analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://teksint.ru/includes/Pages/bsjzQNJVlReGtbwvpFM/

Full analysis: https://app.any.run/tasks/947f966d-4437-4192-9094-06780b4b80bc
Verdict: Malicious activity
Analysis date: May 15, 2019, 11:31:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

D2DF65FEB8914D3438A3C400DD75A7BA

SHA1:

E5FE4E0ED1AE7B58982C0A77F75965BF30B79A10

SHA256:

4BDD133AB416A5200EC8ECDBB9281AA2AE7275C9F74D729584FF6923625C580C

SSDEEP:

3:N1KKAcrIAnU8ParJ3xAmK:CK+AnU8Par5xvK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Creates files in the program directory

      • firefox.exe (PID: 880)
  • INFO

    • Reads CPU info

      • firefox.exe (PID: 880)
    • Application launched itself

      • firefox.exe (PID: 880)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • firefox.exe (PID: 2524)
    • Creates files in the user directory

      • firefox.exe (PID: 880)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
5
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start firefox.exe firefox.exe no specs firefox.exe firefox.exe firefox.exe

Process information

PID
CMD
Path
Indicators
Parent process
880"C:\Program Files\Mozilla Firefox\firefox.exe" http://teksint.ru/includes/Pages/bsjzQNJVlReGtbwvpFM/C:\Program Files\Mozilla Firefox\firefox.exe
explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
852"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.0.480228716\920549496" -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - "C:\Users\admin\AppData\LocalLow\Mozilla\Temp-{ce348e4c-7d33-445e-89f9-60108c51bcaf}" 880 "\\.\pipe\gecko-crash-server-pipe.880" 1108 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
2524"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.6.2007454497\78801253" -childID 1 -isForBrowser -prefsHandle 1764 -prefMapHandle 1784 -prefsLen 1 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 880 "\\.\pipe\gecko-crash-server-pipe.880" 1612 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
2156"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.13.890965623\721353489" -childID 2 -isForBrowser -prefsHandle 2624 -prefMapHandle 2628 -prefsLen 216 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 880 "\\.\pipe\gecko-crash-server-pipe.880" 2640 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
3488"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="880.20.925141501\194060414" -childID 3 -isForBrowser -prefsHandle 3188 -prefMapHandle 3316 -prefsLen 5824 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 880 "\\.\pipe\gecko-crash-server-pipe.880" 3256 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
Total events
373
Read events
371
Write events
2
Delete events
0

Modification events

(PID) Process:(880) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(880) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
Executable files
0
Suspicious files
99
Text files
36
Unknown types
54

Dropped files

PID
Process
Filename
Type
880firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
MD5:
SHA256:
880firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
880firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
880firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flash-digest256.pset
MD5:
SHA256:
880firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flash-digest256.sbstore
MD5:
SHA256:
880firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flashsubdoc-digest256.pset
MD5:
SHA256:
880firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\block-flashsubdoc-digest256.sbstore
MD5:
SHA256:
880firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\except-flash-digest256.pset
MD5:
SHA256:
880firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\except-flash-digest256.sbstore
MD5:
SHA256:
880firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\except-flashallow-digest256.pset
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
69
TCP/UDP connections
44
DNS requests
102
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
880
firefox.exe
GET
302
92.53.96.131:80
http://teksint.ru/favicon.ico
RU
html
211 b
suspicious
880
firefox.exe
GET
95.110.232.65:80
http://globalbestoutlet.su/
IT
suspicious
880
firefox.exe
GET
95.110.232.65:80
http://globalbestoutlet.su/
IT
suspicious
880
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
880
firefox.exe
GET
200
92.53.96.131:80
http://teksint.ru/
RU
html
6.97 Kb
suspicious
880
firefox.exe
GET
200
92.53.96.131:80
http://teksint.ru/templates/masterbootstrap/css/tachyons.min.css
RU
text
15.8 Kb
suspicious
880
firefox.exe
GET
200
92.53.96.131:80
http://teksint.ru/plugins/system/jcemediabox/css/jcemediabox.css?1d12bb5a40100bbd1841bfc0e498ce7b
RU
text
1.22 Kb
suspicious
880
firefox.exe
GET
200
92.53.96.131:80
http://teksint.ru/components/com_k2/css/k2.css?v=2.9.0
RU
text
8.59 Kb
suspicious
880
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
880
firefox.exe
GET
200
92.53.96.131:80
http://teksint.ru/templates/masterbootstrap/css/icons.css
RU
text
2.21 Kb
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
880
firefox.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
880
firefox.exe
92.53.96.131:80
teksint.ru
TimeWeb Ltd.
RU
suspicious
880
firefox.exe
52.27.144.31:443
balrog-aus5.r53-2.services.mozilla.com
Amazon.com, Inc.
US
unknown
880
firefox.exe
52.27.173.161:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
880
firefox.exe
35.165.22.140:443
tiles.services.mozilla.com
Amazon.com, Inc.
US
unknown
880
firefox.exe
2.20.189.162:80
detectportal.firefox.com
Akamai International B.V.
whitelisted
880
firefox.exe
172.217.16.138:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
880
firefox.exe
172.217.22.10:80
fonts.googleapis.com
Google Inc.
US
whitelisted
880
firefox.exe
172.217.23.163:80
ocsp.pki.goog
Google Inc.
US
whitelisted
880
firefox.exe
151.139.128.14:80
ocsp.comodoca4.com
Highwinds Network Group, Inc.
US
suspicious

DNS requests

Domain
IP
Reputation
teksint.ru
  • 92.53.96.131
suspicious
detectportal.firefox.com
  • 2.20.189.162
  • 2.20.189.145
whitelisted
aus5.mozilla.org
  • 81.4.102.164
whitelisted
balrog-aus5.r53-2.services.mozilla.com
  • 35.164.82.230
  • 52.40.226.98
  • 52.32.77.100
  • 34.214.241.105
  • 52.43.79.30
  • 34.218.159.169
  • 34.216.134.104
  • 52.27.144.31
whitelisted
a1089.dscd.akamai.net
  • 2.20.189.145
  • 2.20.189.162
whitelisted
search.services.mozilla.com
  • 52.27.173.161
  • 52.88.179.171
  • 52.10.97.252
whitelisted
search.r53-2.services.mozilla.com
  • 52.10.97.252
  • 52.88.179.171
  • 52.27.173.161
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
cs9.wac.phicdn.net
  • 93.184.220.29
whitelisted
tiles.services.mozilla.com
  • 35.165.22.140
  • 35.164.130.113
  • 52.34.132.219
  • 52.27.87.181
  • 52.26.166.58
  • 52.26.103.165
  • 52.25.71.236
  • 35.164.218.3
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
Potentially Bad Traffic
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
Potentially Bad Traffic
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
Potentially Bad Traffic
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
Potentially Bad Traffic
ET DNS Query for .su TLD (Soviet Union) Often Malware Related
880
firefox.exe
Potentially Bad Traffic
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
880
firefox.exe
Generic Protocol Command Decode
SURICATA STREAM CLOSEWAIT FIN out of window
880
firefox.exe
Potentially Bad Traffic
ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related
Potentially Bad Traffic
ET INFO DNS Query for Suspicious .ml Domain
880
firefox.exe
Potentially Bad Traffic
ET INFO Suspicious Domain (*.ml) in TLS SNI
No debug info