File name: Spark.zip

Full analysis: https://app.any.run/tasks/06224c90-c0ea-4d27-81d9-9728f144b49b
Verdict: Malicious activity
Analysis date: February 07, 2022, 21:51:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract
MD5: 860168A14356BE3E65650B8A3CF6C3A0
SHA1: EA99E29E119D88CAF9D38FB6AAC04A97E9C5AC63
SHA256: 1AE2A53C8ADC94B1566EA6B3AA63CE7FE2A2B2FCBE4CEC3112F9EBE76E2E9BF9
SSDEEP: 49152:p0iszfe7OgN0Fw6KDfcqm6YvBK1+bgHXFZn:4CN0FHMcTvu+E3FZn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops an executable file immediately after start

      • NETFramework.exe (PID: 1688)
    • Actions look like stealing of personal data

      • NETFramework.exe (PID: 1688)
      • Chris@Spark.exe (PID: 3004)
    • Application was dropped or rewritten from another process

      • NETFramework.exe (PID: 1688)
      • NETFramework.exe (PID: 3184)
      • SetupUtility.exe (PID: 2728)
      • Setup.exe (PID: 2744)
      • SetupUtility.exe (PID: 3476)
      • Chris@Spark.exe (PID: 2084)
      • Chris@Spark.exe (PID: 3004)
    • Runs injected code in another process

      • Setup.exe (PID: 2744)
    • Application was injected by another process

      • svchost.exe (PID: 924)
    • Changes settings of System certificates

      • Setup.exe (PID: 2744)
  • SUSPICIOUS

    • Checks supported languages

      • WinRAR.exe (PID: 3820)
      • NETFramework.exe (PID: 1688)
      • Setup.exe (PID: 2744)
      • SetupUtility.exe (PID: 2728)
      • SetupUtility.exe (PID: 3476)
      • Chris@Spark.exe (PID: 3004)
    • Drops a file that was compiled in debug mode

      • WinRAR.exe (PID: 3820)
      • NETFramework.exe (PID: 1688)
      • Chris@Spark.exe (PID: 3004)
    • Reads the computer name

      • WinRAR.exe (PID: 3820)
      • NETFramework.exe (PID: 1688)
      • Setup.exe (PID: 2744)
      • Chris@Spark.exe (PID: 3004)
      • SetupUtility.exe (PID: 2728)
      • SetupUtility.exe (PID: 3476)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 3820)
      • NETFramework.exe (PID: 1688)
      • Chris@Spark.exe (PID: 3004)
    • Reads Environment values

      • Setup.exe (PID: 2744)
    • Reads CPU info

      • Setup.exe (PID: 2744)
    • Creates files in the Windows directory

      • Chris@Spark.exe (PID: 3004)
    • Creates files in the program directory

      • Setup.exe (PID: 2744)
  • INFO

    • Checks Windows Trust Settings

      • Setup.exe (PID: 2744)
    • Reads settings of System Certificates

      • Setup.exe (PID: 2744)
    • Dropped object may contain Bitcoin addresses

      • SetupUtility.exe (PID: 2728)
    • Checks supported languages

      • svchost.exe (PID: 924)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: Chris@Spark.exe
ZipUncompressedSize: 507392
ZipCompressedSize: 385497
ZipCRC: 0x00000000
ZipModifyDate: 2018:09:14 23:54:10
ZipCompression: Unknown (99)
ZipBitFlag: 0x0001
ZipRequiredVersion: 51
No data.
All screenshots are available in the full report
Total processes: 51
Monitored processes: 9
Malicious processes: 4
Suspicious processes: 4

Behavior graph

Interactive graph available in the full report. Process nodes: winrar.exe, netframework.exe, setup.exe, setuputility.exe, svchost.exe, chris@spark.exe; edge types: drop and start, start, inject.

