analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
download:

index.html

Full analysis: https://app.any.run/tasks/97dca356-552a-44b6-a942-bc750fe56383
Verdict: Malicious activity
Analysis date: April 15, 2019, 04:42:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
phishing
opendir
evasion
Indicators:
MIME: text/html
File info: HTML document, UTF-8 Unicode text, with very long lines, with CRLF, LF line terminators
MD5:

330A1E9EA592AB86D5EB647D279111A1

SHA1:

84E4F70A52DB31E1EB5E57E85812A0B43C0999EC

SHA256:

BC1C2503E92DDECDE7F7E763ACB04ED4B10C94111B2D39FA4CEFC7A7C206B545

SSDEEP:

3072:L9+JUGs4xyjH06NgucVD2rRuNNaFlERPkPsnHwnKzQWhjbYfLGF2R8:L0BvyjH04rmafLGF26

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Checks for external IP

      • firefox.exe (PID: 2716)

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 2716)

  • INFO

    • Reads internet explorer settings

      • iexplore.exe (PID: 2888)

    • Reads CPU info

      • firefox.exe (PID: 2716)

    • Application launched itself

      • iexplore.exe (PID: 1740)
      • firefox.exe (PID: 2716)

    • Changes internet zones settings

      • iexplore.exe (PID: 1740)

    • Creates files in the user directory

      • firefox.exe (PID: 2716)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.htm/html | HyperText Markup Language with DOCTYPE (80.6)
.html | HyperText Markup Language (19.3)

EXIF

HTML

viewport: width=device-width,initial-scale=1.0,maximum-scale=2.0
Description: Read today's top stories news, weather, sport, entertainment, lifestyle, money, cars and more, all expertly curated from across top UK and global news providers
Title: MSN UK: Latest news, weather, Hotmail sign in, Outlook email, Bing
Robots: noydir,noodp
msapplicationConfig: none
msapplicationTileImage: //static-global-s-msn-com.akamaized.net/hp-neu/sc/1f/08ced4.png
msapplicationTileColor: #224f7b
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
41
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe no specs firefox.exe firefox.exe no specs firefox.exe firefox.exe firefox.exe

Process information

PID
CMD
Path
Indicators
Parent process
1740"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\index.htmlC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2888"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:1740 CREDAT:79873C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\program files\internet explorer\iexplore.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2716"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Program Files\Mozilla Firefox\firefox.exe
explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
3212"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2716.0.412893490\317306690" -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - "C:\Users\admin\AppData\LocalLow\Mozilla\Temp-{ce348e4c-7d33-445e-89f9-60108c51bcaf}" 2716 "\\.\pipe\gecko-crash-server-pipe.2716" 1144 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
2248"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2716.6.941578298\284876011" -childID 1 -isForBrowser -prefsHandle 1640 -prefMapHandle 1632 -prefsLen 1 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2716 "\\.\pipe\gecko-crash-server-pipe.2716" 1604 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
3336"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2716.13.2008739171\1402424782" -childID 2 -isForBrowser -prefsHandle 2484 -prefMapHandle 2488 -prefsLen 216 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2716 "\\.\pipe\gecko-crash-server-pipe.2716" 2500 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
1904"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2716.20.1947592695\603357558" -childID 3 -isForBrowser -prefsHandle 3312 -prefMapHandle 3264 -prefsLen 5824 -prefMapSize 180950 -schedulerPrefs 0001,2 -parentBuildID 20190225143501 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2716 "\\.\pipe\gecko-crash-server-pipe.2716" 3236 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
65.0.2
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\dbghelp.dll
Total events
1 000
Read events
947
Write events
53
Delete events
0

Modification events

(PID) Process:(1740) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(1740) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(1740) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(1740) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(1740) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(1740) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000071000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(1740) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active
Operation:writeName:{DBF62141-5F38-11E9-B63D-5254004A04AF}
Value:
0
(PID) Process:(1740) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Type
Value:
4
(PID) Process:(1740) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Count
Value:
1
(PID) Process:(1740) iexplore.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore
Operation:writeName:Time
Value:
E307040001000F0004002A001700C503
Executable files
1
Suspicious files
72
Text files
36
Unknown types
53

