analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://www.mediafire.com/file/if4bbi7lqm6km7h/INVOICE_FOR_2019_PAID.rar/file

Full analysis: https://app.any.run/tasks/d0fd38b3-7eb4-4529-96ea-eb24593256ed
Verdict: Malicious activity
Analysis date: January 11, 2019, 03:04:47
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

BC7173B9E943C4D477549003E02FD9AB

SHA1:

83B32D2C65A71D15E5C273D98D2E9B9DEEB42618

SHA256:

D54D39CFD49211BD09DDD45C7E971364AAEB6B1D12137DA5195C13A35F765937

SSDEEP:

3:N8DSLw3eGUoCnRTOvNX6vgaKcA:2OLw3eGenRCvNX6v0cA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • INVOICE FOR 2019 PAID.exe (PID: 2824)
      • INVOICE FOR 2019 PAID.exe (PID: 3212)
  • SUSPICIOUS

    • Application launched itself

      • INVOICE FOR 2019 PAID.exe (PID: 3212)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2760)
  • INFO

    • Reads CPU info

      • firefox.exe (PID: 1144)
      • firefox.exe (PID: 2700)
      • firefox.exe (PID: 3020)
      • firefox.exe (PID: 3180)
    • Reads Internet Cache Settings

      • firefox.exe (PID: 3020)
    • Application launched itself

      • firefox.exe (PID: 3020)
    • Creates files in the user directory

      • firefox.exe (PID: 3020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
37
Monitored processes
7
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start firefox.exe firefox.exe firefox.exe firefox.exe winrar.exe invoice for 2019 paid.exe no specs invoice for 2019 paid.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3020"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.mediafire.com/file/if4bbi7lqm6km7h/INVOICE_FOR_2019_PAID.rar/fileC:\Program Files\Mozilla Firefox\firefox.exe
explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
61.0.2
2700"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.0.1907529621\1609618617" -childID 1 -isForBrowser -prefsHandle 1320 -prefsLen 8310 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 1364 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
61.0.2
1144"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.6.248971301\1058499419" -childID 2 -isForBrowser -prefsHandle 2296 -prefsLen 11442 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 2468 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
61.0.2
3180"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.12.1594092730\1014574154" -childID 3 -isForBrowser -prefsHandle 2740 -prefsLen 12017 -schedulerPrefs 0001,2 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 2936 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
61.0.2
2760"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\INVOICE FOR 2019 PAID.rar"C:\Program Files\WinRAR\WinRAR.exe
firefox.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3212"C:\Users\admin\AppData\Local\Temp\Rar$EXa2760.41993\INVOICE FOR 2019 PAID.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2760.41993\INVOICE FOR 2019 PAID.exeWinRAR.exe
User:
admin
Company:
precanaanitic
Integrity Level:
MEDIUM
Description:
Goons
Exit code:
0
Version:
3.05.0003
2824C:\Users\admin\AppData\Local\Temp\Rar$EXa2760.41993\INVOICE FOR 2019 PAID.exe" C:\Users\admin\AppData\Local\Temp\Rar$EXa2760.41993\INVOICE FOR 2019 PAID.exeINVOICE FOR 2019 PAID.exe
User:
admin
Company:
precanaanitic
Integrity Level:
MEDIUM
Description:
Goons
Version:
3.05.0003
Total events
1 000
Read events
969
Write events
31
Delete events
0

Modification events

(PID) Process:(3020) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(3020) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
(PID) Process:(3020) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
0
(PID) Process:(3020) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
1
(PID) Process:(3020) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.rar\OpenWithProgids
Operation:writeName:WinRAR
Value:
(PID) Process:(2760) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(2760) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(2760) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\5F\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(2760) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\INVOICE FOR 2019 PAID.rar
(PID) Process:(2760) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
Executable files
3
Suspicious files
47
Text files
9
Unknown types
22

Dropped files

PID
Process
Filename
Type
3020firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
MD5:
SHA256:
3020firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
3020firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
3020firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
MD5:
SHA256:
3020firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cert9.db-journal
MD5:
SHA256:
3020firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
MD5:
SHA256:
3020firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
MD5:
SHA256:
3020firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3561288849sdhlie.sqlite-shm
MD5:
SHA256:
3020firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\cache2\entries\5836DD6DFF0C68E2B20366BE50746F3F507BF9BFder
MD5:0FF715554B369B1C0F9CD0719F61F84E
SHA256:481267B8551D1EF6940A123EFE51BB158B10FAF2CD62C002AA6C9D5DBC6CF9CD
3020firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\safebrowsing-updating\base-track-digest256.sbstorebinary
MD5:CD82F4495EAFE523B9B6B938C828611B
SHA256:576A0D2C3AD8D66BB202439B18F9FD563F92D9DDD9582A3C4CCE0ECAFD4F0908
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
11
DNS requests
30
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3020
firefox.exe
POST
200
216.58.207.46:80
http://ocsp.pki.goog/GTSGIAG3
US
der
463 b
whitelisted
3020
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3020
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3020
firefox.exe
GET
200
2.16.186.50:80
http://detectportal.firefox.com/success.txt
unknown
text
8 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3020
firefox.exe
104.19.194.29:443
www.mediafire.com
Cloudflare Inc
US
shared
3020
firefox.exe
2.16.186.50:80
detectportal.firefox.com
Akamai International B.V.
whitelisted
3020
firefox.exe
216.58.207.46:80
ocsp.pki.goog
Google Inc.
US
whitelisted
3020
firefox.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3020
firefox.exe
172.217.16.138:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
3020
firefox.exe
52.89.32.107:443
search.r53-2.services.mozilla.com
Amazon.com, Inc.
US
unknown
3020
firefox.exe
52.10.130.148:443
tiles.services.mozilla.com
Amazon.com, Inc.
US
unknown
3020
firefox.exe
52.222.161.24:443
tracking-protection.cdn.mozilla.net
Amazon.com, Inc.
US
unknown
3020
firefox.exe
199.91.153.116:443
download1869.mediafire.com
MediaFire, LLC
US
unknown
3020
firefox.exe
52.33.113.226:443
shavar.services.mozilla.com
Amazon.com, Inc.
US
unknown

DNS requests

Domain
IP
Reputation
detectportal.firefox.com
  • 2.16.186.50
  • 2.16.186.112
whitelisted
www.mediafire.com
  • 104.19.194.29
  • 104.19.195.29
shared
a1089.dscd.akamai.net
  • 2.16.186.112
  • 2.16.186.50
whitelisted
search.r53-2.services.mozilla.com
  • 34.216.89.123
  • 52.27.184.151
  • 52.89.32.107
whitelisted
search.services.mozilla.com
  • 52.89.32.107
  • 52.27.184.151
  • 34.216.89.123
whitelisted
tiles.services.mozilla.com
  • 52.10.130.148
  • 52.39.131.77
  • 34.216.156.21
  • 52.34.107.172
  • 52.25.70.97
  • 35.166.45.24
  • 52.41.60.30
  • 52.40.109.206
whitelisted
tiles.r53-2.services.mozilla.com
  • 52.40.109.206
  • 52.41.60.30
  • 35.166.45.24
  • 52.25.70.97
  • 52.34.107.172
  • 34.216.156.21
  • 52.39.131.77
  • 52.10.130.148
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
cs9.wac.phicdn.net
  • 93.184.220.29
whitelisted
download1869.mediafire.com
  • 199.91.153.116
unknown

Threats

No threats detected
No debug info