File name: 4857496168202240.zip

Full analysis: https://app.any.run/tasks/30ed2dfa-466c-4f70-822e-7ddd5390d54f
Verdict: Malicious activity
Analysis date: March 16, 2022, 20:19:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 07C7911FEE7B10248C0581AB2B5CEA2C
SHA1: DFE63284E426601E444693F1210DFAD769FE05EF
SHA256: 15C502BD130BC27EB17DBD5506201B8F524C897CFB92CDC7574CF4C95620A721
SSDEEP: 6144:qB5u9bIp+MfhFB/SPYEslcFMU8nevGMjyTyejWY7jv5nSybYIkeWEjnirC9u+tOR:qU8pvfrBSPY7cFyTWYHgybR56D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was dropped or rewritten from another process

      • go.exe (PID: 3644)
      • go.exe (PID: 1952)
      • ovkf4nzt.exe (PID: 1512)
    • Writes to a start menu file

      • go.exe (PID: 3644)
      • go.exe (PID: 1952)
    • Changes the autorun value in the registry

      • go.exe (PID: 3644)
      • go.exe (PID: 1952)
    • Uses Task Scheduler to autorun other applications

      • cmd.exe (PID: 1432)
    • Starts Visual C# compiler

      • go.exe (PID: 3644)
      • go.exe (PID: 1952)
    • Loads the Task Scheduler COM API

      • schtasks.exe (PID: 2140)
      • wbengine.exe (PID: 3276)
    • Drops executable file immediately after starts

      • csc.exe (PID: 452)
      • go.exe (PID: 1952)
      • csc.exe (PID: 328)
    • Deletes shadow copies

      • cmd.exe (PID: 2408)
      • cmd.exe (PID: 3484)
      • cmd.exe (PID: 1704)
    • Application was injected by another process

      • svchost.exe (PID: 332)
      • svchost.exe (PID: 876)
      • SearchIndexer.exe (PID: 2996)
    • Runs injected code in another process

      • wbadmin.exe (PID: 2844)
    • Starts BCDEDIT.EXE to disable recovery

      • cmd.exe (PID: 3676)
    • Turns off the firewall via NETSH.EXE

      • cmd.exe (PID: 1104)
    • Disables Windows Defender

      • go.exe (PID: 1952)
  • SUSPICIOUS

    • Reads the computer name

      • WinRAR.exe (PID: 3732)
      • go.exe (PID: 3644)
      • go.exe (PID: 1952)
      • WMIC.exe (PID: 2560)
      • ovkf4nzt.exe (PID: 1512)
      • mshta.exe (PID: 3616)
    • Creates files in the user directory

      • go.exe (PID: 3644)
    • Executable content was dropped or overwritten

      • go.exe (PID: 3644)
      • WinRAR.exe (PID: 3732)
      • csc.exe (PID: 452)
      • go.exe (PID: 1952)
      • csc.exe (PID: 328)
    • Checks supported languages

      • WinRAR.exe (PID: 3732)
      • cmd.exe (PID: 1432)
      • csc.exe (PID: 452)
      • go.exe (PID: 1952)
      • go.exe (PID: 3644)
      • cvtres.exe (PID: 4072)
      • csc.exe (PID: 328)
      • cvtres.exe (PID: 4056)
      • cmd.exe (PID: 2408)
      • cmd.exe (PID: 3484)
      • cmd.exe (PID: 3288)
      • cmd.exe (PID: 1704)
      • cmd.exe (PID: 3676)
      • cmd.exe (PID: 2140)
      • cmd.exe (PID: 1104)
      • cmd.exe (PID: 2484)
      • ovkf4nzt.exe (PID: 1512)
      • mshta.exe (PID: 3616)
      • WMIC.exe (PID: 2560)
    • Starts CMD.EXE for commands execution

      • go.exe (PID: 3644)
      • go.exe (PID: 1952)
    • Drops a file with a compile date too recent

      • go.exe (PID: 3644)
      • csc.exe (PID: 452)
      • WinRAR.exe (PID: 3732)
      • go.exe (PID: 1952)
      • csc.exe (PID: 328)
    • Creates files in the program directory

      • go.exe (PID: 3644)
      • csc.exe (PID: 452)
      • csc.exe (PID: 328)
      • SearchIndexer.exe (PID: 2996)
      • go.exe (PID: 1952)
    • Application launched itself

      • go.exe (PID: 3644)
    • Creates files in the Windows directory

      • go.exe (PID: 1952)
      • svchost.exe (PID: 876)
      • wbadmin.exe (PID: 2844)
    • Changes default file association

      • go.exe (PID: 1952)
    • Executed as Windows Service

      • vssvc.exe (PID: 3896)
      • wbengine.exe (PID: 3276)
      • vds.exe (PID: 3060)
    • Uses NETSH.EXE for network configuration