Dropped files

PID
Process
Filename
Type
1740iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico
MD5:
SHA256:
1740iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
1740iexplore.exeC:\Users\admin\AppData\Local\Temp\~DF09FA0CDF871141F5.TMP
MD5:
SHA256:
1740iexplore.exeC:\Users\admin\AppData\Local\Temp\~DFD545628BAF9A6FB3.TMP
MD5:
SHA256:
2716firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
MD5:
SHA256:
2716firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
2716firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
2716firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs.jstext
MD5:C52C31E2D546FC217645CD7F542CF3E0
SHA256:73974F60357B038693803F51CA750E9ED609A3376548C88C117FA1FCBB328236
2716firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.binbinary
MD5:79262A046A800BC3C3125FF94893CC51
SHA256:EA78CB0E02CA9BD0DC9AE055B82486E63ED4643A53717970A20D5FED7D18A51E
2716firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-child-current.binbinary
MD5:82F61C08D68502377826CA7EA054CEA7
SHA256:85801BCE5D7CE3A2ABC14E3208151AC9D324A6EA82FB2ADA1D10BAA8EF58E7DF
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
38
TCP/UDP connections
53
DNS requests
99
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2716
firefox.exe
GET
200
2.16.186.50:80
http://detectportal.firefox.com/success.txt
unknown
text
8 b
whitelisted
2716
firefox.exe
GET
302
192.186.217.98:80
http://innovationengraving.com/dhh/ii/index.php
US
unknown
2716
firefox.exe
GET
192.169.61.196:80
http://www.whatsmyip.us/showipsimple.php
US
suspicious
2716
firefox.exe
GET
192.169.61.196:80
http://www.whatsmyip.us/showipsimple.php
US
suspicious
2716
firefox.exe
GET
192.169.61.196:80
http://www.whatsmyip.us/showipsimple.php
US
suspicious
2716
firefox.exe
POST
200
216.58.207.67:80
http://ocsp.pki.goog/GTSGIAG3
US
der
471 b
whitelisted
2716
firefox.exe
GET
200
192.185.31.182:80
http://iesupersale.com/uu/AEJ3dI/javascript/facebox/src/facebox.css
US
text
490 b
malicious
2716
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2716
firefox.exe
GET
200
192.185.31.182:80
http://iesupersale.com/uu/AEJ3dI/javascript/watermark/jquery.watermark.js
US
text
6.90 Kb
malicious
2716
firefox.exe
GET
192.169.61.196:80
http://www.whatsmyip.us/showipsimple.php
US
suspicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2716
firefox.exe
35.166.112.39:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
1740
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
4
System
104.43.203.255:445
otf.msn.com
Microsoft Corporation
US
whitelisted
4
System
2.16.186.35:445
static-global-s-msn-com.akamaized.net
Akamai International B.V.
whitelisted
2716
firefox.exe
2.16.186.50:80
detectportal.firefox.com
Akamai International B.V.
whitelisted
4
System
2.16.186.9:445
static-global-s-msn-com.akamaized.net
Akamai International B.V.
whitelisted
4
System
2.16.186.9:139
static-global-s-msn-com.akamaized.net
Akamai International B.V.
whitelisted
2716
firefox.exe
172.217.21.234:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
2716
firefox.exe
35.164.130.113:443
tiles.services.mozilla.com
Amazon.com, Inc.
US
unknown
2716
firefox.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted

DNS requests

Domain
IP
Reputation
static-global-s-msn-com.akamaized.net
  • 2.16.186.35
  • 2.16.186.9
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
otf.msn.com
  • 104.43.203.255
whitelisted
detectportal.firefox.com
  • 2.16.186.50
  • 2.16.186.112
  • 173.223.11.150
  • 173.223.11.152
whitelisted
a1089.dscd.akamai.net
  • 2.16.186.112
  • 2.16.186.50
  • 173.223.11.152
  • 173.223.11.150
whitelisted
search.services.mozilla.com
  • 35.166.112.39
  • 52.88.150.81
  • 34.213.175.109
whitelisted
search.r53-2.services.mozilla.com
  • 34.213.175.109
  • 52.88.150.81
  • 35.166.112.39
whitelisted
tiles.services.mozilla.com
  • 35.164.130.113
  • 52.34.132.219
  • 35.162.29.26
  • 35.165.22.140
  • 35.164.197.9
  • 52.26.103.165
  • 52.35.250.5
  • 52.10.122.55
whitelisted
tiles.r53-2.services.mozilla.com
  • 52.10.122.55
  • 52.35.250.5
  • 52.26.103.165
  • 35.164.197.9
  • 35.165.22.140
  • 35.162.29.26
  • 52.34.132.219
  • 35.164.130.113
whitelisted
snippets.cdn.mozilla.net
  • 13.32.159.2
whitelisted

Threats

PID
Process
Class
Message
2716
firefox.exe
A Network Trojan was detected
SUSPICIOUS [PTsecurity] Adobe/Excel Phishing JS
2716
firefox.exe
Potential Corporate Privacy Violation
ET POLICY Possible External IP Lookup www.whatsmyip.us
2716
firefox.exe
Potential Corporate Privacy Violation
ET POLICY Possible External IP Lookup www.whatsmyip.us
2716
firefox.exe
Potential Corporate Privacy Violation
ET POLICY Possible External IP Lookup www.whatsmyip.us
2716
firefox.exe
Potential Corporate Privacy Violation
ET POLICY Possible External IP Lookup www.whatsmyip.us
2716
firefox.exe
Potential Corporate Privacy Violation
ET POLICY Possible External IP Lookup www.whatsmyip.us
2716
firefox.exe
Potential Corporate Privacy Violation
ET POLICY Possible External IP Lookup www.whatsmyip.us
2716
firefox.exe
Potential Corporate Privacy Violation
ET POLICY Possible External IP Lookup www.whatsmyip.us
2716
firefox.exe
Potential Corporate Privacy Violation
ET POLICY Possible External IP Lookup www.whatsmyip.us
2716
firefox.exe
Potential Corporate Privacy Violation
ET POLICY Possible External IP Lookup www.whatsmyip.us
3 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
index.html