URL: http://fwf.su

Full analysis: https://app.any.run/tasks/60f20571-31e3-408d-853c-72baf2906c69
Verdict: Malicious activity
Analysis date: August 08, 2020, 07:59:18
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 7AD9B58122B11FBE3F29A63ADE27DC7C
SHA1: FC954DEBC6C0A75FA4523C5BFA08C1A9A1857107
SHA256: 8AA43756BA1295A0004EE65FE076A9158445EC7BBA94A5F54E30E9E33ABBCDB1
SSDEEP: 3:N1KY+WQ:CY+WQ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 924)
      • iexplore.exe (PID: 2664)
    • Changes internet zones settings

      • iexplore.exe (PID: 2664)
    • Application launched itself

      • iexplore.exe (PID: 2664)
      • chrome.exe (PID: 3612)
    • Reads internet explorer settings

      • iexplore.exe (PID: 924)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 924)
      • iexplore.exe (PID: 2664)
      • chrome.exe (PID: 744)
    • Manual execution by user

      • chrome.exe (PID: 3612)
    • Creates files in the user directory

      • iexplore.exe (PID: 924)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2664)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2664)
    • Reads the hosts file

      • chrome.exe (PID: 3612)
      • chrome.exe (PID: 744)
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 60
Monitored processes: 20
Malicious processes: 0
Suspicious processes: 0


Process information

PID: 2664
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://fwf.su
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Exit code: 1
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 924
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2664 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Exit code: 0
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3612
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 2848
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6e89a9d0,0x6e89a9e0,0x6e89a9ec
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 1452
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3604 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 3736
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1020,17575309210115232400,18368900533140169120,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=1306261369832159019 --mojo-platform-channel-handle=1044 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Version: 75.0.3770.100

PID: 744
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1020,17575309210115232400,18368900533140169120,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=11644921944773133878 --mojo-platform-channel-handle=1628 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 848
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,17575309210115232400,18368900533140169120,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=3474999687005122064 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2256 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100

PID: 280
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,17575309210115232400,18368900533140169120,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=2128300387794261105 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2492 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100

PID: 2196
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1020,17575309210115232400,18368900533140169120,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=449669257233557827 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2484 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100
Total events: 1 330
Read events: 1 170
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 74
Text files: 92
Unknown types: 24

Dropped files

| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 924 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\CabD477.tmp | | | |
| 924 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\Low\TarD478.tmp | | | |
| 924 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\5IWPIAR9\style[1].css | text | 2D5DE31090E3AA0B14EAC2A9F96AE273 | 1F12854C80AFD1C18ADE0A7C26F00CAC5CDB917CB6DDEE36BBA33F00DFC50814 |
| 924 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 | der | 9E1EB3DDA03ED5B39D68CB26399E3C2E | 161399C3C4D0942A0AFE35D59B26D984D24C6E502253CDBDAECCDD9A0B53380E |
| 924 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EC857EA77AAC13CEFF12FA12A84DC3FB | der | D9C0BD15B828CC12C0A7983A826AD5F1 | 2769708934467FE9FA9AE0A06746F298A2DDBEF2DB307FFE47451B6FEEDA580C |
| 924 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\NO8W9RNS.txt | text | B500A5D414169FAEE533F6498DB2177C | 34D5B8C802578417A404B0C4C0EB5089AD13474362F6FD040D92A8768F5ABCFA |
| 924 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CFE86DBBE02D859DC92F1E17E0574EE8_46766FC45507C0B9E264E4C18BC7288B | der | 1C400D233070530C717A810D7F9BC99E | 58B407B0DDF17FBF78FCB2E2DAD4FABAADA9BD88641F19941480951A200AE4E0 |
| 924 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\MFAQUS6V\0LWMMVL3.htm | html | A7369EBC2A72D17689493EA927DFE932 | F14A5702B80B837CAD1203A4611681DF5A0B97AACE3854E4485B12221F75B467 |
| 924 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08 | binary | 50C356C3287D61482A4946D613CEF31F | F7360BD6F7DF65CAB10B702C68054BA36AED8F4A6B1E924487748FFA688B783D |
| 924 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EC857EA77AAC13CEFF12FA12A84DC3FB | binary | 2D190EAD3C9A814AB3A727DD3EEECD04 | CD72014631D02ED9B3707426CF19912EB13C2CDBCC290354228CBBB1DBE5B323 |
HTTP(S) requests: 58
TCP/UDP connections: 93
DNS requests: 32
Threats: 0

