Malware analysis sample_126.zip Malicious activity | ANY.RUN

Add for printing

File name:	sample_126.zip
Full analysis:	https://app.any.run/tasks/51986585-d825-46c9-adda-71085ae9965b
Verdict:	Malicious activity
Analysis date:	June 12, 2019, 11:20:04
OS:	Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract
MD5:	4B5EDB3C9D6FD125C1641707489BE5A5
SHA1:	3F3A61C82AFD2F1CA7CE6CABBC65511D8D829ED5
SHA256:	0835382BA5F66511C4521D2670F462E6D41DA8F64AFF1E7C8BD4BC6DA2D7D1C0
SSDEEP:	12288:+XhY+Iyrru/6lKZ77PWGM6C5UN25ApsIT8fCrdZdQgmSZ4LmGL7cXVhuPNzmu:uIyWUKN7HMH5il8AdZdBP4LmGL7Tcu

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 60 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: none
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 8.0.7601.17514 undefined
Adobe Acrobat Reader DC MUI (15.023.20070)
Adobe Flash Player 26 ActiveX (26.0.0.131)
Adobe Flash Player 26 NPAPI (26.0.0.131)
Adobe Flash Player 26 PPAPI (26.0.0.131)
Adobe Refresh Manager (1.8.0)
CCleaner (5.35)
FileZilla Client 3.36.0 (3.36.0)
Google Chrome (73.0.3683.75)
Google Update Helper (1.3.33.23)
Java 8 Update 92 (8.0.920.14)
Java Auto Updater (2.8.92.14)
Microsoft .NET Framework 4.6.1 (4.6.01055)
Microsoft Office Access MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Access Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Excel MUI (English) 2010 (14.0.6029.1000)
Microsoft Office OneNote MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Outlook MUI (English) 2010 (14.0.6029.1000)
Microsoft Office PowerPoint MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Professional 2010 (14.0.6029.1000)
Microsoft Office Proof (English) 2010 (14.0.6029.1000)
Microsoft Office Proof (French) 2010 (14.0.6029.1000)
Microsoft Office Proof (Spanish) 2010 (14.0.6029.1000)
Microsoft Office Proofing (English) 2010 (14.0.6029.1000)
Microsoft Office Publisher MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Shared Setup Metadata MUI (English) 2010 (14.0.6029.1000)
Microsoft Office Single Image 2010 (14.0.6029.1000)
Microsoft Office Word MUI (English) 2010 (14.0.6029.1000)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (9.0.30729.6161)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (10.0.40219)
Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2017 Redistributable (x86) - 14.15.26706 (14.15.26706.0)
Microsoft Visual C++ 2017 x86 Additional Runtime - 14.15.26706 (14.15.26706)
Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.15.26706 (14.15.26706)
Mozilla Firefox 65.0.2 (x86 en-US) (65.0.2)
Notepad++ (32-bit x86) (7.5.1)
Opera 12.15 (12.15.1748)
Skype version 8.29 (8.29)
VLC media player (2.2.6)
WinRAR 5.60 (32-bit) (5.60.0)

Hotfixes

Client LanguagePack Package
Client Refresh LanguagePack Package
CodecPack Basic Package
Foundation Package
IE Troubleshooters Package
InternetExplorer Optional Package
KB2534111
KB2999226
KB976902
LocalPack AU Package
LocalPack CA Package
LocalPack GB Package
LocalPack US Package
LocalPack ZA Package
ProfessionalEdition
UltimateEdition

Add for printing

MALICIOUS
- Application was dropped or rewritten from another process
  - cstart.exe (PID: 2244)
  - gmin.exe (PID: 3236)
  - cmin.exe (PID: 1240)
  - sample_126.exe (PID: 2468)
SUSPICIOUS
- Executable content was dropped or overwritten
  - sample_126.exe (PID: 2468)
- Creates files in the user directory
  - cmin.exe (PID: 1240)
  - sample_126.exe (PID: 2468)
INFO
- Manual execution by user
  - sample_126.exe (PID: 2468)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipFileName:	sample_126/
ZipUncompressedSize:	-
ZipCompressedSize:	-
ZipCRC:	0x00000000
ZipModifyDate:	2018:05:01 18:48:23
ZipCompression:	None
ZipBitFlag:	-
ZipRequiredVersion:	20

