analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

844ac16506d5ed2c0290e1a1ef4a1459-sample.zip

Full analysis: https://app.any.run/tasks/f50a0c2f-2686-4afd-8849-1b4094782c41
Verdict: Malicious activity
Analysis date: February 21, 2020, 20:27:33
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract
MD5:

5317C0F282E9DCB2CB72D1B6727771BE

SHA1:

08409024D439ED688B725874813559FDF60629E4

SHA256:

22426830FA6B77934A68F893BC109060B204D8DADC8D5C1392042A9E5871B540

SSDEEP:

384:Ux3+fHUeXvBktf1p+WuiS0kvSv6yQHnCF:UF+fO100kva0HCF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • powershell.exe (PID: 3588)
  • SUSPICIOUS

    • Creates files in the user directory

      • powershell.exe (PID: 2992)
      • notepad++.exe (PID: 3776)
      • powershell.exe (PID: 2780)
      • powershell.exe (PID: 3588)
    • Executes PowerShell scripts

      • WinRAR.exe (PID: 2492)
    • PowerShell script executed

      • powershell.exe (PID: 2780)
      • powershell.exe (PID: 3588)
    • Adds / modifies Windows certificates

      • powershell.exe (PID: 3588)
  • INFO

    • Manual execution by user

      • powershell.exe (PID: 2780)
      • notepad++.exe (PID: 3776)
      • powershell.exe (PID: 3588)
    • Reads settings of System Certificates

      • powershell.exe (PID: 3588)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: 0x0009
ZipCompression: Deflated
ZipModifyDate: 2020:02:21 20:23:02
ZipCRC: 0x66a91bdf
ZipCompressedSize: 13277
ZipUncompressedSize: 31840
ZipFileName: 7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14_c79169fb51dc09db30463bb4578b5ad18aafb848462c998b11643c73d0349ce7.ps1
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
48
Monitored processes
6
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs powershell.exe no specs notepad++.exe gup.exe powershell.exe no specs powershell.exe

Process information

PID
CMD
Path
Indicators
Parent process
2492"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\844ac16506d5ed2c0290e1a1ef4a1459-sample.zip"C:\Program Files\WinRAR\WinRAR.exeexplorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.60.0
2992"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\AppData\Local\Temp\Rar$DIb2492.38364\7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14_c79169fb51dc09db30463bb4578b5ad18aafb848462c998b11643c73d0349ce7.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeWinRAR.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3776"C:\Program Files\Notepad++\notepad++.exe" "C:\Users\admin\Desktop\7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14_c79169fb51dc09db30463bb4578b5ad18aafb848462c998b11643c73d0349ce7.ps1"C:\Program Files\Notepad++\notepad++.exe
explorer.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Notepad++ : a free (GNU) source code editor
Version:
7.51
3260"C:\Program Files\Notepad++\updater\gup.exe" -v7.51C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
GUP : a free (LGPL) Generic Updater
Exit code:
0
Version:
4.1
2780"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-file" "C:\Users\admin\Desktop\7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14_c79169fb51dc09db30463bb4578b5ad18aafb848462c998b11643c73d0349ce7.ps1"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3588"C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Total events
2 370
Read events
958
Write events
0
Delete events
0

Modification events

No data
Executable files
0
Suspicious files
6
Text files
6
Unknown types
0

Dropped files

PID
Process
Filename
Type
2992powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FMP30J2Z1KOR62F2W0UE.temp
MD5:
SHA256:
2780powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\R6WAESYILMSEFTQEENRI.temp
MD5:
SHA256:
3588powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DE04Z09QLYQVD4JG7EIP.temp
MD5:
SHA256:
2992powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFa6b510.TMPbinary
MD5:3B712DE36DC1672EC51A90C5EE31744F
SHA256:DDE2E429BD6DAA8AA6C9FED090F7C8B96BB95A0AD3E53FE900F99F21E3780AA1
2780powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:3B712DE36DC1672EC51A90C5EE31744F
SHA256:DDE2E429BD6DAA8AA6C9FED090F7C8B96BB95A0AD3E53FE900F99F21E3780AA1
2780powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms~RFa7c9cb.TMPbinary
MD5:3B712DE36DC1672EC51A90C5EE31744F
SHA256:DDE2E429BD6DAA8AA6C9FED090F7C8B96BB95A0AD3E53FE900F99F21E3780AA1
2492WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DIb2492.38364\7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14_c79169fb51dc09db30463bb4578b5ad18aafb848462c998b11643c73d0349ce7.ps1text
MD5:5053CF06F049652057693628C66A80F5
SHA256:C79169FB51DC09DB30463BB4578B5AD18AAFB848462C998B11643C73D0349CE7
2492WinRAR.exeC:\Users\admin\Desktop\7DC6B6F1-E7F6-43C1-96E0-E1D16BC25C14_c79169fb51dc09db30463bb4578b5ad18aafb848462c998b11643c73d0349ce7.ps1text
MD5:5053CF06F049652057693628C66A80F5
SHA256:C79169FB51DC09DB30463BB4578B5AD18AAFB848462C998B11643C73D0349CE7
2992powershell.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msbinary
MD5:3B712DE36DC1672EC51A90C5EE31744F
SHA256:DDE2E429BD6DAA8AA6C9FED090F7C8B96BB95A0AD3E53FE900F99F21E3780AA1
3776notepad++.exeC:\Users\admin\AppData\Roaming\Notepad++\stylers.xmlxml
MD5:44982E1D48434C0AB3E8277E322DD1E4
SHA256:3E661D3F1FF3977B022A0ACC26B840B5E57D600BC03DCFC6BEFDB408C665904C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
2
DNS requests
2
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
93.184.220.29:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2Fz5hY5qj0aEmX0H4s05bY%3D
US
der
1.47 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
93.184.220.29:80
ocsp.digicert.com
MCI Communications Services, Inc. d/b/a Verizon Business
US
whitelisted
3260
gup.exe
104.31.88.28:443
notepad-plus-plus.org
Cloudflare Inc
US
shared

DNS requests

Domain
IP
Reputation
notepad-plus-plus.org
  • 104.31.88.28
  • 104.31.89.28
whitelisted
ocsp.digicert.com
  • 93.184.220.29
whitelisted

Threats

No threats detected
Process
Message
notepad++.exe
VerifyLibrary: certificate revocation checking is disablŒ
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
42C4C5846BB675C74E2B2C90C69AB44366401093