File name: Migraine.zip
Full analysis: https://app.any.run/tasks/8ae9b373-2809-4e8e-b353-4c500765fb33
Verdict: Malicious activity
Analysis date: January 17, 2020, 18:40:58
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 05D47E46F73C309D244325FDAF96A5B5
SHA1: 931C2E3B8F9ABFC73395F2279AD27F2D186AC6FC
SHA256: 193C16F62CDEA655610F28D170C43D6074509C8F2FC7FAB6DB307D81E39E33D4
SSDEEP: 196608:FjwpSiQ5zukJiSn2OsDqx0khG2VhGOhjPmwSAtBM6txO5fHfYLaPuDw5vzQnKwu:qYiW6kV76wSgM6tcAYw0jB

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • SearchProtocolHost.exe (PID: 3516)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 2488)
  • INFO
    • No info indicators.
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD: .zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2019:12:31 20:06:01
ZipCRC: 0xacd8dec0
ZipCompressedSize: 85475
ZipUncompressedSize: 238080
ZipFileName: Bunifu_UI_v1.5.3.dll
No data.
All screenshots are available in the full report
Total processes: 35
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph (process details are in the full report)

Processes shown: winrar.exe, searchprotocolhost.exe (no specs)

Process information

PID: 2488
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Migraine.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.60.0

PID: 3516
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe2_ Global\UsGthrCtrlFltPipeMssGthrPipe2 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)
Total events: 795
Read events: 776
Write events: 19
Delete events: 0

Modification events

(PID) Process: (2488) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (2488) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (2488) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (2488) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Migraine.zip

(PID) Process: (2488) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (2488) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (2488) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (2488) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (2488) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Migraine

(PID) Process: (2488) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Operation: write
Name: 1
Value: C:\Users\admin\AppData\Local\Temp\Migraine

Executable files: 24
Suspicious files: 0
Text files: 4
Unknown types: 0

Dropped files (PID, process, filename, type)

2488 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Migraine\RPC.json (text)
  MD5: 7118ADD1106D5E047309BC0874E71118
  SHA256: 51214C162DA95888CB2CACA68342E921F396FB5A2CA324918ECEF658C199EB35

2488 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Migraine\Discord.Net.WebSocket.dll (executable)
  MD5: 2C6D4D9B65A98BDF362E0F72468015F1
  SHA256: 6242703C0DD794596AFEC8CA1FD0748C7C16A07F40BE9A8E0A9D541FA0900D2C

2488 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Migraine\Guna.UI.dll (executable)
  MD5: 328718C56E2E6DDA76E66834E74E7E82
  SHA256: E979C7DCDA1F471A56C1DDF58953BA73BAF9D6C759C67E8F0A335FF5B02DC8CE

2488 WinRAR.exe C:\Users\admin\Desktop\Discord.Net.Rest.dll (executable)
  MD5: 855FA266CBA6A5B1B87D376ADC0A94AA
  SHA256: D5AEF2F55F79959BDF2F34411B293AEEB1534368B350B60707171B4435A8ED3A

2488 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Migraine\Bunifu_UI_v1.5.3.dll (executable)
  MD5: DD2A2E63363BB34029F3EC3F27DDF820
  SHA256: 94520DA13006B667463AE1AA41FA35858299C5D1591DB55D132F08A091E127DC

2488 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Migraine\Discord.Net.Rest.dll (executable)
  MD5: 855FA266CBA6A5B1B87D376ADC0A94AA
  SHA256: D5AEF2F55F79959BDF2F34411B293AEEB1534368B350B60707171B4435A8ED3A

2488 WinRAR.exe C:\Users\admin\Desktop\Discord.Net.WebSocket.dll (executable)
  MD5: 2C6D4D9B65A98BDF362E0F72468015F1
  SHA256: 6242703C0DD794596AFEC8CA1FD0748C7C16A07F40BE9A8E0A9D541FA0900D2C

2488 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Migraine\Settings.json (text)
  MD5: 23EA8DAF684C4BFA8F74F22F943F141A
  SHA256: 3FAD7A5B49253EDB0AE0C8C0CD7D4749E3C329E6BC0BAD720FA88590A0CEB53D

2488 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Migraine\Migraine_v2.exe (executable)
  MD5: 6202AF0EF09C2066F5FA4B6111F46932
  SHA256: F39AF748DBDF49797CB3B24C97F6C336422315E5548F79FD441C7D620ABD8E87

2488 WinRAR.exe C:\Users\admin\AppData\Local\Temp\Migraine\Discord.Net.Commands.dll (executable)
  MD5: B61541CC9100BF5134ECC24CF73D2FB8
  SHA256: 6F464F13DBBDE89CF4E22319A553679A2C5851232E7363BFF2AA8D1524FE282D
Download the PCAP and analyze network streams, HTTP content and more in the full report.

HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

No data

DNS requests

No data

Threats

No threats detected
No debug info