analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://polarityweb.weebly.com/download.html

Full analysis: https://app.any.run/tasks/9d2271b7-8788-43ee-9157-e0e34bd46f65
Verdict: Malicious activity
Analysis date: April 14, 2019, 22:03:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

EA1C5BB6C94F01E640107ACD01E73BF3

SHA1:

F915521E9E4507B34BCA24DF01DF346EA2B76DB9

SHA256:

55723AF68A5F9985EE51E790FBFC5CA756F0F2D673F8B97EB4F32BCAF91CA1AB

SSDEEP:

3:N8OArLsyLdMKQ:2OArLsyZMKQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Polarity Installer.exe (PID: 3880)
      • Polarity Installer.exe (PID: 3144)
      • polarity.exe (PID: 3020)
      • PolarityAddonHelper.exe (PID: 3276)
      • PolarityInstance.exe (PID: 2244)

    • Changes settings of System certificates

      • Polarity Installer.exe (PID: 3144)
      • polarity.exe (PID: 3020)

    • Loads dropped or rewritten executable

      • polarity.exe (PID: 3020)
      • PolarityInstance.exe (PID: 2244)

  • SUSPICIOUS

    • Adds / modifies Windows certificates

      • Polarity Installer.exe (PID: 3144)
      • polarity.exe (PID: 3020)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2968)

    • Executable content was dropped or overwritten

      • chrome.exe (PID: 1948)
      • chrome.exe (PID: 2968)
      • Polarity Installer.exe (PID: 3144)

    • Creates files in the program directory

      • Polarity Installer.exe (PID: 3144)

    • Changes IE settings (feature browser emulation)

      • Polarity Installer.exe (PID: 3144)

    • Reads Environment values

      • polarity.exe (PID: 3020)

    • Creates a software uninstall entry

      • Polarity Installer.exe (PID: 3144)

    • Creates files in the user directory

      • polarity.exe (PID: 3020)

  • INFO

    • Dropped object may contain Bitcoin addresses

      • chrome.exe (PID: 1948)
      • Polarity Installer.exe (PID: 3144)

    • Changes settings of System certificates

      • chrome.exe (PID: 1948)

    • Application launched itself

      • chrome.exe (PID: 2968)

    • Reads settings of System Certificates

      • polarity.exe (PID: 3020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
61
Monitored processes
23
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start drop and start start drop and start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs polarity installer.exe no specs polarity installer.exe polarity.exe polarityaddonhelper.exe no specs polarityinstance.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2968"C:\Program Files\Google\Chrome\Application\chrome.exe" https://polarityweb.weebly.com/download.htmlC:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
3221225547
Version:
73.0.3683.75
3592"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6ebb0f18,0x6ebb0f28,0x6ebb0f34C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
2720"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2972 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
3808"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=968,16223523501231843240,1896361858351148309,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=7914549449034700665 --mojo-platform-channel-handle=956 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
1948"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=968,16223523501231843240,1896361858351148309,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=12260655920339028539 --mojo-platform-channel-handle=1520 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
2580"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=968,16223523501231843240,1896361858351148309,131072 --enable-features=PasswordImport --service-pipe-token=8224781245461163953 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=8224781245461163953 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2040 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
3068"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=968,16223523501231843240,1896361858351148309,131072 --enable-features=PasswordImport --service-pipe-token=6468193339503402722 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6468193339503402722 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2056 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
3308"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=968,16223523501231843240,1896361858351148309,131072 --enable-features=PasswordImport --service-pipe-token=2909597758284394243 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2909597758284394243 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2080 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
3200"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=968,16223523501231843240,1896361858351148309,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=13393225808328376222 --mojo-platform-channel-handle=3100 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
2244"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=968,16223523501231843240,1896361858351148309,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=utility --service-request-channel-token=18179149644818833761 --mojo-platform-channel-handle=3268 --ignored=" --type=renderer " /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
Total events
959
Read events
786
Write events
0
Delete events
0

