Malware analysis 1.zip Malicious activity | ANY.RUN

Add for printing

File name:	1.zip
Full analysis:	https://app.any.run/tasks/fb0f35c6-93c1-4448-ac40-d41e4f1d96ca
Verdict:	Malicious activity
Analysis date:	July 11, 2019, 14:34:33
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:	opendir
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v1.0 to extract
MD5:	80F644C89E7F51A2F946ACFB6B0B98BC
SHA1:	3B7ADF85519EB21294DD155ECA285939303D9D85
SHA256:	030252E31AB244710DB8CB6E7F1E33A5B36D1B3DE94189770001B00D85772967
SSDEEP:	98304:ZrTNT+9pShnPgbcfbQ3d5aJJzt6vIDOay9Yphe:RpT+ShnP8cfbwdm/oaMYphe

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (75.0.3770.100)
Google Update Helper (1.3.34.7)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.7.2 (4.7.03062)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.21.27702 (14.21.27702.2)
Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 (14.21.27702)
Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 (14.21.27702)
Mozilla Firefox 67.0.4 (x86 en-US) (67.0.4)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
Update for Microsoft .NET Framework 4.7.2 (KB4087364) (1)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB4019990
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Loads dropped or rewritten executable
  - SearchProtocolHost.exe (PID: 2436)
  - PlaystationChecker.exe (PID: 1448)
- Writes to a start menu file
  - psapi.exe (PID: 2236)
  - psapi.exe (PID: 3696)
- Application was dropped or rewritten from another process
  - NETcore.exe (PID: 3624)
  - PlaystationChecker.exe (PID: 1448)
  - NETcore.exe (PID: 3172)
- Changes settings of System certificates
  - psapi.exe (PID: 2236)
SUSPICIOUS
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 300)
  - psapi.exe (PID: 2236)
- Creates files in the user directory
  - psapi.exe (PID: 2236)
- Adds / modifies Windows certificates
  - psapi.exe (PID: 2236)
INFO
- Manual execution by user
  - psapi.exe (PID: 2236)
  - PlaystationChecker.exe (PID: 1448)
  - chrome.exe (PID: 2252)
- Dropped object may contain Bitcoin addresses
  - psapi.exe (PID: 2236)
- Application launched itself
  - chrome.exe (PID: 2252)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.kmz	\|	Google Earth saved working session (60)
.zip	\|	ZIP compressed archive (40)

EXIF

ZIP

ZipFileName:	PSN Checker [Crack.sx]/
ZipUncompressedSize:	-
ZipCompressedSize:	-
ZipCRC:	0x00000000
ZipModifyDate:	2019:02:21 21:10:19
ZipCompression:	None
ZipBitFlag:	-
ZipRequiredVersion:	10

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
300	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1.zip"	C:\Program Files\WinRAR\WinRAR.exe		explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0
2236	"C:\Users\admin\Desktop\PSN Checker [Crack.sx]\psapi.exe"	C:\Users\admin\Desktop\PSN Checker [Crack.sx]\psapi.exe		explorer.exe
User: admin Company: Litecore Integrity Level: MEDIUM Description: Windows Core Version: 1.0.0.0
2436	"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe8_ Global\UsGthrCtrlFltPipeMssGthrPipe8 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"	C:\Windows\System32\SearchProtocolHost.exe	—	SearchIndexer.exe
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft Windows Search Protocol Host Exit code: 0 Version: 7.00.7600.16385 (win7_rtm.090713-1255)
3624	"C:\Users\admin\AppData\Roaming\DOTNET\NETcore.exe"	C:\Users\admin\AppData\Roaming\DOTNET\NETcore.exe	—	psapi.exe
User: admin Company: Logistics.OVH Integrity Level: MEDIUM Description: Windows_Logistics Version: 6.1.0.0
1448	"C:\Users\admin\Desktop\PSN Checker [Crack.sx]\PlaystationChecker.exe"	C:\Users\admin\Desktop\PSN Checker [Crack.sx]\PlaystationChecker.exe	—	explorer.exe
User: admin Integrity Level: MEDIUM Description: PlaystationChecker Exit code: 0 Version: 1.0.0.0
3696	"C:\Users\admin\Desktop\PSN Checker [Crack.sx]\psapi.exe"	C:\Users\admin\Desktop\PSN Checker [Crack.sx]\psapi.exe		PlaystationChecker.exe
User: admin Company: Litecore Integrity Level: MEDIUM Description: Windows Core Version: 1.0.0.0
3172	"C:\Users\admin\AppData\Roaming\DOTNET\NETcore.exe"	C:\Users\admin\AppData\Roaming\DOTNET\NETcore.exe	—	psapi.exe
User: admin Company: Logistics.OVH Integrity Level: MEDIUM Description: Windows_Logistics Version: 6.1.0.0
2252	"C:\Program Files\Google\Chrome\Application\chrome.exe"	C:\Program Files\Google\Chrome\Application\chrome.exe		explorer.exe
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100
3940	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=75.0.3770.100 --initial-client-data=0x7c,0x80,0x84,0x78,0x88,0x6619a9d0,0x6619a9e0,0x6619a9ec	C:\Program Files\Google\Chrome\Application\chrome.exe	—	chrome.exe
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100
1144	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=watcher --main-thread-id=2836 --on-initialized-event-handle=312 --parent-handle=316 /prefetch:6	C:\Program Files\Google\Chrome\Application\chrome.exe	—	chrome.exe
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Version: 75.0.3770.100

