Field | Value
---|---
URL | http://4.au.download.windowsupdate.com:80/d/msdownload/update/software/uprl/2022/01/windows-kb890830-x64-v5.97_f721274e2e00c60616b9dd6a58094167dd59f8da.exe
Full analysis | https://app.any.run/tasks/ac11a7bb-ecc2-4788-b1c2-74b24dcc0bd0
Verdict | Malicious activity
Threats | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims' computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links, relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.
Analysis date | January 24, 2022, 15:28:41
OS | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags | —
Indicators | —
MD5 | 0C247DE4D68BBECFC0435FB3797A1DDF
SHA1 | C04A924F24B99276CD922123D66E2B1158B3C524
SHA256 | C67DF696B929802C2288C4EA0E4E702C4B191F07DE3A06F689AC32988B6FBE22
SSDEEP | 3:N1KqLEWd9r4E+ETdSLJkACANKX1OSML0PwITpkUCRAXhzBv2J3QOBEJn:CqDd9C0QVq9k9RAXhzBvagOBWn
PID | CMD | Path | Indicators | Parent process | Details
---|---|---|---|---|---
3268 | "C:\Program Files\Mozilla Firefox\firefox.exe" "http://4.au.download.windowsupdate.com:80/d/msdownload/update/software/uprl/2022/01/windows-kb890830-x64-v5.97_f721274e2e00c60616b9dd6a58094167dd59f8da.exe" | C:\Program Files\Mozilla Firefox\firefox.exe | — | Explorer.EXE | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 83.0
648 | "C:\Program Files\Mozilla Firefox\firefox.exe" http://4.au.download.windowsupdate.com:80/d/msdownload/update/software/uprl/2022/01/windows-kb890830-x64-v5.97_f721274e2e00c60616b9dd6a58094167dd59f8da.exe | C:\Program Files\Mozilla Firefox\firefox.exe | | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 0; Version: 83.0
356 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.0.499002023\258823247" -parentBuildID 20201112153044 -prefsHandle 936 -prefMapHandle 920 -prefsLen 1 -prefMapSize 238726 -appdir "C:\Program Files\Mozilla Firefox\browser" - 648 "\\.\pipe\gecko-crash-server-pipe.648" 1200 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: MEDIUM; Description: Firefox; Exit code: 1; Version: 83.0
1988 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.6.371416242\2122202073" -childID 1 -isForBrowser -prefsHandle 2976 -prefMapHandle 2972 -prefsLen 245 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 648 "\\.\pipe\gecko-crash-server-pipe.648" 2988 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Exit code: 0; Version: 83.0
2316 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.13.548874651\506101904" -childID 2 -isForBrowser -prefsHandle 3328 -prefMapHandle 3288 -prefsLen 7307 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 648 "\\.\pipe\gecko-crash-server-pipe.648" 3360 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Exit code: 0; Version: 83.0
3204 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.20.1921727776\83660722" -childID 3 -isForBrowser -prefsHandle 3780 -prefMapHandle 3344 -prefsLen 7307 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 648 "\\.\pipe\gecko-crash-server-pipe.648" 3768 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Exit code: 0; Version: 83.0
1160 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.21.1992608691\1629211799" -childID 4 -isForBrowser -prefsHandle 3760 -prefMapHandle 3756 -prefsLen 7307 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 648 "\\.\pipe\gecko-crash-server-pipe.648" 3748 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Exit code: 0; Version: 83.0
2284 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="648.34.14027955\789888926" -childID 5 -isForBrowser -prefsHandle 4108 -prefMapHandle 4104 -prefsLen 7378 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 648 "\\.\pipe\gecko-crash-server-pipe.648" 4120 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | User: admin; Company: Mozilla Corporation; Integrity Level: LOW; Description: Firefox; Exit code: 0; Version: 83.0
PID | Process | Key | Name | Operation | Value
---|---|---|---|---|---
3268 | firefox.exe | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher | C:\Program Files\Mozilla Firefox\firefox.exe\|Launcher | write | F395042343010000
648 | firefox.exe | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher | C:\Program Files\Mozilla Firefox\firefox.exe\|Browser | write | 7B9C042343010000
648 | firefox.exe | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher | C:\Program Files\Mozilla Firefox\firefox.exe\|Telemetry | write | 0
648 | firefox.exe | HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment | C:\Program Files\Mozilla Firefox\firefox.exe | write | 0
648 | firefox.exe | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent | C:\Program Files\Mozilla Firefox\|DisableTelemetry | write | 1
648 | firefox.exe | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent | C:\Program Files\Mozilla Firefox\|DisableDefaultBrowserAgent | write | 0
648 | firefox.exe | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent | C:\Program Files\Mozilla Firefox\|ServicesSettingsServer | write | https://firefox.settings.services.mozilla.com/v1
648 | firefox.exe | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent | C:\Program Files\Mozilla Firefox\|SecurityContentSignatureRootHash | write | 97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E
648 | firefox.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings | ProxyEnable | write | 0
648 | firefox.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | SavedLegacySettings | write | 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
PID | Process | Filename | Type | MD5 | SHA256
---|---|---|---|---|---
648 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | — | —
648 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite | — | — | —
648 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\settings\main\ms-language-packs\asrouter.ftl.tmp | text | 3625F1DDA6D119478AD89D13950C9ACA | CB40F6A8D58901D612A86690A41D4E273F24936FC926E98F82C0918CBEF4FC64
648 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js | text | 299A2B747C11E4BDA194E563FEA4A699 | 94EE461F62E8B4A0A65471A41E10C8C56722B73C0A019D76ACA7F5BAF109813E
648 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm | binary | B7C14EC6110FA820CA6B65F5AEC85911 | FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
648 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\urlCache-current.bin | binary | 994A33896BB41A278A315D0D796422B6 | 54EC50A20FFF8CC016710E49437CF6A11D3FE5EE7B28C185E4A9AAFEE2908B63
648 | firefox.exe | C:\Users\admin\AppData\Local\Temp\mz_etilqs_IiTsqCgftCMAd2R | binary | 1BA07E59FA4BC058514CA562300AE94C | B940ECCC2442F0CC552D590F601F8247141F876A374403217CE137AE5F8805E0
648 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite-shm | binary | B7C14EC6110FA820CA6B65F5AEC85911 | FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
648 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm | binary | B7C14EC6110FA820CA6B65F5AEC85911 | FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
648 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json | binary | EA8B62857DFDBD3D0BE7D7E4A954EC9A | 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
648 | firefox.exe | GET | 200 | 178.79.242.0:80 | http://4.au.download.windowsupdate.com/d/msdownload/update/software/uprl/2022/01/windows-kb890830-x64-v5.97_f721274e2e00c60616b9dd6a58094167dd59f8da.exe | DE | executable | 40.4 Mb | whitelisted |
648 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
648 | firefox.exe | POST | 200 | 142.250.185.163:80 | http://ocsp.pki.goog/gts1c3 | US | der | 472 b | whitelisted |
648 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | US | text | 8 b | whitelisted |
648 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt | US | text | 8 b | whitelisted |
648 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
648 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
648 | firefox.exe | 216.58.212.170:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
648 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | — | US | whitelisted |
648 | firefox.exe | 35.163.112.241:443 | location.services.mozilla.com | Amazon.com, Inc. | US | unknown |
648 | firefox.exe | 143.204.215.37:443 | firefox.settings.services.mozilla.com | — | US | malicious |
648 | firefox.exe | 99.86.3.118:443 | content-signature-2.cdn.mozilla.net | AT&T Services, Inc. | US | unknown |
648 | firefox.exe | 178.79.242.0:80 | 4.au.download.windowsupdate.com | Limelight Networks, Inc. | DE | whitelisted |
648 | firefox.exe | 142.250.185.163:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
648 | firefox.exe | 65.9.61.78:443 | firefox-settings-attachments.cdn.mozilla.net | AT&T Services, Inc. | US | unknown |
648 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
648 | firefox.exe | 54.244.7.161:443 | push.services.mozilla.com | Amazon.com, Inc. | US | unknown |
Domain | IP | Reputation
---|---|---
detectportal.firefox.com | — | whitelisted
4.au.download.windowsupdate.com | — | whitelisted
windowsupdate.s.llnwi.net | — | suspicious
prod.detectportal.prod.cloudops.mozgcp.net | — | whitelisted
firefox.settings.services.mozilla.com | — | whitelisted
location.services.mozilla.com | — | whitelisted
locprod2-elb-us-west-2.prod.mozaws.net | — | whitelisted
example.org | — | whitelisted
ipv4only.arpa | — | whitelisted
content-signature-2.cdn.mozilla.net | — | whitelisted
PID | Process | Class | Message |
---|---|---|---|
648 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
648 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |