File name: D.zip
Full analysis: https://app.any.run/tasks/8ad4ed26-db3e-4b77-8c20-7c73d4093e8a
Verdict: Malicious activity
Analysis date: April 23, 2019, 13:03:41
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 597729CA7F5E23E427EE5B0123C2BF9B
SHA1: E7BC846B19EB8DE30C143BD98E01288E86016957
SHA256: 04D139F98FE6585DB4634F8AAB52F773FD747C187BF6B2DB9BA91469CF4858EA
SSDEEP: 24576:7a7kNpACohB3usTtd+zCyN08Yp0JzmCBbmP+2JaW130n3gTfoG2mjwFY6uLZwrUZ:okpzoXusxFp0JZBbmPnJakkwT12mKiLh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executes PowerShell scripts
      • cmd.exe (PID: 4056)
  • SUSPICIOUS
    • Creates files in the user directory
      • notepad++.exe (PID: 2908)
      • powershell.exe (PID: 2880)
      • powershell.exe (PID: 2952)
      • powershell.exe (PID: 3852)
      • powershell.exe (PID: 4080)
      • powershell.exe (PID: 664)
  • INFO
    • No info indicators.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP, first local file header):
ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:04:02 13:48:02
ZipCRC: 0x6f741b06
ZipCompressedSize: 324
ZipUncompressedSize: 528
ZipFileName: bleigmth.ps1
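The EXIF block above is what the first ZIP local file header says about the archive; only that first member is described, while the dropped-files list further down shows the archive also held tfwsirfm.txt. A triage parser that walks every local header, decodes the same fields (version needed, flags, compression, DOS timestamp, CRC, sizes, name), verifies the CRC and hashes each member in memory is added here as an example; it is not part of the ANY.RUN report or of any tool the report uses. The archive it runs on is constructed (two members with the names from the report and placeholder contents, the first sized to the 528 bytes the report lists), so the CRC and hashes it prints are not those of D.zip.

```python
import hashlib
import io
import struct
import zipfile
import zlib

SCRIPT_EXTENSIONS = {".ps1", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta", ".bat", ".cmd"}
COMPRESSION_NAMES = {0: "Stored", 8: "Deflated", 12: "BZip2", 14: "LZMA"}
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")   # APPNOTE 4.3.7: 30-byte local file header
LOCAL_SIG = b"PK\x03\x04"


def dos_datetime(dos_time, dos_date):
    """Expand the packed MS-DOS stamp into the ExifTool-style YYYY:MM:DD HH:MM:SS string."""
    return "%04d:%02d:%02d %02d:%02d:%02d" % (
        (dos_date >> 9) + 1980, (dos_date >> 5) & 0xF, dos_date & 0x1F,
        dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2)


def triage_zip(buf):
    """Walk the local file headers of a ZIP and describe every member without writing it to disk."""
    members, pos = [], 0
    while buf[pos:pos + 4] == LOCAL_SIG:
        (_, version, flags, method, mtime, mdate, crc, csize, usize,
         name_len, extra_len) = LOCAL_HEADER.unpack_from(buf, pos)
        if flags & 0x0008:
            # Streamed archive: CRC and sizes live in a data descriptor after the data,
            # so this header cannot be trusted; such files need the central directory.
            raise ValueError("data-descriptor entry at offset %d; parse the central directory" % pos)
        name = buf[pos + 30:pos + 30 + name_len].decode("utf-8" if flags & 0x0800 else "cp437")
        data_start = pos + 30 + name_len + extra_len
        raw = buf[data_start:data_start + csize]
        content = zlib.decompress(raw, -15) if method == 8 else raw   # Deflated or Stored only
        if zlib.crc32(content) & 0xFFFFFFFF != crc or len(content) != usize:
            raise ValueError("CRC/size mismatch for %s" % name)
        ext = name[name.rfind("."):].lower() if "." in name else ""
        members.append({
            "name": name, "version_needed": version, "flags": flags,
            "compression": COMPRESSION_NAMES.get(method, str(method)),
            "modify_date": dos_datetime(mtime, mdate), "crc": "0x%08x" % crc,
            "compressed_size": csize, "uncompressed_size": usize,
            "md5": hashlib.md5(content).hexdigest().upper(),
            "sha256": hashlib.sha256(content).hexdigest().upper(),
            "script": ext in SCRIPT_EXTENSIONS,   # flag interpreter-fed members for a closer look
        })
        pos = data_start + csize
    return members


def build_sample_zip():
    """Constructed stand-in for D.zip: the two member names from the report, made-up contents."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        for name, body in (("bleigmth.ps1", b"# constructed placeholder script\n" * 16),  # 528 bytes
                           ("tfwsirfm.txt", b"constructed placeholder text\n" * 8)):
            zi = zipfile.ZipInfo(name, date_time=(2019, 4, 2, 13, 48, 2))  # the report's ZipModifyDate
            zi.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(zi, body)
    return out.getvalue()


if __name__ == "__main__":
    for member in triage_zip(build_sample_zip()):
        print(member)
```

Reading the local headers rather than the central directory mirrors what ExifTool reports, but a real sample should be cross-checked against the central directory too: the two can disagree, and a member present only in one of them is itself a finding.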
No data.
Screenshots: available in the full report
Total processes: 73
Monitored processes: 17
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes in the order drawn ("no specs" marks a node with no indicator hit; the six Copy/Move/Rename/Delete/Link Object nodes are the DllHost.exe COM Surrogate instances listed under Process information):
start, winrar.exe (no specs), explorer.exe (no specs), Copy/Move/Rename/Delete/Link Object (no specs), notepad++.exe, gup.exe, Copy/Move/Rename/Delete/Link Object x5 (no specs), powershell.exe x3 (no specs), cmd.exe (no specs), powershell.exe (no specs), notepad++.exe, powershell.exe (no specs)

Process information

PID 2316  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\D.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 3388  "C:\Windows\explorer.exe"
  Path: C:\Windows\explorer.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Explorer
  Exit code: 1
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2908  "C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\bleigmth.ps1"
  Path: C:\Program Files\Notepad++\notepad++.exe
  Parent process: explorer.exe
  User: admin
  Company: (empty)
  Integrity Level: MEDIUM
  Description: Notepad++ : a free (GNU) source code editor
  Exit code: 0
  Version: 7.51

PID 2560  "C:\Program Files\Notepad++\updater\gup.exe" -v7.51
  Path: C:\Program Files\Notepad++\updater\gup.exe
  Parent process: notepad++.exe
  User: admin
  Company: (empty)
  Integrity Level: MEDIUM
  Description: GUP : a free (LGPL) Generic Updater
  Exit code: 0
  Version: 4.1

PIDs 2512, 948, 2308, 536, 3824, 4020  C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
  Path: C:\Windows\system32\DllHost.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: COM Surrogate
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
  Six identical records. The CLSID is the shell's Copy/Move/Rename/Delete/Link Object (the nodes of that name in the behavior graph); HIGH integrity with a svchost.exe parent is how an elevated Explorer file operation appears, and the dropped-files table shows PIDs 948, 2308 and 536 creating C:\Users\bbenini and its subdirectories, a profile name that is not the sandbox user's (admin).

Only these ten records appear on this page; the powershell.exe (PIDs 2880, 2952, 3852, 4080, 664), cmd.exe (PID 4056) and second notepad++.exe processes named elsewhere in the report have no entries here.
Registry activity
Total events: 2 651
Read events: 2 311
Write events: 0
Delete events: 0
Modification events: No data

Files activity
Executable files: 0
Suspicious files: 12
Text files: 10
Unknown types: 0

Dropped files (the MD5, SHA256 and Type columns are empty on this page)

PID   Process         Filename
2316  WinRAR.exe      C:\Users\admin\AppData\Local\Temp\Rar$DRa2316.15119\bleigmth.ps1
2316  WinRAR.exe      C:\Users\admin\AppData\Local\Temp\Rar$DRa2316.15119\tfwsirfm.txt
948   DllHost.exe     C:\Users\bbenini
948   DllHost.exe     C:\Users\bbenini\AppData
2308  DllHost.exe     C:\Users\bbenini\AppData\Roaming
536   DllHost.exe     C:\Users\bbenini\AppData\Roaming\iacpjjpt
664   powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OF6HEFOLME4M70UP7IRM.temp
4080  powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\VCTC8VUFG01AQME0LF2D.temp
3852  powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TCF2WVK1TLSJZBTTQN24.temp
2952  powershell.exe  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N4N9L62VWSS5020QBOKC.temp
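The indicator hits near the top of the report (cmd.exe for "Executes PowerShell scripts", six processes for "Creates files in the user directory") and the dropped-files table above are the kind of parent-child and path rules a sandbox or EDR evaluates. The example below, added here and not the report's or ANY.RUN's own logic, runs such rules over a constructed event set: PIDs, image names and file paths are taken from the report; every command line, the explorer.exe PID 1234 and the link from cmd.exe 4056 to powershell.exe 2880 are assumptions. It departs from the report in one deliberate way: the .temp files under Recent\CustomDestinations, a shell jump-list artifact routinely attributed to powershell.exe in sandbox runs, are downgraded to INFO, and a write into a profile other than the sandbox user's is called out separately.

```python
import re
from collections import defaultdict

# Constructed events in the shape of the report's tables (command lines and PID 1234 are assumed).
PROCESSES = [
    {"pid": 1234, "ppid": None, "image": "explorer.exe", "cmd": "explorer.exe"},
    {"pid": 2316, "ppid": 1234, "image": "WinRAR.exe",
     "cmd": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\D.zip"'},
    {"pid": 2908, "ppid": 1234, "image": "notepad++.exe",
     "cmd": r'"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\bleigmth.ps1"'},
    {"pid": 4056, "ppid": 1234, "image": "cmd.exe",   # assumed command line
     "cmd": r'cmd.exe /c powershell.exe -ExecutionPolicy Bypass -File C:\Users\admin\Desktop\bleigmth.ps1'},
    {"pid": 2880, "ppid": 4056, "image": "powershell.exe",   # assumed command line and parent
     "cmd": r'powershell.exe -ExecutionPolicy Bypass -File C:\Users\admin\Desktop\bleigmth.ps1'},
    {"pid": 664, "ppid": 1234, "image": "powershell.exe",   # assumed command line
     "cmd": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
]
FILE_CREATES = [   # (pid, path) taken from the dropped-files table
    (2316, r"C:\Users\admin\AppData\Local\Temp\Rar$DRa2316.15119\bleigmth.ps1"),
    (536, r"C:\Users\bbenini\AppData\Roaming\iacpjjpt"),
    (664, r"C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\OF6HEFOLME4M70UP7IRM.temp"),
]

USER_PROFILE = re.compile(r"^[A-Za-z]:\\Users\\([^\\]+)(?:\\|$)", re.IGNORECASE)
JUMPLIST_TEMP = re.compile(r"\\Recent\\CustomDestinations\\[A-Z0-9]+\.temp$", re.IGNORECASE)
PS_SCRIPT = re.compile(r"\.ps1(?:\"|\s|$)", re.IGNORECASE)


def evaluate(processes, file_creates, sandbox_user="admin"):
    """Return {pid: [(level, description), ...]} for the two rule families used in the report."""
    by_pid = {p["pid"]: p for p in processes}
    findings = defaultdict(list)
    for p in processes:
        # The launcher, not powershell.exe itself, gets the hit: that is the process whose
        # behaviour is unusual, and it is still there to look at after PowerShell exits.
        if p["image"].lower() == "powershell.exe" and PS_SCRIPT.search(p["cmd"]):
            parent = by_pid.get(p["ppid"])
            if parent is not None:
                findings[parent["pid"]].append(("MALICIOUS", "Executes PowerShell scripts"))
    for pid, path in file_creates:
        m = USER_PROFILE.match(path)
        if not m:
            continue
        if JUMPLIST_TEMP.search(path):
            findings[pid].append(("INFO", "Writes a jump-list temp file (shell noise)"))
        elif m.group(1).lower() != sandbox_user.lower():
            findings[pid].append(("SUSPICIOUS", "Creates files in another user's profile"))
        else:
            findings[pid].append(("SUSPICIOUS", "Creates files in the user directory"))
    return dict(findings)


def ancestry(pid, processes):
    """Image names from the root of the known tree down to pid, for a one-line process lineage."""
    by_pid = {p["pid"]: p for p in processes}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid]["image"])
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


def verdict(findings):
    levels = {level for hits in findings.values() for level, _ in hits}
    if "MALICIOUS" in levels:
        return "Malicious activity"
    if "SUSPICIOUS" in levels:
        return "Suspicious activity"
    return "No threats detected"


if __name__ == "__main__":
    hits = evaluate(PROCESSES, FILE_CREATES)
    for pid, rules in sorted(hits.items()):
        print(pid, " > ".join(ancestry(pid, PROCESSES)) or "(no process record)", rules)
    print(verdict(hits))
```

The lineage helper matters more than the rules: "explorer.exe > cmd.exe > powershell.exe" with a -File argument is the chain worth hunting for across a fleet, whereas a bare powershell.exe started from Explorer (PID 664 here) produces only the jump-list write.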
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID / Process: (empty)
Method: GET
HTTP code: 200
IP: 2.21.242.187:80
URL: http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUxKexpHsscfrb4UuQdf%2FEFWCFiRACEAoBQUIAAAFThXNqC4Xspwg%3D
CN: NL
Type: der
Size: 1.37 Kb
Reputation: whitelisted

This is an OCSP request in the GET form of RFC 6960 (the DER-encoded request, base64 and URL-encoded, is the path) to the IdenTrust responder that serves the Let's Encrypt chain; it is the revocation check that accompanies the TLS connection gup.exe made to notepad-plus-plus.org, and the report attributes no connection to cmd.exe or to any powershell.exe process.

Connections

PID   Process  IP                Domain                           ASN                        CN  Reputation
(none)         2.21.242.187:80   isrg.trustid.ocsp.identrust.com  Akamai International B.V.  NL  whitelisted
2560  gup.exe  37.59.28.236:443  notepad-plus-plus.org            OVH SAS                    FR  whitelisted

DNS requests

Domain                           IP                          Reputation
notepad-plus-plus.org            37.59.28.236                whitelisted
isrg.trustid.ocsp.identrust.com  2.21.242.187, 2.21.242.197  whitelisted

Threats

No threats detected

Debug output strings

Process        Message
notepad++.exe  VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe  VerifyLibrary: certificate revocation checking is disabled
notepad++.exe  42C4C5846BB675C74E2B2C90C69AB44366401093