| URL: | https://secure.sharefile.com/Authentication/Login#ForgotPassword |
| Full analysis: | https://app.any.run/tasks/f79dd953-d6a6-45ad-a790-836fd0111ac0 |
| Verdict: | Malicious activity |
| Analysis date: | December 06, 2018, 06:09:39 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MD5: | 998297C33487AB45A4C38B84EC3B871A |
| SHA1: | 1804929EB9FBF9F5D41D49B256DE7B9D06A6EC8C |
| SHA256: | DB2FB1ADCFD78967FC2067C136FF322A707F244648CC8464511200EB8F684E96 |
| SSDEEP: | 3:N8N3uKEL4kadfJROFn:2ZuKEL4xfI |
MALICIOUS
Application was dropped or rewritten from another process
- setup-stub.exe (PID: 3492)
- Firefox Installer.exe (PID: 2200)
- setup.exe (PID: 1132)
- setup-stub.exe (PID: 2708)
- maintenanceservice_installer.exe (PID: 2544)
- maintenanceservice.exe (PID: 3164)
- ns810B.tmp (PID: 3008)
- firefox.exe (PID: 3776)
- firefox.exe (PID: 2336)
- firefox.exe (PID: 3164)
- firefox.exe (PID: 2132)
Loads dropped or rewritten executable
- setup-stub.exe (PID: 3492)
- setup-stub.exe (PID: 2708)
- maintenanceservice_installer.exe (PID: 2544)
- firefox.exe (PID: 2336)
- firefox.exe (PID: 2132)
- setup.exe (PID: 1132)
- firefox.exe (PID: 3776)
- firefox.exe (PID: 3164)
SUSPICIOUS
Executable content was dropped or overwritten
- setup-stub.exe (PID: 3492)
- iexplore.exe (PID: 2920)
- iexplore.exe (PID: 2604)
- Firefox Installer.exe (PID: 2200)
- setup.exe (PID: 1132)
- setup-stub.exe (PID: 2708)
- download.exe (PID: 284)
- maintenanceservice_installer.exe (PID: 2544)
- firefox.exe (PID: 3776)
Application launched itself
- setup-stub.exe (PID: 3492)
Creates files in the program directory
- setup-stub.exe (PID: 2708)
- maintenanceservice_installer.exe (PID: 2544)
- maintenanceservice.exe (PID: 3164)
- setup.exe (PID: 1132)
Modifies the open verb of a shell class
- setup.exe (PID: 1132)
Starts application with an unusual extension
- setup.exe (PID: 1132)
Creates a software uninstall entry
- maintenanceservice_installer.exe (PID: 2544)
- setup.exe (PID: 1132)
Creates files in the user directory
- setup.exe (PID: 1132)
Loads DLL from Mozilla Firefox
- setup.exe (PID: 1132)
Creates COM task schedule object
- setup.exe (PID: 1132)
INFO
Reads internet explorer settings
- iexplore.exe (PID: 3192)
- iexplore.exe (PID: 1488)
- iexplore.exe (PID: 2604)
Creates files in the user directory
- iexplore.exe (PID: 1488)
- FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2632)
- firefox.exe (PID: 3776)
Reads Internet Cache Settings
- iexplore.exe (PID: 3192)
- iexplore.exe (PID: 1488)
- iexplore.exe (PID: 2604)
Reads settings of System Certificates
- iexplore.exe (PID: 2920)
- firefox.exe (PID: 3776)
Application launched itself
- iexplore.exe (PID: 2920)
- firefox.exe (PID: 3776)
Changes internet zones settings
- iexplore.exe (PID: 2920)
Adds / modifies Windows certificates
- iexplore.exe (PID: 2920)
Changes settings of System certificates
- iexplore.exe (PID: 2920)
Dropped object may contain Bitcoin addresses
- iexplore.exe (PID: 1488)
- firefox.exe (PID: 3776)
Reads CPU info
- firefox.exe (PID: 3776)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
53
Monitored processes
17
Malicious processes
12
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 284 | "C:\Users\admin\AppData\Local\Temp\nsc4289.tmp\download.exe" /INI=C:\Users\admin\AppData\Local\Temp\nsc4289.tmp\config.ini | C:\Users\admin\AppData\Local\Temp\nsc4289.tmp\download.exe | setup-stub.exe | ||||||||||||
User: admin Company: Mozilla Integrity Level: HIGH Description: Firefox Exit code: 0 Version: 18.05 Modules
| |||||||||||||||
| 1132 | .\setup.exe /INI=C:\Users\admin\AppData\Local\Temp\nsc4289.tmp\config.ini | C:\Users\admin\AppData\Local\Temp\7zSC118D65A\setup.exe | download.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: HIGH Description: Firefox Installer Exit code: 0 Version: 63.0.3 Modules
| |||||||||||||||
