analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://emails-executive.com

Full analysis: https://app.any.run/tasks/b5e7b208-4a9b-4af8-bc7c-bc7abd1cc715
Verdict: Malicious activity
Analysis date: May 15, 2019, 16:07:51
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

0794024139FB885F83CE262AA30CDDFA

SHA1:

2B7A58A1D2740430A523C9989667615997DC257A

SHA256:

9710E79911E7B0335E6F4983BBBCA5A0E3451E17C0852B9D1E38C9F484E21D73

SSDEEP:

3:N1Kb9IUEzZI:C5IK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 3376)

    • Creates files in the program directory

      • firefox.exe (PID: 3376)

  • INFO

    • Reads CPU info

      • firefox.exe (PID: 3376)

    • Application launched itself

      • firefox.exe (PID: 3376)

    • Creates files in the user directory

      • firefox.exe (PID: 3376)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
5
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start firefox.exe firefox.exe no specs firefox.exe firefox.exe firefox.exe

Process information

PID
CMD
Path
Indicators
Parent process
3376"C:\Program Files\Mozilla Firefox\firefox.exe" http://emails-executive.comC:\Program Files\Mozilla Firefox\firefox.exe
explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
2880"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3376.0.127679456\1524193629" -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - "C:\Users\admin\AppData\LocalLow\Mozilla\Temp-{ce348e4c-7d33-445e-89f9-60108c51bcaf}" 3376 "\\.\pipe\gecko-crash-server-pipe.3376" 1128 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
3624"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3376.6.1960698376\707033108" -childID 1 -isForBrowser -prefsHandle 1740 -prefMapHandle 1544 -prefsLen 1 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3376 "\\.\pipe\gecko-crash-server-pipe.3376" 1572 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
3032"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3376.13.1422572602\1958967738" -childID 2 -isForBrowser -prefsHandle 2636 -prefMapHandle 2644 -prefsLen 216 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3376 "\\.\pipe\gecko-crash-server-pipe.3376" 2656 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
2972"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3376.20.220751222\1806993081" -childID 3 -isForBrowser -prefsHandle 3336 -prefMapHandle 3352 -prefsLen 5824 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3376 "\\.\pipe\gecko-crash-server-pipe.3376" 3452 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
Total events
638
Read events
636
Write events
2
Delete events
0

Modification events

(PID) Process:(3376) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3376) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
Executable files
1
Suspicious files
79
Text files
25
Unknown types
47

Dropped files

PID
Process
Filename
Type
3376firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
MD5:
SHA256:
3376firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\trash19812
MD5:
SHA256:
3376firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
3376firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
3376firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
MD5:
SHA256:
3376firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
3376firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.binbinary
MD5:6C32CB3FD01869207E7AAE8B28598F29
SHA256:4F8ECF8007F6CC603991256AACF38224ADBA7D0A16685706072D1AADC0604303
3376firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.jstext
MD5:8F89A5889E1615F65674DAF6A01A2454
SHA256:F6D3FDE91836D607A3311A6E0A12463C811F791A9F231D2FF8542D772FA22ED7
3376firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-child-current.binbinary
MD5:82F61C08D68502377826CA7EA054CEA7
SHA256:85801BCE5D7CE3A2ABC14E3208151AC9D324A6EA82FB2ADA1D10BAA8EF58E7DF
3376firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\except-flash-digest256.sbstorebinary
MD5:C921D8E98FA01B4F303481E112202E92
SHA256:4EF1038730EC8BC7206713C29A936768831B922C5E6C83355FD62D7401D8C1DC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
20
TCP/UDP connections
38
DNS requests
69
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3376
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3376
firefox.exe
GET
200
2.16.186.50:80
http://detectportal.firefox.com/success.txt
unknown
text
8 b
whitelisted
3376
firefox.exe
GET
200
91.195.240.126:80
http://sedoparking.com/frmpark/emails-executive.com/IONOSParkingUS/park.js
DE
html
675 b
whitelisted
3376
firefox.exe
GET
200
74.208.236.109:80
http://emails-executive.com/defaultsite
US
html
586 b
suspicious
3376
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3376
firefox.exe
POST
200
172.217.22.99:80
http://ocsp.pki.goog/GTSGIAG3
US
der
471 b
whitelisted
3376
firefox.exe
GET
404
74.208.236.109:80
http://emails-executive.com/favicon.ico
US
html
586 b
suspicious
3376
firefox.exe
GET
200
216.58.210.2:80
http://pagead2.googlesyndication.com/apps/domainpark/show_afd_ads.js
US
html
1.29 Kb
whitelisted
3376
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3376
firefox.exe
GET
200
91.195.240.126:80
http://sedoparking.com/search/registrar.php?domain=emails-executive.com&rpv=2&registrar=IONOSParkingUS&gst=3B1gslimc5_w1mp20fXXviXEj69RqYkDrNxH9mhPWRQyKfH3TLoEEoy02SF7L-1pOGXvsHECvqiDgLVvzLlEBzOCxXLRhSALjA&ref=
DE
html
19.4 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3376
firefox.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3376
firefox.exe
2.16.186.50:80
detectportal.firefox.com
Akamai International B.V.
whitelisted
3376
firefox.exe
74.208.236.109:80
emails-executive.com
1&1 Internet SE
US
suspicious
3376
firefox.exe
35.164.218.3:443
tiles.services.mozilla.com
Amazon.com, Inc.
US
unknown
3376
firefox.exe
52.27.173.161:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
3376
firefox.exe
34.218.159.169:443
aus5.mozilla.org
Amazon.com, Inc.
US
unknown
3376
firefox.exe
216.58.210.2:80
pagead2.googlesyndication.com
Google Inc.
US
whitelisted
3376
firefox.exe
172.217.16.132:443
www.google.com
Google Inc.
US
whitelisted
3376
firefox.exe
172.217.22.99:80
ocsp.pki.goog
Google Inc.
US
whitelisted
3376
firefox.exe
91.195.240.126:80
sedoparking.com
SEDO GmbH
DE
malicious

DNS requests

Domain
IP
Reputation
emails-executive.com
  • 74.208.236.109
unknown
detectportal.firefox.com
  • 2.16.186.50
  • 2.16.186.112
whitelisted
aus5.mozilla.org
  • 34.218.159.169
  • 35.164.82.230
  • 34.216.134.104
  • 34.214.241.105
  • 52.27.144.31
  • 52.32.77.100
  • 52.40.226.98
  • 52.43.79.30
whitelisted
a1089.dscd.akamai.net
  • 2.16.186.112
  • 2.16.186.50
whitelisted
balrog-aus5.r53-2.services.mozilla.com
  • 52.43.79.30
  • 52.40.226.98
  • 52.32.77.100
  • 52.27.144.31
  • 34.214.241.105
  • 34.216.134.104
  • 35.164.82.230
  • 34.218.159.169
whitelisted
search.services.mozilla.com
  • 52.27.173.161
  • 52.10.97.252
  • 52.88.179.171
whitelisted
search.r53-2.services.mozilla.com
  • 52.88.179.171
  • 52.10.97.252
  • 52.27.173.161
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
tiles.services.mozilla.com
  • 35.164.218.3
  • 52.25.71.236
  • 35.165.22.140
  • 52.26.103.165
  • 52.27.87.181
  • 52.26.166.58
  • 52.34.132.219
  • 52.35.96.157
whitelisted
cs9.wac.phicdn.net
  • 93.184.220.29
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
http://emails-executive.com