File name: Dados.Do.Processo-BR-2019.A2018753135012.html

Full analysis: https://app.any.run/tasks/6e5c6928-ddb2-4f34-8c7a-1b1667c435f0
Verdict: Malicious activity
Analysis date: June 19, 2019, 16:34:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with CRLF line terminators
MD5: 5B063DDCC11071B5DCEDEE3D0C02A1D8
SHA1: 78BA1B19B02967A4079E712E480E7E712153DFC7
SHA256: 587824B50576C936569976E79B36DB23C0ADB4B1EE85C0F43894AD12D36D6E69
SSDEEP: 3:xkhz9JMzVJu+1v3pY2fHLBLJsHnvn:x83MRJVxrHLBLsv

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • reg.exe (PID: 2180)
    • Application was dropped or rewritten from another process

      • lc8ED7.tmp (PID: 3644)
  • SUSPICIOUS

    • Creates files in the program directory

      • firefox.exe (PID: 3492)
    • Starts CMD.EXE for commands execution

      • MsiExec.exe (PID: 2472)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2060)
      • msiexec.exe (PID: 2380)
      • MsiExec.exe (PID: 2472)
    • Creates files in the user directory

      • MsiExec.exe (PID: 2472)
    • Reads Internet Cache Settings

      • MsiExec.exe (PID: 2472)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 2672)
  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 3520)
      • iexplore.exe (PID: 2116)
    • Application launched itself

      • iexplore.exe (PID: 2932)
      • firefox.exe (PID: 3492)
      • msiexec.exe (PID: 2380)
    • Creates files in the user directory

      • iexplore.exe (PID: 3520)
      • iexplore.exe (PID: 2116)
      • firefox.exe (PID: 3492)
    • Changes internet zones settings

      • iexplore.exe (PID: 2932)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2932)
      • iexplore.exe (PID: 2116)
    • Reads CPU info

      • firefox.exe (PID: 3492)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2932)
    • Manual execution by user

      • firefox.exe (PID: 3492)
      • WinRAR.exe (PID: 2060)
      • msiexec.exe (PID: 3924)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2932)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2932)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 2472)
    • Starts application with an unusual extension

      • MsiExec.exe (PID: 2472)
    • Dropped object may contain Bitcoin addresses

      • firefox.exe (PID: 3492)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 62
Monitored processes: 19
Malicious processes: 1
Suspicious processes: 1

Behavior graph

Process nodes in the graph (19 monitored processes): iexplore.exe (3), firefox.exe (5), winrar.exe (1), msiexec.exe (3), cmd.exe (3), reg.exe (1), shutdown.exe (2), lc8ed7.tmp (1)

Process information

PID: 2932
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\Desktop\Dados.Do.Processo-BR-2019.A2018753135012.html
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1073807364
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3520
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2932 CREDAT:79873
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 2116
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2932 CREDAT:137473
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID: 3492
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: explorer.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 65.0.2

PID: 3016
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3492.0.1617236296\381895828" -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - "C:\Users\admin\AppData\LocalLow\Mozilla\Temp-{ce348e4c-7d33-445e-89f9-60108c51bcaf}" 3492 "\\.\pipe\gecko-crash-server-pipe.3492" 1136 gpu
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Exit code: 0
Version: 65.0.2

PID: 3044
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3492.6.1483897241\1182748120" -childID 1 -isForBrowser -prefsHandle 1704 -prefMapHandle 1696 -prefsLen 1 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3492 "\\.\pipe\gecko-crash-server-pipe.3492" 1728 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 65.0.2

PID: 3392
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3492.13.1478401227\794223812" -childID 2 -isForBrowser -prefsHandle 2596 -prefMapHandle 2600 -prefsLen 216 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3492 "\\.\pipe\gecko-crash-server-pipe.3492" 2612 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 65.0.2

PID: 2572
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3492.20.862337869\778685838" -childID 3 -isForBrowser -prefsHandle 3392 -prefMapHandle 3396 -prefsLen 5824 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3492 "\\.\pipe\gecko-crash-server-pipe.3492" 3408 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: LOW
Description: Firefox
Exit code: 0
Version: 65.0.2

PID: 2060
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\Dados Do Processo .zip" C:\Users\admin\Downloads\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3924
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Downloads\Dados Do Processo .msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows® installer
Exit code: 1073807364
Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Total events: 2 655
Read events: 2 485
Write events: 153
Delete events: 17

Modification events

PID | Process | Key | Operation | Name | Value
2932 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main | write | CompatibilityFlags | 0
2932 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | UNCAsIntranet | 0
2932 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write | AutoDetect | 1
2932 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones | write | SecuritySafe | 1
2932 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | write | ProxyEnable | 0
2932 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | write | SavedLegacySettings | 460000006E000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
2932 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active | write | {363EF6CD-92B0-11E9-B3B3-5254004A04AF} | 0
2932 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | write | Type | 4
2932 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | write | Count | 1
2932 | iexplore.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore | write | Time | E307060003001300100023000E00B602
Executable files: 10
Suspicious files: 65
Text files: 66
Unknown types: 65

