
172.217.21.227:443
www.gstatic.com
Google Inc.
US
whitelisted
3552
chrome.exe
172.217.23.174:443
clients2.google.com
Google Inc.
US
whitelisted
3552
chrome.exe
216.58.212.131:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3552
chrome.exe
216.58.207.65:443
clients2.googleusercontent.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 216.58.212.131
whitelisted
accounts.google.com
  • 172.217.18.173
shared
www.google.com.ua
  • 216.58.207.67
whitelisted
fonts.googleapis.com
  • 172.217.23.170
whitelisted
www.gstatic.com
  • 172.217.21.227
whitelisted
fonts.gstatic.com
  • 172.217.21.195
whitelisted
apis.google.com
  • 172.217.18.110
whitelisted
ogs.google.com.ua
  • 172.217.16.174
whitelisted
clients2.google.com
  • 172.217.23.174
whitelisted
www.google.com
  • 172.217.16.196
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
hunt-showdown-download