analyze malware
- Huge database of samples and IOCs
- Custom VM setup
- Unlimited submissions
- Interactive approach
| File name: | 69460ECBBDBFD75E24D17F2EC9CEA018.zip |
| Full analysis: | https://app.any.run/tasks/56b2cc37-609d-4d9d-a142-6fb2d8d7ebe1 |
| Verdict: | Malicious activity |
| Analysis date: | March 30, 2020, 15:44:04 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract |
| MD5: | 28AEEC0ECE912604640B565B3516425D |
| SHA1: | 80BF49485E4BDFFF9759A361A87585F89F1063D9 |
| SHA256: | 010007346778C5FFAFF4B237B641011108717E2A50578C02E8E33DE08C3CB18A |
| SSDEEP: | 12288:bm0K08wzy0GKH+GoMm49svP7AJEGtgMN132Wo7ES+vxx:brVzcw+c6vP7AZOZr+vxx |
MALICIOUS
Loads dropped or rewritten executable
- SearchProtocolHost.exe (PID: 3548)
- explorer.exe (PID: 372)
- rundll32.exe (PID: 3404)
- rundll32.exe (PID: 3560)
Renames files like Ransomware
- explorer.exe (PID: 372)
Runs app for hidden code execution
- explorer.exe (PID: 372)
SUSPICIOUS
Executable content was dropped or overwritten
- WinRAR.exe (PID: 3612)
Creates files in the user directory
- explorer.exe (PID: 372)
Starts CMD.EXE for commands execution
- explorer.exe (PID: 372)
Uses RUNDLL32.EXE to load library
- cmd.exe (PID: 2976)
INFO
No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipFileName: | filedata |
|---|---|
| ZipUncompressedSize: | 672256 |
| ZipCompressedSize: | 456438 |
| ZipCRC: | 0x255178e7 |
| ZipModifyDate: | 2020:03:27 09:48:04 |
| ZipCompression: | Deflated |
| ZipBitFlag: | 0x0002 |
| ZipRequiredVersion: | 20 |
Total processes
42
Monitored processes
7
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process |
|---|---|---|---|---|
| 3612 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\69460ECBBDBFD75E24D17F2EC9CEA018.zip" | C:\Program Files\WinRAR\WinRAR.exe | explorer.exe | |
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0 | ||||
| 3548 | "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" | C:\Windows\System32\SearchProtocolHost.exe | — | SearchIndexer.exe |
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255) | ||||
| 372 | C:\Windows\Explorer.EXE | C:\Windows\explorer.exe | — | — |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 2976 | "C:\Windows\system32\cmd.exe" | C:\Windows\system32\cmd.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850) | ||||
| 2684 | rundll32.exe filedata.dll | C:\Windows\system32\rundll32.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 3404 | rundll32.exe filedata.dll, DLLRegisterServer | C:\Windows\system32\rundll32.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
| 3560 | rundll32.exe filedata.dll, DllRegisterServer | C:\Windows\system32\rundll32.exe | — | cmd.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
Total events
3 299
Read events
3 082
Write events
0
Delete events
0
Modification events
Executable files
2
Suspicious files
0
Text files
0
Unknown types
3
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 372 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms | |
MD5:81D6CE71FA74EAE1DBB6CAE81AFB0739 | SHA256:F737A9638BE8A5D09A7E5EF0827E80A7EB7AA00F81F1B4E6C8C784153F418099 | |||
| 3612 | WinRAR.exe | C:\Users\admin\Desktop\filedata | executable | |
MD5:69460ECBBDBFD75E24D17F2EC9CEA018 | SHA256:B9F64C2237F8A56DAA5F8E1E1A9A3A2D4EB3E1EB9CD25A23E3B6FE2DC4F8081D | |||
| 372 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\69460ECBBDBFD75E24D17F2EC9CEA018.zip.lnk | lnk | |
MD5:E3A4E7FADDC9FB67A6DA578BDF9F5B40 | SHA256:7FB7872BAFF4D4F0D55B0DDE9C75300A22B4B7DBD5657A7E4B52E2030886EDDD | |||
| 372 | explorer.exe | C:\Users\admin\Desktop\filedata.dll | executable | |
MD5:69460ECBBDBFD75E24D17F2EC9CEA018 | SHA256:B9F64C2237F8A56DAA5F8E1E1A9A3A2D4EB3E1EB9CD25A23E3B6FE2DC4F8081D | |||
| 372 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\290532160612e071.automaticDestinations-ms | automaticdestinations-ms | |
MD5:9E8454CFC772FC9DC5A2F5FE283C6A46 | SHA256:FF588223F9F52ECA889A025A399F283125D8D3DFDCBF9401E4C2DBF3D1595A39 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0
HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report