Add for printing

Total events

1 892

Read events

1 772

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

210

Unknown types

Dropped files

PID	Process	Filename		Type
300	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa300.22389\PSN Checker [Crack.sx]\System.Windows.Forms.dll		—
		MD5:—	SHA256:—
300	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa300.22389\PSN Checker [Crack.sx]\psapi.exe		—
		MD5:—	SHA256:—
2252	chrome.exe	C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\LOG.old		text
		MD5:DC32343F45B01764B6267AD36548102A	SHA256:A250F5AD57D4BD58AAE92810D50278E3BE2DBF869F126A3A3519691BCDFC2075
300	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa300.22389\PSN Checker [Crack.sx]\System.dll		executable
		MD5:0228B88AB75AC1260FE43350D016579B	SHA256:11C56129F3C3485141314CC6B84EF9C6CFC0567283562E03A83FBE1B101E3F50
300	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa300.22389\PSN Checker [Crack.sx]\PlaystationChecker.exe		executable
		MD5:B6A1F955DB5FB9CB0F6834490476D9F6	SHA256:79C23758CF6A27C9914AC03773BFA511264F4D6EE4BB15BF202899AE5D2892E4
2236	psapi.exe	C:\Users\admin\AppData\Roaming\DOTNET\NETcore.exe		executable
		MD5:984AAED410A3BC033ECAA9418B780E2F	SHA256:0A5CF95D06C49D9F19746D0C694AFE920A769F6B61F6574D20408D371502659C
300	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa300.22389\PSN Checker [Crack.sx]\PlaystationChecker.pdb		pdb
		MD5:372D235FDFE443CDD7C7C7D3AA1CC62D	SHA256:DD512D7800B21AC768EF964E36A542026C9CC68106C7731A113A4C28F682A5FA
300	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa300.22389\PSN Checker [Crack.sx]\System.Management.dll		executable
		MD5:9330B45C996F17D223F2D73958292682	SHA256:431AB608722156C2DFF9B1221639D677AD23ECBC7D19ABD72CD0FAF5C82C5A3E
2236	psapi.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Discord.lnk		lnk
		MD5:2E628118717C44AAFACC9BC8B794A11E	SHA256:02AAC5A93A65CE40C33D0415FED697AFBCA3CDE1373748B09AE29E1D54A12D9F
300	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRa300.22389\PSN Checker [Crack.sx]\BruteEngine.dll		executable
		MD5:317D5DEABDB509BE15D14FBA4E1DC3BC	SHA256:883198948ACF83999374A442451ACD6D63B406A2F5E174F10F23FCFC8252DA06