      • cmd.exe (PID: 1104)
      • cmd.exe (PID: 2484)
    • Reads Environment values

      • netsh.exe (PID: 2096)
      • netsh.exe (PID: 2520)
    • Executed via COM

      • DllHost.exe (PID: 3656)
      • vdsldr.exe (PID: 3980)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • go.exe (PID: 1952)
    • Starts MSHTA.EXE for opening HTA or HTMLS files

      • ovkf4nzt.exe (PID: 1512)
    • Reads Microsoft Outlook installation path

      • mshta.exe (PID: 3616)
  • INFO

    • Checks supported languages

      • schtasks.exe (PID: 2140)
      • svchost.exe (PID: 876)
      • vssadmin.exe (PID: 3668)
      • wbadmin.exe (PID: 2844)
      • vssvc.exe (PID: 3896)
      • bcdedit.exe (PID: 3224)
      • bcdedit.exe (PID: 3236)
      • wbadmin.exe (PID: 2608)
      • netsh.exe (PID: 2096)
      • netsh.exe (PID: 2520)
      • wbengine.exe (PID: 3276)
      • DllHost.exe (PID: 3656)
      • vdsldr.exe (PID: 3980)
      • vds.exe (PID: 3060)
    • Manual execution by user

      • go.exe (PID: 3644)
      • ovkf4nzt.exe (PID: 1512)
    • Reads the computer name

      • schtasks.exe (PID: 2140)
      • wbadmin.exe (PID: 2844)
      • vssadmin.exe (PID: 3668)
      • vssvc.exe (PID: 3896)
      • netsh.exe (PID: 2096)
      • netsh.exe (PID: 2520)
      • wbengine.exe (PID: 3276)
      • DllHost.exe (PID: 3656)
      • vdsldr.exe (PID: 3980)
      • vds.exe (PID: 3060)
      • wbadmin.exe (PID: 2608)
    • Reads internet explorer settings

      • mshta.exe (PID: 3616)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: 15d7342be36d20ce615647fac9c2277f46b6d19aa54f3cf3d99e49d6ce0486d0
ZipUncompressedSize: 485888
ZipCompressedSize: 348505
ZipCRC: 0xc7089b66
ZipModifyDate: 1980:00:00 00:00:00
ZipCompression: Deflated
ZipBitFlag: 0x0009
ZipRequiredVersion: 20
No data.
All screenshots are available in the full report
Total processes: 87
Monitored processes: 35
Malicious processes: 6
Suspicious processes: 4

Behavior graph

Edge types in the graph: start, drop and start, inject (three inject edges).

Processes in the graph, in the order shown ("no specs" marks a process for which the report holds no detailed record): winrar.exe, go.exe, cmd.exe, schtasks.exe (no specs), csc.exe, cvtres.exe (no specs), go.exe, csc.exe, cvtres.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), vssadmin.exe (no specs), wbadmin.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), wmic.exe (no specs), wbadmin.exe (no specs), cmd.exe (no specs), svchost.exe, svchost.exe, searchindexer.exe, vssvc.exe (no specs), bcdedit.exe (no specs), bcdedit.exe (no specs), netsh.exe (no specs), netsh.exe (no specs), wbengine.exe (no specs), SPPSurrogate (no specs), vdsldr.exe (no specs), vds.exe (no specs), ovkf4nzt.exe (no specs), mshta.exe (no specs)

Process information

PID 328
  CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\i5sboeob.cmdline"
  Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  Parent process: go.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Visual C# Command Line Compiler
  Exit code: 0
  Version: 4.0.30319.34209 built by: FX452RTMGDR

PID 332
  CMD: C:\Windows\system32\svchost.exe -k NetworkService
  Path: C:\Windows\system32\svchost.exe
  Parent process: services.exe
  User: NETWORK SERVICE
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Host Process for Windows Services
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 452
  CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\odptmeg3.cmdline"
  Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  Parent process: go.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Visual C# Command Line Compiler
  Exit code: 0
  Version: 4.0.30319.34209 built by: FX452RTMGDR

PID 876
  CMD: C:\Windows\system32\svchost.exe -k netsvcs
  Path: C:\Windows\system32\svchost.exe
  Parent process: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Host Process for Windows Services
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1104
  CMD: "C:\Windows\System32\cmd.exe" /C netsh advfirewall set currentprofile state off
  Path: C:\Windows\System32\cmd.exe
  Parent process: go.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1432
  CMD: "C:\Windows\System32\cmd.exe" /C schtasks /CREATE /SC ONLOGON /TN Loki /TR C:\Users\admin\AppData\Roaming\winlogon.exe /RU SYSTEM /RL HIGHEST /F
  Path: C:\Windows\System32\cmd.exe
  Parent process: go.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1512
  CMD: "C:\ProgramData\ovkf4nzt.exe" "C:\Users\admin\Desktop\[jesushelp01@techmail.info][C4BA3647]ratherbrown.jpg.Loki"
  Path: C:\ProgramData\ovkf4nzt.exe
  Parent process: Explorer.EXE
  User: admin
  Company: (not listed)
  Integrity Level: MEDIUM
  Description: (not listed)
  Exit code: 0
  Version: 0.0.0.0