| 1488 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2920 CREDAT:203009 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2132 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3776.0.679522072\1054372570" -childID 1 -isForBrowser -prefsHandle 1840 -prefMapHandle 1208 -prefsLen 1 -prefMapSize 178740 -schedulerPrefs 0001,2 -parentBuildID 20181114214635 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3776 "\\.\pipe\gecko-crash-server-pipe.3776" 1896 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 63.0.3 Modules
| |||||||||||||||
| 2200 | "C:\Users\admin\Downloads\Firefox Installer.exe" | C:\Users\admin\Downloads\Firefox Installer.exe | iexplore.exe | ||||||||||||
User: admin Company: Mozilla Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 18.05 Modules
| |||||||||||||||
| 2336 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3776.6.1811442278\1829059301" -childID 2 -isForBrowser -prefsHandle 1100 -prefMapHandle 1824 -prefsLen 41 -prefMapSize 178740 -schedulerPrefs 0001,2 -parentBuildID 20181114214635 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 3776 "\\.\pipe\gecko-crash-server-pipe.3776" 1792 tab | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 63.0.3 Modules
| |||||||||||||||
| 2544 | "C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe" | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | ns810B.tmp | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: HIGH Description: Mozilla Maintenance Service Installer Exit code: 0 Version: 63.0.3 Modules
| |||||||||||||||
| 2604 | "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2920 CREDAT:203010 | C:\Program Files\Internet Explorer\iexplore.exe | iexplore.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Internet Explorer Exit code: 0 Version: 8.00.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 2632 | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -Embedding | C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe | — | svchost.exe | |||||||||||
User: admin Company: Adobe Systems Incorporated Integrity Level: MEDIUM Description: Adobe® Flash® Player Installer/Uninstaller 26.0 r0 Exit code: 0 Version: 26,0,0,131 Modules
| |||||||||||||||
| 2708 | "C:\Users\admin\AppData\Local\Temp\7zS89828B1A\setup-stub.exe" /UAC:40290 /NCRC | C:\Users\admin\AppData\Local\Temp\7zS89828B1A\setup-stub.exe | setup-stub.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: HIGH Description: Firefox Installer Exit code: 0 Version: 63.0.3 Modules
| |||||||||||||||
Total events
3 450
Read events
3 053
Write events
374
Delete events
23
Modification events
| (PID) Process: | (2920) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main |
| Operation: | write | Name: | CompatibilityFlags |
Value: 0 | |||
| (PID) Process: | (2920) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | UNCAsIntranet |
Value: 0 | |||
| (PID) Process: | (2920) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap |
| Operation: | write | Name: | AutoDetect |
Value: 1 | |||
| (PID) Process: | (2920) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones |
| Operation: | write | Name: | SecuritySafe |
Value: 1 | |||
| (PID) Process: | (2920) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
| Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
| (PID) Process: | (2920) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
| Operation: | write | Name: | SavedLegacySettings |
Value: 4600000069000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000 | |||
| (PID) Process: | (2920) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery\Active |
| Operation: | write | Name: | {931B0C15-F91D-11E8-BAD8-5254004A04AF} |
Value: 0 | |||
| (PID) Process: | (2920) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Type |
Value: 4 | |||
| (PID) Process: | (2920) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Count |
Value: 3 | |||
| (PID) Process: | (2920) iexplore.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2670000A-7350-4F3C-8081-5663EE0C6C49}\iexplore |
| Operation: | write | Name: | Time |
Value: E2070C000400060006000A000600FE02 | |||
