URL: http://ferrelgas.com
Full analysis: https://app.any.run/tasks/9eb2bffe-b25c-4f58-802b-0e90d812e8e1
Verdict: Malicious activity
Analysis date: February 21, 2020, 17:28:42
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5: 7CFBEE88F859A4E9BF3CD7B089AD6021
SHA1: 8A53B87FBA9515EE78AC59442D3D94C29676BF7B
SHA256: CBD5A23CA380D9EB1953A4D6FF8A4BFD5348B4DABDE83E40A6A58378C6026B8F
SSDEEP: 3:N1KYnKIn:CYTn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 2192)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3148)
      • iexplore.exe (PID: 3172)
    • Changes internet zones settings

      • iexplore.exe (PID: 3172)
    • Creates files in the user directory

      • iexplore.exe (PID: 3148)
      • iexplore.exe (PID: 3172)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3148)
    • Manual execution by user

      • chrome.exe (PID: 2192)
    • Reads the hosts file

      • chrome.exe (PID: 2192)
      • chrome.exe (PID: 1232)
    • Application launched itself

      • chrome.exe (PID: 2192)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 3148)
      • iexplore.exe (PID: 3172)
    • Changes settings of System certificates

      • iexplore.exe (PID: 3172)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3172)
Malware configuration: none (no data).
Total processes: 70
Monitored processes: 34
Malicious processes: 0
Suspicious processes: 0

Behavior graph (process tree image omitted): start → iexplore.exe → iexplore.exe; chrome.exe and its child chrome.exe processes, most marked "no specs".

Process information

PID: 3172
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://ferrelgas.com
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 3148
CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3172 CREDAT:267521 /prefetch:2
Path: C:\Program Files\Internet Explorer\iexplore.exe
Parent process: iexplore.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Internet Explorer
Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID: 2192
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe"
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: explorer.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 2696
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6ebaa9d0,0x6ebaa9e0,0x6ebaa9ec
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 348
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3952 --on-initialized-event-handle=324 --parent-handle=328 /prefetch:6
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 3460
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1044,2281785545762161517,14815996722198865169,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAADgAAAgAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=14575763051948177652 --mojo-platform-channel-handle=1060 --ignored=" --type=renderer " /prefetch:2
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Version: 75.0.3770.100

PID: 1232
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=1044,2281785545762161517,14815996722198865169,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --service-request-channel-token=17510949707045437274 --mojo-platform-channel-handle=1564 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Version: 75.0.3770.100

PID: 2848
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,2281785545762161517,14815996722198865169,131072 --enable-features=PasswordImport --lang=en-US --instant-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=1302962207864243904 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2172 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100

PID: 3368
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,2281785545762161517,14815996722198865169,131072 --enable-features=PasswordImport --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=5484865884098360159 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2472 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Version: 75.0.3770.100

PID: 3912
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1044,2281785545762161517,14815996722198865169,131072 --enable-features=PasswordImport --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=7061521932388864069 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2464 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 75.0.3770.100
Total events: 11 563
Read events: 2 030
Write events: 0
Delete events: 0
Modification events: no data

Executable files: 0
Suspicious files: 54
Text files: 265
Unknown types: 18

Dropped files

PID 3172, iexplore.exe
  Filename: C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  Type:
  MD5:
  SHA256:

PID 3148, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Low\Cab8351.tmp
  Type:
  MD5:
  SHA256:

PID 3148, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Low\Tar8352.tmp
  Type:
  MD5:
  SHA256:

PID 3148, iexplore.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\0N7XOESD.txt
  Type:
  MD5:
  SHA256:

PID 3148, iexplore.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\239H7LYX.txt
  Type:
  MD5:
  SHA256:

PID 3148, iexplore.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\8QU1CQCK.txt
  Type: text
  MD5: 47856CEEB6B9B4815A0911BEEF977563
  SHA256: A8E7343D9FCC53C2485CD41A24CF902623510790BC2B98FBB6C43333654647F8

PID 3148, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\MSIMGSIZ.DAT
  Type: smt
  MD5: 35A630E2762596C2FF1FA42BB771C0BC
  SHA256: 1DAD94E78944BC3B1524B1F6E1FB697091E36688AC69845413034D1DAE64DA02

PID 3148, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\453HF2UZ.htm
  Type: html
  MD5: 21834AD833D98D5F13806B8775E3F486
  SHA256: FFE38BA7B983B9CC17AC3A32F2BB83C959D836B57CC0834F8619BA2E38249BB7

PID 3148, iexplore.exe
  Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\DY534W2X\caf[1].js
  Type: text
  MD5: 7DD876FBA6B74E475B62305E2AF9597E
  SHA256: 11A212C8979304C915D80884EAF68E978275C17C54B20A1B8A7A4A8AEE499B88

