File name: Un_A.zip
Full analysis: https://app.any.run/tasks/aa95e49b-99f8-4fc4-ab12-2981f20c214c
Verdict: Malicious activity
Analysis date: August 13, 2019, 13:42:56
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5: 2794A5457DA5EFF41DAFE6A0F82C22AE
SHA1: 7C5E5966B28717AC9C03A32D4225A49F3636F7CC
SHA256: 21F94B7D4ED622BB16950925AD12EF002A592137DDC4E70505ADB9E9B8718EC7
SSDEEP: 6144:+JskEKb9HMeQ2iJIL0O6x/qUMABetNln/3F:+auJ0O6xFmV9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Loads dropped or rewritten executable
      • Un_A.exe (PID: 3728)
      • Un_B.exe (PID: 1328)
    • Application was dropped or rewritten from another process
      • Un_A.exe (PID: 1440)
      • Un_A.exe (PID: 3728)
      • nsF1B4.tmp (PID: 384)
      • nsF3BA.tmp (PID: 3472)
      • nsF2CE.tmp (PID: 2944)
      • Un_A.exe (PID: 3312)
      • ns6C3E.tmp (PID: 2764)
      • ns6D68.tmp (PID: 3172)
      • Un_A.exe (PID: 332)
      • Un_B.exe (PID: 1328)
      • ns6E54.tmp (PID: 2968)
    • Registers / Runs the DLL via REGSVR32.EXE
      • nsF2CE.tmp (PID: 2944)
      • nsF3BA.tmp (PID: 3472)
      • ns6D68.tmp (PID: 3172)
      • ns6E54.tmp (PID: 2968)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • Un_A.exe (PID: 1440)
      • Un_A.exe (PID: 3728)
      • WinRAR.exe (PID: 1912)
      • Un_A.exe (PID: 332)
      • Un_B.exe (PID: 1328)
    • Starts application with an unusual extension
      • Un_A.exe (PID: 3728)
      • Un_B.exe (PID: 1328)
    • Starts Internet Explorer
      • Un_A.exe (PID: 3728)
    • Starts itself from another location
      • Un_A.exe (PID: 332)
  • INFO
    • Manual execution by user
      • explorer.exe (PID: 944)
      • Un_A.exe (PID: 1440)
      • explorer.exe (PID: 3368)
      • Un_A.exe (PID: 332)
    • Reads Internet Explorer settings
      • iexplore.exe (PID: 4088)
    • Creates files in the user directory
      • iexplore.exe (PID: 4088)
    • Changes Internet zones settings
      • iexplore.exe (PID: 1716)
    • Reads Internet Cache Settings
      • iexplore.exe (PID: 4088)
    • Reads settings of System Certificates
      • iexplore.exe (PID: 4088)
No malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipFileName: Un_A.exe
ZipUncompressedSize: 890392
ZipCompressedSize: 255390
ZipCRC: 0xbf24f5e2
ZipModifyDate: 2019:07:03 04:27:21
ZipCompression: Deflated
ZipBitFlag: 0x0001
ZipRequiredVersion: 20
Total processes: 70
Monitored processes: 20
Malicious processes: 4
Suspicious processes: 4

Behavior graph

Interactive graph available in the full report. Nodes, in graph order (edges labelled "start" or "drop and start"): winrar.exe, explorer.exe (no specs), un_a.exe, un_a.exe, nsf1b4.tmp (no specs), nsf2ce.tmp (no specs), regsvr32.exe (no specs), nsf3ba.tmp (no specs), regsvr32.exe (no specs), iexplore.exe, iexplore.exe, explorer.exe (no specs), un_a.exe, un_a.exe (no specs), un_b.exe, ns6c3e.tmp (no specs), ns6d68.tmp (no specs), regsvr32.exe (no specs), ns6e54.tmp (no specs), regsvr32.exe (no specs)

Process information

PID 1912 (parent: explorer.exe)
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Un_A.zip"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM | Description: WinRAR archiver | Version: 5.60.0

PID 944 (parent: explorer.exe)
  CMD: "C:\Windows\explorer.exe"
  Path: C:\Windows\explorer.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM | Description: Windows Explorer | Exit code: 1 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1440 (parent: explorer.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\Un_A.exe"
  Path: C:\Users\admin\AppData\Local\Temp\Un_A.exe
  User: admin | Company: TeamViewer | Integrity Level: HIGH | Description: TeamViewer Remote Control Application Installer | Exit code: 0

PID 3728 (parent: Un_A.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\admin\AppData\Local\Temp\
  Path: C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  User: admin | Company: TeamViewer | Integrity Level: HIGH | Description: TeamViewer Remote Control Application Installer | Exit code: 0

PID 384 (parent: Un_A.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsF1B4.tmp" "C:\Users\admin\AppData\Local\Temp\TeamViewer_Service.exe" -uninstall
  Path: C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsF1B4.tmp
  User: admin | Integrity Level: HIGH | Exit code: 3221225501

PID 2944 (parent: Un_A.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsF2CE.tmp" "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\admin\AppData\Local\Temp\outlook\TeamViewerMeetingAddinShim.dll"
  Path: C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsF2CE.tmp
  User: admin | Integrity Level: HIGH | Exit code: 3