Executable files
169
Suspicious files
133
Text files
240
Unknown types
135
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2920 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
| 2920 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | — | |
MD5:— | SHA256:— | |||
| 2920 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico | — | |
MD5:— | SHA256:— | |||
| 1488 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\internet-explorer-downloads[1].txt | — | |
MD5:— | SHA256:— | |||
| 3192 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\MSHist012018120620181207\index.dat | dat | |
MD5:— | SHA256:— | |||
| 2920 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012018120620181207\index.dat | dat | |
MD5:— | SHA256:— | |||
| 1488 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\override[1].css | text | |
MD5:— | SHA256:— | |||
| 1488 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\Low\admin@microsoft[2].txt | text | |
MD5:— | SHA256:— | |||
| 1488 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\bf-d3d307[1] | text | |
MD5:— | SHA256:— | |||
| 3192 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\OCDM6JB6\fonts[1].css | text | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
29
TCP/UDP connections
101
DNS requests
146
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
2708 | setup-stub.exe | GET | 200 | 52.10.26.75:80 | http://download-stats.mozilla.org/stub/v8/release/release/en-US/0/0/6/1/7601/1/0/0/2/0/42449032/42449032/0/0/4/4/0/0/22/1/0/0/1/61.0.2/20180807170231/63.0.3/20181114214635/1/1/0/3/52.222.152.199/0/0/0 | US | — | — | whitelisted |
3776 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3776 | firefox.exe | POST | 200 | 216.58.215.238:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted |
3776 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3776 | firefox.exe | POST | 200 | 188.121.36.239:80 | http://ocsp.godaddy.com/ | NL | der | 1.74 Kb | whitelisted |
3776 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3776 | firefox.exe | POST | 200 | 188.121.36.239:80 | http://ocsp.godaddy.com/ | NL | der | 1.74 Kb | whitelisted |
3776 | firefox.exe | POST | 200 | 216.58.215.238:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted |
3776 | firefox.exe | POST | 200 | 216.58.215.238:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted |
3776 | firefox.exe | POST | 200 | 216.58.215.238:80 | http://ocsp.pki.goog/GTSGIAG3 | US | der | 463 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
2920 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted |
2920 | iexplore.exe | 52.22.72.157:443 | secure.sharefile.com | Amazon.com, Inc. | US | unknown |
3192 | iexplore.exe | 52.22.72.157:443 | secure.sharefile.com | Amazon.com, Inc. | US | unknown |
1488 | iexplore.exe | 2.16.186.26:443 | statics-uhf-neu.akamaized.net | Akamai International B.V. | — | whitelisted |
1488 | iexplore.exe | 104.109.67.247:443 | mem.gfx.ms | Akamai International B.V. | NL | whitelisted |
1488 | iexplore.exe | 2.21.41.70:443 | www.microsoft.com | GTT Communications Inc. | FR | malicious |
1488 | iexplore.exe | 2.16.186.40:443 | img-prod-cms-rt-microsoft-com.akamaized.net | Akamai International B.V. | — | whitelisted |
2920 | iexplore.exe | 2.21.41.70:443 | www.microsoft.com | GTT Communications Inc. | FR | malicious |
1488 | iexplore.exe | 2.21.36.173:443 | support.microsoft.com | GTT Communications Inc. | FR | malicious |
1488 | iexplore.exe | 23.37.60.23:443 | windows.microsoft.com | Akamai Technologies, Inc. | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
www.bing.com |
| whitelisted |
secure.sharefile.com |
| whitelisted |
windows.microsoft.com |
| whitelisted |
support.microsoft.com |
| malicious |
statics-uhf-neu.akamaized.net |
| whitelisted |
mem.gfx.ms |
| whitelisted |
www.microsoft.com |
| whitelisted |
img-prod-cms-rt-microsoft-com.akamaized.net |
| whitelisted |
www.getfirefox.com |
| suspicious |
www.mozilla.org |
| whitelisted |