analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
URL:

http://brandbestie.com/surface.php?ogev=AKME25100

Full analysis: https://app.any.run/tasks/a951be3c-8b63-4d13-9c66-1419c3061f98
Verdict: Malicious activity
Analysis date: July 11, 2019, 15:17:01
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MD5:

3E0C66988B25E48F097FC5F8062E75A8

SHA1:

B2314CA94EF4B390ADB48167CA0C3039C2FE4D33

SHA256:

F1A4FFDF27F512F27CE62034F781373E64E9E2B7F78F07028E51F90F4CEFB492

SSDEEP:

3:N1KcZWBZ3WQXDsDpgTVn:CcZWBZmCQOZ

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • firefox.exe (PID: 2964)
  • INFO

    • Reads CPU info

      • firefox.exe (PID: 2964)
    • Application launched itself

      • firefox.exe (PID: 2964)
    • Creates files in the user directory

      • firefox.exe (PID: 2964)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
38
Monitored processes
5
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start firefox.exe firefox.exe no specs firefox.exe firefox.exe firefox.exe

Process information

PID
CMD
Path
Indicators
Parent process
2964"C:\Program Files\Mozilla Firefox\firefox.exe" http://brandbestie.com/surface.php?ogev=AKME25100C:\Program Files\Mozilla Firefox\firefox.exe
explorer.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
67.0.4
2544"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.0.1065099667\2043949149" -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 1180 gpuC:\Program Files\Mozilla Firefox\firefox.exefirefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
67.0.4
3252"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.3.1503263083\514737761" -childID 1 -isForBrowser -prefsHandle 1648 -prefMapHandle 1636 -prefsLen 1 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 1712 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
67.0.4
3508"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.13.352418375\1006092511" -childID 2 -isForBrowser -prefsHandle 2740 -prefMapHandle 2756 -prefsLen 5842 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 2772 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
67.0.4
2700"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2964.20.720515202\1430677782" -childID 3 -isForBrowser -prefsHandle 3536 -prefMapHandle 3540 -prefsLen 6726 -prefMapSize 188076 -parentBuildID 20190619235627 -greomni "C:\Program Files\Mozilla Firefox\omni.ja" -appomni "C:\Program Files\Mozilla Firefox\browser\omni.ja" -appdir "C:\Program Files\Mozilla Firefox\browser" - 2964 "\\.\pipe\gecko-crash-server-pipe.2964" 3548 tabC:\Program Files\Mozilla Firefox\firefox.exe
firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
LOW
Description:
Firefox
Version:
67.0.4
Total events
559
Read events
556
Write events
3
Delete events
0

Modification events

(PID) Process:(2964) firefox.exeKey:HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher
Operation:writeName:C:\Program Files\Mozilla Firefox\firefox.exe|Browser
Value:
0000000000000000
(PID) Process:(2964) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
Operation:writeName:ProxyEnable
Value:
0
(PID) Process:(2964) firefox.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
Operation:writeName:SavedLegacySettings
Value:
4600000077000000010000000000000000000000000000000000000000000000C0E333BBEAB1D301000000000000000000000000020000001700000000000000FE800000000000007D6CB050D9C573F70B000000000000006D00330032005C004D00530049004D004700330032002E0064006C000100000004AA400014AA4000040000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C0A8016400000000000000000000000000000000000000000800000000000000805D3F00983740000008000002000000000000600000002060040000B8A94000020000008802000060040000B8A9400004000000F8010000B284000088B64000B84B400043003A000000000000000000000000000000000000000000
Executable files
2
Suspicious files
63
Text files
60
Unknown types
52

Dropped files

PID
Process
Filename
Type
2964firefox.exeC:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin
MD5:
SHA256:
2964firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm
MD5:
SHA256:
2964firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\prefs-1.js
MD5:
SHA256:
2964firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pluginreg.dat.tmp
MD5:
SHA256:
2964firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp
MD5:
SHA256:
2964firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1451318868ntouromlalnodry--epcr.sqlite-shm
MD5:
SHA256:
2964firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm
MD5:
SHA256:
2964firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm
MD5:
SHA256:
2964firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\search.json.mozlz4.tmp
MD5:
SHA256:
2964firefox.exeC:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\pluginreg.dattext
MD5:37818D9B7248F34395C2DB3C0BD4B07F
SHA256:FF229E03D2AB696E81957957EA8D71280B5800A2B0F70EA77998C3FA4E98A8A6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
37
DNS requests
89
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2964
firefox.exe
GET
301
43.255.154.110:80
http://brandbestie.com/surface.php?ogev=AKME25100
SG
html
258 b
malicious
2964
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2964
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2964
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2964
firefox.exe
POST
200
93.184.220.29:80
http://ocsp.digicert.com/
US
der
471 b
whitelisted
2964
firefox.exe
POST
200
216.58.205.227:80
http://ocsp.pki.goog/GTSGIAG3
US
der
471 b
whitelisted
2964
firefox.exe
POST
200
151.139.128.14:80
http://ocsp.comodoca4.com/
US
der
279 b
whitelisted
2964
firefox.exe
POST
200
216.58.208.35:80
http://ocsp.pki.goog/GTSGIAG3
US
der
471 b
whitelisted
2964
firefox.exe
POST
200
216.58.205.227:80
http://ocsp.pki.goog/GTSGIAG3
US
der
471 b
whitelisted
2964
firefox.exe
GET
200
2.16.106.209:80
http://detectportal.firefox.com/success.txt
unknown
text
8 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2964
firefox.exe
43.255.154.110:80
brandbestie.com
GoDaddy.com, LLC
SG
malicious
2964
firefox.exe
2.16.106.209:80
detectportal.firefox.com
Akamai International B.V.
whitelisted
2964
firefox.exe
52.35.245.125:443
push.services.mozilla.com
Amazon.com, Inc.
US
unknown
2964
firefox.exe
34.251.59.153:443
location.services.mozilla.com
Amazon.com, Inc.
IE
unknown
2964
firefox.exe
99.86.121.58:443
snippets.cdn.mozilla.net
AT&T Services, Inc.
US
unknown
2964
firefox.exe
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
2964
firefox.exe
172.217.16.170:443
safebrowsing.googleapis.com
Google Inc.
US
whitelisted
2964
firefox.exe
52.11.30.237:443
search.services.mozilla.com
Amazon.com, Inc.
US
unknown
2964
firefox.exe
216.58.208.35:80
ocsp.pki.goog
Google Inc.
US
whitelisted
2964
firefox.exe
79.141.161.20:80
for-diet.net
GB
unknown

DNS requests

Domain
IP
Reputation
brandbestie.com
  • 43.255.154.110
malicious
detectportal.firefox.com
  • 2.16.106.209
  • 2.16.106.152
whitelisted
a1089.dscd.akamai.net
  • 2.16.106.152
  • 2.16.106.209
whitelisted
location.services.mozilla.com
  • 34.251.59.153
  • 52.18.148.152
  • 34.243.21.190
whitelisted
locprod1-elb-eu-west-1.prod.mozaws.net
  • 34.243.21.190
  • 52.18.148.152
  • 34.251.59.153
whitelisted
push.services.mozilla.com
  • 52.35.245.125
whitelisted
autopush.prod.mozaws.net
  • 52.35.245.125
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted
cs9.wac.phicdn.net
  • 93.184.220.29
whitelisted
snippets.cdn.mozilla.net
  • 99.86.121.58
whitelisted

Threats

No threats detected
No debug info