analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

Ghost-Browser.png

Full analysis: https://app.any.run/tasks/7a025d5f-10d4-4746-8bd8-3e95245d290c
Verdict: Malicious activity
Analysis date: April 14, 2019, 20:25:35
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: image/png
File info: PNG image data, 32 x 32, 8-bit colormap, non-interlaced
MD5:

5B873230E99DCC727DFAE00142327129

SHA1:

F553FC44AE3DD8C97C8755C5F03E279CB5C5129E

SHA256:

A98874CAFA05F9D30AB02BFB58026A483A2AAEB1F5798A274DF67D4DFD2189BE

SSDEEP:

24:h+aH8Hxf0JE53P+7jV58FHGTEgMZpVNpWfLTL1eCWl2mLC2IaW1hB8ZiB:h+28Hx8WejQFHeLMZpV88rAmcHKw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    No suspicious indicators.
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2492)
    • Reads internet explorer settings

      • iexplore.exe (PID: 2492)
    • Application launched itself

      • iexplore.exe (PID: 3720)
    • Creates files in the user directory

      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 3568)
      • iexplore.exe (PID: 2492)
    • Changes internet zones settings

      • iexplore.exe (PID: 3720)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3720)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3720)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3720)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.png | Portable Network Graphics (100)

EXIF

Composite

Megapixels: 0.001
ImageSize: 32x32

PNG

Transparency: (Binary data 8 bytes, use -b option to extract)
Palette: (Binary data 492 bytes, use -b option to extract)
Interlace: Noninterlaced
Filter: Adaptive
Compression: Deflate/Inflate
ColorType: Palette
BitDepth: 8
ImageHeight: 32
ImageWidth: 32
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
35
Monitored processes
4
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start rundll32.exe no specs iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
2512"C:\Windows\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\AppData\Local\Temp\Ghost-Browser.pngC:\Windows\System32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3720"C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2492"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3720 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3568C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
Total events
879
Read events
788
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
5
Text files
147
Unknown types
19

Dropped files

PID
Process
Filename
Type
3720iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
3720iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2492iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FNIC19MS\softpedia_com[1].txt
MD5:
SHA256:
2492iexplore.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\index.datdat
MD5:14C76B2255A166DD8074F29769100358
SHA256:92E4E837A538DF7D8B3DA64CB7B9544C5E805646D5441CC4EE8BA2E569F9B494
2492iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.datdat
MD5:E06C88155521B991B82C988319CBF916
SHA256:5CBEA17E61B1AD49F21CB662948AA6CD7CE7DCE9AFACD4393224BF0ED7A192C6
2492iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3ZVZXNHM\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
2492iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\FNIC19MS\f[1].txttext
MD5:408C9FDB7FF0DD19E147B83B6C2C4D89
SHA256:356ED093ADA476ACB0ED5AE174E7CE47D32401A1ACD9AD28AF77FF484715EB16
3720iexplore.exeC:\Users\admin\AppData\Local\Temp\StructuredQuery.logtext
MD5:8CAC9849C1E615E04DC09EA858990A09
SHA256:331BC69C0DB2379EF0AA8643F4CD4CE003F87A3CB2541FE46E34F2DC3F410723
2492iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\Q93G3HKT\desktop.iniini
MD5:4A3DEB274BB5F0212C2419D3D8D08612
SHA256:2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
2492iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\PK5Q77MZ\www.softpedia[1].xmltext
MD5:55D11A5A3D325771BBB7659F79146C5F
SHA256:C028FD6C8B74B99720235785995F0C64360F3B5771831DECEDBAEDB2C3B59F14
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
83
DNS requests
20
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2492
iexplore.exe
GET
301
64.225.158.189:80
http://softpedia.com/
CA
html
230 b
whitelisted
2492
iexplore.exe
GET
200
93.184.221.240:80
http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
US
compressed
55.6 Kb
whitelisted
2492
iexplore.exe
GET
200
13.32.222.30:80
http://x.ss2.us/x.cer
US
der
1.27 Kb
whitelisted
3720
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3720
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
2492
iexplore.exe
64.225.158.189:80
softpedia.com
Peer 1 Network (USA) Inc.
CA
unknown
2492
iexplore.exe
64.225.158.189:443
softpedia.com
Peer 1 Network (USA) Inc.
CA
unknown
2492
iexplore.exe
216.58.205.226:443
pagead2.googlesyndication.com
Google Inc.
US
whitelisted
2492
iexplore.exe
64.225.158.192:443
www.softpedia.com
Peer 1 Network (USA) Inc.
CA
unknown
2492
iexplore.exe
69.16.175.42:443
cdnssl.softpedia.com
Highwinds Network Group, Inc.
US
malicious
2492
iexplore.exe
172.217.16.162:443
adservice.google.es
Google Inc.
US
whitelisted
2492
iexplore.exe
69.16.175.10:443
cdnssl.softpedia.com
Highwinds Network Group, Inc.
US
malicious
2492
iexplore.exe
216.58.207.78:443
www.google-analytics.com
Google Inc.
US
whitelisted
2492
iexplore.exe
13.32.222.30:80
x.ss2.us
Amazon.com, Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
softpedia.com
  • 64.225.158.189
unknown
www.softpedia.com
  • 64.225.158.192
  • 64.225.158.189
  • 64.225.158.191
  • 64.225.158.190
suspicious
pagead2.googlesyndication.com
  • 216.58.205.226
whitelisted
cdnssl.softpedia.com
  • 69.16.175.42
  • 69.16.175.10
malicious
adservice.google.es
  • 172.217.16.162
whitelisted
adservice.google.com
  • 172.217.16.162
whitelisted
quantcast.mgr.consensu.org
  • 13.32.219.216
  • 13.32.219.181
  • 13.32.219.210
  • 13.32.219.115
whitelisted
www.google-analytics.com
  • 216.58.207.78
whitelisted
x.ss2.us
  • 13.32.222.30
  • 13.32.222.12
  • 13.32.222.51
  • 13.32.222.163
whitelisted

Threats

No threats detected
No debug info