Process information

PID 924 (parent process: services.exe)
CMD: C:\Windows\system32\svchost.exe -k netsvcs
Path: C:\Windows\system32\svchost.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1688 (parent process: WinRAR.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb3820.37372\NETFramework.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb3820.37372\NETFramework.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft .NET Framework 4.7.1 Setup
Exit code: 2148204801
Version: 4.7.02558.00

PID 2084 (parent process: WinRAR.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb3820.42410\Chris@Spark.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb3820.42410\Chris@Spark.exe
User: admin
Integrity Level: MEDIUM
Description: (none)
Exit code: 3221226540
Version: 0.0.0.0

PID 2728 (parent process: Setup.exe)
CMD: SetupUtility.exe /aupause
Path: C:\99878908134376de4078\SetupUtility.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft .NET Framework 4.5 Setup
Exit code: 0
Version: 14.7.2558.0 built by: NET471REL1

PID 2744 (parent process: NETFramework.exe)
CMD: C:\99878908134376de4078\\Setup.exe /x86 /x64 /web
Path: C:\99878908134376de4078\Setup.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Setup Installer
Exit code: 2148204801
Version: 14.7.2558.0 built by: NET471REL1

PID 3004 (parent process: WinRAR.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb3820.42410\Chris@Spark.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb3820.42410\Chris@Spark.exe
User: admin
Integrity Level: HIGH
Description: (none)
Exit code: 3762504530
Version: 0.0.0.0

PID 3184 (parent process: WinRAR.exe)
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb3820.37372\NETFramework.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb3820.37372\NETFramework.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Framework 4.7.1 Setup
Exit code: 3221226540
Version: 4.7.02558.00

PID 3476 (parent process: Setup.exe)
CMD: SetupUtility.exe /screboot
Path: C:\99878908134376de4078\SetupUtility.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft .NET Framework 4.5 Setup
Exit code: 0
Version: 14.7.2558.0 built by: NET471REL1

PID 3820 (parent process: Explorer.EXE)
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Spark.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Total events: 0
Read events: 0
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 36
Suspicious files: 9
Text files: 81
Unknown types: 9

Dropped files

PID | Process | Filename | Type
1688 | NETFramework.exe | C:\99878908134376de4078\watermark.bmp | image
    MD5: B0075CEE80173D764C0237E840BA5879
    SHA256: AB18374B3AAB10E5979E080D0410579F9771DB888BA1B80A5D81BA8896E2D33A
3820 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb3820.37372\NETFramework.exe | executable
    MD5: 4FB795478A8F346C337A1F84BACCC85B
    SHA256: 65A7CB8FD1C7C529C40345B4746818F8947BE736AA105007DFCC57B05897ED62
1688 | NETFramework.exe | C:\99878908134376de4078\DisplayIcon.ico | image
    MD5: F9657D290048E169FFABBBB9C7412BE0
    SHA256: B74AD253B9B8F9FCADE725336509143828EE739CC2B24782BE3ECFF26F229160
1688 | NETFramework.exe | C:\99878908134376de4078\header.bmp | image
    MD5: 41C22EFA84CA74F0CE7076EB9A482E38
    SHA256: 255025A0D79EF2DAC04BD610363F966EF58328400BF31E1F8915E676478CD750
1688 | NETFramework.exe | C:\99878908134376de4078\SplashScreen.bmp | image
    MD5: BC32088BFAA1C76BA4B56639A2DEC592
    SHA256: B05141DBC71669A7872A8E735E5E43A7F9713D4363B7A97543E1E05DCD7470A7
1688 | NETFramework.exe | C:\99878908134376de4078\Graphics\Rotate1.ico | image
    MD5: 9B70C7FA81DCA6D3B992037D0C251D92
    SHA256: 18226B9D56D2B1C070A2C606428892773CB00B5B4B95397E79D01DE26685CCD4
1688 | NETFramework.exe | C:\99878908134376de4078\Graphics\Print.ico | image
    MD5: D39BAD9DDA7B91613CB29B6BD55F0901
    SHA256: D80FFEB020927F047C11FC4D9F34F985E0C7E5DFEA9FB23F2BC134874070E4E6
1688 | NETFramework.exe | C:\99878908134376de4078\Graphics\Rotate10.ico | image
    MD5: 0CCA04A3468575FDCEFEE9957E32F904
    SHA256: B94E68C711B3B06D9A63C80AD013C7C7BBDB5F8E82CBC866B246FF22D99B03FE
1688 | NETFramework.exe | C:\99878908134376de4078\Graphics\Rotate4.ico | image
    MD5: 267B198FEF022D3B1D44CCA7FE589373
    SHA256: 303989B692A57FE34B47BB2F926B91AC605F288AE6C9479B33EAF15A14EB33AC
1688 | NETFramework.exe | C:\99878908134376de4078\Graphics\Rotate2.ico | image
    MD5: F824905E5501603E6720B784ADD71BDD
    SHA256: D15A6F1EEFEFE4F9CD51B7B22E9C7B07C7ACAD72FD53E5F277E6D4E0976036C3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 32
TCP/UDP connections: 80
DNS requests: 6
Threats: 36