Modification events

No data
Executable files
52
Suspicious files
199
Text files
252
Unknown types
24

Dropped files

PID
Process
Filename
Type
2968chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
MD5:
SHA256:
2968chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
MD5:
SHA256:
2968chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
MD5:
SHA256:
2968chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
MD5:
SHA256:
2968chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
MD5:
SHA256:
2968chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\a3ac0e52-6889-4fc1-b59d-8235ce1b745d.tmp
MD5:
SHA256:
2968chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000018.dbtmp
MD5:
SHA256:
2968chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\index
MD5:
SHA256:
2968chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0
MD5:
SHA256:
2968chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
16
TCP/UDP connections
192
DNS requests
101
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3020
polarity.exe
GET
301
104.16.140.31:80
http://polarityweb.webs.com/Polarity%20Version.txt
US
malicious
3020
polarity.exe
GET
200
199.34.228.54:80
http://polarityweb.weebly.com/uploads/2/1/4/7/21476634/4032559.png?116
US
image
6.27 Kb
suspicious
1948
chrome.exe
GET
200
194.9.24.113:80
http://r6---sn-5uh5o-f5fd.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=212.7.217.54&mm=28&mn=sn-5uh5o-f5fd&ms=nvh&mt=1555278442&mv=u&pl=21&shardbypass=yes
PL
crx
842 Kb
whitelisted
1948
chrome.exe
GET
200
13.107.4.50:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
55.6 Kb
whitelisted
1948
chrome.exe
GET
302
172.217.16.206:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvMjJlQUFXRC12Ny1ldUFnMXF3SDlXZDlFZw/7319.128.0.1_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
US
html
507 b
whitelisted
3020
polarity.exe
GET
200
54.187.27.208:80
http://api.mywot.com/0.4/public_query2?target=polarityweb.weebly.com
US
xml
233 b
unknown
1948
chrome.exe
GET
200
199.34.228.54:80
http://polarityweb.weebly.com/uploads/2/1/4/7/21476634/4032559.png?116
US
image
6.27 Kb
suspicious
3020
polarity.exe
GET
301
199.34.228.54:80
http://polarityweb.weebly.com/new.html
US
html
400 b
suspicious
3020
polarity.exe
GET
200
216.58.205.228:80
http://www.google.com/s2/favicons?domain=polarityweb.weebly.com
US
image
521 b
whitelisted
3020
polarity.exe
GET
200
54.187.27.208:80
http://api.mywot.com/0.4/public_query2?target=www.ecosia.org
US
xml
221 b
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1948
chrome.exe
172.217.23.163:443
fonts.gstatic.com
Google Inc.
US
whitelisted
1948
chrome.exe
172.217.16.206:443
translate.google.com
Google Inc.
US
whitelisted
1948
chrome.exe
172.217.23.138:443
fonts.googleapis.com
Google Inc.
US
whitelisted
1948
chrome.exe
199.34.228.54:443
polarityweb.weebly.com
Weebly, Inc.
US
suspicious
1948
chrome.exe
172.217.18.106:443
ajax.googleapis.com
Google Inc.
US
whitelisted
1948
chrome.exe
199.34.228.54:80
polarityweb.weebly.com
Weebly, Inc.
US
suspicious
1948
chrome.exe
172.217.22.35:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
1948
chrome.exe
172.217.23.170:443
ajax.googleapis.com
Google Inc.
US
whitelisted
1948
chrome.exe
104.16.221.29:443
static.getclicky.com
Cloudflare Inc
US
shared
1948
chrome.exe
151.139.242.29:443
images.dmca.com
netDNA
US
unknown

DNS requests

Domain
IP
Reputation
clientservices.googleapis.com
  • 172.217.22.35
whitelisted
polarityweb.weebly.com
  • 199.34.228.54
  • 199.34.228.53
suspicious
accounts.google.com
  • 172.217.16.141
shared
cdn2.editmysite.com
  • 151.101.1.46
  • 151.101.65.46
  • 151.101.129.46
  • 151.101.193.46
whitelisted
fonts.googleapis.com
  • 172.217.23.138
whitelisted
ajax.googleapis.com
  • 172.217.18.106
  • 172.217.16.202
  • 216.58.210.10
  • 172.217.22.74
  • 172.217.16.138
  • 216.58.208.42
  • 216.58.207.74
  • 216.58.207.42
  • 216.58.206.10
  • 172.217.18.170
  • 172.217.22.10
  • 172.217.23.170
  • 216.58.205.234
  • 172.217.22.106
whitelisted
fonts.gstatic.com
  • 172.217.23.163
whitelisted
images.dmca.com
  • 151.139.242.29
whitelisted
translate.google.com
  • 172.217.16.206
whitelisted
www.google-analytics.com
  • 172.217.23.142
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://polarityweb.weebly.com/download.html