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
2324	chrome.exe	GET	200	104.24.126.50:80	http://fitgirl-repacks.site/page/12/	US	html	23.6 Kb	suspicious
2324	chrome.exe	GET	200	104.24.126.50:80	http://fitgirl-repacks.site/wp-content/themes/twentyfourteen/style.css?ver=5.0.2	US	text	14.4 Kb	suspicious
2324	chrome.exe	GET	200	104.24.126.50:80	http://fitgirl-repacks.site/wp-content/plugins/social-polls-by-opinionstage/js/shortcodes.js?ver=18.1.0	US	text	275 b	suspicious
2324	chrome.exe	GET	302	216.58.206.14:80	http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx	US	html	516 b	whitelisted
2324	chrome.exe	GET	200	173.194.188.102:80	http://r1---sn-4g5ednss.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvOWVmQUFXS041NV9ZVXlJVWwxbGc5TUM4dw/7519.422.0.3_pkedcjkdefgpdelpbcmbmeomcjbeemfm.crx?cms_redirect=yes&mip=185.183.107.227&mm=28&mn=sn-4g5ednss&ms=nvh&mt=1562855902&mv=m&mvi=0&pl=24&shardbypass=yes	US	crx	862 Kb	whitelisted
2324	chrome.exe	GET	200	104.24.126.50:80	http://fitgirl-repacks.site/wp-content/plugins/shortcodes-ultimate/assets/js/other-shortcodes.js?ver=5.0.1	US	text	2.07 Kb	suspicious
2324	chrome.exe	GET	200	104.24.126.50:80	http://fitgirl-repacks.site/wp-content/uploads/2019/02/error.png	US	image	20.5 Kb	suspicious
2324	chrome.exe	GET	200	104.27.179.224:80	http://s01.riotpixels.net/data/21/5b/215bfd5a-d7b3-4b61-86d6-5d5bcc69bc07.jpg.240p.jpg	US	image	6.20 Kb	suspicious
2324	chrome.exe	GET	200	104.24.126.50:80	http://fitgirl-repacks.site/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1	US	text	3.92 Kb	suspicious
2324	chrome.exe	GET	200	104.24.126.50:80	http://fitgirl-repacks.site/wp-content/plugins/jetpack/modules/theme-tools/compat/twentyfourteen.css?ver=5.5.1	US	text	1.62 Kb	suspicious

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
2236	psapi.exe	151.101.0.133:443	raw.githubusercontent.com	Fastly	US	malicious
2324	chrome.exe	216.58.205.227:443	clientservices.googleapis.com	Google Inc.	US	whitelisted
—	—	216.58.207.68:443	www.google.com	Google Inc.	US	whitelisted
3696	psapi.exe	151.101.0.133:443	raw.githubusercontent.com	Fastly	US	malicious
2324	chrome.exe	216.58.208.35:443	www.google.com.ua	Google Inc.	US	whitelisted
2324	chrome.exe	172.217.16.142:443	clients2.google.com	Google Inc.	US	whitelisted
2236	psapi.exe	196.40.24.242:443	www.bvs.sa.cr	RADIOGRAFICA COSTARRICENSE	CR	unknown
2324	chrome.exe	172.217.22.99:443	www.google.at	Google Inc.	US	whitelisted
2324	chrome.exe	216.58.208.45:443	accounts.google.com	Google Inc.	US	whitelisted
2324	chrome.exe	216.58.206.14:443	redirector.gvt1.com	Google Inc.	US	whitelisted

DNS requests

Domain	IP	Reputation
raw.githubusercontent.com	151.101.0.133 151.101.64.133 151.101.128.133 151.101.192.133	shared
www.bvs.sa.cr	196.40.24.242	unknown
clientservices.googleapis.com	216.58.205.227	whitelisted
accounts.google.com	216.58.208.45	shared
www.google.com.ua	216.58.208.35	whitelisted
clients2.google.com	172.217.16.142	whitelisted
www.google.com	216.58.207.68	whitelisted
www.google.at	172.217.22.99	whitelisted
clients2.googleusercontent.com	172.217.23.161	whitelisted
redirector.gvt1.com	216.58.206.14	whitelisted

Threats

PID	Process	Class	Message
—	—	Potentially Bad Traffic	ET DNS Query for .su TLD (Soviet Union) Often Malware Related

Add for printing

No debug info

General Info

1.zip

80F644C89E7F51A2F946ACFB6B0B98BC

3B7ADF85519EB21294DD155ECA285939303D9D85

030252E31AB244710DB8CB6E7F1E33A5B36D1B3DE94189770001B00D85772967

98304:ZrTNT+9pShnPgbcfbQ3d5aJJzt6vIDOay9Yphe:RpT+ShnP8cfbwdm/oaMYphe

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Loads dropped or rewritten executable

Writes to a start menu file

Application was dropped or rewritten from another process

Changes settings of System certificates

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the user directory

Adds / modifies Windows certificates

INFO

Manual execution by user

Dropped object may contain Bitcoin addresses

Application launched itself

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings