Sample: Launcher_x64.zip

Full analysis: https://app.any.run/tasks/b8651c6f-afa5-485d-a1ab-f8672fcb03f0
Verdict: Malicious activity
Analysis date: January 17, 2020, 18:25:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: C63DB239AC50A871475EC8F77F5CEC6E
SHA1: 0602A9459A41172AC18EC08F37E9EF5F9E536B91
SHA256: 0813F9C1C8E128E4DF002A8DECD23EE65A37ED6AAA4A8AA98F2743587F5430A4
SSDEEP: 98304:vq72XgABrSzxYkvEFKOV/vgvpsQrEEY8mrYZLuaPwzN9WFSfwXaCx87IW:vJXAzxFvrORmsCG8WyLuaPwzLf9L7IW

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3352)
      • Install.exe (PID: 3156)
    • Application was dropped or rewritten from another process
      • Install.exe (PID: 1012)
      • Install.exe (PID: 3156)
    • Actions look like stealing of personal data
      • Install.exe (PID: 3156)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2580)
      • Install.exe (PID: 3156)
    • Application launched itself
      • Install.exe (PID: 1012)
    • Creates files in the user directory
      • Install.exe (PID: 3156)
    • Reads the cookies of Google Chrome
      • Install.exe (PID: 3156)
    • Reads the cookies of Mozilla Firefox
      • Install.exe (PID: 3156)
    • Checks for external IP
      • Install.exe (PID: 3156)
  • INFO
    • Manual execution by user
      • Install.exe (PID: 1012)
      • WinRAR.exe (PID: 2580)
No Malware configuration.

TRiD
  .xpi | Mozilla Firefox browser extension (66.6)
  .zip | ZIP compressed archive (33.3)

EXIF (ZIP)
  ZipRequiredVersion: 10
  ZipBitFlag: -
  ZipCompression: None
  ZipModifyDate: 2019:11:09 21:47:21
  ZipCRC: 0x00000000
  ZipCompressedSize: -
  ZipUncompressedSize: -
  ZipFileName: en-US/
No data.
Total processes: 39
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Behavior graph (interactive in the full report): start → rundll32.exe (no specs), winrar.exe, searchprotocolhost.exe (no specs), install.exe (no specs), install.exe

Process information

PID 3980 (parent: explorer.exe)
  CMD: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\Launcher_x64.zip.xpi
  Path: C:\Windows\system32\rundll32.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows host process (Rundll32)
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 2580 (parent: explorer.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\Launcher_x64.zip" C:\Users\admin\Desktop\Launcher_x64\
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 3352 (parent: SearchIndexer.exe)
  CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  Path: C:\Windows\System32\SearchProtocolHost.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Microsoft Windows Search Protocol Host
  Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID 1012 (parent: explorer.exe)
  CMD: "C:\Users\admin\Desktop\Launcher_x64\Install.exe"
  Path: C:\Users\admin\Desktop\Launcher_x64\Install.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0

PID 3156 (parent: Install.exe)
  CMD: "C:\Users\admin\Desktop\Launcher_x64\Install.exe"
  Path: C:\Users\admin\Desktop\Launcher_x64\Install.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 0
Total events: 506
Read events: 452
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 52
Suspicious files: 0
Text files: 1
Unknown types: 1

Dropped files

PID 3156, Install.exe
  C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\admin@mywps[1].txt (text)
  MD5: 7C3CA7E42331B6EFFFBA06D7C7E425EC
  SHA256: 678BC639314C03956FB832AB3C774DDADC853FF863A1C470764B63F4DCE18869

PID 2580, WinRAR.exe
  C:\Users\admin\Desktop\Launcher_x64\en-US\lan-eng.lg (executable)
  MD5: A0013AD05AC0ECB1C2245C9766208DB7
  SHA256: 8EDC34711B37FFCE64E8591C1696AFB175E091D241523E0CF5187B4B1FC3CB0D

PID 2580, WinRAR.exe
  C:\Users\admin\Desktop\Launcher_x64\xperm.dll (executable)
  MD5: 1B8F236C551EF8ED2CDE51ADAB838A87
  SHA256: A0BA71E322FBCE81FE792B4ABE09CB6D46A26CB38757018184B0346942AA9C54

PID 2580, WinRAR.exe
  C:\Users\admin\Desktop\Launcher_x64\Install.exe (executable)
  MD5: C31AF634CBB863567F1E57EA55778944
  SHA256: 2C35DFBB09631EE37FF89AF9A4E47062C13EAA2E017000E6B750CBE1D47566E8

PID 2580, WinRAR.exe
  C:\Users\admin\Desktop\Launcher_x64\inc\bin.dll (executable)
  MD5: E567AEE9682F4DBE9251C68EFB5E00E1
  SHA256: 05AB975ECD6F278AEDEC586485152334C6AB967F0497D2ECB65EB5226AAA57C5

PID 3156, Install.exe
  C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-localization-l1-2-0.dll (executable)
  MD5: EFF11130BFE0D9C90C0026BF2FB219AE
  SHA256: 03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97

PID 3156, Install.exe
  C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-handle-l1-1-0.dll (executable)
  MD5: 6DB54065B33861967B491DD1C8FD8595
  SHA256: 945CC64EE04B1964C1F9FCDC3124DD83973D332F5CFB696CDF128CA5C4CBD0E5

PID 3156, Install.exe
  C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-namedpipe-l1-1-0.dll (executable)
  MD5: 6F6796D1278670CCE6E2D85199623E27
  SHA256: C4F60F911068AB6D7F578D449BA7B5B9969F08FC683FD0CE8E2705BBF061F507

PID 3156, Install.exe
  C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-datetime-l1-1-0.dll (executable)
  MD5: CB978304B79EF53962408C611DFB20F5
  SHA256: 90FAE0E7C3644A6754833C42B0AC39B6F23859F9A7CF4B6C8624820F59B9DAD3

PID 3156, Install.exe
  C:\Users\admin\AppData\Local\Temp\9622D276\api-ms-win-core-interlocked-l1-1-0.dll (executable)
  MD5: D97A1CB141C6806F0101A5ED2673A63D
  SHA256: DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C
HTTP(S) requests: 1
TCP/UDP connections: 3
DNS requests: 2
Threats: 0

HTTP requests

PID 3156, Install.exe
  Method: GET
  HTTP Code: 200
  IP: 208.95.112.1:80
  URL: http://ip-api.com/json
  CN: unknown
  Type: text
  Size: 264 b
  Reputation: shared

Connections

PID 3156, Install.exe
  IP: 208.95.112.1:80
  Domain: ip-api.com
  ASN: IBURST
  Reputation: malicious

PID 3156, Install.exe
  IP: 104.18.56.40:443
  Domain: fiasyfssa.mywps.me
  ASN: Cloudflare Inc
  CN: US
  Reputation: suspicious

DNS requests

fiasyfssa.mywps.me
  • 104.18.56.40
  • 104.18.57.40
  Reputation: suspicious

ip-api.com
  • 208.95.112.1
  Reputation: shared

Threats

PID 3156, Install.exe
  Class: Potential Corporate Privacy Violation
  Message: ET POLICY External IP Lookup ip-api.com

PID 3156, Install.exe
  Class: Potential Corporate Privacy Violation
  Message: AV POLICY Internal Host Retrieving External IP Address (ip-api. com)
No debug info