File name: Masaüstü.zip
Full analysis: https://app.any.run/tasks/f3fcd788-6a52-43ba-bfbd-d0783e4909a5
Verdict: Malicious activity
Analysis date: October 05, 2022, 06:59:19
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 958FDD16B1E9C8AFF868BA8FF1F263B8
SHA1: 20EDD3A8831818954B1280A2A8BABDA7BBC42C18
SHA256: 0A5C2C19DC97377D811DFF9E8397DE7FE1CB3967103823A89CC928E0D4207B0D
SSDEEP: 98304:8MUGU7xNNiJdXz8o3X/kJMbSmFFOtOLplRPNnxg+:8MIXGdz8onoMbhFOKp/NR
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • setup.exe (PID: 1236)
      • setup.exe (PID: 3804)
      • USBGuard.exe (PID: 500)
      • USBGuardUpdate.exe (PID: 2548)
      • USBGuardUpdate.exe (PID: 2256)
      • usb_disk_security.ts3 (PID: 4068)
      • USBGuardUpdate.exe (PID: 3848)
    • Saves itself using an automatic execution at the hidden registry location

      • setup.tmp (PID: 2364)
    • Changes the autorun value in the registry

      • setup.tmp (PID: 2364)
    • Loads dropped or rewritten executable

      • USBGuard.exe (PID: 500)
  • SUSPICIOUS

    • Reads the machine GUID from the registry

      • WinRAR.exe (PID: 1188)
      • USBGuardUpdate.exe (PID: 2256)
      • USBGuardUpdate.exe (PID: 3848)
    • Reads Internet Settings

      • WinRAR.exe (PID: 1188)
      • USBGuard.exe (PID: 500)
      • USBGuardUpdate.exe (PID: 2256)
      • USBGuardUpdate.exe (PID: 3848)
    • Reads the Windows owner or organization settings

      • setup.tmp (PID: 2364)
      • USBGuardUpdate.exe (PID: 2256)
      • USBGuardUpdate.exe (PID: 3848)
    • Creates a directory in Program Files

      • setup.tmp (PID: 2364)
    • Executed via COM

      • DllHost.exe (PID: 3616)
    • Starts application with an unusual extension

      • USBGuardUpdate.exe (PID: 2256)
    • Starts itself from another location

      • usb_disk_security.ts3 (PID: 4068)
  • INFO

    • Checks supported languages

      • WinRAR.exe (PID: 1188)
      • setup.tmp (PID: 3400)
      • setup.exe (PID: 1236)
      • setup.exe (PID: 3804)
      • setup.tmp (PID: 2364)
      • USBGuard.exe (PID: 500)
      • USBGuardUpdate.exe (PID: 2256)
      • usb_disk_security.ts3 (PID: 4068)
      • USBGuardUpdate.exe (PID: 3848)
    • Process checks LSA protection

      • WinRAR.exe (PID: 1188)
      • setup.tmp (PID: 3400)
      • setup.tmp (PID: 2364)
      • USBGuard.exe (PID: 500)
      • USBGuardUpdate.exe (PID: 2256)
      • USBGuardUpdate.exe (PID: 3848)
    • Reads the computer name

      • WinRAR.exe (PID: 1188)
      • setup.tmp (PID: 3400)
      • setup.tmp (PID: 2364)
      • USBGuard.exe (PID: 500)
      • USBGuardUpdate.exe (PID: 2256)
      • USBGuardUpdate.exe (PID: 3848)
    • Creates a file in a temporary directory

      • WinRAR.exe (PID: 1188)
      • setup.exe (PID: 1236)
      • setup.tmp (PID: 2364)
      • setup.exe (PID: 3804)
      • USBGuardUpdate.exe (PID: 2256)
      • USBGuardUpdate.exe (PID: 3848)
    • Creates files in the user directory

      • WinRAR.exe (PID: 1188)
      • USBGuard.exe (PID: 500)
      • USBGuardUpdate.exe (PID: 2256)
      • USBGuardUpdate.exe (PID: 3848)
    • Application was dropped or rewritten from another process

      • setup.tmp (PID: 3400)
      • setup.tmp (PID: 2364)
    • Loads dropped or rewritten executable

      • setup.tmp (PID: 2364)
    • Creates a software uninstall entry

      • setup.tmp (PID: 2364)
    • Creates files in the program directory

      • setup.tmp (PID: 2364)
      • USBGuardUpdate.exe (PID: 2256)
      • usb_disk_security.ts3 (PID: 4068)
    • Reads the machine GUID from the registry

      • DllHost.exe (PID: 3616)
    • Manual execution by user

      • USBGuard.exe (PID: 500)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)
No data.
All screenshots are available in the full report
Total processes: 55
Monitored processes: 11
Malicious processes: 7
Suspicious processes: 2

Behavior graph

Interactive in the full report. Nodes, in the order shown: winrar.exe, setup.exe, setup.tmp, setup.exe, setup.tmp, Copy/Move/Rename/Delete/Link Object, usbguard.exe, usbguardupdate.exe, usbguardupdate.exe, usb_disk_security.ts3, usbguardupdate.exe; edges are labelled "drop and start" or "start".

Process information

PID 1188
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Masaüstü.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
PID 1236
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa1188.33439\setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa1188.33439\setup.exe
Parent process: WinRAR.exe
User:
admin
Company:
Zbshareware Lab
Integrity Level:
MEDIUM
Description:
USB Disk Security Setup
Exit code:
0
Version:
6.0.0.126
PID 3400
CMD: "C:\Users\admin\AppData\Local\Temp\is-V4BIA.tmp\setup.tmp" /SL5="$40184,4058717,147456,C:\Users\admin\AppData\Local\Temp\Rar$EXa1188.33439\setup.exe"
Path: C:\Users\admin\AppData\Local\Temp\is-V4BIA.tmp\setup.tmp
Parent process: setup.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
PID 3804
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa1188.33439\setup.exe" /SPAWNWND=$40168 /NOTIFYWND=$40184
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa1188.33439\setup.exe
Parent process: setup.tmp
User:
admin
Company:
Zbshareware Lab
Integrity Level:
HIGH
Description:
USB Disk Security Setup
Exit code:
0
Version:
6.0.0.126
PID 2364
CMD: "C:\Users\admin\AppData\Local\Temp\is-HH2MQ.tmp\setup.tmp" /SL5="$50164,4058717,147456,C:\Users\admin\AppData\Local\Temp\Rar$EXa1188.33439\setup.exe" /SPAWNWND=$40168 /NOTIFYWND=$40184
Path: C:\Users\admin\AppData\Local\Temp\is-HH2MQ.tmp\setup.tmp
Parent process: setup.exe
User:
admin
Integrity Level:
HIGH
Description:
Setup/Uninstall
Exit code:
0
Version:
51.1052.0.0
PID 3616
CMD: C:\Windows\system32\DllHost.exe /Processid:{3AD05575-8857-4850-9277-11B85BDB8E09}
Path: C:\Windows\system32\DllHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
COM Surrogate
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
PID 500
CMD: "C:\Program Files\USB Disk Security\USBGuard.exe"
Path: C:\Program Files\USB Disk Security\USBGuard.exe
Parent process: Explorer.EXE
User:
admin
Company:
Zbshareware Lab
Integrity Level:
MEDIUM
Description:
USB Disk Security
Version:
6.0.0.126
PID 2548
CMD: "C:\Program Files\USB Disk Security\USBGuardUpdate.exe"
Path: C:\Program Files\USB Disk Security\USBGuardUpdate.exe
Parent process: USBGuard.exe
User:
admin
Company:
Indigo Rose Corporation
Integrity Level:
MEDIUM
Description:
TrueUpdate Client
Exit code:
3221226540
Version:
3.5.4.1
PID 2256
CMD: "C:\Program Files\USB Disk Security\USBGuardUpdate.exe"
Path: C:\Program Files\USB Disk Security\USBGuardUpdate.exe
Parent process: USBGuard.exe
User:
admin
Company:
Indigo Rose Corporation
Integrity Level:
HIGH
Description:
TrueUpdate Client
Exit code:
12
Version:
3.5.4.1
PID 4068
CMD: "C:\Program Files\USB Disk Security\usb_disk_security.ts3" "/TUCPS:USBGuardUpdate.exe" "/DATFILE:C:\Program Files\USB Disk Security\USBGuardUpdate.dat" /TURC
Path: C:\Program Files\USB Disk Security\usb_disk_security.ts3
Parent process: USBGuardUpdate.exe
User:
admin
Company:
Indigo Rose Corporation
Integrity Level:
HIGH
Description:
TrueUpdate Client
Exit code:
0
Version:
3.5.4.1
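The table above gives each process its integrity level and the name of its parent, which is enough to recover the chain and see where privilege changed: setup.tmp (PID 3400) at MEDIUM spawns setup.exe (PID 3804) at HIGH, and USBGuard.exe (PID 500) launches USBGuardUpdate.exe twice, once at MEDIUM (PID 2548, exit code 3221226540, which is NTSTATUS 0xC000042C, STATUS_ELEVATION_REQUIRED) and once at HIGH (PID 2256). The Python below is an added example, not code from ANY.RUN or from this report: the process rows are transcribed from the table, and the parent PIDs are an assumption inferred from the parent image names and the spawn order, since the report names only the parent image.

```python
"""Added example (not ANY.RUN's code): rebuild the process chain from the
"Process information" table and surface the integrity-level boundaries, the
images launched from a temp directory or with an odd extension, and the exit
code that explains why USBGuardUpdate.exe appears twice under PID 500."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Proc:
    pid: int
    image: str
    path: str
    integrity: str
    parent_pid: Optional[int]      # assumption: inferred from parent image name + spawn order
    exit_code: Optional[int] = None


TEMP = "C:\\Users\\admin\\AppData\\Local\\Temp\\"
INSTALL = "C:\\Program Files\\USB Disk Security\\"

# Transcribed from the report. Parent PIDs are an assumption (the table names only
# the parent image): 1188 -> 1236 -> 3400 -> 3804 -> 2364 and 500 -> 2548 / 2256 -> 4068.
# DllHost's parent (svchost.exe) is not itself in the table, so it is left unlinked.
PROCS = [
    Proc(1188, "WinRAR.exe", "C:\\Program Files\\WinRAR\\WinRAR.exe", "MEDIUM", None, 0),
    Proc(1236, "setup.exe", TEMP + "Rar$EXa1188.33439\\setup.exe", "MEDIUM", 1188, 0),
    Proc(3400, "setup.tmp", TEMP + "is-V4BIA.tmp\\setup.tmp", "MEDIUM", 1236, 0),
    Proc(3804, "setup.exe", TEMP + "Rar$EXa1188.33439\\setup.exe", "HIGH", 3400, 0),
    Proc(2364, "setup.tmp", TEMP + "is-HH2MQ.tmp\\setup.tmp", "HIGH", 3804, 0),
    Proc(3616, "DllHost.exe", "C:\\Windows\\system32\\DllHost.exe", "HIGH", None, 0),
    Proc(500, "USBGuard.exe", INSTALL + "USBGuard.exe", "MEDIUM", None),
    Proc(2548, "USBGuardUpdate.exe", INSTALL + "USBGuardUpdate.exe", "MEDIUM", 500, 3221226540),
    Proc(2256, "USBGuardUpdate.exe", INSTALL + "USBGuardUpdate.exe", "HIGH", 500, 12),
    Proc(4068, "usb_disk_security.ts3", INSTALL + "usb_disk_security.ts3", "HIGH", 2256, 0),
]

LEVELS = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "SYSTEM": 3}
STATUS_ELEVATION_REQUIRED = 0xC000042C   # NTSTATUS: the launch needed UAC elevation


def ntstatus(exit_code: int) -> str:
    """Render an exit code as an NTSTATUS value; codes at or above 0xC0000000 are
    kernel failure statuses rather than application-defined return values."""
    return f"0x{exit_code & 0xFFFFFFFF:08X}"


def elevation_boundaries(procs):
    """(parent_pid, child_pid) pairs where the child runs at a higher integrity
    level than its parent, i.e. where a UAC consent (or a bypass) sits."""
    by_pid = {p.pid: p for p in procs}
    pairs = []
    for p in procs:
        parent = by_pid.get(p.parent_pid)
        if parent and LEVELS[p.integrity] > LEVELS[parent.integrity]:
            pairs.append((parent.pid, p.pid))
    return pairs


def odd_images(procs):
    """PIDs whose image lives under the user's temp directory or whose extension
    is not an executable one (cf. usb_disk_security.ts3)."""
    flagged = []
    for p in procs:
        low = p.path.lower()
        if low.startswith(TEMP.lower()) or not low.endswith((".exe", ".dll", ".com", ".scr")):
            flagged.append(p.pid)
    return flagged


def failed_elevations(procs):
    """PIDs that exited with STATUS_ELEVATION_REQUIRED: the medium-integrity
    attempt failed and the same image was re-spawned through UAC."""
    return [p.pid for p in procs
            if p.exit_code is not None and (p.exit_code & 0xFFFFFFFF) == STATUS_ELEVATION_REQUIRED]


if __name__ == "__main__":
    by_pid = {p.pid: p for p in PROCS}
    for parent, child in elevation_boundaries(PROCS):
        print(f"integrity boundary: {parent} ({by_pid[parent].integrity}) -> "
              f"{child} ({by_pid[child].integrity})")
    for pid in failed_elevations(PROCS):
        print(f"{pid} exited with {ntstatus(by_pid[pid].exit_code)} (STATUS_ELEVATION_REQUIRED)")
    print("temp-dir or odd-extension images:", odd_images(PROCS))
```

The two boundaries it reports are the places to look for a consent prompt in the screenshots; a HIGH child under a MEDIUM parent with no prompt visible is the pattern that should escalate the case from "installer" to "UAC bypass".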
Total events: 3 685
Read events: 3 558
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 23
Suspicious files: 10
Text files: 6
Unknown types: 7

Dropped files

PID | Process | Filename | Type
1188 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa1188.33142\cr\USBGuard.exe | executable
MD5:0F484CEBC0E6724B157E644787B66B68
SHA256:8A3945930F517B3E03FF8917C5D87DE970B57816DA0150935EF35E71DABD96D4
1188 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1188.33439\cr\USBGuard.exe | executable
MD5:0F484CEBC0E6724B157E644787B66B68
SHA256:8A3945930F517B3E03FF8917C5D87DE970B57816DA0150935EF35E71DABD96D4
2364 | setup.tmp | C:\Users\admin\AppData\Local\Temp\is-GTU01.tmp\_isetup\_shfoldr.dll | executable
MD5:92DC6EF532FBB4A5C3201469A5B5EB63
SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
1188 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXa1188.33439\setup.exe | executable
MD5:4A489A620A56AFE39811238592FECE8D
SHA256:970085CBD687C9518C8F885CE14B65F85A3F2D9FF9624482AC716A7731BFF2D4
2364 | setup.tmp | C:\Program Files\USB Disk Security\is-6A7L0.tmp | executable
MD5:B0323264705099F7F2A433B45E9D0F8F
SHA256:AE48F4CD1BC78DB899A4F69C694F0FAC52EED91372DB165B46C141E6A3DF7C6B
2364 | setup.tmp | C:\Program Files\USB Disk Security\USBGuard.exe | executable
MD5:B0323264705099F7F2A433B45E9D0F8F
SHA256:AE48F4CD1BC78DB899A4F69C694F0FAC52EED91372DB165B46C141E6A3DF7C6B
3804 | setup.exe | C:\Users\admin\AppData\Local\Temp\is-HH2MQ.tmp\setup.tmp | executable
MD5:417D7F059F4C679865C76370F713D5B4
SHA256:FB406BFFD287CD20159902B1C6710F75FB60AD887AAF7C363564255B72A282DF
1236 | setup.exe | C:\Users\admin\AppData\Local\Temp\is-V4BIA.tmp\setup.tmp | executable
MD5:417D7F059F4C679865C76370F713D5B4
SHA256:FB406BFFD287CD20159902B1C6710F75FB60AD887AAF7C363564255B72A282DF
2364 | setup.tmp | C:\Program Files\USB Disk Security\is-B5KU5.tmp | executable
MD5:0941314C042769C1B05038D7D2ACCBEC
SHA256:36C84E6BD6EEC2DC5231B81EA7688F1CE0D30FF8B1703AC938B5417455FC170B
2364 | setup.tmp | C:\Program Files\USB Disk Security\unins000.exe | executable
MD5:0941314C042769C1B05038D7D2ACCBEC
SHA256:36C84E6BD6EEC2DC5231B81EA7688F1CE0D30FF8B1703AC938B5417455FC170B
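The ten rows above describe only six distinct files. The Python below is an added example, not part of the report or of ANY.RUN's tooling: it dedupes the rows by SHA256, pairs each Inno Setup staging file (is-XXXXX.tmp) with the final file of the same hash in the same directory, flags the one name that appears with two different hashes (USBGuard.exe inside the archive's cr folder versus the one the installer wrote to Program Files), and pulls out the hashes that were actually installed. Every row is transcribed from the table; nothing else is assumed.

```python
"""Added example (not ANY.RUN's code): turn the "Dropped files" table into
hunting data. Rows are transcribed from the report above."""
from collections import defaultdict

PF = "C:\\Program Files\\USB Disk Security\\"
TMP = "C:\\Users\\admin\\AppData\\Local\\Temp\\"

# (pid, process, path, sha256), in the order the report lists them
DROPPED = [
    (1188, "WinRAR.exe", TMP + "Rar$DRa1188.33142\\cr\\USBGuard.exe",
     "8A3945930F517B3E03FF8917C5D87DE970B57816DA0150935EF35E71DABD96D4"),
    (1188, "WinRAR.exe", TMP + "Rar$EXa1188.33439\\cr\\USBGuard.exe",
     "8A3945930F517B3E03FF8917C5D87DE970B57816DA0150935EF35E71DABD96D4"),
    (2364, "setup.tmp", TMP + "is-GTU01.tmp\\_isetup\\_shfoldr.dll",
     "9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87"),
    (1188, "WinRAR.exe", TMP + "Rar$EXa1188.33439\\setup.exe",
     "970085CBD687C9518C8F885CE14B65F85A3F2D9FF9624482AC716A7731BFF2D4"),
    (2364, "setup.tmp", PF + "is-6A7L0.tmp",
     "AE48F4CD1BC78DB899A4F69C694F0FAC52EED91372DB165B46C141E6A3DF7C6B"),
    (2364, "setup.tmp", PF + "USBGuard.exe",
     "AE48F4CD1BC78DB899A4F69C694F0FAC52EED91372DB165B46C141E6A3DF7C6B"),
    (3804, "setup.exe", TMP + "is-HH2MQ.tmp\\setup.tmp",
     "FB406BFFD287CD20159902B1C6710F75FB60AD887AAF7C363564255B72A282DF"),
    (1236, "setup.exe", TMP + "is-V4BIA.tmp\\setup.tmp",
     "FB406BFFD287CD20159902B1C6710F75FB60AD887AAF7C363564255B72A282DF"),
    (2364, "setup.tmp", PF + "is-B5KU5.tmp",
     "36C84E6BD6EEC2DC5231B81EA7688F1CE0D30FF8B1703AC938B5417455FC170B"),
    (2364, "setup.tmp", PF + "unins000.exe",
     "36C84E6BD6EEC2DC5231B81EA7688F1CE0D30FF8B1703AC938B5417455FC170B"),
]


def split_path(path):
    directory, _, name = path.rpartition("\\")
    return directory, name


def is_staging(name):
    """Inno Setup writes 'is-XXXXX.tmp' beside the target, then renames it."""
    return name.startswith("is-") and name.endswith(".tmp")


def unique_hashes(rows):
    """Ten rows, six files: dedupe on SHA256 before pivoting anywhere."""
    return sorted({sha for *_, sha in rows})


def staged_renames(rows):
    """Pair each staging temp with the final file carrying the same hash in the
    same directory; both rows describe a single artefact on disk."""
    by_dir_hash = defaultdict(list)
    for _, _, path, sha in rows:
        directory, name = split_path(path)
        by_dir_hash[(directory, sha)].append(name)
    pairs = []
    for names in by_dir_hash.values():
        tmps = [n for n in names if is_staging(n)]
        finals = [n for n in names if not is_staging(n)]
        pairs += [(t, f) for t in tmps for f in finals]
    return sorted(pairs)


def name_collisions(rows):
    """Same file name, different content: the USBGuard.exe shipped in the
    archive's 'cr' folder is not the USBGuard.exe the installer put in place."""
    hashes = defaultdict(set)
    for _, _, path, sha in rows:
        hashes[split_path(path)[1]].add(sha)
    return {n: sorted(h) for n, h in hashes.items() if len(h) > 1}


def installed_iocs(rows):
    """Hashes of what finally landed in Program Files (staging temps excluded):
    the set to sweep other hosts for."""
    return sorted({sha for _, _, path, sha in rows
                   if path.lower().startswith(PF.lower()) and not is_staging(split_path(path)[1])})


if __name__ == "__main__":
    print(len(unique_hashes(DROPPED)), "distinct files")
    print("staged renames:", staged_renames(DROPPED))
    print("name collisions:", name_collisions(DROPPED))
    print("installed:", installed_iocs(DROPPED))
```

The name collision is the row worth a second look: the archive carried its own USBGuard.exe under a cr folder, and the sandbox shows the installer's copy, not that one, being executed as PID 500, so the archive-supplied binary is an artefact the run never exercised.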
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
2256 | USBGuardUpdate.exe | GET | 200 | 50.116.10.192:80 | http://www.zbshareware.net/updatenew/update6/single/usb_disk_security.ts2 | US | compressed | 67.5 Kb | suspicious
3848 | USBGuardUpdate.exe | GET | 200 | 50.116.10.192:80 | http://www.zbshareware.com/updatenew/update6/single/usb_disk_security.ts1 | US | binary | 6.41 Kb | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2256 | USBGuardUpdate.exe | 50.116.10.192:80 | www.zbshareware.net | Linode, LLC | US | suspicious
3848 | USBGuardUpdate.exe | 50.116.10.192:80 | www.zbshareware.net | Linode, LLC | US | suspicious

DNS requests

Domain | IP | Reputation
www.zbshareware.net | 50.116.10.192 | suspicious
www.zbshareware.com | 50.116.10.192 | malicious

Threats

PID
Process
Class
Message
2256
USBGuardUpdate.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
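Both requests go over plain HTTP to one host (50.116.10.192, Linode) reached under two domain names, and the only signature that fired is the ET POLICY rule for a PE download, on PID 2256. The Python below is an added example, not ANY.RUN's code and not the Emerging Threats rule itself: it reimplements the gist of such a check (MZ magic plus a valid e_lfanew pointing at the PE signature) and the two pivots an analyst makes from these tables, shared infrastructure across hostnames and non-browser processes fetching files. Request rows and DNS answers are transcribed from the report; the response bodies are constructed stand-ins, since the real payloads live only in the PCAP of the full report, so the output shows the check working, not what usb_disk_security.ts2 actually contained.

```python
"""Added example (not ANY.RUN's code): the checks behind the HTTP, DNS and
Threats rows above, run on rows transcribed from the report plus constructed
response bodies."""
import struct
from collections import defaultdict

# (pid, process, url, server ip), transcribed from the HTTP requests table
HTTP = [
    (2256, "USBGuardUpdate.exe",
     "http://www.zbshareware.net/updatenew/update6/single/usb_disk_security.ts2", "50.116.10.192"),
    (3848, "USBGuardUpdate.exe",
     "http://www.zbshareware.com/updatenew/update6/single/usb_disk_security.ts1", "50.116.10.192"),
]
# (hostname, answer), transcribed from the DNS requests table
DNS = [("www.zbshareware.net", "50.116.10.192"), ("www.zbshareware.com", "50.116.10.192")]


def constructed_pe_stub() -> bytes:
    """A minimal DOS header + PE signature + COFF header, built here only to
    exercise the check (assumption: the real .ts2 body is not on this page)."""
    buf = bytearray(0x40 + 4 + 20)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)     # e_lfanew -> offset of "PE\0\0"
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x44, 0x14C)    # Machine = IMAGE_FILE_MACHINE_I386
    return bytes(buf)


# Constructed stand-in bodies keyed by PID: a PE for the .ts2 fetch (the stream the
# ET POLICY alert fired on), gzip-looking bytes for the .ts1 fetch.
BODIES = {2256: constructed_pe_stub(), 3848: b"\x1f\x8b\x08\x00" + b"\x00" * 60}


def looks_like_pe(body: bytes) -> bool:
    """What an 'EXE or DLL download' signature is after: MZ magic and an e_lfanew
    that lands on the PE signature. Matching on "MZ" alone false-positives on any
    blob that happens to start with those two bytes."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    return body[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def plaintext_pe_downloads(requests, bodies):
    """(pid, url) for each executable pulled over http://, i.e. with no transport
    integrity. Whether the client verifies the payload itself is not visible
    from the report; on the wire, anything between the host and 50.116.10.192
    could substitute the body."""
    return [(pid, url) for pid, _, url, _ in requests
            if url.startswith("http://") and looks_like_pe(bodies.get(pid, b""))]


def shared_infrastructure(dns):
    """Hostnames that resolve to one address: pivot from one IOC to the others."""
    by_ip = defaultdict(list)
    for host, ip in dns:
        by_ip[ip].append(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}


def non_browser_fetchers(requests, browsers=("iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe")):
    """Processes other than a browser issuing HTTP requests: the usual first
    filter when triaging 'file download' alerts."""
    return sorted({proc for _, proc, _, _ in requests if proc.lower() not in browsers})


if __name__ == "__main__":
    print("plaintext PE downloads:", plaintext_pe_downloads(HTTP, BODIES))
    print("shared infrastructure:", shared_infrastructure(DNS))
    print("non-browser fetchers:", non_browser_fetchers(HTTP))
```

Note that the Connections table names www.zbshareware.net for both PIDs while PID 3848's URL is on www.zbshareware.com; with both names answering from the same address, the IP is the more stable indicator to block or watch, and both hostnames belong on the same watchlist.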