File name:

Net-Worm.zip

Full analysis: https://app.any.run/tasks/7d1120b3-bc63-42d9-9704-e88eeb6454c8
Verdict: Malicious activity
Analysis date: March 10, 2024, 14:08:28
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v4.5 to extract, compression method=deflate
MD5:

C767D9A19901A2E540D3BA41168C7694

SHA1:

CE2CE6F04807CA1F536A9880292850781747733D

SHA256:

03CEF643BAA7561DD495994D4701AC3983964AFC014971BBD128307ECF94C1D5

SSDEEP:

98304:eFmmecd/fuc8nJUxB3wyEuo0vZ9RNkxFg3m8IUbfkhR98mw9csB69sxLGR9O976z:MwPy8dfIc

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops the executable file immediately after the start

      • WinRAR.exe (PID: 3700)
      • EternalRocks.exe (PID: 1888)

    • Changes the autorun value in the registry

      • Opaserv.l.exe (PID: 3212)

    • Starts NET.EXE for service management

      • net.exe (PID: 2120)
      • net.exe (PID: 3500)
      • Opaserv.l.exe (PID: 1336)
      • net.exe (PID: 2244)
      • net.exe (PID: 2388)
      • net.exe (PID: 2484)
      • net.exe (PID: 2592)
      • net.exe (PID: 2788)
      • net.exe (PID: 3936)
      • net.exe (PID: 120)
      • net.exe (PID: 1836)
      • Opaserv.l.exe (PID: 3212)

  • SUSPICIOUS

    • Creates file in the systems drive root

      • ntvdm.exe (PID: 1992)

    • Executable content was dropped or overwritten

      • EternalRocks.exe (PID: 1888)

    • The process creates files with name similar to system file names

      • EternalRocks.exe (PID: 1888)

  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3700)

    • Manual execution by a user

      • ntvdm.exe (PID: 1992)
      • notepad.exe (PID: 3464)
      • Opaserv.l.exe (PID: 3212)
      • Opaserv.l.exe (PID: 1336)
      • EternalRocks.exe (PID: 2724)
      • Sasser.A.exe (PID: 2024)
      • Sasser.B.exe (PID: 2936)
      • Rahack.exe (PID: 3768)
      • Blaster.A.exe (PID: 3772)
      • Blaster.E.exe (PID: 3464)
      • Rahack.exe (PID: 3156)
      • Kobalc.exe (PID: 1696)
      • Kobalc.exe (PID: 3992)
      • EternalRocks.exe (PID: 1888)

    • Create files in a temporary directory

      • EternalRocks.exe (PID: 1888)

    • Checks supported languages

      • EternalRocks.exe (PID: 1888)
      • Opaserv.l.exe (PID: 3212)

    • Reads the machine GUID from the registry

      • EternalRocks.exe (PID: 1888)

    • Reads the computer name

      • EternalRocks.exe (PID: 1888)
      • Opaserv.l.exe (PID: 3212)

    • Reads Environment values

      • EternalRocks.exe (PID: 1888)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 45
ZipBitFlag: 0x0800
ZipCompression: Deflated
ZipModifyDate: 2024:03:03 01:03:34
ZipCRC: 0x00000000
ZipCompressedSize: 2
ZipUncompressedSize: -
ZipFileName: Net-Worm/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
89
Monitored processes
35
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe notepad.exe no specs opaserv.l.exe net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs eternalrocks.exe ntvdm.exe no specs eternalrocks.exe no specs opaserv.l.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs net1.exe no specs sasser.b.exe sasser.a.exe rahack.exe no specs rahack.exe no specs blaster.a.exe no specs blaster.e.exe no specs kobalc.exe no specs kobalc.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
120NET STOP NAVAPSVCC:\Windows\System32\net.exeOpaserv.l.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
1336"C:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Opaserv.l.exe" C:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Opaserv.l.exeexplorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
1696"C:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Kolabc\Kobalc.exe" C:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Kolabc\Kobalc.exeexplorer.exe
User:
admin
Company:
Microsoft® Windows NET Runtime Optimization Service
Integrity Level:
MEDIUM
Exit code:
0
Version:
5.1.2600.0 (xpclient.010817-1148)
1836NET STOP SWEEPSRV.SYSC:\Windows\System32\net.exeOpaserv.l.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
1888"C:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\EternalRocks.exe" C:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\EternalRocks.exe
explorer.exe
User:
admin
Company:
Microsoft
Integrity Level:
MEDIUM
Description:
EternalRocks
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\appdata\local\temp\net-worm\net-worm\eternalrocks.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1992"C:\Windows\system32\ntvdm.exe" -i1 C:\Windows\System32\ntvdm.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
NTVDM.EXE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\ntvdm.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2024"C:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Sasser\Sasser.A.exe" C:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Sasser\Sasser.A.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225477
2096C:\Windows\system32\net1 STOP PERSFWC:\Windows\System32\net1.exenet.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
2120NET STOP AVPCCC:\Windows\System32\net.exeOpaserv.l.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\net.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\netutils.dll
c:\windows\system32\browcli.dll
2244NET STOP MCSHIELDC:\Windows\System32\net.exeOpaserv.l.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Net Command
Exit code:
2
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
4 423
Read events
4 402
Write events
21
Delete events
0

Modification events

(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3700) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\phacker.zip
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\Net-Worm.zip
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3700) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
Executable files
63
Suspicious files
2
Text files
20
Unknown types
2

Dropped files

PID
Process
Filename
Type
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Kolabc\Kobalc.exeexecutable
MD5:15717CD327A723820D71900611545917
SHA256:DB6CEA7E8D62D3B21EFE3B423B48C131E345CB55F168CBE1F142E491BB812747
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Opaserv.l.exeexecutable
MD5:71C981D4F5316C3AD1DEEFE48FDDB94A
SHA256:DE709DACAC623C637448DC91F6DFD441A49C89372AF2C53E2027E4AF5310B95D
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Sasser\Sasser.B.exeexecutable
MD5:FA3348956253F9F733B28B4CF1D45942
SHA256:00808F00EC970E3ED518ED40BA77F64BE2B9761B02FBAEA2047C5AC82D8B8F99
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Loveware.txttext
MD5:9F59E4D545E1A16EC4AD1B11291C5346
SHA256:CD41EB3B411ABD314E90D980F4E05D7D2DB60FB8A9616F84754B4E1EEB10F290
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Sasser\Sasser.A.exeexecutable
MD5:EF1952B755BA912B9F60B2ED8DD68D30
SHA256:B2FA6EDAA5FFC51D12150424355A0C86AC9F46D7EC772D35AB8D9F4FE7996D91
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Rahack\Rahack.exeexecutable
MD5:70089174CF0B97D4E4DE889F03E97A7A
SHA256:400C72EF312E3B46FE417AA82D6691D18A07C0708E94B6FA7B47934909D3DB7C
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Blaster\Blaster.A.exeexecutable
MD5:5AE700C1DFFB00CEF492844A4DB6CD69
SHA256:258F82166D20C68497A66D82349FC81899FDE8FE8C1CC66E59F739A9EA2C95A9
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\EternalRocks.exeexecutable
MD5:C52F20A854EFB013A0A1248FD84AAA95
SHA256:CF8533849EE5E82023AD7ADBDBD6543CB6DB596C53048B1A0C00B3643A72DB30
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Sasser\Sasser.c.sourcecode.txttext
MD5:28FAD72D643985282FB85CA9B7892DFB
SHA256:FEBBF809124ED9D5771CA2DA4F2D8FD23643970BECC3D6B062E14CC97FAEE4B7
3700WinRAR.exeC:\Users\admin\AppData\Local\Temp\Net-Worm\Net-Worm\Blaster\Blaster.E.exeexecutable
MD5:8676210E6246948201AA014DB471DE90
SHA256:2E481059B9BC9686C676D69A80202EED5022C9A53ECD8CAC215E70C601DD7FDC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
4
System
192.168.100.255:137
whitelisted
1080
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
Net-Worm.zip