PID 2192, chrome.exe
  Filename: C:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-5E50136C-890.pma
  Type:
  MD5:
  SHA256:
HTTP(S) requests: 29
TCP/UDP connections: 61
DNS requests: 40
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3148 | iexplore.exe | GET | 200 | 91.195.240.136:80 | http://ww1.ferrelgas.com/?sub1=a579586e-54cf-11ea-8541-366ff543d90f&ec_rls=ogcustKUo0InmKzUjhrpSAzWlFt6NIC21Q_WDJvSonP0AuykVCvjyJUkTWsvdhh0v8x61npkH1cS5cBEQsYnTHOnpPfwfIx8UUcO8YRC9ufJcKYv4_cwgBrb9B83cQavDhr7J0IPkUSEI3fZZq-atTp2gQ1ACsj9Hpo3EV23EsdiP2yhFk3QqdNPVBTbEwOpns | DE | html | 21.7 Kb | malicious
3148 | iexplore.exe | GET | 200 | 205.234.175.175:80 | http://img.sedoparking.com/js/jquery-1.11.3.custom.min.js | US | text | 24.5 Kb | whitelisted
3148 | iexplore.exe | GET | 200 | 205.234.175.175:80 | http://img.sedoparking.com/templates/brick_gfx/common/logo_2016_bbbbbb.svg | US | image | 2.02 Kb | whitelisted
3148 | iexplore.exe | GET | 200 | 172.217.22.4:80 | http://www.google.com/adsense/domains/caf.js | US | text | 55.5 Kb | whitelisted
3148 | iexplore.exe | GET | 200 | 172.217.23.163:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted
3148 | iexplore.exe | GET | 200 | 172.217.23.163:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDvdxhhS3x8DggAAAAALnGY | US | der | 472 b | whitelisted
3148 | iexplore.exe | GET | 200 | 172.217.23.163:80 | http://ocsp.pki.goog/gts1o1/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQDvdxhhS3x8DggAAAAALnGY | US | der | 472 b | whitelisted
1232 | chrome.exe | GET | 200 | 91.195.240.136:80 | http://ww1.ferrelgas.com/?sub1=a579586e-54cf-11ea-8541-366ff543d90f&ec_rls=ogcustKUo0InmKzUjhrpSAzWlFt6NIC21Q_WDJvSonP0AuykVCvjyJUkTWsvdhh0v8x61npkH1cS5cBEQsYnTHOnpPfwfIx8UUcO8YRC9ufJcKYv4_cwgBrb9B83cQavDhr7J0IPkUSEI3fZZq-atTp2gQ1ACsj9Hpo3EV23EsdiP2yhFk3QqdNPVBTbEwOpns | DE | html | 21.8 Kb | malicious
1232 | chrome.exe | GET | 200 | 205.234.175.175:80 | http://img.sedoparking.com/js/jquery-1.11.3.custom.min.js | US | text | 24.5 Kb | whitelisted
3148 | iexplore.exe | GET | 200 | 172.217.23.163:80 | http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D | US | der | 468 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3148 | iexplore.exe | 69.162.80.61:80 | ferrelgas.com | Limestone Networks, Inc. | US | malicious
3148 | iexplore.exe | 172.217.22.4:80 | www.google.com | Google Inc. | US | whitelisted
3172 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3148 | iexplore.exe | 91.195.240.136:80 | ww1.ferrelgas.com | SEDO GmbH | DE | malicious
3148 | iexplore.exe | 172.217.22.4:443 | www.google.com | Google Inc. | US | whitelisted
3148 | iexplore.exe | 205.234.175.175:80 | img.sedoparking.com | CacheNetworks, Inc. | US | suspicious
3148 | iexplore.exe | 172.217.23.163:80 | ocsp.pki.goog | Google Inc. | US | whitelisted
3148 | iexplore.exe | 216.58.210.3:80 | www.gstatic.com | Google Inc. | US | whitelisted
1232 | chrome.exe | 172.217.18.10:443 | fonts.googleapis.com | Google Inc. | US | whitelisted
1232 | chrome.exe | 216.58.210.3:443 | www.gstatic.com | Google Inc. | US | whitelisted

DNS requests

Domain | IP | Reputation
ferrelgas.com | 69.162.80.61 | malicious
api.bing.com | 13.107.5.80 | whitelisted
www.bing.com | 13.107.21.200, 204.79.197.200 | whitelisted
ww1.ferrelgas.com | 91.195.240.136 | malicious
img.sedoparking.com | 205.234.175.175 | whitelisted
www.google.com | 172.217.22.4 | whitelisted
www.gstatic.com | 216.58.210.3 | whitelisted
ocsp.pki.goog | 172.217.23.163 | whitelisted
clientservices.googleapis.com | 172.217.21.227 | whitelisted
accounts.google.com | 216.58.207.45 | shared

Threats

PID | Process | Class | Message
1232 | chrome.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request

No debug info