analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

foundation.html

Full analysis: https://app.any.run/tasks/db6397d0-1750-44a0-8cd2-b8de80240b6a
Verdict: Malicious activity
Analysis date: January 14, 2022, 19:38:32
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/html
File info: HTML document, ASCII text, with very long lines, with CRLF line terminators
MD5:

59D49D263BB8BF998CCF010D64B2D400

SHA1:

753B2162098FE4FAD292C945C93410D3EDE0F23F

SHA256:

D10B1C12359D1D1A8383A74BEC31EA64EC283C133385D1AAE321E23C1B9DFDC2

SSDEEP:

192:IttNuyhY+vKb3Q2sEg50LO3gg+5PprfiMX7XFQ+:mZKrQSg50L3h1JbrXFz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • iexplore.exe (PID: 3480)

    • Modifies files in Chrome extension folder

      • chrome.exe (PID: 3656)

  • INFO

    • Checks supported languages

      • explorer.exe (PID: 2776)
      • iexplore.exe (PID: 1888)
      • iexplore.exe (PID: 3696)
      • iexplore.exe (PID: 3480)
      • chrome.exe (PID: 3656)
      • chrome.exe (PID: 3432)
      • chrome.exe (PID: 3760)
      • chrome.exe (PID: 2276)
      • chrome.exe (PID: 1028)
      • chrome.exe (PID: 3064)
      • chrome.exe (PID: 564)
      • chrome.exe (PID: 2056)
      • chrome.exe (PID: 1496)
      • chrome.exe (PID: 3204)
      • chrome.exe (PID: 2776)
      • chrome.exe (PID: 2296)
      • chrome.exe (PID: 4048)
      • chrome.exe (PID: 2932)

    • Reads the computer name

      • iexplore.exe (PID: 1888)
      • explorer.exe (PID: 2776)
      • iexplore.exe (PID: 3480)
      • iexplore.exe (PID: 3696)
      • chrome.exe (PID: 3656)
      • chrome.exe (PID: 3760)
      • chrome.exe (PID: 1028)
      • chrome.exe (PID: 2056)
      • chrome.exe (PID: 2932)
      • chrome.exe (PID: 3204)
      • chrome.exe (PID: 2776)

    • Checks Windows Trust Settings

      • iexplore.exe (PID: 3696)

    • Changes internet zones settings

      • iexplore.exe (PID: 3696)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3480)

    • Application launched itself

      • iexplore.exe (PID: 3696)
      • iexplore.exe (PID: 3480)
      • chrome.exe (PID: 3656)

    • Manual execution by user

      • explorer.exe (PID: 2776)
      • chrome.exe (PID: 3656)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3696)
      • chrome.exe (PID: 3760)

    • Reads the hosts file

      • chrome.exe (PID: 3656)
      • chrome.exe (PID: 3760)

    • Reads the date of Windows installation

      • iexplore.exe (PID: 3696)
      • chrome.exe (PID: 2776)

    • Creates files in the user directory

      • iexplore.exe (PID: 3696)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.html | HyperText Markup Language (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
60
Monitored processes
18
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe iexplore.exe no specs iexplore.exe no specs explorer.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3696"C:\Program Files\Internet Explorer\iexplore.exe" "C:\Users\admin\AppData\Local\Temp\foundation.html"C:\Program Files\Internet Explorer\iexplore.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
1
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
3480"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3696 CREDAT:144385 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
1888"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3696 CREDAT:333057 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exeiexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2776"C:\Windows\explorer.exe" C:\Windows\explorer.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3656"C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\admin\AppData\Local\Temp\foundation.htmlC:\Program Files\Google\Chrome\Application\chrome.exe
Explorer.EXE
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
86.0.4240.198
3432"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=86.0.4240.198 --initial-client-data=0xc8,0xcc,0xd0,0x9c,0xd4,0x6ef8d988,0x6ef8d998,0x6ef8d9a4C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
86.0.4240.198
1028"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1052,17032843266701052223,7622012775189221704,131072 --enable-features=PasswordImport --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1068 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
86.0.4240.198
3760"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1052,17032843266701052223,7622012775189221704,131072 --enable-features=PasswordImport --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1344 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
86.0.4240.198
3064"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,17032843266701052223,7622012775189221704,131072 --enable-features=PasswordImport --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1892 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
86.0.4240.198
564"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1052,17032843266701052223,7622012775189221704,131072 --enable-features=PasswordImport --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1884 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
86.0.4240.198
Total events
17 231
Read events
16 991
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
123
Text files
92
Unknown types
10

