analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

84f8b_dados68974942045.zip

Full analysis: https://app.any.run/tasks/076aa9da-67d8-494d-a046-a5249896af22
Verdict: Malicious activity
Threats:

Metamorfo is a trojan malware family that has been active since 2018. It remains a top threat, focusing on stealing victims’ financial information, including banking credentials and other data. The malware is known for targeting users in Brazil.

Malware Trends Tracker     >>>
Analysis date: March 31, 2020, 09:45:26
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
metamorfo
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

84F8BB1AD60607C54EB6AD0C9BAA0404

SHA1:

D15A559494EB253671C33BB5613CE7134C30B442

SHA256:

17EC2AC96AFF11AFCCBC5E2654EE47788C5D01A26BE231C88EC23447601A79A4

SSDEEP:

3072:BXi47x7Emf2s7r3a9oSbUY1ZI4SsSwPawtYvUA7y5NUSb79:BXi4j2gpSbUY1Q3wPRtZsAeIp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was dropped or rewritten from another process

      • NPIE.EXE (PID: 3012)

    • Changes the autorun value in the registry

      • reg.exe (PID: 952)
      • NPIE.EXE (PID: 3012)

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3548)
      • NPIE.EXE (PID: 3012)

    • METAMORFO was detected

      • NPIE.EXE (PID: 3012)

    • Connects to CnC server

      • NPIE.EXE (PID: 3012)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 3176)
      • WinRAR.exe (PID: 3924)
      • MsiExec.exe (PID: 2408)

    • Starts Microsoft Installer

      • WinRAR.exe (PID: 3924)

    • Reads Internet Cache Settings

      • MsiExec.exe (PID: 2408)

    • Uses REG.EXE to modify Windows registry

      • MsiExec.exe (PID: 2408)

    • Reads Environment values

      • NPIE.EXE (PID: 3012)

  • INFO

    • Application launched itself

      • msiexec.exe (PID: 3176)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:03:26 23:15:18
ZipCRC: 0x0aaa81e5
ZipCompressedSize: 125856
ZipUncompressedSize: 272896
ZipFileName: dados3213.msi
No data.
screenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
40
Monitored processes
7
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start drop and start winrar.exe msiexec.exe no specs msiexec.exe msiexec.exe reg.exe #METAMORFO npie.exe searchprotocolhost.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
3924"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\84f8b_dados68974942045.zip"C:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
3592"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Rar$EXa3924.27522\dados3213.msi" C:\Windows\System32\msiexec.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3176C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2408C:\Windows\system32\MsiExec.exe -Embedding 1B4EDF434749038C8EBAC9343BE9B663C:\Windows\system32\MsiExec.exe
msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
952"C:\Windows\System32\reg.exe" add "HKCU\software\Microsoft\Windows\CurrentVersion\RunOnce" /v NPIE /t reg_sz /d C:\Users\admin\Documents\NPIE\NPIE.EXEC:\Windows\System32\reg.exe
MsiExec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3012"C:\Users\admin\Documents\NPIE\NPIE.EXE" C:\Users\admin\Documents\NPIE\NPIE.EXE
MsiExec.exe
User:
admin
Company:
Avira Operations GmbH & Co. KG
Integrity Level:
MEDIUM
Description:
Avira
Version:
1.2.144.30330
3548"C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe4_ Global\UsGthrCtrlFltPipeMssGthrPipe4 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon" C:\Windows\System32\SearchProtocolHost.exeSearchIndexer.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft Windows Search Protocol Host
Exit code:
0
Version:
7.00.7600.16385 (win7_rtm.090713-1255)
Total events
1 625
Read events
1 573
Write events
0
Delete events
0

Modification events

No data
Executable files
5
Suspicious files
3
Text files
19
Unknown types
3

Dropped files

PID
Process
Filename
Type
3176msiexec.exeC:\Windows\Installer\MSI8296.tmp
MD5:
SHA256:
3176msiexec.exeC:\Windows\Installer\MSI8314.tmp
MD5:
SHA256:
3176msiexec.exeC:\Users\admin\AppData\Local\Temp\~DF8A5F0D85B0ADA728.TMP
MD5:
SHA256:
2408MsiExec.exeC:\Users\admin\Documents\NPIE\Avira.OE.NativeCore.dll
MD5:
SHA256:
3176msiexec.exeC:\Windows\Installer\a681fa.msiexecutable
MD5:A658DA0BF1A0EBD663044708CFCEA350
SHA256:50F1F2F411B11A5529E7F7AC6590ED8FF8AB86ECC7F80F2CAF2EE2944DF07CBC
2408MsiExec.exeC:\Users\admin\Documents\NPIE_NPIE_NPIE.zipcompressed
MD5:8BD367E3E35A0EE2A2EF3DE33AE21214
SHA256:9CF4C726E46022622BDB48772A88F061468D7DF5C1BB94C503D3119B83F5230B
3924WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3924.27522\dados.txttext
MD5:987EE5F625D99D31BF5C4EB1029C3E71
SHA256:6F2082B077E6C9126A23843C170B9FDCF636BB4BDA61DCE231709C91FC2DC465
3176msiexec.exeC:\Windows\Installer\a681fc.ipibinary
MD5:693EDFB233013C918F73C3ABB89D6190
SHA256:A16840F60030A0A281CBB955CAEAE4DC477404AFD6377E3C85CF3FE35DEE7010
2408MsiExec.exeC:\Users\admin\Documents\NPIE\Birinb (3).icoimage
MD5:FE0A2332048DF13FCECBDB33837E15F4
SHA256:04A226B46B1297AE467D2F98330DD8822CED7AA1707341A6C16E2FEF1DB65C65
3924WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$EXa3924.27522\dados3213.msiexecutable
MD5:A658DA0BF1A0EBD663044708CFCEA350
SHA256:50F1F2F411B11A5529E7F7AC6590ED8FF8AB86ECC7F80F2CAF2EE2944DF07CBC
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2408
MsiExec.exe
GET
200
187.17.111.35:80
http://moggiempilhadeiras.com.br/js/video2.Tar
BR
compressed
13.0 Mb
malicious
3012
NPIE.EXE
POST
5.57.226.202:80
http://novamultimidea.webcindario.com/covid19/
ES
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3012
NPIE.EXE
5.57.226.202:80
novamultimidea.webcindario.com
ServiHosting Networks S.L.
ES
malicious
2408
MsiExec.exe
187.17.111.35:80
moggiempilhadeiras.com.br
Universo Online S.A.
BR
malicious

DNS requests

Domain
IP
Reputation
moggiempilhadeiras.com.br
  • 187.17.111.35
malicious
novamultimidea.webcindario.com
  • 5.57.226.202
malicious

Threats

PID
Process
Class
Message
3012
NPIE.EXE
Potentially Bad Traffic
ET INFO Suspicious POST Request with Possible COVID-19 URI M1
1 ETPRO signatures available at the full report
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
84f8b_dados68974942045.zip