File name: 1a842e98567798d45f0d37c29df2c04bfec4bccf7eaf6adad404f89d5cb5ca75.zip

Full analysis: https://app.any.run/tasks/2069b394-f4cc-4195-8d71-daef8b91f019
Verdict: Malicious activity
Analysis date: September 30, 2020, 08:36:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: D491360F55370BD5DAE2C7057F1E5D80
SHA1: 6AD12AD2CFD1BC7F4793F43306312FB56FFD1B27
SHA256: 20EB026BE35F2432AD1814C85CC5355CA70FBA61E7DA3CDFE0E67A0C56C5FC00
SSDEEP: 12288:KNOO3YrErA+ZFuNfxSAfbjB8FumGt/rhlkitjCt5wiB:KNOOIArx/e/jjXmorh3tmF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Executes PowerShell scripts
      • cmd.exe (PID: 3028)
    • Actions looks like stealing of personal data
      • InstallUtil.exe (PID: 1984)
  • SUSPICIOUS
    • PowerShell script executed
      • powershell.exe (PID: 2076)
    • Creates files in the user directory
      • powershell.exe (PID: 2076)
      • powershell.exe (PID: 1524)
    • Checks supported languages
      • InstallUtil.exe (PID: 1984)
    • Reads Environment values
      • InstallUtil.exe (PID: 1984)
    • Starts CMD.EXE for commands execution
      • InstallUtil.exe (PID: 1984)
    • Checks for external IP
      • InstallUtil.exe (PID: 1984)
  • INFO
    • Manual execution by user
      • powershell.exe (PID: 2076)
No Malware configuration.

TRiD:
.zip | ZIP compressed archive (100)

EXIF (ZIP):
ZipRequiredVersion: 20
ZipBitFlag: 0x0003
ZipCompression: Unknown (99)
ZipModifyDate: 2020:09:30 08:36:03
ZipCRC: 0xee03acf4
ZipCompressedSize: 452032
ZipUncompressedSize: 1136528
ZipFileName: 1a842e98567798d45f0d37c29df2c04bfec4bccf7eaf6adad404f89d5cb5ca75.ps1
No data.
Total processes: 42
Monitored processes: 5
Malicious processes: 3
Suspicious processes: 0

Process information

PID 2620 (parent: explorer.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\1a842e98567798d45f0d37c29df2c04bfec4bccf7eaf6adad404f89d5cb5ca75.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin | Company: Alexander Roshal | Integrity level: MEDIUM
  Description: WinRAR archiver | Exit code: 0 | Version: 5.60.0

PID 2076 (parent: explorer.exe)
  CMD: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\1a842e98567798d45f0d37c29df2c04bfec4bccf7eaf6adad404f89d5cb5ca75.ps1"
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Windows PowerShell | Exit code: 0 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1984 (parent: powershell.exe)
  CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
  Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: .NET Framework installation utility | Exit code: 0 | Version: 4.7.3062.0 built by: NET472REL1

PID 3028 (parent: InstallUtil.exe)
  CMD: "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe' & exit
  Path: C:\Windows\system32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Windows Command Processor | Exit code: 0 | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1524 (parent: cmd.exe)
  CMD: powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe'
  Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  User: admin | Company: Microsoft Corporation | Integrity level: MEDIUM
  Description: Windows PowerShell | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 1 006
Read events: 858
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 0
Suspicious files: 4
Text files: 1
Unknown types: 0

Dropped files

PID 2076, powershell.exe
  File: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6ULFNHXOLY5FHSFSZHBM.temp
  MD5:
  SHA256:

PID 1524, powershell.exe
  File: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3P1QTRDUIEZRTD3UL0P1.temp
  MD5:
  SHA256:

PID 2076, powershell.exe
  File: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1a0b1d.TMP
  Type: binary
  MD5: 907C5FD303717561FE1B4EA4297DAC9A
  SHA256: 219788D162769A2E9475AF5337CA17B4D213A15ADE3E7F46F3FC02ADD48CD09D

PID 1524, powershell.exe
  File: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Type: binary
  MD5: 907C5FD303717561FE1B4EA4297DAC9A
  SHA256: 219788D162769A2E9475AF5337CA17B4D213A15ADE3E7F46F3FC02ADD48CD09D

PID 1524, powershell.exe
  File: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RF1adf93.TMP
  Type: binary
  MD5: 907C5FD303717561FE1B4EA4297DAC9A
  SHA256: 219788D162769A2E9475AF5337CA17B4D213A15ADE3E7F46F3FC02ADD48CD09D

PID 2076, powershell.exe
  File: C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Type: binary
  MD5: 907C5FD303717561FE1B4EA4297DAC9A
  SHA256: 219788D162769A2E9475AF5337CA17B4D213A15ADE3E7F46F3FC02ADD48CD09D

PID 2620, WinRAR.exe
  File: C:\Users\admin\Desktop\1a842e98567798d45f0d37c29df2c04bfec4bccf7eaf6adad404f89d5cb5ca75.ps1
  Type: text
  MD5: 2E088D7B5B8B09C559DE29649E370B2E
  SHA256: 1A842E98567798D45F0D37C29DF2C04BFEC4BCCF7EAF6ADAD404F89D5CB5CA75
HTTP(S) requests: 1
TCP/UDP connections: 2
DNS requests: 2
Threats: 0

HTTP requests

PID 1984, InstallUtil.exe: GET http://api.ipify.org/ (HTTP code 200)
  IP: 54.227.255.202:80 | CN: US | Type: text | Size: 13 b | Reputation: shared

Connections

PID 1984, InstallUtil.exe: 94.127.7.174:21 (milebgd.mycpanel.rs)
  ASN: Serbia BroadBand-Srpske Kablovske mreze d.o.o. | CN: RS | Reputation: malicious

PID 1984, InstallUtil.exe: 54.227.255.202:80 (api.ipify.org)
  ASN: Amazon.com, Inc. | CN: US | Reputation: suspicious

DNS requests

api.ipify.org (reputation: shared)
  • 54.227.255.202
  • 54.225.195.221
  • 54.225.169.28
  • 23.21.252.4
  • 23.21.126.66
  • 23.21.109.69
  • 54.235.83.248
  • 54.235.169.38

milebgd.mycpanel.rs (reputation: malicious)
  • 94.127.7.174

Threats

PID 1984, InstallUtil.exe
  Class: Misc activity
  Message: SUSPICIOUS [PTsecurity] External IP Lookup (possible MassLogger)

PID 1984, InstallUtil.exe
  Class: Potential Corporate Privacy Violation
  Message: ET POLICY External IP Lookup api.ipify.org

Debug info: No debug info