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
924 | svchost.exe | HEAD | 302 | 23.2.175.10:80 | http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net471Rel1&plcid=0x409&clcid=0x409&ar=02558.00&sar=x86&o1=netfx_Full.mzz | US | - | - | whitelisted
924 | svchost.exe | HEAD | 302 | 23.2.175.10:80 | http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net471Rel1&plcid=0x409&clcid=0x409&ar=02558.00&sar=x86&o1=netfx_Full.mzz | US | - | - | whitelisted
924 | svchost.exe | HEAD | 302 | 23.2.175.10:80 | http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net471Rel1&plcid=0x409&clcid=0x409&ar=02558.00&sar=x86&o1=netfx_Full.mzz | US | - | - | whitelisted
2744 | Setup.exe | GET | 302 | 23.2.175.10:80 | http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net471Rel1&plcid=0x409&clcid=0x409&ar=02558.00&sar=x86&o1=netfx_Full.mzz | US | - | - | whitelisted
924 | svchost.exe | HEAD | 302 | 23.2.175.10:80 | http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net471Rel1&plcid=0x409&clcid=0x409&ar=02558.00&sar=x86&o1=netfx_Full.mzz | US | - | - | whitelisted
2744 | Setup.exe | GET | 200 | 104.85.1.163:80 | http://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl | US | der | 1.05 Kb | whitelisted
924 | svchost.exe | HEAD | 302 | 23.2.175.10:80 | http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net471Rel1&plcid=0x409&clcid=0x409&ar=02558.00&sar=x86&o1=netfx_Full.mzz | US | - | - | whitelisted
924 | svchost.exe | HEAD | 302 | 23.2.175.10:80 | http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net471Rel1&plcid=0x409&clcid=0x409&ar=02558.00&sar=x86&o1=netfx_Full.mzz | US | - | - | whitelisted
2744 | Setup.exe | GET | 302 | 23.2.175.10:80 | http://go.microsoft.com/fwlink/?prd=11324&pver=netfx&sbp=Net471Rel1&plcid=0x409&clcid=0x409&ar=02558.00&sar=x86&o1=netfx_Full.mzz | US | - | - | whitelisted
2744 | Setup.exe | GET | 200 | 104.109.143.7:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | US | der | 555 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2744 | Setup.exe | 104.110.191.140:80 | ctldl.windowsupdate.com | Akamai Technologies, Inc. | US | unknown
2744 | Setup.exe | 104.109.143.7:80 | crl.microsoft.com | Akamai Technologies, Inc. | US | unknown
924 | svchost.exe | 23.2.175.10:80 | go.microsoft.com | Akamai International B.V. | US | malicious
924 | svchost.exe | 68.232.34.200:443 | download.visualstudio.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2744 | Setup.exe | 23.2.175.10:80 | go.microsoft.com | Akamai International B.V. | US | malicious
2744 | Setup.exe | 68.232.34.200:443 | download.visualstudio.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2744 | Setup.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
- | - | 68.232.34.200:443 | download.visualstudio.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2744 | Setup.exe | 104.85.1.163:80 | www.microsoft.com | Time Warner Cable Internet LLC | US | suspicious

DNS requests

Domain | IP | Reputation
ctldl.windowsupdate.com | 104.110.191.140 | whitelisted
crl.microsoft.com | 104.109.143.7 | whitelisted
go.microsoft.com | 23.2.175.10 | whitelisted
download.visualstudio.microsoft.com | 68.232.34.200 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
www.microsoft.com | 104.85.1.163 | whitelisted

Threats

PID | Process | Class | Message
924 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
924 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
924 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
924 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
924 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
924 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
924 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
924 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
2744 | Setup.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure
924 | svchost.exe | Potentially Bad Traffic | ET INFO TLS Handshake Failure

Process | Message
Setup.exe | A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.
Setup.exe | A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file.