Dropped files

PID
Process
Filename
Type
3656chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-61E1D154-E48.pma
MD5:
SHA256:
3696iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157binary
MD5:FFE1B94E8BC44EB1A0FD7038A62733C6
SHA256:4239D7EF61C7CA8ADB69AC05239DB8DE8421A688E7344C3C6823598B2746BD25
3656chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Session Storage\LOG.old~RF199706.TMPtext
MD5:B628564B8042F6E2CC2F53710AAECDC0
SHA256:1D3B022BDEE9F48D79E3EC1E93F519036003642D3D72D10B05CFD47F43EFBF13
3696iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63der
MD5:AC68ACF50745357D4EA92B214D9E7132
SHA256:AE3F7FDE380D2D90571A61378E52B1BC284B4C4C6A1E099F6F022395EBED6154
3696iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63binary
MD5:4AA0B08C57DE491183D2CE6839B9974F
SHA256:A8696985BF0EC9D049EA2942C3BE7C897F3937D7ADD3737BCCD3A6F9087BA508
3656chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\LOG.oldtext
MD5:8FF312A95D60ED89857FEB720D80D4E1
SHA256:946A57FAFDD28C3164D5AB8AB4971B21BD5EC5BFFF7554DBF832CB58CC37700B
3696iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\PO2HN1X2\favicon[2].icoimage
MD5:DA597791BE3B6E732F0BC8B20E38EE62
SHA256:5B2C34B3C4E8DD898B664DBA6C3786E2FF9869EFF55D673AA48361F11325ED07
3656chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.oldtext
MD5:7721CDA9F5B73CE8A135471EB53B4E0E
SHA256:DD730C576766A46FFC84E682123248ECE1FF1887EC0ACAB22A5CE93A450F4500
3656chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ca14a83f-5c06-4e5d-9275-c58d36bd7b32.tmpbinary
MD5:5058F1AF8388633F609CADB75A75DC9D
SHA256:CDB4EE2AEA69CC6A83331BBE96DC2CAA9A299D21329EFB0336FC02A82E1839A8
3656chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Platform Notifications\LOG.old~RF199706.TMPtext
MD5:109A25C32EE1132ECD6D9F3ED9ADF01A
SHA256:DA6028DB9485C65E683643658326F02B1D0A1566DE14914EF28E5248EB94F0DD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
18
DNS requests
17
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3696
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
3696
iexplore.exe
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
3760
chrome.exe
GET
302
142.250.184.206:80
http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx
US
html
592 b
whitelisted
3760
chrome.exe
GET
200
74.125.100.102:80
http://r1---sn-5hnekn7z.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&mh=e_&mip=157.97.122.3&mm=28&mn=sn-5hnekn7z&ms=nvh&mt=1642188739&mv=m&mvi=1&pl=24&rmhost=r3---sn-5hnekn7z.gvt1.com&shardbypass=yes&smhost=r3---sn-5hneknee.gvt1.com
US
crx
242 Kb
whitelisted
3696
iexplore.exe
GET
200
2.16.106.171:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?ad6a22618cbe3cbc
unknown
compressed
4.70 Kb
whitelisted
3696
iexplore.exe
GET
200
2.16.106.171:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?f0b7bcf304fd8e88
unknown
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3696
iexplore.exe
204.79.197.200:443
www.bing.com
Microsoft Corporation
US
whitelisted
3760
chrome.exe
142.250.74.195:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3760
chrome.exe
142.250.185.238:443
clients2.google.com
Google Inc.
US
whitelisted
142.250.184.206:80
redirector.gvt1.com
Google Inc.
US
whitelisted
3760
chrome.exe
142.250.184.237:443
accounts.google.com
Google Inc.
US
suspicious
3760
chrome.exe
172.217.16.131:443
update.googleapis.com
Google Inc.
US
whitelisted
3696
iexplore.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3696
iexplore.exe
2.16.106.171:80
ctldl.windowsupdate.com
Akamai International B.V.
whitelisted
3760
chrome.exe
74.125.100.102:80
r1---sn-5hnekn7z.gvt1.com
Google Inc.
US
whitelisted
3760
chrome.exe
142.250.186.35:443
ssl.gstatic.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
api.bing.com
  • 13.107.13.80
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
ctldl.windowsupdate.com
  • 2.16.106.171
  • 2.16.106.186
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
dns.msftncsi.com
  • 131.107.255.255
shared
clientservices.googleapis.com
  • 142.250.74.195
whitelisted
accounts.google.com
  • 142.250.184.237
shared
clients2.google.com
  • 142.250.185.238
whitelisted
valdia.quatiappcn.pw
  • 172.67.211.252
  • 104.21.53.100
malicious
r20swj13mr.microsoft.com
  • 152.199.19.161
whitelisted

Threats

PID
Process
Class
Message
Potentially Bad Traffic
ET DNS Query to a *.pw domain - Likely Hostile
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
foundation.html