File name: Spark.zip
Full analysis: https://app.any.run/tasks/61b13877-e919-4704-984e-821cb5a27315
Verdict: Malicious activity
Analysis date: November 29, 2020, 15:40:59
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract
MD5: 860168A14356BE3E65650B8A3CF6C3A0
SHA1: EA99E29E119D88CAF9D38FB6AAC04A97E9C5AC63
SHA256: 1AE2A53C8ADC94B1566EA6B3AA63CE7FE2A2B2FCBE4CEC3112F9EBE76E2E9BF9
SSDEEP: 49152:p0iszfe7OgN0Fw6KDfcqm6YvBK1+bgHXFZn:4CN0FHMcTvu+E3FZn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
    • Actions look like stealing of personal data
    • Changes settings of System certificates
      • Setup.exe (PID: 1732)
    • Loads dropped or rewritten executable
      • Setup.exe (PID: 1732)
    • Drops executable file immediately after start
      • NETFramework.exe (PID: 4032)
  • SUSPICIOUS
    • (none)
  • INFO
    • Manual execution by user
    • Reads settings of System Certificates
      • Setup.exe (PID: 1732)

Read the attributions before trusting the verdict: every PID-attributed hit lands on the .NET installer chain (Setup.exe touching system-certificate settings and loading what NETFramework.exe extracted), which the genuine Microsoft web installer also does. The two MALICIOUS signatures without a PID cannot be attributed from this summary; the dropped-files and process sections below are where the extracted binary's own activity shows.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: [email protected]
ZipUncompressedSize: 507392
ZipCompressedSize: 385497
ZipCRC: 0x00000000
ZipModifyDate: 2018:09:14 23:54:10
ZipCompression: Unknown (99)
ZipBitFlag: 0x0001
ZipRequiredVersion: 51

Reading these fields together: compression method 99 is the WinZip AES extension (AE-x), bit 0 of the general-purpose flag marks the entry as encrypted, and a required version of 51 means 5.1, which is the "at least v5.1 to extract" in the file info above. A CRC of 0x00000000 on an encrypted entry is what the AE-2 variant specifies (the CRC is zeroed so it cannot be used to check password guesses against plaintext), so the archive is password-protected with AES rather than legacy ZipCrypto. The analyst had to supply the password in WinRAR before anything ran, and any scanner that only sees the archive sees ciphertext.

No data.
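To check those header fields on any archive without relying on an EXIF dump, the following parser walks the local file headers, detects method 99 and reads the 0x9901 AES extra field that carries the AE version and key strength. This is an added example, not ANY.RUN's code; the archive bytes it parses are constructed inline (zero filler instead of real ciphertext, and the entry name "inner.exe" is a placeholder) so it runs offline.

```python
"""Walk ZIP local file headers and flag encrypted entries, in particular WinZip AES
(method 99) entries like the one described by the EXIF fields in the report.
Added example; the sample archive is constructed below, no real ciphertext."""
import struct
from dataclasses import dataclass
from typing import Optional

LOCAL_SIG = b"PK\x03\x04"
FLAG_ENCRYPTED = 0x0001        # general-purpose bit 0
FLAG_DATA_DESCRIPTOR = 0x0008  # sizes/CRC only in a trailing descriptor (streamed)
METHOD_AES = 99                # WinZip AES extension
EXTRA_AES = 0x9901             # extra-field id carrying AE version / strength
AES_STRENGTH = {1: "AES-128", 2: "AES-192", 3: "AES-256"}


@dataclass
class Entry:
    name: str
    required_version: int        # 51 -> 5.1
    flags: int
    method: int
    crc32: int
    compressed_size: int
    uncompressed_size: int
    aes_vendor_version: Optional[int] = None  # 1 = AE-1 (CRC kept), 2 = AE-2 (CRC zeroed)
    aes_strength: Optional[int] = None
    aes_real_method: Optional[int] = None     # compression applied under the encryption

    @property
    def encrypted(self) -> bool:
        return bool(self.flags & FLAG_ENCRYPTED) or self.method == METHOD_AES

    def describe(self) -> str:
        if self.method == METHOD_AES and self.aes_vendor_version is not None:
            enc = f"{AES_STRENGTH.get(self.aes_strength, '?')} AE-{self.aes_vendor_version}"
            crc = "CRC zeroed (expected for AE-2)" if self.crc32 == 0 else f"CRC {self.crc32:#010x}"
            return f"{self.name}: encrypted, {enc}, inner method {self.aes_real_method}, {crc}"
        if self.encrypted:
            return f"{self.name}: encrypted (legacy ZipCrypto), method {self.method}"
        return f"{self.name}: plaintext, method {self.method}"


def _parse_aes_extra(extra: bytes):
    """Return (vendor_version, strength, real_method) from the 0x9901 field, or Nones."""
    pos = 0
    while pos + 4 <= len(extra):
        ext_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        if ext_id == EXTRA_AES and len(body) >= 7:
            vendor_version, vendor_id, strength, real_method = struct.unpack_from("<H2sBH", body, 0)
            if vendor_id == b"AE":
                return vendor_version, strength, real_method
        pos += 4 + size
    return None, None, None


def parse_local_headers(data: bytes) -> list:
    """Sequentially walk local headers until something other than PK\\x03\\x04 appears."""
    entries, pos = [], 0
    while data[pos:pos + 4] == LOCAL_SIG:
        (ver, flags, method, _mtime, _mdate, crc, csize, usize,
         nlen, elen) = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
        name = data[pos + 30:pos + 30 + nlen].decode("cp437", "replace")
        extra = data[pos + 30 + nlen:pos + 30 + nlen + elen]
        if flags & FLAG_DATA_DESCRIPTOR:
            raise ValueError(f"{name}: streamed entry, sizes live in the data descriptor")
        entry = Entry(name, ver, flags, method, crc, csize, usize)
        if method == METHOD_AES:
            entry.aes_vendor_version, entry.aes_strength, entry.aes_real_method = _parse_aes_extra(extra)
        entries.append(entry)
        pos += 30 + nlen + elen + csize
    return entries


def _local(name: bytes, ver: int, flags: int, method: int, crc: int,
           usize: int, body: bytes, extra: bytes = b"") -> bytes:
    """Build one constructed local header + payload (mtime/mdate are arbitrary)."""
    fixed = struct.pack("<HHHHHIIIHH", ver, flags, method, 0xBF8A, 0x4D2E,
                        crc, len(body), usize, len(name), len(extra))
    return LOCAL_SIG + fixed + name + extra + body


def build_sample_archive() -> bytes:
    """Constructed archive: an AES-256 AE-2 entry mirroring the report's header values
    (method 99, flag 0x0001, version 51, CRC 0), then an ordinary deflate entry."""
    aes_payload = struct.pack("<H2sBH", 2, b"AE", 3, 8)   # AE-2, vendor "AE", AES-256, inner deflate
    aes_extra = struct.pack("<HH", EXTRA_AES, len(aes_payload)) + aes_payload
    encrypted = _local(b"inner.exe", 51, FLAG_ENCRYPTED, METHOD_AES, 0, 507392, b"\x00" * 64, aes_extra)
    plain = _local(b"readme.txt", 20, 0, 8, 0xDEADBEEF, 16, b"\x00" * 16)
    return encrypted + plain + b"PK\x01\x02"   # start of central directory ends the walk


if __name__ == "__main__":
    for e in parse_local_headers(build_sample_archive()):
        print(e.describe())
```

Run it against a real archive by passing `open(path, "rb").read()` to `parse_local_headers`; the walk stops at the first streamed entry, because with bit 3 set the compressed size is only known from the trailing data descriptor and a sequential walk cannot skip it safely.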
All screenshots are available in the full report
Total processes: 61
Monitored processes: 12
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process tree reconstructed from the graph's "drop and start" edges and the process table below (the full report has the interactive version):

explorer.exe
├─ winrar.exe (2364), opens Spark.zip
│   ├─ [email protected] (2832), MEDIUM, no specs
│   └─ [email protected] (3204), HIGH, drop
└─ netframework.exe (2400), MEDIUM, no specs
   netframework.exe (4032), HIGH, drop and start
   └─ setup.exe (1732)
       ├─ setuputility.exe /aupause (2492), no specs
       ├─ setuputility.exe /screboot (3728), no specs
       ├─ setuputility.exe /msureboot 461310 (1332), no specs
       └─ setuputility.exe /auresume (2808), no specs

Process information

PID 2364  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Spark.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe   Parent: explorer.exe
  User: admin   Company: Alexander Roshal   Integrity level: MEDIUM
  Description: WinRAR archiver   Exit code: 0   Version: 5.60.0

PID 2832  "C:\Users\admin\AppData\Local\Temp\Rar$EXb2364.31169\[email protected]"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb2364.31169\[email protected]   Parent: WinRAR.exe
  User: admin   Integrity level: MEDIUM
  Description: (empty)   Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)   Version: 0.0.0.0

PID 3204  "C:\Users\admin\AppData\Local\Temp\Rar$EXb2364.31169\[email protected]"
  Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb2364.31169\[email protected]   Parent: WinRAR.exe
  User: admin   Integrity level: HIGH
  Description: (empty)   Exit code: 3762504530 (0xE0434352, unhandled .NET CLR exception)   Version: 0.0.0.0

PID 2400  "C:\Users\admin\Desktop\NETFramework.exe"
  Path: C:\Users\admin\Desktop\NETFramework.exe   Parent: explorer.exe
  User: admin   Company: Microsoft Corporation   Integrity level: MEDIUM
  Description: Microsoft .NET Framework 4.7.1 Setup   Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)   Version: 4.7.02558.00

PID 4032  "C:\Users\admin\Desktop\NETFramework.exe"
  Path: C:\Users\admin\Desktop\NETFramework.exe   Parent: explorer.exe
  User: admin   Company: Microsoft Corporation   Integrity level: HIGH
  Description: Microsoft .NET Framework 4.7.1 Setup   Exit code: 0   Version: 4.7.02558.00

PID 1732  C:\cb5a6f3baae017cbbc4e12e4\\Setup.exe /x86 /x64 /web
  Path: C:\cb5a6f3baae017cbbc4e12e4\Setup.exe   Parent: NETFramework.exe
  User: admin   Company: Microsoft Corporation   Integrity level: HIGH
  Description: Setup Installer   Exit code: 0   Version: 14.7.2558.0 built by: NET471REL1

PID 2492  SetupUtility.exe /aupause
  Path: C:\cb5a6f3baae017cbbc4e12e4\SetupUtility.exe   Parent: Setup.exe
  User: admin   Company: Microsoft Corporation   Integrity level: HIGH
  Description: Microsoft .NET Framework 4.5 Setup   Exit code: 0   Version: 14.7.2558.0 built by: NET471REL1

PID 3728  SetupUtility.exe /screboot
  Path: C:\cb5a6f3baae017cbbc4e12e4\SetupUtility.exe   Parent: Setup.exe
  User: admin   Company: Microsoft Corporation   Integrity level: HIGH
  Description: Microsoft .NET Framework 4.5 Setup   Exit code: 0   Version: 14.7.2558.0 built by: NET471REL1

PID 1332  SetupUtility.exe /msureboot 461310
  Path: C:\cb5a6f3baae017cbbc4e12e4\SetupUtility.exe   Parent: Setup.exe
  User: admin   Company: Microsoft Corporation   Integrity level: HIGH
  Description: Microsoft .NET Framework 4.5 Setup   Exit code: 0   Version: 14.7.2558.0 built by: NET471REL1

PID 2808  SetupUtility.exe /auresume
  Path: C:\cb5a6f3baae017cbbc4e12e4\SetupUtility.exe   Parent: Setup.exe
  User: admin   Company: Microsoft Corporation   Integrity level: HIGH
  Description: Microsoft .NET Framework 4.5 Setup   Exit code: 0   Version: 14.7.2558.0 built by: NET471REL1

Reading the exit codes: both the extracted binary and NETFramework.exe were first started at MEDIUM integrity, exited with 0xC000042C (Windows refuses to start an image that requires elevation from an unelevated caller), and were immediately relaunched at HIGH integrity by the same parent, i.e. the analyst accepted the UAC prompt for each. The elevated copy of the extracted binary (PID 3204) has no version resource, no description, wrote IFEO.exe and DLL.dll under C:\Windows\File Cache\ (see the dropped files below) and then died with 0xE0434352, the SEH code the .NET CLR raises for an unhandled managed exception, so it is a .NET binary that crashed before spawning any child. The Setup.exe / SetupUtility.exe chain under NETFramework.exe is what the .NET Framework 4.7.1 web installer does (extracts to a random-named directory in C:\ and fetches Microsoft CRLs); the report does not show an Authenticode check of NETFramework.exe, so verify its signature before treating it as the genuine installer.
Total events: 604
Read events: 561
Write events: 39
Delete events: 4

Modification events

All ten writes listed here come from WinRAR.exe (PID 2364) and are its own UI state (theme, column widths, archive history, zone map); the remaining write events are in the full report.

PID 2364 WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write ShellExtBMP = (empty)
PID 2364 WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | write ShellExtIcon = (empty)
PID 2364 WinRAR.exe | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E | write LanguageList = en-US
PID 2364 WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | write 0 = C:\Users\admin\AppData\Local\Temp\Spark.zip
PID 2364 WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write name = 120
PID 2364 WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write size = 80
PID 2364 WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write type = 120
PID 2364 WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | write mtime = 100
PID 2364 WinRAR.exe | HKEY_CURRENT_USER\Software\WinRAR\Interface | write ShowPassword = 0
PID 2364 WinRAR.exe | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | write UNCAsIntranet = 0
Executable files: 37
Suspicious files: 6
Text files: 82
Unknown types: 3

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2364 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2364.33183\[email protected] | | (not recorded) | (not recorded)
2364 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb2364.33183\NETFramework.exe | | (not recorded) | (not recorded)
2364 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$EXb2364.31169\[email protected] | executable | 181EE63003E5C3EC8C378030286ED7A2 | 55BFCB784904477EF62EF7E4994DEE42F03D69BFEC3591989513CCCBBA3FC8FE
3204 | [email protected] | C:\Windows\File Cache\IFEO.exe | executable | 4A741EE0A43E437B2F12D3CF355A0234 | 9E919B9D333E5084427C4AAF4C00D058D9E2955F0428962DCB87FD48E163E65D
3204 | [email protected] | C:\Windows\File Cache\DLL.dll | executable | A61C26B360471C8258C7571037C4BCA0 | E77316A1FD682E1AF8AF3CCD03C170F886B9EC8EDF7013E1BE6A6207CB5A6F16
4032 | NETFramework.exe | C:\cb5a6f3baae017cbbc4e12e4\Graphics\Rotate5.ico | image | 25F0D572761CB610BDAD6DD980C46CC7 | CE2AFC0AA52B3D459D6D8D7C551F7B8FBF323E2260326908C37A13F21FEE423E
4032 | NETFramework.exe | C:\cb5a6f3baae017cbbc4e12e4\watermark.bmp | image | B0075CEE80173D764C0237E840BA5879 | AB18374B3AAB10E5979E080D0410579F9771DB888BA1B80A5D81BA8896E2D33A
4032 | NETFramework.exe | C:\cb5a6f3baae017cbbc4e12e4\header.bmp | image | 41C22EFA84CA74F0CE7076EB9A482E38 | 255025A0D79EF2DAC04BD610363F966EF58328400BF31E1F8915E676478CD750
4032 | NETFramework.exe | C:\cb5a6f3baae017cbbc4e12e4\Graphics\Print.ico | image | D39BAD9DDA7B91613CB29B6BD55F0901 | D80FFEB020927F047C11FC4D9F34F985E0C7E5DFEA9FB23F2BC134874070E4E6
4032 | NETFramework.exe | C:\cb5a6f3baae017cbbc4e12e4\Graphics\Rotate2.ico | image | F824905E5501603E6720B784ADD71BDD | D15A6F1EEFEFE4F9CD51B7B22E9C7B07C7ACAD72FD53E5F277E6D4E0976036C3

The files worth pivoting on are the three executables: the binary WinRAR extracted and ran (SHA256 55BFCB78…) and the two files it wrote as PID 3204. C:\Windows\File Cache\ is not a directory Windows creates, and writing under C:\Windows needs the HIGH integrity the process obtained through UAC. Everything written by PID 4032 is installer UI artwork inside the installer's own working directory.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 3
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Type | Size | Reputation
1732 | Setup.exe | GET | 200 | 2.16.186.120:80 | http://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | unknown | der | 550 b | whitelisted
1732 | Setup.exe | GET | 200 | 2.16.186.120:80 | http://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | unknown | der | 564 b | whitelisted
1732 | Setup.exe | GET | 200 | 2.16.186.120:80 | http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | unknown | der | 781 b | whitelisted

All three requests are CRL downloads by the .NET installer's Setup.exe while it validates Microsoft signatures. Neither instance of the extracted binary (PIDs 2832 and 3204) produced any network traffic in this run, which is consistent with PID 3204 crashing shortly after dropping its files; absence of a C2 contact here says nothing about what IFEO.exe or DLL.dll would do if executed.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1732 | Setup.exe | 2.16.186.120:80 | crl.microsoft.com | Akamai International B.V. | | whitelisted

DNS requests

Domain | IP | Reputation
crl.microsoft.com | 2.16.186.120, 2.16.186.74 | whitelisted

Threats

No threats detected

Process | Message
Setup.exe | The operation completed successfully.
Setup.exe | The operation completed successfully.