PID 2620 (parent: nsF2CE.tmp)
  CMD: "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\admin\AppData\Local\Temp\outlook\TeamViewerMeetingAddinShim.dll"
  Path: C:\Windows\system32\regsvr32.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Microsoft(C) Register Server | Exit code: 3 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 3472 (parent: Un_A.exe)
  CMD: "C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsF3BA.tmp" "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\admin\AppData\Local\Temp\outlook\TeamViewerMeetingAddinShim64.dll"
  Path: C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsF3BA.tmp
  User: admin | Integrity Level: HIGH | Exit code: 3

PID 1640 (parent: nsF3BA.tmp)
  CMD: "C:\Windows\system32\regsvr32.exe" /s /u "C:\Users\admin\AppData\Local\Temp\outlook\TeamViewerMeetingAddinShim64.dll"
  Path: C:\Windows\system32\regsvr32.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Microsoft(C) Register Server | Exit code: 3 | Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID 1716 (parent: Un_A.exe)
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" -nohome
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: HIGH | Description: Internet Explorer | Exit code: 1 | Version: 8.00.7600.16385 (win7_rtm.090713-1255)
Total events: 2 299
Read events: 2 197
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 24
Suspicious files: 2
Text files: 46
Unknown types: 2

Dropped files

PID 3728 | Un_A.exe | type: - | C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsF2CE.tmp
  MD5: - | SHA256: -
PID 1716 | iexplore.exe | type: - | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\favicon[1].ico
  MD5: - | SHA256: -
PID 1716 | iexplore.exe | type: - | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
  MD5: - | SHA256: -
PID 4088 | iexplore.exe | type: - | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\index[1].aspx
  MD5: - | SHA256: -
PID 1912 | WinRAR.exe | type: executable | C:\Users\admin\AppData\Local\Temp\Un_A.exe
  MD5: 256EE46D53E632E36664E2938EDA8DBB | SHA256: AB8EF17A29F005964BA84BB7795EBB2F0195EB32E5E24B6A3723E12181B8B9F9
PID 3728 | Un_A.exe | type: text | C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\uninstall_unicode.ini
  MD5: 24CAC3979E7F2C79EAE35214CB755FC3 | SHA256: 3FF506814F0C7C7614413327B9FB94487A795E135950037CC0444D838D6D8C67
PID 1440 | Un_A.exe | type: executable | C:\Users\admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
  MD5: 256EE46D53E632E36664E2938EDA8DBB | SHA256: AB8EF17A29F005964BA84BB7795EBB2F0195EB32E5E24B6A3723E12181B8B9F9
PID 3728 | Un_A.exe | type: executable | C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsF1B4.tmp
  MD5: 483A9B183523E7E2015DDEC730E59F7B | SHA256: AEF58B24CC84A798101F9603C986161B93D8BC3C84DE4D48050E10F50FF3FB27
PID 4088 | iexplore.exe | type: html | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LH043OAM\index[1].htm
  MD5: CF5B1BFDE00DA656472EE11E03529B33 | SHA256: DD9C3A6EE6C52840084014FE332C073ACA3327B65CADCC27C3C736A12AA70CF6
PID 3728 | Un_A.exe | type: executable | C:\Users\admin\AppData\Local\Temp\nsuB97D.tmp\nsF3BA.tmp
  MD5: 483A9B183523E7E2015DDEC730E59F7B | SHA256: AEF58B24CC84A798101F9603C986161B93D8BC3C84DE4D48050E10F50FF3FB27
HTTP(S) requests: 9
TCP/UDP connections: 8
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4088 | iexplore.exe | GET | 200 | 52.232.106.174:80 | http://client.teamviewer.com/uninstall/index.aspx?ID=&Version= | NL | html | 5.35 Kb | shared
4088 | iexplore.exe | GET | 200 | 52.232.106.174:80 | http://client.teamviewer.com/uninstall/images/teamviewer-logo.png | NL | image | 4.50 Kb | shared
1716 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted
4088 | iexplore.exe | GET | 200 | 52.232.106.174:80 | http://client.teamviewer.com/uninstall/images/blue-background.jpg | NL | image | 20.4 Kb | shared
4088 | iexplore.exe | GET | 200 | 52.232.106.174:80 | http://client.teamviewer.com/uninstall/images/twitter_mini-b.png | NL | image | 426 b | shared
4088 | iexplore.exe | GET | 200 | 52.232.106.174:80 | http://client.teamviewer.com/uninstall/images/rss.gif | NL | image | 1.03 Kb | shared
4088 | iexplore.exe | GET | 200 | 52.232.106.174:80 | http://client.teamviewer.com/uninstall/images/blue-gradient.jpg | NL | image | 357 b | shared
4088 | iexplore.exe | GET | 200 | 52.232.106.174:80 | http://client.teamviewer.com/favicon.ico | NL | image | 14.7 Kb | shared
4088 | iexplore.exe | GET | 200 | 52.232.106.174:80 | http://client.teamviewer.com/uninstall/images/facebook.png | NL | image | 201 b | shared

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1716 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
4088 | iexplore.exe | 172.217.18.110:443 | www.google-analytics.com | Google Inc. | US | whitelisted
4088 | iexplore.exe | 172.217.22.72:443 | www.googletagmanager.com | Google Inc. | US | whitelisted
4088 | iexplore.exe | 52.232.106.174:80 | client.teamviewer.com | Microsoft Corporation | NL | whitelisted

DNS requests

Domain | IP | Reputation
client.teamviewer.com | 52.232.106.174 | shared
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
www.google-analytics.com | 172.217.18.110 | whitelisted
www.googletagmanager.com | 172.217.22.72 | whitelisted

Threats

No threats detected

Debug info

No debug info