analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

OlympicScreensaver.zip

Full analysis: https://app.any.run/tasks/db6f469a-ad18-4c8c-a84a-337970cf1276
Verdict: Malicious activity
Analysis date: October 04, 2022, 23:45:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

B9AEDB353706D551EFCBED81FC88F221

SHA1:

1AA7A8F95C08CFF37B0B4131E8D4518BF0771CA3

SHA256:

0BA6A0019C7E8A31A0525A4774295D15D2A70CFA9EAFD692793167C0F0A71953

SSDEEP:

98304:NXh3/iAQn1imuG7BLA+0E9PmdSDfpngDVQeaOZlB:NxvV2uIB6EgMfyDaOh

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Drops executable file immediately after starts

      • WinRAR.exe (PID: 3328)
      • ntvdm.exe (PID: 1692)

  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 3328)

    • Checks supported languages

      • WinRAR.exe (PID: 3328)

    • Drops a file with a compile date too recent

      • WinRAR.exe (PID: 3328)
      • ntvdm.exe (PID: 1692)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3328)
      • ntvdm.exe (PID: 1692)

    • Executes application which crashes

      • csrstub.exe (PID: 3100)

    • Creates files in the Windows directory

      • ntvdm.exe (PID: 1692)

  • INFO

    • Checks supported languages

      • csrstub.exe (PID: 3100)
      • ntvdm.exe (PID: 1692)
      • explorer.exe (PID: 3044)
      • rundll32.exe (PID: 2032)

    • Manual execution by user

      • csrstub.exe (PID: 3100)
      • rundll32.exe (PID: 2032)
      • explorer.exe (PID: 3044)

    • Reads the computer name

      • rundll32.exe (PID: 2032)
      • explorer.exe (PID: 3044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
46
Monitored processes
5
Malicious processes
1
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winrar.exe csrstub.exe ntvdm.exe rundll32.exe no specs explorer.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3328"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\OlympicScreensaver.zip"C:\Program Files\WinRAR\WinRAR.exe
Explorer.EXE
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
3100C:\Windows\system32\csrstub.exe 67634196 -P "C:\Users\admin\Desktop\NBCSETUP.EXE" C:\Windows\system32\csrstub.exe
Explorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
allows lua to launch 16-bit applications
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
1692"C:\Windows\system32\ntvdm.exe" -i1 -wsC:\Windows\system32\ntvdm.exe
csrstub.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
NTVDM.EXE
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2032"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL desk.cpl,screensaver,@screensaverC:\Windows\system32\rundll32.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3044"C:\Windows\explorer.exe" C:\Windows\explorer.exeExplorer.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
1 092
Read events
1 051
Write events
41
Delete events
0

Modification events

(PID) Process:(3328) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtBMP
Value:
(PID) Process:(3328) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation:writeName:ShellExtIcon
Value:
(PID) Process:(3328) WinRAR.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\16C\52C64B7E
Operation:writeName:LanguageList
Value:
en-US
(PID) Process:(3328) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\virtio_ivshmem_master_build.zip
(PID) Process:(3328) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\Win7-KB3191566-x86.zip
(PID) Process:(3328) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\OlympicScreensaver.zip
(PID) Process:(3328) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(3328) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(3328) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(3328) WinRAR.exeKey:HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
Executable files
3
Suspicious files
0
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
1692ntvdm.exeC:\Windows\NBCSETUP.screxecutable
MD5:34A1788C2C3E8C853CA7CCF44DB65AF6
SHA256:1D920EE3439F7B24B78682EB7A88D69EC90254BB8A4ECD64E015A729D5EC6890
3328WinRAR.exeC:\Users\admin\Desktop\NBCSETUP.EXEexecutable
MD5:E35131DE40A01BF60A595FCA715FC7CC
SHA256:444E856F8776244E1809BC807605EE044CFFA3876622AA95377394111F515DE2
1692ntvdm.exeC:\Windows\NBCSETUP.exeexecutable
MD5:9A45FF6A9D1BF68721146E44BC2A04D8
SHA256:A28619DE6AD6D9C24D4CC8943E7DF354A8FF6BF1163D449A0E2E52DB397869D0
1692ntvdm.exeC:\Users\admin\AppData\Local\Temp\scsB682.tmptext
MD5:8CF6DDB5AA59B49F34B967CD46F013B6
SHA256:EE06792197C3E025B84860A72460EAF628C66637685F8C52C5A08A9CC35D376C
2032rundll32.exeC:\Users\admin\AppData\Local\Microsoft\Windows\Themes\Custom.themetext
MD5:C1FCF55A48CAF02CBC0FEC89C8B44C9D
SHA256:1497F2B7237A7DAEF8DF4568F8BFEF1B7B8FEBE4082A797725C410DF1CE3B961
1692ntvdm.exeC:\Users\admin\AppData\Local\Temp\scsB692.tmptext
MD5:4C361DEA398F7AEEF49953BDC0AB4A9B
SHA256:06D61C23E6CA59B9DDAD1796ECCC42C032CD8F6F424AF6CFEE5D085D36FF7DFD
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
0
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
OlympicScreensaver.zip