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 924 | iexplore.exe | GET | | 84.252.146.184:80 | http://fwf.su/instagram_review.jpg | RU | | | suspicious |
| 924 | iexplore.exe | GET | | 84.252.146.184:80 | http://fwf.su/instagram_review-2.jpg | RU | | | suspicious |
| 924 | iexplore.exe | GET | 302 | 5.101.152.189:80 | http://okolijoh.pisiboi.beget.tech/6gLsX4 | RU | | | malicious |
| 924 | iexplore.exe | GET | 200 | 84.252.146.184:80 | http://fwf.su/ | RU | html | 12.1 Kb | suspicious |
| 924 | iexplore.exe | GET | 200 | 2.16.107.80:80 | http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D | unknown | der | 1.37 Kb | whitelisted |
| 924 | iexplore.exe | GET | 404 | 84.252.146.184:80 | http://fwf.su/rafaello.png | RU | html | 1.22 Kb | suspicious |
| 924 | iexplore.exe | GET | 404 | 84.252.146.184:80 | http://fwf.su/rosa-v-kolbe-bright-1.jpg | RU | html | 1.22 Kb | suspicious |
| 924 | iexplore.exe | GET | 404 | 84.252.146.184:80 | http://fwf.su/jquery.fancybox.min.css | RU | html | 1.22 Kb | suspicious |
| 924 | iexplore.exe | GET | 404 | 84.252.146.184:80 | http://fwf.su/application.min.js-1.js | RU | html | 1.22 Kb | suspicious |
| 924 | iexplore.exe | GET | 200 | 2.16.107.114:80 | http://ocsp.int-x3.letsencrypt.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBR%2B5mrncpqz%2FPiiIGRsFqEtYHEIXQQUqEpqYwR93brm0Tm3pkVl7%2FOo7KECEgQFqOVv9SQRh8o48BtBPyckdQ%3D%3D | unknown | der | 527 b | whitelisted |

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 924 | iexplore.exe | 84.252.146.184:80 | fwf.su | LLC masterhost | RU | suspicious |
| 924 | iexplore.exe | 5.101.152.189:80 | okolijoh.pisiboi.beget.tech | Beget Ltd | RU | malicious |
| 924 | iexplore.exe | 2.16.107.114:80 | ocsp.int-x3.letsencrypt.org | Akamai International B.V. | | suspicious |
| 924 | iexplore.exe | 79.110.24.33:443 | naughty-avenues1.com | | RO | unknown |
| 924 | iexplore.exe | 184.24.77.59:80 | isrg.trustid.ocsp.identrust.com | Time Warner Cable Internet LLC | US | suspicious |
| 924 | iexplore.exe | 216.58.207.74:443 | fonts.googleapis.com | Google Inc. | US | whitelisted |
| 924 | iexplore.exe | 2.16.107.80:80 | isrg.trustid.ocsp.identrust.com | Akamai International B.V. | | suspicious |
| 924 | iexplore.exe | 216.58.207.35:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
| 924 | iexplore.exe | 216.58.206.3:443 | fonts.gstatic.com | Google Inc. | US | whitelisted |
| 744 | chrome.exe | 172.217.18.99:443 | clientservices.googleapis.com | Google Inc. | US | whitelisted |

DNS requests

| Domain | IP | Reputation |
|---|---|---|
| fwf.su | 84.252.146.184, 84.252.146.194, 84.252.146.94, 84.252.146.135 | suspicious |
| okolijoh.pisiboi.beget.tech | 5.101.152.189 | malicious |
| naughty-avenues1.com | 79.110.24.33 | unknown |
| isrg.trustid.ocsp.identrust.com | 2.16.107.80, 2.16.107.73, 184.24.77.59, 184.24.77.73 | whitelisted |
| ocsp.int-x3.letsencrypt.org | 2.16.107.114, 2.16.107.43 | whitelisted |
| fonts.googleapis.com | 216.58.207.74 | whitelisted |
| ocsp.pki.goog | 216.58.207.35 | whitelisted |
| fonts.gstatic.com | 216.58.206.3 | whitelisted |
| api.bing.com | 13.107.5.80 | whitelisted |
| www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted |

Threats

| PID | Process | Class | Message |
|---|---|---|---|
| | | Potentially Bad Traffic | ET DNS Query for .su TLD (Soviet Union) Often Malware Related |
| 924 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
| 924 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
| 924 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
| 924 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
| 924 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
| 924 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
| 924 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
| 924 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
| 924 | iexplore.exe | Potentially Bad Traffic | ET POLICY HTTP Request to .su TLD (Soviet Union) Often Malware Related |
2 ETPRO signatures available at the full report
No debug info