analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://secure.sharefile.com/Authentication/Login#ForgotPassword

Full analysis: https://app.any.run/tasks/f79dd953-d6a6-45ad-a790-836fd0111ac0
Verdict: Malicious activity
Analysis date: December 06, 2018, 06:09:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

998297C33487AB45A4C38B84EC3B871A

SHA1:

1804929EB9FBF9F5D41D49B256DE7B9D06A6EC8C

SHA256:

DB2FB1ADCFD78967FC2067C136FF322A707F244648CC8464511200EB8F684E96

SSDEEP:

3:N8N3uKEL4kadfJROFn:2ZuKEL4xfI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • Firefox Installer.exe (PID: 2200)
      • setup-stub.exe (PID: 2708)
      • setup-stub.exe (PID: 3492)
      • setup.exe (PID: 1132)
      • maintenanceservice_installer.exe (PID: 2544)
      • maintenanceservice.exe (PID: 3164)
      • ns810B.tmp (PID: 3008)
      • firefox.exe (PID: 2132)
      • firefox.exe (PID: 3776)
      • firefox.exe (PID: 2336)
      • firefox.exe (PID: 3164)

    • Loads dropped or rewritten executable

      • setup-stub.exe (PID: 2708)
      • setup-stub.exe (PID: 3492)
      • setup.exe (PID: 1132)
      • maintenanceservice_installer.exe (PID: 2544)
      • firefox.exe (PID: 3776)
      • firefox.exe (PID: 2132)
      • firefox.exe (PID: 2336)
      • firefox.exe (PID: 3164)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • iexplore.exe (PID: 2920)
      • Firefox Installer.exe (PID: 2200)
      • iexplore.exe (PID: 2604)
      • setup-stub.exe (PID: 3492)
      • setup-stub.exe (PID: 2708)
      • download.exe (PID: 284)
      • setup.exe (PID: 1132)
      • maintenanceservice_installer.exe (PID: 2544)
      • firefox.exe (PID: 3776)

    • Application launched itself

      • setup-stub.exe (PID: 3492)

    • Creates files in the program directory

      • setup-stub.exe (PID: 2708)
      • maintenanceservice_installer.exe (PID: 2544)
      • maintenanceservice.exe (PID: 3164)
      • setup.exe (PID: 1132)

    • Loads DLL from Mozilla Firefox

      • setup.exe (PID: 1132)

    • Creates COM task schedule object

      • setup.exe (PID: 1132)

    • Modifies the open verb of a shell class

      • setup.exe (PID: 1132)

    • Creates a software uninstall entry

      • setup.exe (PID: 1132)
      • maintenanceservice_installer.exe (PID: 2544)

    • Starts application with an unusual extension

      • setup.exe (PID: 1132)

    • Creates files in the user directory

      • setup.exe (PID: 1132)

  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 1488)
      • iexplore.exe (PID: 3192)
      • iexplore.exe (PID: 2604)

    • Reads internet explorer settings

      • iexplore.exe (PID: 3192)
      • iexplore.exe (PID: 1488)
      • iexplore.exe (PID: 2604)

    • Application launched itself

      • iexplore.exe (PID: 2920)
      • firefox.exe (PID: 3776)

    • Changes internet zones settings

      • iexplore.exe (PID: 2920)

    • Creates files in the user directory

      • iexplore.exe (PID: 1488)
      • FlashUtil32_26_0_0_131_ActiveX.exe (PID: 2632)
      • firefox.exe (PID: 3776)

    • Changes settings of System certificates

      • iexplore.exe (PID: 2920)

    • Dropped object may contain Bitcoin addresses

      • iexplore.exe (PID: 1488)
      • firefox.exe (PID: 3776)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2920)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 2920)
      • firefox.exe (PID: 3776)

    • Reads CPU info

      • firefox.exe (PID: 3776)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
53
Monitored processes
17
Malicious processes
12
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start drop and start drop and start drop and start drop and start iexplore.exe iexplore.exe iexplore.exe flashutil32_26_0_0_131_activex.exe no specs iexplore.exe firefox installer.exe setup-stub.exe setup-stub.exe download.exe setup.exe ns810b.tmp no specs maintenanceservice_installer.exe maintenanceservice.exe no specs firefox.exe firefox.exe firefox.exe firefox.exe

Process information

PID
CMD
Path
Indicators
Parent process
2920"C:\Program Files\Internet Explorer\iexplore.exe" -nohomeC:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
3192"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2920 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1488"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2920 CREDAT:203009C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2632C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exe -EmbeddingC:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_131_ActiveX.exesvchost.exe
User:
admin
Company:
Adobe Systems Incorporated
Integrity Level:
MEDIUM
Description:
Adobe® Flash® Player Installer/Uninstaller 26.0 r0
Version:
26,0,0,131
2604"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2920 CREDAT:203010C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
2200"C:\Users\admin\Downloads\Firefox Installer.exe" C:\Users\admin\Downloads\Firefox Installer.exe
iexplore.exe
User:
admin
Company:
Mozilla
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
18.05
3492.\setup-stub.exeC:\Users\admin\AppData\Local\Temp\7zS89828B1A\setup-stub.exe
Firefox Installer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox Installer
Exit code:
0
Version:
63.0.3
2708"C:\Users\admin\AppData\Local\Temp\7zS89828B1A\setup-stub.exe" /UAC:40290 /NCRCC:\Users\admin\AppData\Local\Temp\7zS89828B1A\setup-stub.exe
setup-stub.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
HIGH
Description:
Firefox Installer
Exit code:
0
Version:
63.0.3
284"C:\Users\admin\AppData\Local\Temp\nsc4289.tmp\download.exe" /INI=C:\Users\admin\AppData\Local\Temp\nsc4289.tmp\config.iniC:\Users\admin\AppData\Local\Temp\nsc4289.tmp\download.exe
setup-stub.exe
User:
admin
Company:
Mozilla
Integrity Level:
HIGH
Description:
Firefox
Exit code:
0
Version:
18.05
1132.\setup.exe /INI=C:\Users\admin\AppData\Local\Temp\nsc4289.tmp\config.iniC:\Users\admin\AppData\Local\Temp\7zSC118D65A\setup.exe
download.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
HIGH
Description:
Firefox Installer
Exit code:
0
Version:
63.0.3
Total events
3 450
Read events
3 053
Write events
0
Delete events
0

Modification events

No data
Executable files
169
Suspicious files
133
Text files
240
Unknown types
135

Dropped files

PID
Process
Filename
Type
2920iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RB73MZ6Y\favicon[1].ico
MD5:
SHA256:
2920iexplore.exeC:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
MD5:
SHA256:
2920iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R9ZEWH8D\favicon[1].ico
MD5:
SHA256:
1488iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\internet-explorer-downloads[1].txt
MD5:
SHA256:
1488iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\meversion[1]text
MD5:FC1C50416F559DA7F80776BDEED6E509
SHA256:65DC5EF8A9EEEE3D9F0F8FBB8C478003F290E53F41EEB82A2609BE436D7712CF
1488iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\internet-explorer-downloads[1].htmhtml
MD5:C023EA3E5452242DEFD7F4B5FC660C1F
SHA256:5C6B5A180309DEE8F95DD471A018CD87458C0723203530C25EDAD5DA6A564880
1488iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\override[1].csstext
MD5:D83CD3BAD39DC39B8C22B2CAD04B8C6D
SHA256:3D8A9440C1CC7C677F56EC1869AC1CD7C36851DFB9430B7D554137BDB5A75387
1488iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\U2ZG9DE0\bf-d3d307[1]text
MD5:56FEACE18A53472B3247DDB03A12400B
SHA256:F2E4E654F9A7134A8FD37557F4F296DD388FD42624E3500134E954D11535A011
1488iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\BWPPCY0O\mwfmdl2-v2.94[1].eoteot
MD5:B2BD64330A829779033E32FD5BF53FBE
SHA256:A17C0EFAA8550B6379EC5076C2ADDCA45EA9DEC7512A245AA51DC13D5EA9CE12
1488iexplore.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\PP6KS563\a6-1fffa6[1].txttext
MD5:FF5AC2BAF36E92AAC6E0AE1A40E6240F
SHA256:411FE789C7804027093C2A4D44B0744003FABC7FB71823E3EBB20779CC869D6E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
29
TCP/UDP connections
101
DNS requests
146
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2708
setup-stub.exe
GET
200
52.10.26.75:80
http://download-stats.mozilla.org/stub/v8/release/release/en-US/0/0/6/1/7601/1/0/0/2/0/42449032/42449032/0/0/4/4/0/0/22/1/0/0/1/61.0.2/20180807170231/63.0.3/20181114214635/1/1/0/3/52.222.152.199/0/0/0
US
whitelisted
3776
firefox.exe
POST
200
216.58.215.238:80
http://ocsp.pki.goog/GTSGIAG3
US
der
463 b
whitelisted
3776
firefox.exe
POST
200
188.121.36.239:80
http://ocsp.godaddy.com/
NL
der
1.74 Kb
whitelisted
2920
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
3776
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3776
firefox.exe
POST
200
216.58.215.238:80
http://ocsp.pki.goog/GTSGIAG3
US
der
463 b
whitelisted
3776
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3776
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
3776
firefox.exe
POST
200
188.121.36.239:80
http://ocsp.godaddy.com/
NL
der
1.74 Kb
whitelisted
3776
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1488
iexplore.exe
2.21.36.173:443
support.microsoft.com
GTT Communications Inc.
FR
malicious
2920
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
1488
iexplore.exe
23.37.60.23:443
windows.microsoft.com
Akamai Technologies, Inc.
NL
whitelisted
1488
iexplore.exe
104.109.67.247:443
mem.gfx.ms
Akamai International B.V.
NL
whitelisted
2920
iexplore.exe
52.22.72.157:443
secure.sharefile.com
Amazon.com, Inc.
US
unknown
1488
iexplore.exe
2.16.186.26:443
statics-uhf-neu.akamaized.net
Akamai International B.V.
whitelisted
3192
iexplore.exe
52.22.72.157:443
secure.sharefile.com
Amazon.com, Inc.
US
unknown
1488
iexplore.exe
2.21.41.70:443
www.microsoft.com
GTT Communications Inc.
FR
malicious
2920
iexplore.exe
2.21.41.70:443
www.microsoft.com
GTT Communications Inc.
FR
malicious
1488
iexplore.exe
2.16.186.40:443
img-prod-cms-rt-microsoft-com.akamaized.net
Akamai International B.V.
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
secure.sharefile.com
  • 52.22.72.157
  • 52.3.211.188
whitelisted
windows.microsoft.com
  • 23.37.60.23
whitelisted
support.microsoft.com
  • 2.21.36.173
whitelisted
statics-uhf-neu.akamaized.net
  • 2.16.186.26
  • 2.16.186.34
whitelisted
mem.gfx.ms
  • 104.109.67.247
whitelisted
www.microsoft.com
  • 2.21.41.70
whitelisted
img-prod-cms-rt-microsoft-com.akamaized.net
  • 2.16.186.40
  • 2.16.186.27
whitelisted
www.getfirefox.com
  • 63.245.208.212
suspicious
www.mozilla.org
  • 104.16.41.2
  • 104.16.40.2
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://secure.sharefile.com/Authentication/Login#ForgotPassword