File name: BUROFAX_SOSPECHOSO_045796_FLQ.zip
Full analysis: https://app.any.run/tasks/176a4519-2f3e-4369-bb03-27cf2d5b3f84
Verdict: Malicious activity
Analysis date: October 20, 2020, 07:22:31
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: F673AFDDDE2BC63D9F536AFD3AAAA2D4
SHA1: F952BA791B8B441B62623550005F967971EEE525
SHA256: 1C8E004C06EF51BAA7B579E591361E4CAAEFB009BF54C4FEA18993E1658260B3
SSDEEP: 12288:E50P71GT9fabBCkCg6c3sstqoPzIyLVmph:E50jQBfUEBg0stLVmn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts Internet Explorer

      • WinRAR.exe (PID: 2616)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2616)
      • msiexec.exe (PID: 1652)
    • Reads Internet Cache Settings

      • MsiExec.exe (PID: 584)
    • Starts Microsoft Installer

      • WinRAR.exe (PID: 2616)
  • INFO

    • Application launched itself

      • iexplore.exe (PID: 2472)
      • iexplore.exe (PID: 3708)
      • msiexec.exe (PID: 1652)
    • Changes internet zones settings

      • iexplore.exe (PID: 2472)
    • Reads Internet Cache Settings

      • iexplore.exe (PID: 2472)
      • iexplore.exe (PID: 1896)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3708)
    • Reads settings of System Certificates

      • iexplore.exe (PID: 2472)
    • Adds / modifies Windows certificates

      • iexplore.exe (PID: 2472)
    • Changes settings of System certificates

      • iexplore.exe (PID: 2472)
    • Loads dropped or rewritten executable

      • MsiExec.exe (PID: 584)
    • Creates files in the user directory

      • iexplore.exe (PID: 2472)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: Deflated
ZipModifyDate: 2020:10:19 22:51:04
ZipCRC: 0xca7d79f9
ZipCompressedSize: 503846
ZipUncompressedSize: 1053696
ZipFileName: 045796_FLQ.msi
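The archive metadata above (member name, required version, compression, modify date, CRC, compressed and uncompressed size) is what an analyst checks before detonating a sample. The script below is an added example, not part of the ANY.RUN report: it reads the same fields from a zip's central directory with Python's zipfile module and adds three triage checks on top, an executable-type member, a single-member "wrapper" archive, and a build time shortly before the sample was seen. The archive it parses is constructed in memory with the member name and timestamp from the report and filler content, so its hashes, CRC and sizes are not those of the real sample; the 48-hour window and the extension list are this example's own thresholds.

```python
"""Static triage of a zip attachment before detonation.

Added example, not part of the ANY.RUN report. The archive is CONSTRUCTED
in memory so the script runs offline: the member name and timestamp are
copied from the report, the content is filler (OLE2 magic plus zeros), so
its hashes, CRC and sizes differ from the real sample.
"""
import hashlib
import io
import os
import zipfile
from datetime import datetime, timedelta

# File types that run, or are handed to an interpreter, when double-clicked
# (this example's own list, not a sandbox signature).
EXECUTABLE_EXTS = {".msi", ".exe", ".scr", ".js", ".jse", ".vbs", ".wsf",
                   ".hta", ".lnk", ".bat", ".cmd", ".ps1"}
COMPRESSION_NAMES = {zipfile.ZIP_STORED: "Stored", zipfile.ZIP_DEFLATED: "Deflated"}


def container_hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of the container itself, as listed in the report header."""
    return {n: hashlib.new(n, data).hexdigest().upper() for n in ("md5", "sha1", "sha256")}


def triage_archive(data: bytes, seen_at: datetime) -> dict:
    """Walk the central directory; return per-member metadata plus triage flags."""
    members, flags, stamps = [], [], []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            stamp = datetime(*info.date_time)
            stamps.append(stamp)
            members.append({
                "name": info.filename,
                "required_version": info.extract_version,   # 20 == "v2.0 to extract"
                "compression": COMPRESSION_NAMES.get(info.compress_type, str(info.compress_type)),
                "modify_date": stamp.strftime("%Y-%m-%d %H:%M:%S"),
                "crc32": f"0x{info.CRC:08x}",
                "compressed_size": info.compress_size,
                "uncompressed_size": info.file_size,
                "executable": os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXTS,
            })
        # testzip() re-reads every member and returns the first one whose CRC fails.
        if zf.testzip() is not None:
            flags.append("crc_mismatch")

    executables = [m for m in members if m["executable"]]
    if executables:
        flags.append("contains_executable")
    if len(members) == 1 and executables:
        # One installer wrapped in a zip is the usual "document" lure layout.
        flags.append("single_executable_member")
    if stamps and timedelta(0) <= seen_at - max(stamps) <= timedelta(hours=48):
        # Freshly built archives are typical of campaign attachments (48h is this example's threshold).
        flags.append("built_within_48h_of_analysis")
    return {"members": members, "flags": flags}


def build_constructed_sample() -> bytes:
    """CONSTRUCTED stand-in for BUROFAX_SOSPECHOSO_045796_FLQ.zip (filler content)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        info = zipfile.ZipInfo("045796_FLQ.msi", date_time=(2020, 10, 19, 22, 51, 4))
        info.compress_type = zipfile.ZIP_DEFLATED
        # MSI packages are OLE2 compound files; the 8-byte magic is all the filler needs.
        zf.writestr(info, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 4096)
    return buf.getvalue()


def triage_report_sample() -> dict:
    """Run the triage on the constructed archive with the report's analysis time."""
    data = build_constructed_sample()
    result = triage_archive(data, seen_at=datetime(2020, 10, 20, 7, 22, 31))
    result["container"] = container_hashes(data)
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(triage_report_sample(), indent=2))
```

On the real sample the same call would reproduce the EXIF block above (ZipRequiredVersion 20, Deflated, 2020-10-19 22:51:04, CRC 0xca7d79f9, 503846/1053696 bytes) and raise all three flags; the constructed archive only matches on name, version, compression and timestamp.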
All screenshots are available in the full report
Total processes: 45
Monitored processes: 7
Malicious processes: 0
Suspicious processes: 0

Behavior graph

Graph nodes (from start): winrar.exe, iexplore.exe, iexplore.exe, iexplore.exe (no specs), msiexec.exe (no specs), msiexec.exe, msiexec.exe

Process information

PID 2616: WinRAR.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\BUROFAX_SOSPECHOSO_045796_FLQ.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Version: 5.60.0

PID 2472: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa2616.40475\icone_6964611.gif
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: WinRAR.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 3708: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2472 CREDAT:144385 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 1896: iexplore.exe
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2472 CREDAT:333057 /prefetch:2
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 11.00.9600.16428 (winblue_gdr.131013-1700)

PID 752: msiexec.exe
  CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Rar$EXa2616.44884\045796_FLQ.msi"
  Path: C:\Windows\System32\msiexec.exe
  Parent process: WinRAR.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows® installer
  Exit code: 1603
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 1652: msiexec.exe
  CMD: C:\Windows\system32\msiexec.exe /V
  Path: C:\Windows\system32\msiexec.exe
  Parent process: services.exe
  User: SYSTEM
  Company: Microsoft Corporation
  Integrity Level: SYSTEM
  Description: Windows® installer
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)

PID 584: MsiExec.exe
  CMD: C:\Windows\system32\MsiExec.exe -Embedding 9FADE16A12C1C9CF47243ADCDCA82251
  Path: C:\Windows\system32\MsiExec.exe
  Parent process: msiexec.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows® installer
  Exit code: 0
  Version: 5.0.7600.16385 (win7_rtm.090713-1255)
Total events: 1 723
Read events: 1 580
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 4
Suspicious files: 13
Text files: 5
Unknown types: 6

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2472 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | - | - | -
2472 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\CabE544.tmp | - | - | -
2472 | iexplore.exe | C:\Users\admin\AppData\Local\Temp\TarE555.tmp | - | - | -
2472 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verE585.tmp | - | - | -
1652 | msiexec.exe | C:\Windows\Installer\MSI159C.tmp | - | - | -
1652 | msiexec.exe | C:\Windows\Installer\MSI15CC.tmp | - | - | -
1652 | msiexec.exe | C:\Users\admin\AppData\Local\Temp\~DFBBD258BFBBA0D06A.TMP | - | - | -
1652 | msiexec.exe | C:\Windows\Installer\MSI167A.tmp | - | - | -
2472 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\BUCKCQXG.txt | - | - | -
2472 | iexplore.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\P627D3OT.txt | - | - | -
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
12
DNS requests
8
Threats
0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2472 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
2472 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
2472 | iexplore.exe | GET | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8sEMlbBsCTf7jUSfg%2BhWk%3D | US | der | 1.47 Kb | whitelisted
584 | MsiExec.exe | GET | - | 52.152.133.113:80 | http://sorprenderse.eastus.cloudapp.azure.com/32bits.php | US | - | - | malicious
2472 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
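Read together, the process table and the HTTP table give the chain behind the verdict: WinRAR (PID 2616) runs msiexec /i on the .msi it extracted under Rar$EXa2616.44884, a second installer instance started with -Embedding (PID 584, parent msiexec.exe) is the process that requests /32bits.php from sorprenderse.eastus.cloudapp.azure.com (no response code recorded), and the user-facing msiexec (PID 752) exits with 1603 while PID 584 exits 0. The script below is an added example, not ANY.RUN code or signatures: it encodes those three observations as rules over process and HTTP records constructed from the tables above (the OCSP request path is shortened). The archiver list, the temp-folder markers and the trusted-host suffixes are this example's own choices.

```python
"""Correlating the process table with the HTTP table.

Added example, not part of the ANY.RUN report. The records below are
CONSTRUCTED from the PIDs, parent images, command lines, exit codes and
HTTP requests the report lists; the rule names and the trusted-host list
are this example's own, not sandbox signatures.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse


@dataclass
class Proc:
    pid: int
    parent_image: str          # the report names parents by image, not by PID
    image: str
    cmdline: str
    user: str
    exit_code: Optional[int] = None


@dataclass
class Http:
    pid: int
    method: str
    url: str
    status: Optional[int]      # None where the report shows no response code
    reputation: str


ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe", "7z.exe"}
# Folders WinRAR/7-Zip extract into when a member is opened straight from the archive window.
TEMP_EXTRACT_MARKERS = (r"\appdata\local\temp\rar$", r"\appdata\local\temp\7z")
# Hosts a stock Windows 7 / IE11 guest talks to on its own; everything else is worth a look.
TRUSTED_SUFFIXES = ("microsoft.com", "bing.com", "digicert.com")


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_trusted(host: str) -> bool:
    # A Microsoft ASN proves nothing: *.cloudapp.azure.com is rentable by anyone,
    # so the list is deliberately narrower than "owned by Microsoft".
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def analyse(procs: List[Proc], https: List[Http]) -> List[Tuple[int, str]]:
    findings: List[Tuple[int, str]] = []
    by_pid = {p.pid: p for p in procs}

    # Rule 1: an archiver hands a just-extracted .msi to "msiexec /i".
    for p in procs:
        cl = p.cmdline.lower()
        if (p.image.lower() == "msiexec.exe" and p.parent_image.lower() in ARCHIVERS
                and re.search(r"\s/i\s", cl) and any(m in cl for m in TEMP_EXTRACT_MARKERS)):
            findings.append((p.pid, "archiver_launched_msi_from_temp"))

    # Rule 2: the custom-action server (MsiExec.exe -Embedding) talks to an untrusted host.
    beaconed = False
    for h in https:
        p = by_pid.get(h.pid)
        if (p and p.image.lower() == "msiexec.exe" and "-embedding" in p.cmdline.lower()
                and not is_trusted(host_of(h.url))):
            findings.append((h.pid, f"msi_custom_action_http:{host_of(h.url)}"))
            beaconed = True

    # Rule 3: exit code 1603 (ERROR_INSTALL_FAILURE) does not mean nothing ran; a custom
    # action that already executed, here the one that made the request, is not undone.
    for p in procs:
        if p.image.lower() == "msiexec.exe" and p.exit_code == 1603 and beaconed:
            findings.append((p.pid, "install_failed_after_custom_action_ran"))
    return findings


# CONSTRUCTED from the "Process information" and "HTTP requests" tables above.
REPORT_PROCS = [
    Proc(2616, "explorer.exe", "WinRAR.exe",
         r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\BUROFAX_SOSPECHOSO_045796_FLQ.zip"', "admin"),
    Proc(2472, "WinRAR.exe", "iexplore.exe",
         r'"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\admin\AppData\Local\Temp\Rar$DIa2616.40475\icone_6964611.gif', "admin"),
    Proc(752, "WinRAR.exe", "msiexec.exe",
         r'"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\Rar$EXa2616.44884\045796_FLQ.msi"', "admin", 1603),
    Proc(1652, "services.exe", "msiexec.exe", r"C:\Windows\system32\msiexec.exe /V", "SYSTEM"),
    Proc(584, "msiexec.exe", "MsiExec.exe",
         r"C:\Windows\system32\MsiExec.exe -Embedding 9FADE16A12C1C9CF47243ADCDCA82251", "admin", 0),
]
REPORT_HTTP = [
    Http(2472, "GET", "http://ocsp.digicert.com/MFEwTzBN", 200, "whitelisted"),   # path shortened
    Http(584, "GET", "http://sorprenderse.eastus.cloudapp.azure.com/32bits.php", None, "malicious"),
    Http(2472, "GET", "http://www.bing.com/favicon.ico", 200, "whitelisted"),
]


def analyse_report_sample() -> List[Tuple[int, str]]:
    return analyse(REPORT_PROCS, REPORT_HTTP)


if __name__ == "__main__":
    for pid, rule in analyse_report_sample():
        print(f"PID {pid}: {rule}")
```

Rule 2 is the one that carries the verdict here: the reputation column already marks the Azure host as malicious, but the rule fires without it, purely from "installer custom-action server makes an HTTP request to a host outside the guest's baseline", which is what to alert on in an EDR where no reputation feed is attached.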

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
3708 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2472 | iexplore.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2472 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
584 | MsiExec.exe | 52.152.133.113:80 | sorprenderse.eastus.cloudapp.azure.com | Microsoft Corporation | US | malicious
2472 | iexplore.exe | 152.199.19.161:443 | iecvlist.microsoft.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted
2472 | iexplore.exe | 204.79.197.200:443 | www.bing.com | Microsoft Corporation | US | whitelisted

DNS requests

Domain | IP | Reputation
api.bing.com | 13.107.13.80 | whitelisted
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
iecvlist.microsoft.com | 152.199.19.161 | whitelisted
r20swj13mr.microsoft.com | 152.199.19.161 | whitelisted
ocsp.digicert.com | 93.184.220.29 | whitelisted
sorprenderse.eastus.cloudapp.azure.com | 52.152.133.113 | malicious
ieonline.microsoft.com | 204.79.197.200 | whitelisted

Threats

Found threats are available for the paid subscriptions
1 ETPRO signatures available at the full report
No debug info