File name:

Net-Worm.zip

Full analysis: https://app.any.run/tasks/7d1120b3-bc63-42d9-9704-e88eeb6454c8
Verdict: Malicious activity
Analysis date: March 10, 2024, 14:08:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v4.5 to extract, compression method=deflate
MD5:

C767D9A19901A2E540D3BA41168C7694

SHA1:

CE2CE6F04807CA1F536A9880292850781747733D

SHA256:

03CEF643BAA7561DD495994D4701AC3983964AFC014971BBD128307ECF94C1D5

SSDEEP:

98304:eFmmecd/fuc8nJUxB3wyEuo0vZ9RNkxFg3m8IUbfkhR98mw9csB69sxLGR9O976z:MwPy8dfIc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3700)
      • EternalRocks.exe (PID: 1888)

    • Starts NET.EXE for service management

      • Opaserv.l.exe (PID: 3212)
      • net.exe (PID: 2120)
      • net.exe (PID: 120)
      • net.exe (PID: 3500)
      • net.exe (PID: 1836)
      • net.exe (PID: 3936)
      • net.exe (PID: 2388)
      • Opaserv.l.exe (PID: 1336)
      • net.exe (PID: 2244)
      • net.exe (PID: 2788)
      • net.exe (PID: 2484)
      • net.exe (PID: 2592)

    • Changes the autorun value in the registry

      • Opaserv.l.exe (PID: 3212)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • EternalRocks.exe (PID: 1888)

    • Creates file in the systems drive root

      • ntvdm.exe (PID: 1992)

    • The process creates files with name similar to system file names

      • EternalRocks.exe (PID: 1888)

  • INFO

    • Manual execution by a user

      • Opaserv.l.exe (PID: 3212)
      • notepad.exe (PID: 3464)
      • EternalRocks.exe (PID: 1888)
      • EternalRocks.exe (PID: 2724)
      • Opaserv.l.exe (PID: 1336)
      • ntvdm.exe (PID: 1992)
      • Rahack.exe (PID: 3768)
      • Blaster.E.exe (PID: 3464)
      • Kobalc.exe (PID: 3992)
      • Kobalc.exe (PID: 1696)
      • Sasser.B.exe (PID: 2936)
      • Sasser.A.exe (PID: 2024)
      • Rahack.exe (PID: 3156)
      • Blaster.A.exe (PID: 3772)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3700)

    • Checks supported languages

      • Opaserv.l.exe (PID: 3212)
      • EternalRocks.exe (PID: 1888)

    • Reads the computer name

      • Opaserv.l.exe (PID: 3212)
      • EternalRocks.exe (PID: 1888)

    • Reads the machine GUID from the registry

      • EternalRocks.exe (PID: 1888)

    • Reads Environment values

      • EternalRocks.exe (PID: 1888)

    • Create files in a temporary directory

      • EternalRocks.exe (PID: 1888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 45
ZipBitFlag: 0x0800
ZipCompression: Deflated
ZipModifyDate: 2024:03:03 01:03:34
ZipCRC: 0x00000000
ZipCompressedSize: 2
ZipUncompressedSize: -
ZipFileName: Net-Worm/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
89
Monitored processes
35
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe notepad.exe no specs opaserv.l.exe net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs eternalrocks.exe ntvdm.exe no specs eternalrocks.exe no specs opaserv.l.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs sasser.b.exe sasser.a.exe rahack.exe no specs rahack.exe no specs blaster.a.exe no specs blaster.e.exe no specs kobalc.exe no specs kobalc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
120NET STOP NAVAPSVCC:\Windows\System32\net.exeOpaserv.l.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
1336"C:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Opaserv.l.exe" C:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Opaserv.l.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1696"C:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Kolabc\Kobalc.exe" C:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Kolabc\Kobalc.exeexplorer.exe
User:
admin
Company:
Microsoft® Windows NET Runtime Optimization Service
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.1.2600.0 (xpclient.010817-1148)
1836NET STOP SWEEPSRV.SYSC:\Windows\System32\net.exeOpaserv.l.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
1888"C:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\EternalRocks.exe" C:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\EternalRocks.exe
explorer.exe
User:
admin
Company:
Microsoft
Integrity Level:
MEDIUM
Description:
EternalRocks
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\net-worm\net-worm\eternalrocks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1992"C:\Windows\system32\ntvdm.exe" -i1 C:\Windows\System32\ntvdm.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
NTVDM.EXE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntvdm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2024"C:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Sasser\Sasser.A.exe" C:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Sasser\Sasser.A.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
2096C:\Windows\system32\net1 STOP PERSFWC:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2120NET STOP AVPCCC:\Windows\System32\net.exeOpaserv.l.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
2244NET STOP MCSHIELDC:\Windows\System32\net.exeOpaserv.l.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
4 423
Read events
4 402
Write events
21
Delete events
0

Modification events

(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3700) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Net-Worm.zip
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
63
Suspicious files
2
Text files
20
Unknown types
2

Dropped files

PID
Process
Filename
Type
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\EternalRocks.exeexecutable
MD5:C52F20A854EFB013A0A1248FD84AAA95
SHA256:CF8533849EE5E82023AD7ADBDBD6543CB6DB596C53048B1A0C00B3643A72DB30
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Blaster\Blaster.A.exeexecutable
MD5:5AE700C1DFFB00CEF492844A4DB6CD69
SHA256:258F82166D20C68497A66D82349FC81899FDE8FE8C1CC66E59F739A9EA2C95A9
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Kolabc\Kobalc.exeexecutable
MD5:15717CD327A723820D71900611545917
SHA256:DB6CEA7E8D62D3B21EFE3B423B48C131E345CB55F168CBE1F142E491BB812747
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Opaserv.l.exeexecutable
MD5:71C981D4F5316C3AD1DEEFE48FDDB94A
SHA256:DE709DACAC623C637448DC91F6DFD441A49C89372AF2C53E2027E4AF5310B95D
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Sasser\Sasser.B.exeexecutable
MD5:FA3348956253F9F733B28B4CF1D45942
SHA256:00808F00EC970E3ED518ED40BA77F64BE2B9761B02FBAEA2047C5AC82D8B8F99
1992ntvdm.exeC:\Users\admin\AppData\Local\Temp\scs440A.tmptext
MD5:4C361DEA398F7AEEF49953BDC0AB4A9B
SHA256:06D61C23E6CA59B9DDAD1796ECCC42C032CD8F6F424AF6CFEE5D085D36FF7DFD
1888EternalRocks.exeC:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\bins\Architouch-1.0.0.0.xmlxml
MD5:A1831D45CE3DFD223BB9D8B84D2A95BC
SHA256:30DEF3ABC40401605580F6E21F81FE6D63A19E7EEA8AD0CFF661165AE6F3B7E5
1888EternalRocks.exeC:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\bins\cnli-1.dllexecutable
MD5:A539D27F33EF16E52430D3D2E92E9D5C
SHA256:DB0831E19A4E3A736EA7498DADC2D6702342F75FD8F7FBAE1894EE2E9738C2B4
1888EternalRocks.exeC:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\shadowbrokers.zipcompressed
MD5:6FDBEE99DC99A63AC6A5809450D55AD5
SHA256:70EC0E2B6F9FF88B54618A5F7FBD55B383CF62F8E7C3795C25E2F613BFDDF45D
1888EternalRocks.exeC:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\bins\adfw-2.dllexecutable
MD5:31D696F93EC84E635C4560034340E171
SHA256:F06D02359666B763E189402B7FBF9DFA83BA6F4DA2E7D037B3F9AEBEFD2D5A45
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Net-Worm.zip