analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

https://h0ujla.bn.files.1drv.com/y4mAOcGQcFjulGJ4T-pxv8PPoF5bI2KUBf6HPVKXv-5_1M5u3J7ZivuHWYM2AtYla2JvIBJwKEw8VypHxhIL3wQHzSo4-C6E2kvt1htZEGo-h9_PptdI5J_FkIt3B9K7O-VXgQ_1xuc9lVlwujBT9v8SidtUWs6Ya8-Ek7cSWgBe_rjIAl8c64FLXSmuzX63haT9DQT3CR5gVL9QGEP-Uckew/SHIPMENT%20DOCUMENT%20BL%20%2CINVOICES-pdf.tar?download&psid=1

Full analysis: https://app.any.run/tasks/c1f1a21b-4ca5-4772-bd1d-5432a24e6030
Verdict: Malicious activity
Analysis date: June 12, 2019, 06:36:53
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

F910BF80D8F9C996DABF5A799D224223

SHA1:

A3C095675C5FF7DB030E7589C3EFE36BAF7068EC

SHA256:

EFC13F882C187E1DC716F8A3CDDE69E06641866A381E8A72C2FD30B3C5E45E7D

SSDEEP:

6:2dX8j3Aj/3HdUJTpywWNkBNRLOK3V9za2BOLSWAQCKjoirzg28Jv9n:25q3Az3dU9py+D3V9F4uWAQCio8g28N9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • SHIPMENT DOCUMENT BL ,INVOICES-pdf.exe (PID: 3912)
      • SHIPMENT DOCUMENT BL ,INVOICES-pdf.exe (PID: 2084)
      • SHIPMENT DOCUMENT BL ,INVOICES-pdf.exe (PID: 1008)

    • Actions looks like stealing of personal data

      • SHIPMENT DOCUMENT BL ,INVOICES-pdf.exe (PID: 1008)

  • SUSPICIOUS

    • Application launched itself

      • SHIPMENT DOCUMENT BL ,INVOICES-pdf.exe (PID: 2084)

    • Starts CMD.EXE for commands execution

      • SHIPMENT DOCUMENT BL ,INVOICES-pdf.exe (PID: 2084)
      • SHIPMENT DOCUMENT BL ,INVOICES-pdf.exe (PID: 3912)

    • Reads Windows Product ID

      • SHIPMENT DOCUMENT BL ,INVOICES-pdf.exe (PID: 1008)

    • Reads Environment values

      • SHIPMENT DOCUMENT BL ,INVOICES-pdf.exe (PID: 1008)

  • INFO

    • Changes internet zones settings

      • iexplore.exe (PID: 3064)

    • Manual execution by user

      • iexplore.exe (PID: 3064)
      • SHIPMENT DOCUMENT BL ,INVOICES-pdf.exe (PID: 2084)
      • SHIPMENT DOCUMENT BL ,INVOICES-pdf.exe (PID: 3912)

    • Creates files in the user directory

      • iexplore.exe (PID: 1080)

    • Application launched itself

      • chrome.exe (PID: 3276)
      • iexplore.exe (PID: 3064)

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3064)
      • iexplore.exe (PID: 1080)

    • Reads internet explorer settings

      • iexplore.exe (PID: 1080)

    • Reads settings of System Certificates

      • iexplore.exe (PID: 3064)
      • SHIPMENT DOCUMENT BL ,INVOICES-pdf.exe (PID: 1008)

    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 3064)

    • Changes settings of System certificates

      • iexplore.exe (PID: 3064)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
64
Monitored processes
20
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs iexplore.exe iexplore.exe chrome.exe no specs chrome.exe no specs winrar.exe no specs shipment document bl ,invoices-pdf.exe no specs cmd.exe no specs cmd.exe no specs shipment document bl ,invoices-pdf.exe shipment document bl ,invoices-pdf.exe cmd.exe no specs cmd.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3276"C:\Program Files\Google\Chrome\Application\chrome.exe" https://h0ujla.bn.files.1drv.com/y4mAOcGQcFjulGJ4T-pxv8PPoF5bI2KUBf6HPVKXv-5_1M5u3J7ZivuHWYM2AtYla2JvIBJwKEw8VypHxhIL3wQHzSo4-C6E2kvt1htZEGo-h9_PptdI5J_FkIt3B9K7O-VXgQ_1xuc9lVlwujBT9v8SidtUWs6Ya8-Ek7cSWgBe_rjIAl8c64FLXSmuzX63haT9DQT3CR5gVL9QGEP-Uckew/SHIPMENT%20DOCUMENT%20BL%20%2CINVOICES-pdf.tar?download&psid=1C:\Program Files\Google\Chrome\Application\chrome.exe
explorer.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
73.0.3683.75
2600"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=73.0.3683.75 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6f5e0f18,0x6f5e0f28,0x6f5e0f34C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
73.0.3683.75
3668"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=3384 --on-initialized-event-handle=308 --parent-handle=312 /prefetch:6C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
73.0.3683.75
2236"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=960,879739905061943554,18376928256344750665,131072 --enable-features=PasswordImport --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=3951898115158110506 --mojo-platform-channel-handle=952 --ignored=" --type=renderer " /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Version:
73.0.3683.75
128"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=960,879739905061943554,18376928256344750665,131072 --enable-features=PasswordImport --service-pipe-token=927289249614774528 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=927289249614774528 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Version:
73.0.3683.75
3292"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=960,879739905061943554,18376928256344750665,131072 --enable-features=PasswordImport --service-pipe-token=13326005839914048453 --lang=en-US --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=13326005839914048453 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2036 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Version:
73.0.3683.75
3604"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=960,879739905061943554,18376928256344750665,131072 --enable-features=PasswordImport --service-pipe-token=184379875556032298 --lang=en-US --extension-process --enable-offline-auto-reload --enable-offline-auto-reload-visible-only --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --service-request-channel-token=184379875556032298 --renderer-client-id=3 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2212 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
1724"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=960,879739905061943554,18376928256344750665,131072 --enable-features=PasswordImport --disable-gpu-sandbox --use-gl=disabled --gpu-preferences=KAAAAAAAAACAAwAAAQAAAAAAAAAAAGAAAAAAAAEAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --service-request-channel-token=11512753656242486938 --mojo-platform-channel-handle=3712 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google Inc.
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
73.0.3683.75
3064"C:\Program Files\Internet Explorer\iexplore.exe" C:\Program Files\Internet Explorer\iexplore.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
1080"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3064 CREDAT:71937C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Version:
8.00.7600.16385 (win7_rtm.090713-1255)
Total events
2 182
Read events
1 959
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
10
Text files
65
Unknown types
4

Dropped files

PID
Process
Filename
Type
3276chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\index
MD5:
SHA256:
3276chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_0
MD5:
SHA256:
3276chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_1
MD5:
SHA256:
3276chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_2
MD5:
SHA256:
3276chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\ShaderCache\GPUCache\data_3
MD5:
SHA256:
3276chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\c1a2eefa-3fde-41cf-b3d9-571036810192.tmp
MD5:
SHA256:
3276chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\index
MD5:
SHA256:
3276chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\data_reduction_proxy_leveldb\000018.dbtmp
MD5:
SHA256:
3276chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_0
MD5:
SHA256:
3276chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
16
DNS requests
11
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3064
iexplore.exe
GET
200
204.79.197.200:80
http://www.bing.com/favicon.ico
US
image
237 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3064
iexplore.exe
204.79.197.200:80
www.bing.com
Microsoft Corporation
US
whitelisted
3276
chrome.exe
13.107.42.12:443
h0ujla.bn.files.1drv.com
Microsoft Corporation
US
suspicious
3276
chrome.exe
172.217.22.35:443
clientservices.googleapis.com
Google Inc.
US
whitelisted
3276
chrome.exe
172.217.22.78:443
sb-ssl.google.com
Google Inc.
US
whitelisted
3276
chrome.exe
172.217.16.196:443
www.google.com
Google Inc.
US
whitelisted
216.58.208.35:443
ssl.gstatic.com
Google Inc.
US
whitelisted
3276
chrome.exe
216.58.206.13:443
accounts.google.com
Google Inc.
US
whitelisted
1080
iexplore.exe
13.107.42.12:443
h0ujla.bn.files.1drv.com
Microsoft Corporation
US
suspicious
3276
chrome.exe
172.217.18.99:443
www.gstatic.com
Google Inc.
US
whitelisted
3276
chrome.exe
172.217.16.142:443
clients1.google.com
Google Inc.
US
whitelisted

DNS requests

Domain
IP
Reputation
h0ujla.bn.files.1drv.com
  • 13.107.42.12
whitelisted
clientservices.googleapis.com
  • 172.217.22.35
whitelisted
accounts.google.com
  • 216.58.206.13
shared
sb-ssl.google.com
  • 172.217.22.78
whitelisted
www.google.com
  • 172.217.16.196
whitelisted
ssl.gstatic.com
  • 216.58.208.35
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
www.gstatic.com
  • 172.217.18.99
whitelisted
clients1.google.com
  • 172.217.16.142
whitelisted
smtp.privateemail.com
  • 199.193.7.228
malicious

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
https://h0ujla.bn.files.1drv.com/y4mAOcGQcFjulGJ4T-pxv8PPoF5bI2KUBf6HPVKXv-5_1M5u3J7ZivuHWYM2AtYla2JvIBJwKEw8VypHxhIL3wQHzSo4-C6E2kvt1htZEGo-h9_PptdI5J_FkIt3B9K7O-VXgQ_1xuc9lVlwujBT9v8SidtUWs6Ya8-Ek7cSWgBe_rjIAl8c64FLXSmuzX63haT9DQT3CR5gVL9QGEP-Uckew/SHIPMENT%20DOCUMENT%20BL%20%2CINVOICES-pdf.tar?download&psid=1