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2932 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | | |
2932 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | | |
2116 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@unbouncepages[2].txt | | |
2116 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3I8O2GZ1\tribunal-01[1].txt | | |
2932 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\~DFB89DB5DE43DE896C.TMP | | |
2116 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3I8O2GZ1\tribunal-01[1].htm | html | 8C6099EED5F1256E6D505E68D051D0C5 | 9DBA3340B9E6434E8E6DF2458EF9BCC1589382685F7EB7B2BB0FCEF1257E29F5
2116 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat | 7C815A4ADE0C6031275E2FE8727BEE1D | 0368619E1ADA91D684EA2D55367358CACFA06CBED074B032BBCC943C5A47CF26
2116 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\9METC5YK\unbouncepages[1].xml | text | 76BDB07956ACCD3A5EF913F7D8AD13A1 | BC9FC693009494C42AA75C9054ED8135A214C19EA385DFD59392FF3BB4926A00
2116 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat | A424A737B094F378AFABB5FEA48FC565 | 417C167CB20E6128BA2BAA2736688362664671C7FF7E231234075B5E2B209CA9
2116 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\LQFPMWVK\counter[1].js | text | 4C274C0D8F5BF85D30C409BB8FAC6A32 | A73C618915DA6A33730C524438B54D35AAEBEFD9E43C5EDECFF8103EAD294FAF
HTTP(S) requests: 28
TCP/UDP connections: 65
DNS requests: 110
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2116 | iexplore.exe | GET | 200 | 52.222.167.29:80 | http://builder-assets.unbounce.com/published-css/main-1ea3e9f.z.css | US | text | 2.89 Kb | shared
2116 | iexplore.exe | GET | 200 | 54.93.101.66:80 | http://unbouncepages.com/tribunal-01/?b309433 | DE | html | 1.96 Kb | whitelisted
2116 | iexplore.exe | GET | 200 | 52.222.167.29:80 | http://builder-assets.unbounce.com/published-css/main-1ea3e9f.z.css | US | text | 2.89 Kb | shared
3492 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted
3492 | firefox.exe | POST | 200 | 188.121.36.239:80 | http://ocsp.godaddy.com/ | NL | der | 1.74 Kb | whitelisted
3492 | firefox.exe | POST | 200 | 216.58.205.227:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted
3492 | firefox.exe | GET | 200 | 52.222.167.29:80 | http://builder-assets.unbounce.com/published-css/main-1ea3e9f.z.css | US | text | 2.89 Kb | shared
3492 | firefox.exe | GET | 200 | 52.222.167.29:80 | http://builder-assets.unbounce.com/published-js/main.bundle-4e498eb.z.js | US | text | 32.3 Kb | shared
3492 | firefox.exe | POST | 200 | 216.58.205.227:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 471 b | whitelisted
3492 | firefox.exe | GET | 200 | 104.20.2.47:80 | http://c.statcounter.com/t.php?sc_project=10577348&java=1&security=bd270615&u1=11BD9BDF6E964F6BFE88B62CB4B5418A&sc_random=0.1699402397299863&jg=new&rr=1.1.1.1.1.1.1.1.1&resolution=1280&h=720&camefrom=&u=http%3A//unbouncepages.com/tribunal-01/%3Fb309433&t=&rcat=d&rdom=d&rdomg=new&bb=1&sc_snum=1&sess=cfa820&p=0&invisible=1 | US | image | 49 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2932 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
2116 | iexplore.exe | 52.70.121.38:443 | rebrand.ly | Amazon.com, Inc. | US | unknown
2116 | iexplore.exe | 104.20.3.47:443 | www.statcounter.com | Cloudflare Inc | US | shared
2116 | iexplore.exe | 104.20.2.47:80 | www.statcounter.com | Cloudflare Inc | US | shared
2116 | iexplore.exe | 52.222.167.29:80 | builder-assets.unbounce.com | Amazon.com, Inc. | US | whitelisted
2116 | iexplore.exe | 54.93.101.66:80 | unbouncepages.com | Amazon.com, Inc. | DE | malicious
2116 | iexplore.exe | 18.196.95.178:80 | unbouncepages.com | Amazon.com, Inc. | DE | malicious
3492 | firefox.exe | 35.244.181.201:443 | aus5.mozilla.org | | US | suspicious
3492 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
3492 | firefox.exe | 172.217.18.106:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
rebrand.ly
  • 52.70.121.38
  • 52.5.10.174
whitelisted
unbouncepages.com
  • 18.196.95.178
  • 54.93.101.66
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared
builder-assets.unbounce.com
  • 52.222.167.29
  • 52.222.167.79
  • 52.222.167.244
  • 52.222.167.121
shared
www.statcounter.com
  • 104.20.3.47
  • 104.20.2.47
whitelisted
c.statcounter.com
  • 104.20.2.47
  • 104.20.3.47
whitelisted
aus5.mozilla.org
  • 35.244.181.201
whitelisted
detectportal.firefox.com
  • 2.16.186.50
  • 2.16.186.112
whitelisted
balrog-aus5.r53-2.services.mozilla.com
  • 35.244.181.201
whitelisted

Threats

No threats detected
No debug info