PID 1704
  CMD: "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
  Path: C:\Windows\System32\cmd.exe
  Parent process: go.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Windows Command Processor
  Exit code: 0
  Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1952
  CMD: "C:\Users\admin\Desktop\go.exe"
  Path: C:\Users\admin\Desktop\go.exe
  Parent process: go.exe
  User: admin
  Company: Microsoft
  Integrity Level: HIGH
  Description: svchost
  Exit code: 0
  Version: 1.0.0.0

PID 2096
  CMD: netsh advfirewall set currentprofile state off
  Path: C:\Windows\system32\netsh.exe
  Parent process: cmd.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: HIGH
  Description: Network Command Shell
  Exit code: 0
  Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 8
Suspicious files: 2 392
Text files: 400
Unknown types: 92

Dropped files

PID 876, svchost.exe
  Filename: C:\Windows\appcompat\programs\RecentFileCache.bcf
  Type: txt
  MD5: (not listed)
  SHA256: (not listed)

PID 452, csc.exe
  Filename: C:\ProgramData\3srqvmc3.exe
  Type: executable
  MD5: (not listed)
  SHA256: (not listed)

PID 452, csc.exe
  Filename: C:\ProgramData\CSCF41E2E2A78C34658937750879B8021C0.TMP
  Type: res
  MD5: (not listed)
  SHA256: (not listed)

PID 3644, go.exe
  Filename: C:\ProgramData\info.Loki
  Type: html
  MD5: (not listed)
  SHA256: (not listed)

PID 1952, go.exe
  Filename: C:\Users\admin\AppData\Local\Temp\i5sboeob.cmdline
  Type: text
  MD5: (not listed)
  SHA256: (not listed)

PID 3644, go.exe
  Filename: C:\Users\admin\AppData\Local\Temp\odptmeg3.cmdline
  Type: text
  MD5: (not listed)
  SHA256: (not listed)

PID 452, csc.exe
  Filename: C:\Users\admin\AppData\Local\Temp\odptmeg3.out
  Type: text
  MD5: (not listed)
  SHA256: (not listed)

PID 3644, go.exe
  Filename: C:\Users\admin\AppData\Local\Temp\odptmeg3.0.cs
  Type: text
  MD5: 10B6718BE4F289FF55BA79E70761CD94
  SHA256: 5A069E12E8222CC928722C39C6DAA871C23C977E3D43CF90CF8E46A05EC14494

PID 3732, WinRAR.exe
  Filename: C:\Users\admin\AppData\Local\Temp\Rar$DRb3732.14320\15d7342be36d20ce615647fac9c2277f46b6d19aa54f3cf3d99e49d6ce0486d0
  Type: executable
  MD5: 8AEA251877CB4F5EE6CF357831F8620C
  SHA256: 15D7342BE36D20CE615647FAC9C2277F46B6D19AA54F3CF3D99E49D6CE0486D0

PID 3644, go.exe
  Filename: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe
  Type: executable
  MD5: 8AEA251877CB4F5EE6CF357831F8620C
  SHA256: 15D7342BE36D20CE615647FAC9C2277F46B6D19AA54F3CF3D99E49D6CE0486D0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 1
TCP/UDP connections: 13
DNS requests: 1
Threats: 0

HTTP requests

PID: 3644
Process: go.exe
Method: POST
HTTP Code: 200
IP: 91.223.82.6:80
URL: http://loki-locker.one/index.php
CN: NL
Type: binary
Size: 601 b
Reputation: malicious

Connections

Columns: PID | Process | IP | Domain | ASN | CN | Reputation (fields the report leaves empty are marked "not listed")

not listed | not listed | 192.168.100.1:139 | not listed | not listed | not listed | unknown
3644 | go.exe | 91.223.82.6:80 | loki-locker.one | Iws Networks LLC | NL | malicious
not listed | not listed | 192.168.100.2:139 | not listed | not listed | not listed | whitelisted
not listed | not listed | 192.168.100.1:445 | not listed | not listed | not listed | unknown
not listed | not listed | 192.168.100.2:445 | not listed | not listed | not listed | whitelisted

DNS requests

Domain: loki-locker.one
IP: 91.223.82.6
Reputation: malicious

Threats

No threats detected
No debug info