File name: EmailExpressTab-24878311.7z
Full analysis: https://app.any.run/tasks/4a06365f-8b68-4135-931e-d323d8e42452
Verdict: Malicious activity
Analysis date: September 18, 2019, 20:45:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: adware
Indicators:
  • MIME: application/x-7z-compressed
  • File info: 7-zip archive data, version 0.3
  • MD5: C522E6C74E28FB07289E47CBA5779FB5
  • SHA1: FF486EDF92F323CFCA70A4679E7017C576133E98
  • SHA256: CB7C200CEE8BB0D747E635D0E37CA9251B4BBFED744784145D54EAA165297B1F
  • SSDEEP: 6144:NfS9nXenWVU+B2Wfmv1QzdF+yX80NKR3lVLi3pqRlMde2K:c9GWV/B2W+NwcOShXikRGdY

ANY.RUN is an interactive service that gives the analyst full access to the guest system, so the information in this report may have been influenced by analyst actions and is provided as-is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe (PID: 3468)
    • Changes settings of System certificates
      • c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe (PID: 3468)
    • Connects to CnC server
      • IEXPLORE.EXE (PID: 2464)
    • Changes the autorun value in the registry
      • c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe (PID: 3468)
  • SUSPICIOUS
    • Changes tracing settings of the file or console
      • c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe (PID: 3468)
    • Reads internet explorer settings
      • c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe (PID: 3468)
    • Adds / modifies Windows certificates
      • c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe (PID: 3468)
    • Changes the started page of IE
      • c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe (PID: 3468)
    • Executable content was dropped or overwritten
      • c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe (PID: 3468)
    • Starts Internet Explorer
      • c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe (PID: 3468)
    • Creates a software uninstall entry
      • c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe (PID: 3468)
    • Creates files in the user directory
      • c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe (PID: 3468)
    • Reads Internet Cache Settings
      • c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe (PID: 3468)
  • INFO
    • Manual execution by user
      • c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe (PID: 3468)
      • chrome.exe (PID: 2996)
    • Changes internet zones settings
      • IEXPLORE.EXE (PID: 2012)
    • Reads Internet Cache Settings
      • IEXPLORE.EXE (PID: 2464)
      • IEXPLORE.EXE (PID: 560)
    • Adds / modifies Windows certificates
      • IEXPLORE.EXE (PID: 2464)
    • Reads the hosts file
      • chrome.exe (PID: 2996)
      • chrome.exe (PID: 4004)
    • Changes settings of System certificates
      • IEXPLORE.EXE (PID: 2464)
    • Reads internet explorer settings
      • IEXPLORE.EXE (PID: 2464)
      • IEXPLORE.EXE (PID: 560)
    • Application launched itself
      • chrome.exe (PID: 2996)
      • IEXPLORE.EXE (PID: 2012)
    • Creates files in the user directory
      • IEXPLORE.EXE (PID: 2464)
      • IEXPLORE.EXE (PID: 2012)
      • IEXPLORE.EXE (PID: 560)
    • Dropped object may contain Bitcoin addresses
      • IEXPLORE.EXE (PID: 560)
Signature artifacts and the mapping to the MITRE ATT&CK matrix are in the full report.
No malware configuration.

TRiD: .7z | 7-Zip compressed archive (gen) (100)
No data.

Screenshots: all screenshots are available in the full report.
Total processes: 71
Monitored processes: 28
Malicious processes: 1
Suspicious processes: 0

Behavior graph (interactive in the full report). Processes shown: winrar.exe (no specs), c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe, iexplore.exe (three instances), chrome.exe and its child processes (most marked "no specs").

Process information

Both the sample (PID 3468) and the Internet Explorer windows it launched run at HIGH integrity, i.e. the installer was run elevated and IE inherited the elevated token; the user's own Chrome runs at MEDIUM and its sandboxed children at LOW.

PID 3488 | WinRAR.exe | parent: explorer.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\EmailExpressTab-24878311.7z"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin | Company: Alexander Roshal | Integrity level: MEDIUM | Description: WinRAR archiver | Exit code: 0 | Version: 5.60.0

PID 3468 | c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe | parent: explorer.exe
  CMD: "C:\Users\admin\Desktop\c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe"
  Path: C:\Users\admin\Desktop\c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe
  User: admin | Company: SpringTech Ltd. | Integrity level: HIGH | Exit code: 0 | Version: 5.2.0.9

PID 2012 | IEXPLORE.EXE | parent: c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe
  CMD: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://search.hdownloadmyinboxhelper.com/?source=-lp0-bb9-iei-dd&uid=c1e52f49-3470-46c3-918c-a9a4bcb15d58&uc=20190918&ap=appfocus1&i_id=email_spt__1.30
  Path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Internet Explorer | Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2464 | IEXPLORE.EXE | parent: IEXPLORE.EXE
  CMD: "C:\Program Files\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:79873
  Path: C:\Program Files\Internet Explorer\IEXPLORE.EXE
  User: admin | Company: Microsoft Corporation | Integrity level: HIGH | Description: Internet Explorer | Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 2996 | chrome.exe | parent: explorer.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google LLC | Integrity level: MEDIUM | Description: Google Chrome | Exit code: 3221225547 (0xC000004B) | Version: 75.0.3770.100

PID 3776 | chrome.exe | parent: chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6d6ca9d0,0x6d6ca9e0,0x6d6ca9ec
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google LLC | Integrity level: MEDIUM | Description: Google Chrome | Exit code: 0 | Version: 75.0.3770.100

PID 636 | chrome.exe | parent: chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3000 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google LLC | Integrity level: MEDIUM | Description: Google Chrome | Exit code: 0 | Version: 75.0.3770.100

PID 3812 | chrome.exe | parent: chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1012,2265331104311899644,1200611993502303201,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=12789097582829997466 --mojo-platform-channel-handle=1028 --ignored=" --type=renderer " /prefetch:2
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google LLC | Integrity level: LOW | Description: Google Chrome | Exit code: 0 | Version: 75.0.3770.100

PID 4004 | chrome.exe | parent: chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1012,2265331104311899644,1200611993502303201,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=981689702047075961 --mojo-platform-channel-handle=1604 /prefetch:8
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google LLC | Integrity level: MEDIUM | Description: Google Chrome | Exit code: 0 | Version: 75.0.3770.100

PID 3860 | chrome.exe | parent: chrome.exe
  CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1012,2265331104311899644,1200611993502303201,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=6898173943053913369 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1
  Path: C:\Program Files\Google\Chrome\Application\chrome.exe
  User: admin | Company: Google LLC | Integrity level: LOW | Description: Google Chrome | Exit code: 0 | Version: 75.0.3770.100
Total events: 1 426
Read events: 1 148
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 1
Suspicious files: 46
Text files: 255
Unknown types: 16

Dropped files (MD5 and SHA256 values are not shown in this extract)

  • PID 3488 WinRAR.exe: C:\Users\admin\AppData\Local\Temp\Rar$DRb3488.5679\c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d
  • PID 2012 IEXPLORE.EXE: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I0488CJO\favicon[1].ico
  • PID 2012 IEXPLORE.EXE: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  • PID 2464 IEXPLORE.EXE: C:\Users\admin\AppData\Local\Temp\Cab1FB8.tmp
  • PID 2464 IEXPLORE.EXE: C:\Users\admin\AppData\Local\Temp\Tar1FB9.tmp
  • PID 2464 IEXPLORE.EXE: C:\Users\admin\AppData\Local\Temp\Cab1FD9.tmp
  • PID 2464 IEXPLORE.EXE: C:\Users\admin\AppData\Local\Temp\Tar1FDA.tmp
  • PID 2464 IEXPLORE.EXE: C:\Users\admin\AppData\Local\Temp\Cab2049.tmp
  • PID 2464 IEXPLORE.EXE: C:\Users\admin\AppData\Local\Temp\Tar204A.tmp
  • PID 2464 IEXPLORE.EXE: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@hdownloadmyinboxhelper[1].txt
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 16
TCP/UDP connections: 83
DNS requests: 46
Threats: 0

HTTP requests (PID, process, method, HTTP code, IP, URL, CN, type, size, reputation)

  • PID 3468 c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe | GET | no response code recorded | 23.23.51.23:80 | US | reputation: shared
    http://www.browser-tech.com/ies/api.cgi?act=getConfig&id=&rf=1&ver=5.2.0.9&proto=1&ihp=&nto=
  • PID 3468 c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe | GET | 200 | 52.2.163.213:80 | US | image, 109 b | reputation: suspicious
    http://imp.hdownloadmyinboxhelper.com/impression.do?implementation_id=email_spt__1.30&source=-lp0-bb9-iei-dd&sub_id=20190918&traffic_source=appfocus1&user_id=c1e52f49-3470-46c3-918c-a9a4bcb15d58&useragent=Mozilla%2F5.0+(Windows+NT+10.0%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&subid2=8.0.7601.17514&event=ex_accepted
  • PID 4004 chrome.exe | GET | 404 | 34.192.88.201:80 | US | html, 282 b | reputation: shared
    http://www.browser-tech.com/favicon.ico
  • PID 3468 c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe | GET | 500 | 23.23.51.23:80 | US | html, 617 b | reputation: shared
    http://www.browser-tech.com/advplatform/api.cgi?act=postStat&cx=-1&cy=-1&id=&rf=1&ver=5.2.0.9&proto=1
  • PID 2464 IEXPLORE.EXE | GET | 302 | 54.86.196.110:80 | US | html, 285 b | reputation: malicious
    http://search.hdownloadmyinboxhelper.com/?source=-lp0-bb9-iei-dd&uid=c1e52f49-3470-46c3-918c-a9a4bcb15d58&uc=20190918&ap=appfocus1&i_id=email_spt__1.30
  • PID 3468 c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe | GET | 200 | 52.2.163.213:80 | US | image, 109 b | reputation: suspicious
    http://imp.hdownloadmyinboxhelper.com/impression.do?implementation_id=email_spt__1.30&source=-lp0-bb9-iei-dd&sub_id=20190918&traffic_source=appfocus1&user_id=c1e52f49-3470-46c3-918c-a9a4bcb15d58&useragent=Mozilla%2F5.0+(Windows+NT+10.0%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&subid2=8.0.7601.17514&event=ex_shown
  • PID 4004 chrome.exe | GET | 302 | 172.217.22.14:80 | US | html, 513 b | reputation: whitelisted
    http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx
  • PID 2464 IEXPLORE.EXE | GET | 200 | 205.185.216.10:80 | US | compressed, 57.0 Kb | reputation: whitelisted
    http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
  • PID 4004 chrome.exe | GET | 404 | 34.192.88.201:80 | US | html, 282 b | reputation: shared
    http://www.browser-tech.com/download/?d=0&h=1&pnid=4&domain=hemailexpress.co&implementation_id=email_spt_&source=d-ccc3-lp0-cp_1021348764-bb8&adprovider=appfocus1&user_id=fc9f8bea-b4b0-42c6-94c9-d8f54e27eee4&dfn=Email%20Express%20Tab&spo=0&appname=Email%20Express%20Tab&appdesc=Search%20your%20favorite%20Email%20sites%20instantly%20from%20your%20home%20and%20new%20tab%20page!&ies=s,h&sso=
  • PID 3468 c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe | GET | 200 | 52.2.163.213:80 | US | image, 109 b | reputation: suspicious
    http://imp.hdownloadmyinboxhelper.com/impression.do?implementation_id=email_spt__1.30&source=-lp0-bb9-iei-dd&sub_id=20190918&traffic_source=appfocus1&user_id=c1e52f49-3470-46c3-918c-a9a4bcb15d58&useragent=Mozilla%2F5.0+(Windows+NT+10.0%3B+WOW64%3B+Trident%2F7.0%3B+rv%3A11.0)+like+Gecko&subid2=8.0.7601.17514&event=ex_set_hp

Connections (PID, process, IP, domain, ASN, CN, reputation)

  • PID 2012 IEXPLORE.EXE | 13.107.21.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
  • PID 3468 c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe | 23.23.51.23:80 | www.browser-tech.com | Amazon.com, Inc. | US | malicious
  • PID 2464 IEXPLORE.EXE | 54.86.196.110:443 | search.hdownloadmyinboxhelper.com | Amazon.com, Inc. | US | malicious
  • PID 2464 IEXPLORE.EXE | 205.185.216.10:80 | www.download.windowsupdate.com | Highwinds Network Group, Inc. | US | whitelisted
  • PID 3468 c18f6845de650f16fc03597180eb216062fdc4f5eb3935c123b09e73989f558d.exe | 52.2.163.213:80 | imp.hdownloadmyinboxhelper.com | Amazon.com, Inc. | US | suspicious
  • PID 2464 IEXPLORE.EXE | 54.86.196.110:80 | search.hdownloadmyinboxhelper.com | Amazon.com, Inc. | US | malicious
  • PID 2464 IEXPLORE.EXE | 52.50.109.222:443 | appfocus.go2cloud.org | Amazon.com, Inc. | IE | suspicious
  • PID 2464 IEXPLORE.EXE | 143.204.238.218:80 | x.ss2.us | (no ASN shown) | US | unknown
  • PID 4004 chrome.exe | 172.217.16.131:443 | www.google.com.ua | Google Inc. | US | whitelisted
  • PID 4004 chrome.exe | 216.58.208.42:443 | fonts.googleapis.com | Google Inc. | US | whitelisted

DNS requests (domain, resolved IPs, reputation)

  • www.browser-tech.com: 23.23.51.23, 34.192.88.201 (shared)
  • imp.hdownloadmyinboxhelper.com: 52.2.163.213, 54.87.172.192 (unknown)
  • search.hdownloadmyinboxhelper.com: 54.86.196.110, 54.156.85.122 (unknown)
  • www.bing.com: 13.107.21.200, 204.79.197.200 (whitelisted)
  • x.ss2.us: 143.204.238.218, 143.204.238.65, 143.204.238.18, 143.204.238.175 (whitelisted)
  • www.download.windowsupdate.com: 205.185.216.10, 205.185.216.42 (whitelisted)
  • appfocus.go2cloud.org: 52.50.109.222, 54.72.199.154, 52.30.52.254 (shared)
  • imp.onesearch.org: 35.173.75.18, 35.168.129.108 (whitelisted)
  • apis.google.com: 172.217.22.14 (whitelisted)
  • dap2y8k6nefku.cloudfront.net: 143.204.238.82, 143.204.238.50, 143.204.238.57, 143.204.238.64 (whitelisted)
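The HTTP, connection and DNS tables above give the network side of the install. The sample (PID 3468) fetches its configuration from www.browser-tech.com, fires impression.do beacons whose event parameter records the install stage (ex_accepted, then ex_shown, then ex_set_hp once the home page has been changed) and whose user_id reappears as uid in the search URL handed to the Internet Explorer window it spawns. The useragent value inside the beacon is a fixed IE 11 / Windows 10 string even though the guest runs IE 8 on Windows 7, so it is a parameter the installer sends, not the real browser identity. The remaining connections (Google, Bing, Windows Update, CloudFront) are background traffic from the guest's own browsers. The script below is an added example, not ANY.RUN code: it matches proxy-log lines against the IOC hosts and addresses taken from these tables and decodes the beacons per client, so an analyst can see which hosts are infected and how far each install got. The hostnames, IPs and beacon URLs come from the report; the log format (timestamp, client IP, method, URL), the client addresses and the second user_id are constructed for illustration. The IP set is kept separate because every address sits in Amazon space and an IP hit alone is weak evidence.

```python
"""IOC triage for the Email Express Tab adware described in this report.

Added example, not ANY.RUN code. Matches proxy-log lines against the network
IOCs from the report's HTTP, connection and DNS tables and decodes the
impression.do beacons. Log format and log lines are constructed.
"""
from urllib.parse import parse_qs, urlparse

# Hosts contacted by the sample (PID 3468) and the IE window it spawned.
# Google, Bing and Windows Update hosts from the same tables are left out:
# they are benign background traffic from the guest's own browsers.
IOC_HOSTS = {
    "www.browser-tech.com",
    "imp.hdownloadmyinboxhelper.com",
    "search.hdownloadmyinboxhelper.com",
    "appfocus.go2cloud.org",
}
# Whole parent domain of the adware's search/tracking backend.
IOC_DOMAIN_SUFFIXES = ("hdownloadmyinboxhelper.com",)

# Resolved addresses from the DNS table. All are Amazon-hosted, so an IP hit
# on its own is weak evidence; treat it as corroboration, not proof.
IOC_IPS = {
    "23.23.51.23", "34.192.88.201",                     # www.browser-tech.com
    "52.2.163.213", "54.87.172.192",                    # imp.hdownloadmyinboxhelper.com
    "54.86.196.110", "54.156.85.122",                   # search.hdownloadmyinboxhelper.com
    "52.50.109.222", "54.72.199.154", "52.30.52.254",   # appfocus.go2cloud.org
}


def is_ioc_host(host: str) -> bool:
    """True if host is an IOC hostname or IP, or lives under an IOC parent domain."""
    host = host.lower().rstrip(".")
    if host in IOC_HOSTS or host in IOC_IPS:
        return True
    return any(host == s or host.endswith("." + s) for s in IOC_DOMAIN_SUFFIXES)


def decode_beacon(url: str) -> dict:
    """Extract the tracking fields from an adware URL.

    impression.do beacons carry the install stage in `event` and a per-install
    `user_id`; the search redirect carries the same value as `uid`, which is
    the pivot that ties the beacon to the hijacked browser session.
    """
    q = parse_qs(urlparse(url).query)

    def first(key):
        return q.get(key, [None])[0]

    return {
        "event": first("event"),
        "uid": first("user_id") or first("uid"),
        "implementation_id": first("implementation_id") or first("i_id"),
    }


def parse_log_line(line: str) -> dict:
    """Constructed log format: '<timestamp> <client-ip> <method> <url>'."""
    ts, client, method, url = line.split(maxsplit=3)
    return {"ts": ts, "client": client, "method": method, "url": url}


def triage(log_text: str) -> list:
    """Return one hit per log line whose destination matches the IOC set."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_log_line(line)
        host = urlparse(rec["url"]).hostname or ""
        if not is_ioc_host(host):
            continue
        hits.append({**rec, "host": host, **decode_beacon(rec["url"])})
    return hits


def infected_clients(hits: list) -> list:
    """Distinct client IPs that talked to an IOC host, sorted."""
    return sorted({h["client"] for h in hits})


def install_stages(hits: list, client: str) -> list:
    """Beacon events seen from one client, in log order (non-beacon hits dropped)."""
    return [h["event"] for h in hits if h["client"] == client and h["event"]]


# Constructed sample log. URLs are those from the report; clients, timestamps
# and the second user_id are made up. 10.0.0.5 reaches the final stage
# (ex_set_hp, home page changed); 10.0.0.7 only got as far as ex_shown.
SAMPLE_LOG = """\
2019-09-18T20:45:30Z 10.0.0.5 GET http://www.browser-tech.com/ies/api.cgi?act=getConfig&id=&rf=1&ver=5.2.0.9&proto=1&ihp=&nto=
2019-09-18T20:45:31Z 10.0.0.5 GET http://imp.hdownloadmyinboxhelper.com/impression.do?implementation_id=email_spt__1.30&source=-lp0-bb9-iei-dd&user_id=c1e52f49-3470-46c3-918c-a9a4bcb15d58&event=ex_accepted
2019-09-18T20:45:33Z 10.0.0.5 GET http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
2019-09-18T20:45:35Z 10.0.0.5 GET http://search.hdownloadmyinboxhelper.com/?source=-lp0-bb9-iei-dd&uid=c1e52f49-3470-46c3-918c-a9a4bcb15d58&uc=20190918&ap=appfocus1&i_id=email_spt__1.30
2019-09-18T20:45:36Z 10.0.0.5 GET http://imp.hdownloadmyinboxhelper.com/impression.do?implementation_id=email_spt__1.30&user_id=c1e52f49-3470-46c3-918c-a9a4bcb15d58&event=ex_set_hp
2019-09-18T20:46:02Z 10.0.0.7 GET http://imp.hdownloadmyinboxhelper.com/impression.do?implementation_id=email_spt__1.30&user_id=0b9d7f33-1111-4222-8333-444455556666&event=ex_shown
2019-09-18T20:46:05Z 10.0.0.9 GET https://www.google.com/
"""

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for client in infected_clients(found):
        print(client, install_stages(found, client))
```

Run as-is it prints one line per infected client with the beacon stages seen from it. On real proxy or DNS logs, replace parse_log_line with a parser for the actual format; the matching and beacon decoding do not depend on it. The uid value is the most useful pivot: it lets you tie a search.hdownloadmyinboxhelper.com redirect seen from a browser back to the impression.do beacon sent by the installer on the same host.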

Threats (PID, process, class, message)

  • PID 2464 IEXPLORE.EXE | Misc activity | ADWARE [PTsecurity] Application.AdSearch (A)

1 ETPRO signature is available in the full report.
No debug info.