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID	CMD	Path	Indicators	Parent process
3612	"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\sample_126.zip"	C:\Program Files\WinRAR\WinRAR.exe	—	explorer.exe
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.60.0
2468	"C:\Users\admin\Desktop\sample_126.exe"	C:\Users\admin\Desktop\sample_126.exe		explorer.exe
User: admin Integrity Level: MEDIUM Exit code: 0
2244	"C:\Users\admin\AppData\Roaming\cstart.exe"	C:\Users\admin\AppData\Roaming\cstart.exe	—	sample_126.exe
User: admin Company: Microsoft Integrity Level: MEDIUM Exit code: 0 Version: 1.00
1240	C:\Users\admin\AppData\Roaming\cmin.exe -o http://coinobot.2:[email protected]:8332 -g no	C:\Users\admin\AppData\Roaming\cmin.exe		cstart.exe
User: admin Company: Ufasoft Integrity Level: MEDIUM Description: bitcoin-miner Version: 7.0.2239.0
3236	C:\Users\admin\AppData\Roaming\gmin.exe -o http://us.ozco.in:8332 -u coinobot.2 -p 1234 -T	C:\Users\admin\AppData\Roaming\gmin.exe	—	cstart.exe
User: admin Integrity Level: MEDIUM Exit code: 3221225781

Add for printing

Total events

823

Read events

791

Write events

Delete events

Modification events

No data

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
3612	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DRb3612.44175\sample_126\sample_126.exe		—
		MD5:—	SHA256:—
2468	sample_126.exe	C:\Users\admin\AppData\Roaming\poclbm120327.cl		text
		MD5:0470182A132F73E9FEAACAB82F8274FE	SHA256:55851C4FC6457F7D83E15202CB2E0A894B363B3F15F505AB72991ED83F639BC3
2468	sample_126.exe	C:\Users\admin\AppData\Roaming\diakgcn120427.cl		text
		MD5:961444A36167A43CBA15DC65587F31A9	SHA256:D393CD16ABF3CE58533DF73A7155EE74F3E7DCDEEFB5CAF16426FBD67E0D1507
2468	sample_126.exe	C:\Users\admin\AppData\Roaming\cstart.exe		executable
		MD5:0BD5BD12AF0978C157BB5154FECD64C2	SHA256:355CB6B5BDAA077F7F8FA6BB4BF978932EC9CD43D26D599BEC5DADCBA88378E1
2468	sample_126.exe	C:\Users\admin\AppData\Roaming\phatk120223.cl		text
		MD5:8B3C553D0FBA4474261DD07D1FE57EAB	SHA256:B170C5AEBB94156FA7D84F67D3003611039BED163DB00B95A94C5FB6ED4B8C1C
2468	sample_126.exe	C:\Users\admin\AppData\Roaming\libcurl-4.dll		executable
		MD5:7FEF219621CD9717A1D7FCC537DC9FBE	SHA256:F23D2ABF2C96813054DF51212F74FABBBB2D707A6B477CB2CF1D52D316A26302
2468	sample_126.exe	C:\Users\admin\AppData\Roaming\libusb-1.0.dll		executable
		MD5:7F2523DEC5FA92C70F3AB13765D799FF	SHA256:7CEB91390AC581B78BE8A18A6EEBF7F9124A2460C4F9849EE4C75EC303412062
2468	sample_126.exe	C:\Users\admin\AppData\Roaming\cmin.exe		executable
		MD5:2B632FC62EE59E436EB468D53C00BEDD	SHA256:7D6068F72C77001B637B41E4E0E04C82A1D235A7247EFF5BF000DC35A5A9E313
2468	sample_126.exe	C:\Users\admin\AppData\Roaming\pthreadGC2.dll		executable
		MD5:8BC13C002F91CFF22A17F5A5191C1292	SHA256:97C1A2CABFE69B987732A1502DAC6CCE9C6E31F6F7E9142FC4BC8D92077F2DA3
2468	sample_126.exe	C:\Users\admin\AppData\Roaming\diablo120328.cl		text
		MD5:8BA9AB1F34BA302D7770BBE2F81560DB	SHA256:5A133391C497C15B581DAD364D30784B7E0C5A9C98DC4859A8BAE14D6E7B1A15

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
1240	cmin.exe	185.53.178.9:8332	us.ozco.in	Team Internet AG	DE	malicious

DNS requests

Domain	IP	Reputation
us.ozco.in	185.53.178.9	malicious

Threats

No threats detected

Add for printing

No debug info

General Info

sample_126.zip

4B5EDB3C9D6FD125C1641707489BE5A5

3F3A61C82AFD2F1CA7CE6CABBC65511D8D829ED5

0835382BA5F66511C4521D2670F462E6D41DA8F64AFF1E7C8BD4BC6DA2D7D1C0

12288:+XhY+Iyrru/6lKZ77PWGM6C5UN25ApsIT8fCrdZdQgmSZ4LmGL7cXVhuPNzmu:uIyWUKN7HMH5il8AdZdBP4LmGL7Tcu

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was dropped or rewritten from another process

SUSPICIOUS

Executable content was dropped or overwritten

Creates files in the user directory

INFO

Manual execution by user

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Information

Information

Information

Information

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings